Henrik, I'm testing the ntlm_auth shipped with Samba 3. I want to discuss these issues:

1) The ntlm-ssp protocol seems not to be used by IE, testing with win2003, latest IIS. Leaving only this in squid.conf:

auth_param ntlm program /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

will make cache.log say, when I connect with my IE:

2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:28:43| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:30:56| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:31:30| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='

Naturally, this gives access denied. It seems that IE asks for Basic auth instead of the ntlm one.

2) Using ntlm_auth with this squid.conf configuration:

auth_param basic program usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper concurrency=10 ttl=300 %LOGIN /usr/squid/libexec/wbinfo_group.pl
acl InternetFull external wbinfo_group_helper InternetFull
http_access allow InternetFull
http_access deny all

will give access denied forever. Please note that using the normal ntlm_auth, shipped with squid, will make it all work. It seems that ntlm_auth doesn't give the correct credentials to wbinfo_group.pl. In the log this time I can see that the user is recognized, but without the domain.

Ah, note that using only basic auth, without the external acl, all works correctly, so the ntlm_auth helper, in this configuration, works correctly, or "seems" to work correctly.

Example: with the squid ntlm_auth one, in the log I can see (when authorized from wbinfo_group):

1067944601.051 1799 192.168.5.12 TCP_MISS/200 25711 GET http://freshmeat.net domain\user DIRECT/216.218.248.174 text/html

Using ntlm_auth from samba will make my log:

1068025606.229 230 192.168.5.12 TCP_DENIED/407 2095 GET http://www.grandistazioni.it/popupFla.cfm? user

So, no domain is mapped in the log. I've tried to specify the domain on the command line to ntlm_auth, but nothing.
