Ok, but at this time... what are the advantages of using the ntlm_auth shipped with samba3 instead of the one shipped with squid? I'm only finding problems using the first....
For now, I'm thinking that it is quite problematic using squid with samba3. Better to use it with samba 2.2.8a: wb_group and wb_ntlmauth work, and there is no other ntlm_auth except the squid one! :-)

P.S. I wrote IIS, but I meant IE :-) sorry.

Thanks in advance
Federico

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Lombardo Federico" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 11:43 AM
Subject: Re: [squid-users] testing ntlm_auth shipped with samba 3

> On Wed, 5 Nov 2003, Lombardo Federico wrote:
>
> > 1) ntlm-ssp protocol seems to be not used from IE, testing with win2003,
> > latest IIS if leaving only this in squid.conf:
>
> Where does IIS come into the picture?
>
> > auth_param ntlm program
> > /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 10
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
>
> Looks good to me.
>
> > Will make cache.log say when I connect with my IE:
> >
> > 2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured
> > proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
>
> Hmm.. confused browser.
>
> What does "log_mime_hdrs on" give in the initial 407 response headers from
> the proxy?
>
> > 2) using ntlm_auth with this squid.conf configuration:
> >
> > Into the log this time I can see that user is recognized, but without the
> > domain.
>
> The user name logged in basic authentication is the username entered in
> the browser. This may be with or without the NT domain when using a NT
> domain backend.
>
> > Ah, note that using only basic auth, without external acl, all works
> > correctly, so the ntlm_auth helper, in this configuration works correctly, or
> > "seems" to work correctly
>
> Ok. So wbinfo_group.pl either does not like the username or the group
> name. Your testing suggests that it does not like the domainless login
> name.
>
> Solution a): Enter the login using domain name in the browser.
>
> Solution b): Teach wbinfo_group.pl how to handle "accounts in the default
> domain" where no domain name is specified in the login name.
>
> Regards
> Henrik
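
Henrik's solution b), sketched as an added example that is not part of the original messages and is not the wbinfo_group.pl code: a Squid external ACL helper in Python that places a domainless login in a default domain before the group check. `DEFAULT_DOMAIN`, the function names and the sample directory are assumptions; a deployed helper would ask winbind for the group list, and the %-decoding assumes the escaped request fields of the Squid 2.5 helper protocol.

```python
import sys
from urllib.parse import unquote

DEFAULT_DOMAIN = "EXAMPLE"  # assumption: the domain winbind is joined to
SEPARATOR = "\\"            # winbind's default domain\user separator

# Constructed sample directory; a deployment would ask winbind instead.
SAMPLE_GROUPS = {
    "EXAMPLE\\alice": ["Domain Users", "WebUsers"],
    "OTHER\\guest": ["Domain Guests"],
}


def qualify(login, default_domain=DEFAULT_DOMAIN, sep=SEPARATOR):
    """Return DOMAIN<sep>user, adding the default domain if none was typed."""
    login = login.strip()
    if sep not in login:
        domain, user = default_domain, login
    else:
        domain, user = login.split(sep, 1)
    if not domain or not user:
        raise ValueError("malformed login")
    # NT account names are case-insensitive, so fold to one spelling.
    return domain.upper() + sep + user.lower()


def sample_members(user):
    """Group list for a qualified user, from the constructed directory."""
    return SAMPLE_GROUPS.get(user, [])


def answer(line, members_of=sample_members):
    """Map one request line '<login> <group> [<group>...]' to OK or ERR."""
    # Split before decoding so an escaped space cannot add extra fields.
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    try:
        user = qualify(fields[0])
    except ValueError:
        return "ERR"  # fail closed on anything that does not parse
    wanted = {g.casefold() for g in fields[1:]}
    have = {g.casefold() for g in members_of(user)}
    return "OK" if wanted & have else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(answer(request), flush=True)
```

Qualifying the name inside the helper keeps the access decision identical whether the user typed `alice` or `EXAMPLE\alice`, and a login in another domain is never silently mapped to the default one.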
