> What protocol did you tell ntlm_auth to use? I.e. what do your
> auth_param lines look like?
Here is my entire setup.

Here are my squid compile parameters:

CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
    --prefix=/usr \
    --datadir=/usr/share \
    --localstatedir=/var \
    --sysconfdir=/etc/squid \
    --infodir=/usr/share/info \
    --mandir=/usr/share/man \
    --enable-useragent_log \
    --enable-auth="ntlm,basic" \
    --enable-basic-auth-helpers="winbind" \
    --enable-ntlm-auth-helpers="fakeauth,no_check,SMB,winbind" \
    --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group"

(I am sure that some of these are NOT needed, but I would rather compile everything, find out what works and then recompile with just what is needed.)

My squid.conf auth settings:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
(yes, this is the samba 3 version)
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 2 minutes

# these are used by every other browser
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes

My wbinfo output, as requested:

[EMAIL PROTECTED] ~> wbinfo -t
checking the trust secret via RPC calls succeeded

[EMAIL PROTECTED] ~> wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
testuser
surfer
samba

[EMAIL PROTECTED] ~> wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
AuthorizedUsers
IntranetUsers
StaffUsers

[EMAIL PROTECTED] ~> wbinfo -a surfer%surfer2003
plaintext password authentication succeeded
challenge/response password authentication succeeded

[EMAIL PROTECTED] ~> squid -v
Squid Cache: Version 2.5.STABLE4
configure options: --prefix=/usr --datadir=/usr/share --localstatedir=/var --sysconfdir=/etc/squid --infodir=/usr/share/info --mandir=/usr/share/man --enable-useragent_log --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=fakeauth,no_check,SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

[EMAIL PROTECTED] ~> su - squid
[EMAIL PROTECTED] squid]$ /usr/local/bin/ntlm_auth --username=surfer
password:
NT_STATUS_OK: Success (0x0)

Turning mime_headers on reveals the following in the squid access log:

1069265718.735 119 172.16.215.30 TCP_DENIED/407 1645 GET http://www.google.com/ - NONE/- text/html [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nCookie: PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM\r\n\r]

1069265718.947 107 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ - NONE/- text/html [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IAoAQABAAoAAAACAAIACAAAABLQ001MDI5OEJVR1M=\r\nCookie: PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAg9nDlwSM9D0wAAAAAAAAAAAAAAAAwAAAA\r\n\r]

This is where it breaks. It appears to me that squid is NOT logging the user/domain information in the log file, AND when I run squid with the following (squid -XN -d 1) and then try to access the web page, squid says:

FATAL: authenticateNTLMHandleReply: called with no result string
Aborted

So Samba's NTLM doesn't appear to give the answer in the form that Squid wants.

Also, here are my samba compile settings and configuration file:

CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
    --sysconfdir=/etc/samba \
    --prefix=/usr/local/samba \
    --localstatedir=/var \
    --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba \
    --enable-auth="ntlm,basic" \
    --enable-basic-auth-helpers="winbind" \
    --enable-ntlm-auth-helpers="winbind" \
    --enable-external-acl-helpers=winbind_group \
    --with-fhs \
    --with-quotas \
    --with-msdfs \
    --with-smbmount \
    --with-ads \
    --with-pam \
    --with-pam_smbpass \
    --with-syslog \
    --with-utmp \
    --with-sambabook=/usr/share/swat/using_samba \
    --with-swatdir=/usr/share/swat \
    --with-libsmbclient \

AND /etc/samba/smb.conf:

[global]
workgroup = BUGS
netbios name = BUGS00001
realm = BUGS.EXAMPLE.COM
security = ads
encrypt passwords = yes
password server = W2003.BUGS.EXAMPLE.COM
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces = 172.16.215.20 127.0.0.1
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 3
client signing = Yes
server signing = Yes
client use spnego = Yes
template shell = /bin/bash
template homedir = /home/%D/%U

Finally, just for grins, my /etc/krb5.conf (krb5-1.3.1 compiled from source) contents:

[libdefaults]
default_realm = BUGS.EXAMPLE.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
#default_etypes = arcfour-hmac-md5
#default_etypes_des = arcfour-hmac-md5
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
BUGS.EXAMPLE.COM = {
    admin_server = W2003.BUGS.EXAMPLE.COM
    default_domain = BUGS.EXAMPLE.COM
    kdc = W2003.BUGS.EXAMPLE.COM
}

[domain_realm]
.bugs.kcm.org = BUGS.EXAMPLE.COM
bugs.kcm.org = BUGS.EXAMPLE.COM

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Thanks for your time on this problem,
Dave Augustus
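As an added diagnostic that is not part of the post or of Squid or Samba, the following Python script pulls the NTLM tokens out of mime_headers access-log lines like the ones above and decodes the NTLMSSP Type 1 (negotiate) and Type 2 (challenge) messages, so you can see what the browser actually sent (workstation and domain names, negotiate flags) and confirm that Squid returned a challenge. The log excerpt is a constructed sample reduced to the two headers that carry the tokens; the flag names follow MS-NLMP.

```python
import base64
import re
import struct

# Constructed sample: the header fragments from the two access.log lines in
# the post (mime_headers on) that carry the NTLMSSP tokens.
SAMPLE_LOG = (
    "1069265718.947 107 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ "
    "[Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IAoAQABAAoAAAACAAIACAAAABLQ001MDI5OEJVR1M=\\r\\n] "
    "[HTTP/1.0 407 Proxy Authentication Required\\r\\nProxy-Authenticate: NTLM "
    "TlRMTVNTUAACAAAAAAAAADAAAAACAgAg9nDlwSM9D0wAAAAAAAAAAAAAAAAwAAAA\\r\\n\\r]"
)
# Subset of the NTLMSSP negotiate flags (MS-NLMP names) that appear in such tokens.
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
         0x1000: "OEM_DOMAIN_SUPPLIED", 0x2000: "OEM_WORKSTATION_SUPPLIED",
         0x8000: "ALWAYS_SIGN", 0x80000: "EXTENDED_SESSION_SECURITY",
         0x20000000: "128", 0x80000000: "56"}
TOKEN_RE = re.compile(r"(Proxy-Authorization|Proxy-Authenticate): NTLM ([A-Za-z0-9+/=]+)")

def extract_tokens(log_text):
    """Return (header name, base64 token) pairs from mime_headers log output."""
    return TOKEN_RE.findall(log_text)

def _secbuf(data, off):
    """Resolve an NTLMSSP security buffer (len, maxlen, offset) located at `off`."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]

def decode_ntlmssp(token):
    """Decode a base64 NTLMSSP Type 1 (negotiate) or Type 2 (challenge) message."""
    data = base64.b64decode(token)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        flags = struct.unpack_from("<I", data, 12)[0]
        info["domain"] = _secbuf(data, 16).decode("latin-1")  # OEM (8-bit) strings
        info["workstation"] = _secbuf(data, 24).decode("latin-1")
    elif msg_type == 2:
        flags = struct.unpack_from("<I", data, 20)[0]
        codec = "utf-16-le" if flags & 0x1 else "latin-1"
        info["target_name"] = _secbuf(data, 12).decode(codec)
        info["challenge"] = data[24:32].hex()  # the 8-byte server nonce
    else:
        return info  # Type 3 carries the client's response; not decoded here
    info["flags"] = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return info
```

Running decode_ntlmssp over each token from extract_tokens(SAMPLE_LOG) shows the browser's Type 1 naming workstation KCM50298 and domain BUGS, and Squid's Type 2 carrying an 8-byte challenge with an empty target name.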
