Hi Henrik, Interesting results today.....
I spent alot of time trying to get to where I was yesterday. Before I could even *start* to answer your questions, I had problems. wbinfo -u and wbinfo -g would work but wbinfo -t would not. So I really couldn't go any farther. I found a note about the same problem here http://www.mail-archive.com/[EMAIL PROTECTED]/msg25730.html So I did what this guy did in the email and wbinfo -t started working again. I realize that this is Samba problem but I am just sharing this with for background to troubleshooting this problem. > > So Samba's NTLM doesn't appear to give the answer in the form that Squid > > wants. > > Indeed. Well I recompiled squid with the settings I showed you earlier and set the squid.conf parameters for ntlm_auth to: # these are used by Internet Explorer auth_param ntlm program /usr/local/bin/ntlm_auth -d 64 --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 3 auth_param ntlm max_challenge_lifetime 2 minutes # these are used by every other browser auth_param basic program /usr/local/bin/ntlm_auth -d 2 --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 minutes I received no more information about the "aborted" message but also squid didn't crash this time either. On the browser side, I got prompted for the username/password/domain but always got denied after 3 times. Winbind log said: [2003/11/20 16:46:27, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(222) winbindd_pam_auth_crap: non-privileged access denied! [2003/11/20 16:46:27, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379) NTLM CRAP authentication for user [(null)]\[(null)] returned NT_STATUS_ACCESS_DENIED (PAM: 4) [2003/11/20 16:46:34, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(222) winbindd_pam_auth_crap: non-privileged access denied! [2003/11/20 16:46:34, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379) NTLM CRAP authentication for user [(null)]\[(null)] returned NT_STATUS_ACCESS_DENIED (PAM: 4) And the squid access log said: 1069368394.844 66 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ - NONE/- text/html 1069368394.903 56 172.16.215.30 TCP_DENIED/407 1645 GET http://www.google.com/ - NONE/- text/html ****notice no username**** So it looks like we got somewhere, just not sure where we are!.... I remark the first set of ntlm_auth statements in squid.conf and restart squid. I am prompted for the username password. And BAM! I get to google.com.... The access log follows..... 1069368577.041 24 172.16.215.30 TCP_DENIED/407 1690 GET http://www.google.com/ - NONE/- text/html 1069368581.548 3237 172.16.215.30 TCP_MISS/200 1581 GET http://www.google.com/ surfer DIRECT/216.239.39.99 text/html Until next time, --Dave Augustus
