Trying to get NTLM/seamless authentication working with IE in domain/AD environment. Have browser setup to use proxy.

Basic authentication from a non-M$ machine/browser works fine to the domain.
Basic authentication from a M$ machine with Netscape works fine to the domain.
Any authentication from a M$ machine with a M$ browser fails.

It appears that the NTLM between the client IE and Squid takes place due to seeing the username appearing in the logs (cache.log) as soon as IE is launched, but that authentication is never sent to the Domain Controllers (verified via tcpdump).

TESTWKSN
 - WinXP
 - IE 6
 - Netscape 7.0

Non M$ Workstation
 - Solaris 9
 - Netscape 7.0

Proxy Server
 - FreeBSD 4.9
 - Samba 3.0.0,1 from ports
 - Squid 2.5_4 from ports

-----------------------------------------------------------------------------------
output of 'squid -v'

Squid Cache: Version 2.5.STABLE3
configure options: --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid --localstatedir=/usr/local/squid '--enable-storeio=ufs diskd null' '--enable-removal-policies=lru heap' --enable-auth=ntlm,basic '--enable-basic-auth-helpers=NCSA winbind' --enable-ntlm-auth-helpers=winbind '--enable-external-acl-helpers=wbinfo_group winbind_group' --enable-snmp --enable-delay-pools --enable-useragent-log --enable-referer-log --disable-ident-lookups --enable-underscores --prefix=/usr/local i386-portbld-freebsd4.9

-----------------------------------------------------------------------------------
CACHE.LOG

Jan 9 16:10:05 cache02 [2004/01/09 16:10:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Jan 9 16:10:05 cache02 user=[TESTUSER1] domain=[TESTDOMAIN] workstation=[TESTWKSN] len1=24 len2=24

-----------------------------------------------------------------------------------
SQUID.CONF

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

-----------------------------------------------------------------------------------
SMB.CONF

security = ads
password server = TESTADC0 TESTADC1
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = "
realm = TEST.COM
winbind use default domain = yes
workgroup = TESTDOMAIN
domain master = no
