Hi, I am having real difficulty getting squid working with NTLM authentication on FreeBSD 4.10 and Samba 3.0.4.
I have read the FAQ thoroughly at http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.2 but still can't seem to figure out what's wrong. The only two things that stick out are that when I do the wbinfo -a test the challenge/response password authenticates fine but not plaintext. Running the ntlm_auth program by hand I also get the message "BH Helper detected protocol error".

For info our domain controller is Windows 2003 server running AD and our domain is called TRIDENT. Reading the FAQ on NTLM Auth, here's a walkthrough of what I did:

1) Build and install samba 3 with winbind support - done.

2) Configure smb.conf (below) and join to the domain - done.

[global]
        workgroup = TRIDENT
        server string = Mungo
        security = domain
        log file = /var/log/samba/log.%m
        password server = DC1
        socket options = TCP_NODELAY
        local master = no
        dns proxy = yes
        winbind seperator = +
        idmap uid = 10000-20000
        idmap guid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes

3) Check wbinfo -t command - done. (output below - output different from FAQ)

[EMAIL PROTECTED]:/<2>etc/squid# wbinfo -t
checking the trust secret via RPC calls succeeded

4) Test winbind user authentication - done. (Output below - command syntax different from FAQ? Note that only challenge/response password works).

[EMAIL PROTECTED]:/<2>etc/squid# wbinfo -a TRIDENT\\jamie%xxxxxxx
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user TRIDENT\jamie%xxxxxxx with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user TRIDENT\jamie with challenge/response

[EMAIL PROTECTED]:/<2>etc/squid# wbinfo -a jamie%xxxxxxx
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user jamie%xxxxxxx with plaintext password
challenge/response password authentication succeeded

5) Set privileges on winbindd_privileged - done (output below)

[EMAIL PROTECTED]:/<2>etc/squid# chgrp squid /var/db/samba/winbindd_privileged
[EMAIL PROTECTED]:/<2>etc/squid# l /var/db/samba
<snip>
Drwxrwx---  2 root  squid  - 512 Jun 25 16:68 winbindd_privileged

6) Compile squid with --enable-auth="ntlm,basic" - Done.

7) Test squid without auth - works fine. Also tested with basic auth on ncsa passwd file which also works but pops up a username and password box, browsing ok once correct username and password entered.

Relevant bits for my NTLM auth from squid.conf below:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

8) Test the samba 3.x helper. Bleh. Command line seems completely different from the FAQ. Output below of the FAQ one and the one I think is correct:

[EMAIL PROTECTED]:/<2>etc/squid# /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic TRIDENT+jamie xxxxxxx
Couldn't grok domain-controller TRIDENT+jamie
Couldn't grok domain-controller xxxxxxx
You must specify at least one domain-controller!

/usr/local/libexec/squid/ntlm_auth usage: /usr/local/libexec/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller [domain\controller ...]
        -b      enables load-balancing among controllers
        -f      enables failover among controllers (DEPRECATED and always active)
        -l      changes behavior on domain controller failyures to last-ditch.
        -d      enables debugging statements if DEBUG was defined at build-time.

        You MUST specify at least one Domain Controller.
        You can use either \ or / as separator between the domain name and the controller name

[EMAIL PROTECTED]:/<2>etc/squid# /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic TRIDENT\\DC1 jamie xxxxxxx
BH Helper detected protocol error

Hmmmmmmmmmmmmmmmmmm. Everything appears to be configured fine to me. Is it a FreeBSD quirk?? There doesn't appear to be any relevant info in the squid logs about what's happening and IE just displays the "Cannot find page or DNS error" page.

My goal out of this is for people who are authenticated on the domain to browse the internet without having to type in a username and password every time they open IE.

Hope the reams of info above shed some light on what's happening!!!! Any help mucho appreciated.

Thanks,

--
Jamie Heckford
Network Manager
Trident Microsystems Ltd.
t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/
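The step-8 helper test driven from a script instead of by hand, as an added example that is not from the original post nor from Squid or Samba: it sends the single "DOMAIN+user password" line that Squid's 2.5 basic helper protocol uses and classifies the OK/ERR/BH reply, so a BH or a missing answer is caught before the helper goes into squid.conf. The helper path is an assumption (Samba's ntlm_auth, typically /usr/local/bin/ntlm_auth on FreeBSD, which is a different binary from the Squid helper of the same name under libexec/squid).

```python
"""Drive a Squid 2.5 basic-auth helper (for example Samba's
ntlm_auth --helper-protocol=squid-2.5-basic) the way Squid does:
one "user password" line on stdin, one OK/ERR/BH reply on stdout."""
import subprocess
from urllib.parse import quote

# Assumed helper location; Samba's ntlm_auth, not Squid's own helper
# in /usr/local/libexec/squid which takes domain\controller arguments.
DEFAULT_HELPER = ["/usr/local/bin/ntlm_auth",
                  "--helper-protocol=squid-2.5-basic"]


def build_request(domain, user, password, separator="+"):
    """Build the request line. Squid rfc1738-escapes both fields and
    Samba's helper unescapes them; the domain is prefixed with the
    winbind separator ('+' in the smb.conf above)."""
    name = f"{domain}{separator}{user}" if domain else user
    return f"{quote(name, safe='')} {quote(password, safe='')}\n"


def parse_reply(line):
    """Split a helper reply into (status, detail). Status is OK, ERR or
    BH (broken helper); anything else is a protocol violation."""
    status, _, detail = line.strip().partition(" ")
    if status not in ("OK", "ERR", "BH"):
        raise ValueError(f"unexpected helper reply: {line!r}")
    return status, detail


def query_helper(domain, user, password, helper=DEFAULT_HELPER, timeout=10):
    """Run the helper for one credential pair and return (status, detail).
    A helper that exits without answering is reported as BH together with
    its exit code and stderr, which is the usual sign of a wrong binary
    or wrong command-line arguments."""
    proc = subprocess.run(helper, input=build_request(domain, user, password),
                          capture_output=True, text=True, timeout=timeout)
    lines = proc.stdout.splitlines()
    if not lines or not lines[0].strip():
        return "BH", f"no reply (exit {proc.returncode}): {proc.stderr.strip()}"
    return parse_reply(lines[0])


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python helper_test.py TRIDENT jamie   (password is prompted)
    print(query_helper(sys.argv[1], sys.argv[2], getpass.getpass()))
```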
