Hi all.

I need some help sorting out a problem I've got with ntlm_auth using squid and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7. I've set up squid and samba from source, and configured them, all according to the documentation found here:

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

I'm sure I've done everything right, according to the docco, but when the user requests a site, the challenge/response auth fails, and the user is prompted for a username and password (using basic auth as a fallback), which succeeds.

I've done a lot of troubleshooting, and tried a lot of things to get this working. I'm running on Debian 3.0r2, but I had much the same problem on FC2.

Everything during setup seemed to work. The following gives the result:

    # wbinfo -t
    checking the trust secret via RPC calls succeeded

    # wbinfo -a username%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

However, if I do as per the docs I'm following:

    # wbinfo -a mydomain\\username%password
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user mydomain\username%password with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user mydomain\username with challenge/response

But, doing:

    # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    mydomain+username password
    OK

Seems to be working there, but the browser still doesn't authenticate. With the debugging turned on, I get this in the cache log:

    2004/10/14 16:15:59| aclMatchAclList: checking AuthorizedUsers
    2004/10/14 16:15:59| aclMatchAcl: checking 'acl AuthorizedUsers proxy_auth REQUIRED'
    2004/10/14 16:15:59| authenticateValidateUser: Auth_user_request was NULL!
    2004/10/14 16:15:59| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
    2004/10/14 16:15:59| aclMatchAcl: returning 0 sending authentication challenge.
    2004/10/14 16:15:59| aclMatchAclList: no match, returning 0
    2004/10/14 16:15:59| aclCheck: match found, returning 2
    2004/10/14 16:15:59| cbdataUnlock: 0x81eadf8
    2004/10/14 16:15:59| aclCheckCallback: answer=2
    2004/10/14 16:15:59| cbdataValid: 0x83d7430
    2004/10/14 16:15:59| The request GET http://slashdot.org/ is DENIED, because it matched 'AuthorizedUsers'

Searching around for that error, I found that someone had suggested this was due to squid not being able to access winbind's privileged pipe. However, squid runs as the user and group "squid", and these are the perms on the directory in question:

    drwxr-s--- 2 root squid 4096 Oct 14 15:09 /usr/local/samba/var/locks/winbindd_privileged

Seems okay to me, and consistent with the info on giving squid access to winbind's privileged pipe in the squid FAQ mentioned above.

So, does anyone know what I've done wrong here, if anything? It seems to me that it SHOULD be working, unless I've got something wrong in the squid or samba .conf files. I won't post those, because this email is long enough already, but I'll provide links to them.

Squid.conf: http://users.bigpond.com/xdouglas/stuff/4work/squid.conf
Smb.conf: http://users.bigpond.com/xdouglas/stuff/4work/smb.conf

Any help with this problem would be greatly appreciated.

Thanks.

-------------------
Hal Douglas
I.T. Administrator
Marist Regional College
Email: [EMAIL PROTECTED]
-------------------
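
The permission check discussed in the message above, as an added example that is not part of the original post: a shell function that reads an `ls -ld` line and reports whether a given account holds the search bit on that directory. The function name `can_traverse` is hypothetical, and the check covers only the directory's own mode, not its parent directories or the pipe file inside it.

```shell
#!/bin/sh
# Added example (not from the original post).
# can_traverse LS_LINE USER "GROUPS": succeed if USER, a member of GROUPS,
# holds the search (x) bit on the directory described by an `ls -ld` line.
can_traverse() {
    user=$2 user_groups=$3
    # Split the ls fields: mode, link count, owner, group, rest.
    read -r mode _links owner group _rest <<EOF
$1
EOF
    # root bypasses directory permission checks.
    if [ "$user" = root ]; then return 0; fi
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        pos=4
    else
        pos=10
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then pos=7; fi
        done
    fi
    bit=$(printf '%s' "$mode" | cut -c"$pos")
    # x = search; s/t = setuid, setgid or sticky plus search.
    # S, T and - mean the search bit is absent.
    case $bit in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed input: the directory listing quoted in the post.
listing='drwxr-s--- 2 root squid 4096 Oct 14 15:09 /usr/local/samba/var/locks/winbindd_privileged'
if can_traverse "$listing" squid "squid"; then
    echo "squid: directory mode allows access"
else
    echo "squid: directory mode blocks access"
fi
# On a live host: can_traverse "$(ls -ld DIR)" squid "$(id -Gn squid)"
```
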
