Thanks for your help Henrik. I checked, just to be sure, and we are using the ntlm_auth from samba.
Yes, we are trying to use NTLM auth. As per the documentation I was using, I've set it up to fall back to basic auth if NTLM challenge/response fails (which it does), basic auth works quite well, but challenge/response doesn't.

Anyway, I took a look at the cache.log, and there aren't any messages at the default log level, other than the standard "starting X NTLM auth processes". I turned on log_mime_hdrs as you asked, and here's the output:

1098069200.802 1 10.0.1.8 TCP_DENIED/407 1747 GET http://www.google.com/ - NONE/- text/html [Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*\r\nAccept-Language: en-au\r\nCookie: PREF=ID=17238ed846c9d38d:CR=1:TM=1096527005:LM=1096527005:S=kyLy_3fTUQxpLp2g \r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE6\r\nMime-Version: 1.0\r\nDate: Mon, 18 Oct 2004 03:13:20 GMT\r\nContent-Type: text/html\r\nContent-Length: 1320\r\nExpires: Mon, 18 Oct 2004 03:13:20 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: Basic realm="Pandora Squid Test Proxy blah blah blah"\r\nProxy-Authenticate: NTLM\r\n\r]

The dummy username used was "restricted" and the password was "password". This user worked with basic auth after the NTLM auth failed.

Hope this helps.

L8r.

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, 15 October 2004 6:47 PM
To: Hal Douglas
Cc: Squid Users
Subject: Re: [squid-users] NTLM Auth Problem.

On Fri, 15 Oct 2004, Hal Douglas wrote:

> I need some help sorting out a problem I've got with ntlm_auth using
> squid and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7.

Make sure to use the ntlm_auth from Samba, not the one from Squid. But I think you have done this already.

> # wbinfo -t
> checking the trust secret via RPC calls succeeded

Good.

> # wbinfo -a username%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

Good.

> However, if I do as per the docs I'm following:
>
> # wbinfo -a mydomain\\username%password
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username with challenge/response

This is somewhat winbind version specific and may also be dependent on your smb.conf settings for the domain separator. But as the test above succeeded this is not critical.

> But, doing:
>
> # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+username password
> OK

Good.

> So, does anyone know what I've done wrong here, if anything? It seems
> to me that it SHOULD be working, unless I've got something wrong in
> the squid or samba .conf files. I won't post those, because this email
> is long enough already, but I'll provide links to them.

Are you using NTLM or Basic authentication?

Please enable log_mime_hdrs, then test with a dummy account and post the result here, including the supposed account name and password.

Also post any cache.log messages if there are any with the default log levels.

Regards
Henrik
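
An added example, not part of the original messages: a small parser for an access.log line written with log_mime_hdrs enabled, like the one posted above, that reports which Proxy-Authenticate schemes Squid offered and which scheme, if any, the client sent in Proxy-Authorization. The sample lines, the function names and the placeholder tokens are constructed for illustration.

```python
import re

# Constructed samples in the shape of the log_mime_hdrs line posted above.
# Squid writes the header separators as the literal characters \r\n.
SAMPLE_407 = (
    r'1098069200.802 1 10.0.1.8 TCP_DENIED/407 1747 GET http://www.example.com/ '
    r'- NONE/- text/html [Accept: */*\r\nHost: www.example.com\r\n'
    r'Proxy-Connection: Keep-Alive\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\n'
    r'Proxy-Authenticate: Basic realm="test proxy"\r\nProxy-Authenticate: NTLM\r\n\r]'
)
SAMPLE_RETRY = (
    r'1098069200.950 2 10.0.1.8 TCP_DENIED/407 1800 GET http://www.example.com/ '
    r'- NONE/- text/html [Host: www.example.com\r\n'
    r'Proxy-Authorization: NTLM PLACEHOLDER_TOKEN\r\n] '
    r'[HTTP/1.0 407 Proxy Authentication Required\r\n'
    r'Proxy-Authenticate: NTLM PLACEHOLDER_CHALLENGE\r\n\r]'
)

# Native log fields, then "[request headers] [reply headers]".
LINE_RE = re.compile(r'^(?P<fields>.*?) \[(?P<req>.*)\] \[(?P<rep>.*)\]\s*$')

def parse_headers(raw):
    """Return (lowercased name, value) pairs from an escaped header dump."""
    pairs = []
    for item in raw.split(r'\r\n'):
        name, sep, value = item.partition(':')
        if sep and ' ' not in name:  # skips the status line and trailing debris
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def summarize(line):
    """Extract client, result code and the auth schemes seen in one log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a log_mime_hdrs access.log line")
    fields = m.group('fields').split()
    req = parse_headers(m.group('req'))
    rep = parse_headers(m.group('rep'))
    offered = [v.split()[0] for n, v in rep if n == 'proxy-authenticate' and v]
    sent = [v.split()[0] for n, v in req if n == 'proxy-authorization' and v]
    return {
        'client': fields[2],            # third native field: client address
        'result': fields[3],            # fourth native field: code/status
        'offered': offered,             # schemes in the order Squid listed them
        'sent': sent[0] if sent else None,
    }

if __name__ == '__main__':
    for sample in (SAMPLE_407, SAMPLE_RETRY):
        print(summarize(sample))
```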
