Yes, thanks Patricio, we sure did join the machine to the domain. It appears in the AD, and everything! :)
-----Original Message-----
From: Patricio Bruna V. [mailto:[EMAIL PROTECTED]
Sent: Friday, 15 October 2004 12:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [squid-users] NTLM Auth Problem.

On Fri, 15-10-2004 at 11:26 +1100, Hal Douglas wrote:
> Hi all.
>
> I need some help sorting out a problem I've got with ntlm_auth using
> squid and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7.
>
> I've set up squid and samba from source, and configured them, all
> according to the documentation found here:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> I'm sure I've done everything right, according to the docco, but when
> the user requests a site, the challenge/response auth fails, and the
> user is prompted for a username and password (using basic auth as a
> fallback), which succeeds.
>
> I've done a lot of troubleshooting, and tried a lot of things to get
> this working. I'm running on Debian 3.0r2, but I had much the same
> problem on FC2. Everything during setup seemed to work. The following
> gives the result:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> # wbinfo -a username%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> However, if I do as per the docs I'm following:
>
> # wbinfo -a mydomain\\username%password
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username with challenge/response
>
> But, doing:
>
> # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+username password
> OK
>
> Seems to be working there, but the browser still doesn't authenticate.
> With the debugging turned on, I get this in the cache log:
>
> 2004/10/14 16:15:59| aclMatchAclList: checking AuthorizedUsers
> 2004/10/14 16:15:59| aclMatchAcl: checking 'acl AuthorizedUsers proxy_auth REQUIRED'
> 2004/10/14 16:15:59| authenticateValidateUser: Auth_user_request was NULL!
> 2004/10/14 16:15:59| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
> 2004/10/14 16:15:59| aclMatchAcl: returning 0 sending authentication challenge.
> 2004/10/14 16:15:59| aclMatchAclList: no match, returning 0
> 2004/10/14 16:15:59| aclCheck: match found, returning 2
> 2004/10/14 16:15:59| cbdataUnlock: 0x81eadf8
> 2004/10/14 16:15:59| aclCheckCallback: answer=2
> 2004/10/14 16:15:59| cbdataValid: 0x83d7430
> 2004/10/14 16:15:59| The request GET http://slashdot.org/ is DENIED, because it matched 'AuthorizedUsers'
>
> Searching around for that error I found that someone had suggested
> this was due to squid not being able to access winbind's privileged
> pipe, however, squid runs as the user and group "squid", and these are
> the perms on the directory in question:
>
> drwxr-s--- 2 root squid 4096 Oct 14 15:09 /usr/local/samba/var/locks/winbindd_privileged
>
> Seems okay to me, and consistent with the info on giving squid access
> to winbind's privileged pipe in the squid FAQ mentioned above.
>
> So, does anyone know what I've done wrong here, if anything? It seems
> to me that it SHOULD be working, unless I've got something wrong in
> the squid or samba .conf files. I won't post those, because this email
> is long enough already, but I'll provide links to them.
>
> Squid.conf:
>
> http://users.bigpond.com/xdouglas/stuff/4work/squid.conf
>
> Smb.conf:
>
> http://users.bigpond.com/xdouglas/stuff/4work/smb.conf
>
> Any help with this problem would be greatly appreciated.
>
> Thanks.
>

Did you join your machine to the domain?
