Squid and NTLM Authentication

codedv · 12-27-2004, 02:02 PM

Hi, this is my current set up. I have a SAMBA PDC and on the same machine running as a PDC I have squid installed. I would like to configure squid to use NTLM authentication against the Samba PDC.

The resources I've found on the Internet so far have been very confusing and I fail to understand how to set this up properly. From what I have gathered so far I need to compile smaba with Winbind and squid agains the samba sources:

Code:

Samba
#./configure --with-winbind --with-winbind-auth-challenge --with-automount --with-acl-support

Squid
# ./configure  --enable-gnuregex --enable-useragent-log --enable-arp-acl --enable-ssl --with-openssl=/usr/local/ssl \
--enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --enable-auth="basic ntlm" \
--enable-basic-auth-helpers="PAM SMB" --enable-ntlm-auth-helpers=SMB --enable-ntlm-fail-open \
--with-samba-sources=/usr/local/src/samba-3.0.7

The installation and compliation was successful and I edited my squid.conf file to contain the following lines:

Code:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debugleve
l=0
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

However, it just repeatedly asks me for my authentication details. I started winbindd, but as I am unsure as to how this all works, it makes it extremely diffcult trying to findthe problem. Can anyone offer me some insight here?

codedv · 05-12-2005, 05:25 PM

Nearly 6 months on and I have still made no progress on this issue. Is there anyone out there with a similar configuaration?

All I need is to authenticate squid against my Samba PDC using NTLM, I just seem to be running into one problem after another though.

win32sux · 05-29-2005, 12:36 AM

still no luck?? please post some links to the documentation you've been using...

codedv · 05-29-2005, 04:52 PM

Still no luck

I think there is something I am not understanding. Maybe it is because I want to authenticate against a domain with a samba PDC. I have been following this tutorial: http://www1.fr.squid-cache.org/Doc/FAQ/FAQ-23.html. All is fine up until the point I try and get windbind working, this is when I begin to get errors:

Code:

[root@delves-s samba]# # join domain
[root@delves-s samba]# net rpc join -U Administrator
Password:
Joined domain DELVES.

[root@delves-s samba]# # check secret
[root@delves-s samba]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root@delves-s samba]# wbinfo -D delves
Name              : DELVES
Alt_Name          :
SID               : S-1-5-21-752677008-808481252-3068482387
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1

[root@delves-s samba]# wbinfo -u
Error looking up domain users

[root@delves-s samba]# wbinfo -g
BUILTIN+system operators
BUILTIN+replicators
BUILTIN+guests
BUILTIN+power users
BUILTIN+print operators
BUILTIN+administrators
BUILTIN+account operators
BUILTIN+backup operators
BUILTIN+users

[root@delves-s samba]# wbinfo -a delves\\adam+password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user delves\adam+password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user delves\adam+password with challenge/response

Wbinfo doesn't appear to see my domain as a trusted domain but I don't know why.

I know now this isn't a distribution or version specific issue becuase I have tried this with various versions of Samba and squid and on both Debian and Fedora 3 with identicle results.

Any help would be appreciated because I am banging my head against a brick wall.

Decor_kev · 12-02-2005, 04:34 PM

Suffering from the same dilema. Any solutions?

moleno · 07-16-2006, 03:46 AM

check this ... i hope it will be enough

http://www.linuxquestions.org/questi...ight=ntlm_auth