Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 09-29-2008, 04:00 AM   #1
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Rep: Reputation: 37
Prompts password for squid using NTLM

Hi all,

I have setup a squid server with ntlm and dansguardian to track users via their AD username. I can now have AD username in both squid and DG access log. But the problem is sometimes all of a sudden it asks for users AD credentials. Upon giving it works fine again but cancelled then gives this below message which is logical:
PHP Code:
Cache Access Denied
trying to retrieve the URL 

The following error was encountered

Cache Access Denied

Sorryyou are not currently allowed to request from this cache until you have authenticated yourself. 

You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to workPlease contact the cache administrator if you have difficulties authenticating yourself or change your default password


Generated Mon29 Sep 2008 03:47:31 GMT by PROXY (squid/2.5.STABLE6
Currently using IE7.

Below is the settings that I did in squid.conf for NTLM

PHP Code:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 hour
auth_param ntlm use_ntlm_negotiate on
auth_param basic program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl manager proto cache_object
acl authenticated_users proxy_auth REQUIRED
acl localhost src
acl to_localhost dst

#Recommended minimum configuration:
# Only allow cachemgr access from localhost

##http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
#http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated_users 
Now when the login prompt comes it gives these meessages in /var/log/squid/cache.log
PHP Code:
[2008/09/29 13:38:373libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[testuserdomain=[XYZworkstation=[PC21len1=24 len2=24
[2008/09/29 13:39:113utils/ntlm_auth.c:winbind_pw_check(427)
Login for user [XYZ]\[testuser]@[PC21failed due to [Reading winbind reply failed!]
2008/09/29 13:39:11The request GET,78 is DENIED, because it matched 'authenticated_users'
[2008/09/29 13:39:123utils/ntlm_auth.c:winbind_pw_check(427)
Login for user [XYZ]\[testuser]@[PC21failed due to [Reading winbind reply failed!] 
Any idea how to stop this password prompt.
Thanks in advance.
Old 10-28-2008, 11:32 PM   #2
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Rep: Reputation: 37
Hi all,
Me again. After lots of searching I found this problem a very popular one but no one gave a clear answer of resolving it. At least I didn't found any.
NoW I am compiling samba and squid from source. And after compiling samba it's not letting me start the winbind service.

Here is the compile options:

./configure --with-ads --with-winbind --with-winbind-auth-challenge --prefix=/usr/local/samba --with-lockdir=/var/cache/samba --with-piddir=/var/run --with-privatedir=/etc/samba --with-logfilebase=/var/log/samba --with-coonfigdir=/etc/samba

After compiling I can start smbd,nmbd but not winbindd.

In log file it gives these messages
PHP Code:
[2008/10/29 10:32:01,  0winbindd/winbindd.c:main(1127)
winbindd version 3.2.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/10/29 10:32:01,  2lib/tallocmsg.c:register_msg_pool_usage(106)
[2008/10/29 10:32:01,  2lib/dmallocmsg.c:register_dmalloc_msgs(77)
Old 06-24-2013, 12:34 AM   #3
LQ Newbie
Registered: Oct 2011
Location: Shanghai
Posts: 4

Rep: Reputation: Disabled
I have the same issue, didn't find a solution.

Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

I installed samba from here
I know RHEL4 is too old now, I am testing squid with a third party web filter product, that product supports old squid version only.

I read this wiki page
wbinfo worked as expected, and I also could test the helpers by this command
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

everything seems work well, but client browser couldn't authenticate by NTLM, but it works when we use basic only.
Old 06-24-2013, 01:36 AM   #4
LQ Newbie
Registered: Oct 2011
Location: Shanghai
Posts: 4

Rep: Reputation: Disabled
I fixed my issue.

# chown root:squid /var/lib/samba/winbindd_privileged

the key point is that samba changed the path of winbind pipe file.

The original path:

new path:

I always checked the old path, just notice the new path, it took me several hours to diagnose this. Maybe I should enable some debug option of winbind or samba package.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
SQUID NTLM Authentication keeps asking for a username and password rowellb Linux - Networking 15 09-22-2009 11:11 AM
(Samba 3.0.20) Vista prompts for username, XP prompts just for password Noffie Linux - Server 2 07-21-2008 10:26 AM
passwd prompts for new password only once when a short password is entered powah Linux - Security 0 09-19-2007 04:20 PM
Squid NTLM paul_mat Linux - Networking 2 09-15-2005 07:25 PM
IE password not saved for web site - NTLM/Squid?? percheron Linux - Networking 0 12-07-2003 11:16 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 12:32 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration