Problems with squid, ntlm auth and a win2k PDC

 
 
Covarde Anonimo
      10-30-2003, 02:58 PM
Hi ppl,

I need to set up a squid 2.5 with ntlm auth so Windows XP users already
logged in the win2k PDC are automatically authenticated without a
user/passwd dialog box.

The proxy is a manually built squid 2.5STABLE4 running in a Debian woody
box. Everything else in the box is from woody.

squid was built with the following options:

../configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/spool/squid \
--enable-gnuregex --enable-icmp --enable-useragent-log \
--enable-referer-log \
--enable-htcp --enable-ssl --with-openssl \
--enable-default-err-language=Portuguese --enable-ipf-transparent \
--enable-pf-transparent --enable-linux-netfilter \
--enable-auth="basic digest ntlm" \
--enable-basic-auth-helpers="LDAP MSNT NCSA PAM SASL SMB YP multi-domain-NTLM" \
--enable-ntlm-auth-helpers="SMB fakeauth no_check winbind" \
--enable-digest-auth-helpers=password --enable-ntlm-fail-open \
--enable-external-acl-helpers="ip_user unix_group winbind_group ldap_group wbinfo_group"

The domain on the PDC is adm.com and the controller's name is
servidor_adm.

The 2 authentication helpers that work in this setup are smb_auth and
msnt_auth, but they only work for basic auth. When "auth_param ntlm"
is configured in squid, the client's browser (ie6) fails to
authenticate, even with "auth_param ntlm program
/usr/libexec/msnt_auth" or "auth_param ntlm program
/usr/libexec/msnt_auth -W adm -U 192.168.0.225" in squid.conf.

My guess (a wild guess, let me add) is that this is caused by the dot
in the domain name.

I tried running all the authentication helpers from the command line, and the
results are:

# ./ntlm_auth -d adm.com\\servidor_adm
ntlm-auth[10227](ntlm_auth.c:187): Adding domain-controller adm.com\servidor_adm
ntlm-auth[10227](ntlm_auth.c:460): options processed OK
user passwd
ntlm-auth[10227](ntlm_auth.c:284): managing request
ntlm-auth[10227](ntlm_auth.c:290): ntlm authenticator. Got 'user passwd' from Squid
ntlm-auth[10227](ntlm_auth.c:440): sending 'BH Helper detected protocol error' to squid
BH Helper detected protocol error

Same result when I use only "adm" as domain.

This is the debug from smb_auth, just in case:

# ./smb_auth -d -W adm -U 192.168.0.225
user passwd
Domain name: adm
Pass-through authentication: no
Query address options: -U 192.168.0.225 -R
Domain controller IP address: 192.168.0.225
Domain controller NETBIOS name: SERVER_ADM
Contents of //SERVER_ADM/NETLOGON/proxyauth: allow


How can I have this setup working? Should I use winbind instead? I
never used winbind and I have no idea how to set it up, but I'm
willing to try.

TIA

Bento
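
Added example, not part of the original post: a Python sketch that classifies a line typed at a helper's stdin as basic-helper input or NTLM-helper input, the distinction behind the "user passwd" test and the BH reply shown above. The YR/KK/TT/AF/NA keywords are the Squid 2.5 helper conventions as assumed here; the function names and sample blobs are constructed for illustration.

```python
import base64
import struct

# Assumed Squid 2.5 helper conventions (not taken from the post):
#   basic helper: reads "user password", answers OK / ERR
#   NTLM helper:  reads "YR" or "KK <base64 NTLMSSP>", answers TT / AF / NA / BH
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def sample_blob(msg_type):
    """Constructed, minimal NTLMSSP header (signature + type + padding), base64-encoded."""
    return base64.b64encode(NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 8).decode()

def ntlm_message_type(b64_blob):
    """Return the NTLMSSP message type name, or None if the blob is not NTLMSSP."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return NTLM_TYPES.get(msg_type)

def classify_helper_line(line):
    """Return (protocol the line belongs to, reply an NTLM helper would give)."""
    parts = line.rstrip("\r\n").split(" ")
    if parts[0] == "YR" and len(parts) <= 2:
        # Challenge request; an optional blob must be a negotiate message.
        if len(parts) == 1 or ntlm_message_type(parts[1]) == "negotiate":
            return ("ntlm", "TT <base64 challenge>")
        return ("invalid", "BH")
    if parts[0] == "KK" and len(parts) == 2:
        # The client's response; must be an authenticate message.
        if ntlm_message_type(parts[1]) == "authenticate":
            return ("ntlm", "AF <user> or NA <reason>")
        return ("invalid", "BH")
    if len(parts) == 2 and all(parts):
        return ("basic", "BH")  # "user password" is basic-helper input
    return ("invalid", "BH")

if __name__ == "__main__":
    for line in ["user passwd", "YR", "KK " + sample_blob(3), "KK " + sample_blob(1)]:
        print(repr(line[:24]), "->", classify_helper_line(line))
```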
 