  1. #1
    ahuxham

    ntlm_auth

    Hi All,

    It's me again... Anyhow, I seem to have a seriously frustrating problem at present. Having had to rebuild my squid box back up after pam.d corruption fried local login access, I can't seem to get ntlm_auth to work.

    ntlm_auth is working regards talking to the domain.

    wbinfo -t - Working
    wbinfo -g - Working
    wbinfo -u - Working
    wbinfo -a XXX\username%password - Working
    /usr/bin/ntlm_auth --username=username%password - Working
    /var/run/samba/winbindd_privileged/ - Proxy has permissions
    /etc/squid/squid.conf - Cache effective user = Proxy

    All seems working, krb5.conf all set up, smb.conf all set up, nsswitch permissions are "files winbind lwidentity". All the above lead me to believe it's all running perfectly fine, however running the following, nothing happens:

    Code:
    /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    Returns nothing at all; adding the authentication methods within squid, it just sits there trying to load the page, but doesn't...

    What could be wrong?

  2. #2

    Geoff
    Have you tried running the ntlm_auth manually to test that? eg

    Code:
    root@titan:~# ntlm_auth --username=Administrator --domain=DOMAIN --password=password
    NT_STATUS_OK: Success (0x0)

  3. Thanks to Geoff from:

    joe90bass (9th August 2010)

  4. #3
    ahuxham
    Quote: Originally posted by Geoff
    Have you tried running the ntlm_auth manually to test that? eg

    Code:
    root@titan:~# ntlm_auth --username=Administrator --domain=DOMAIN --password=password
    NT_STATUS_OK: Success (0x0)

    Hi Geoff,

    Tried the above and got the following: NT_STATUS_OK: Success (0x0)

    Is there any other way I can diagnose this problem? I seem to be efficiently connected to the domain, authentication, lookups etc all seem to work effortlessly until I try ntlm_auth within squid.

  5. #4

    Geoff
    You will have to enable debugging within squid.

  6. #5
    ahuxham
    Quote: Originally posted by Geoff
    You will have to enable debugging within squid.

    Fun fun fun... indeed, I will have to, to diagnose the problem further.

    However,
    Code:
    /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    at the terminal has no direct interaction with squid, or am I mistaken?

  7. #6

    Geoff
    You can't run ntlm_auth with the helper protocol option at the command line, as you are not squid.

  8. #7
    ahuxham
    Quote: Originally posted by Geoff
    you can't run ntlm_auth with the helper protocol option at the command line. As you are not squid.

    I was only following what a few websites suggested doing; from their outputs, it's actually prompted within terminal for username and password.

    However you are correct and the problem is now resolved.

    Want to know how?

    Safari... I forgot it doesn't support either ntlmssp or basic helper protocols and just stalls itself all day long.

    Internet Explorer works perfectly, and squidview is showing all user traffic per name now.

    Firefox works as well, however it would be nice to fix Safari.

    Internet Explorer and Vista didn't work till I found a registry fix for it, should try that and hope Safari will actually play nice.

    HKLM> SYSTEM> CURRENTCONTROLSET> CONTROL> LSA> lmcompatibilitylevel from [3 to 1] (Well, that's the Vista fix for authentication anyhow!)
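
Added example, not part of the thread and not Samba or Squid code: what `ntlm_auth --helper-protocol=squid-2.5-basic` waits for when started by hand, the question raised in posts #5 to #7. The helper prints no prompt; it reads one `username password` line on stdin and answers `OK` or `ERR`. The function names, the `alice` credentials and the stand-in helper are constructed for illustration.

```shell
#!/bin/sh
# Drive a Squid basic-auth helper by hand, the way Squid does.
# Protocol: one "username password" line in, one "OK" or "ERR" line out.

# Percent-escape '%' and ' ' so a space inside a credential cannot split the
# line (Squid escapes credentials before handing them to the helper).
# Only the two characters that would break the line format are handled here.
esc() { printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g'; }

# Build the request line for one username/password pair.
request_line() { printf '%s %s\n' "$(esc "$1")" "$(esc "$2")"; }

# Map the helper's first reply line to a diagnosis.
classify_reply() {
    case "$1" in
        OK*)  echo accepted ;;
        ERR*) echo rejected ;;
        "")   echo no-reply ;;      # helper hung or died without answering
        *)    echo unexpected ;;
    esac
}

# probe_helper SECONDS HELPER [ARGS...]
# Relays the request line on stdin to the helper and gives up after SECONDS,
# so a helper that never answers is reported instead of stalling the shell.
probe_helper() (
    secs=$1; shift
    reply=$(timeout "$secs" "$@" 2>/dev/null | head -n 1)
    classify_reply "$reply"
)

# Constructed stand-in for ntlm_auth so this runs offline; it accepts only the
# made-up pair alice / "s3cret pw". On the proxy, use instead:
#   probe_helper 5 /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
FAKE='while read -r u p; do [ "$u $p" = "alice s3cret%20pw" ] && echo OK || echo ERR; done'

request_line alice 's3cret pw' | probe_helper 5 sh -c "$FAKE"   # accepted
request_line alice 'wrong'     | probe_helper 5 sh -c "$FAKE"   # rejected
request_line alice 'x'         | probe_helper 1 sleep 5          # no-reply
```

Run against the real helper as the user Squid runs as, `accepted` means the Squid-to-winbind path is sound and the stall lies on the browser side, which is where this thread ended up.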

  9. #8

    I thought Safari NTLM auth was fixed in 3.1.1?
    3.1.2 for Windows is out now though.

    I have a NTLM auth (using NTLM authentication option) problem when trying to authenticate against our School Guardian. It doesn't seem to work. Keeps requesting username and passwd. I changed the authentication type over to NTLM ident which seems to work OK.

  10. #9
    ahuxham
    Quote: Originally posted by HodgeHi
    I thought Safari NTLM auth was fixed in 3.1.1?
    3.1.2 for Windows is out now though.

    I have a NTLM auth (using NTLM authentication option) problem when trying to authenticate against our School Guardian. It doesn't seem to work. Keeps requesting username and passwd. I changed the authentication type over to NTLM ident which seems to work OK.

    3.1.1 Sure, but that's an upgrade, specifically on the Debian path to an unstable proxy which is annoying, however with time, and code testing it will become stable and user friendly.

    I have tried 3.x.x, and to be honest the delay_pools loving is something to be desired, at present, we have our blacklists and whitelists, both staff and students go through the machine, therefore to cause them annoyance we have every kind of messenger on a 256kb/s delay pool, which in turn speeds everything else up for everyone else, then again, YouTube and Facebook are AGGRESSIVELY cached via ACLs to minimize load on our end as well.

    Regarding NTLM: Just have a search for that registry key, and note the DWORD value, you'll be surprised how something so simple can cause you heartache.

    Should be DWORD:1 however it's often DWORD:3 or 0, reboot and NTLM seems to work in what MS say "Negotiation Compatibility Mode"
