ntlm_auth

[ahuxham]

Hi All,

Its me again.... Anyhow, I seem to have a seriously frustrating problem at present. Having had to rebuild my squid box back up after pam.d corruption fried local login access, I can't seem to get ntlm_auth too work.

ntlm_auth is working regards talking to the domain.

WBINFO -T - Working
WBINFO -G - Working
WBINFO -U - Working
WBINFO -A XXX\username%password - Working
/usr/bin/ntlm_auth --username=username%password - Working
/var/run/samba/winbindd_privelleged/ - Proxy has permissions
/etc/squid/squid.conf - Cache effective user = Proxy

All seems working, krb5.conf all setup, smb.conf all setup, nsswitch permissions are "files winbind lwidentity" all the above lead me to believe its all running perfectly fine, however running the following nothing happens

Code:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Returns nothing at all, adding the authenictation methods withing squid and it just sits there trying to load the page, but doesnt...

What could be wrong?

[Geoff]

Have you tried running the ntlm_auth manually to test that? eg

Code:

root@titan:~# ntlm_auth --username=Administrator --domain=DOMAIN --password=password
NT_STATUS_OK: Success (0x0)

[ahuxham]

Have you tried running the ntlm_auth manually to test that? eg

Code:

root@titan:~# ntlm_auth --username=Administrator --domain=DOMAIN --password=password
NT_STATUS_OK: Success (0x0)

Hi Geoff,

Tried the above and got the following: NT_STATUS_OK: Success (0x0)

Is there any other way I can diagnose this problem? I seem to be efficiently connected to the domain, authentication, lookups etc all seem to work effortlessly until I try ntlm_auth within squid.

[Geoff]

You will have to enable debugging within squid.

[ahuxham]

You will have to enable debugging within squid.

Fun fun fun.... indeed, I will have too, to diagnose the problem further.

However,

Code:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

at the terminal has no direct interfaction with squid, or am I mistaken?

[Geoff]

you can't run ntlm_auth with the helper protocol option at the command line. As you are not squid.

[ahuxham]

you can't run ntlm_auth with the helper protocol option at the command line. As you are not squid.

I was only following what a few websites suggested doing, from their outputs, its actually prompted withing terminal for username and password.

However you are correct and the problem is now resolved.

Want to know how?

Safari.. I forgot it doesnt support either ntlmssp or basic helper protocols and just stalls its self all day long.

Internet Explorer works perfectly, and squidview is showing all user traffic per name now.

Firefox works as well, however would be nice to fix safari.

Internet Explorer and Vista didn't work till I found a registry fix for it, should try that and hope Safari will actually play nice.

HKLM> SYSTEM> CURRENTCONTROLSET> CONTROL> LSA> lmcomptatibiltylevel from [3 to 1] (Well thats the Vista fix for authentication anyhow!)

[HodgeHi]

I thought Safari NTLM auth was fixed in 3.1.1?
3.1.2 for Windows is out now though.

I have a NTLM auth (using NTLM authentication option) problem when trying to authenticate against our School Guardian. It doesn't seem to work. Keeps requesting username and passwd. I changed the authentication type over to NTLM ident which seems to work OK.

[ahuxham]

I thought Safari NTLM auth was fixed in 3.1.1?
3.1.2 for Windows is out now though.

I have a NTLM auth (using NTLM authentication option) problem when trying to authenticate against our School Guardian. It doesn't seem to work. Keeps requesting username and passwd. I changed the authentication type over to NTLM ident which seems to work OK.

3.1.1 Sure, but thats an upgrade, specifically on the debian path to an unstable proxy which is annoying, however with time, and code testing it will become stable and user friendly.

I have tried 3.x.x, and to be honest the delay_pools loving is something to be desired, at present, we have our blacklists and whitelists, both staff and students go through the machine, therefore to cause them annoyance we have every kind of messenger on a 256kb/s delay pool, which in turn speeds everything else up for everyone else, than again, youtube and facebook are AGGRESSIVELY cached via ACL's to minimize load on our end as well.

Regards, NTLM: Just have a search for that registry key, and note the DWORD value, you'll be surprised how something so simple can cause you heartache.

Should be DWORD:1 however its often DWORD:3 or 0, reboot and NTLM seems to work in what MS say "Negotiation Compatibilty Mode"