Ahhh evil. I forgot to mention that I managed to get the NTLM working on a mock domain I have set up at home with no problems. But when I try and set it up on the school domain, with a few tweaks on the .conf files, I get a login box to the squid box I just set up via IE7. Kinda defeats the object of NTLM authentication methinks.
I'm probably clutching at straws but maybe it has something to do with the default domain policy in Active Directory?
My domain Kerberos policy:
Account Policies/Kerberos Policy
Enforce user logon restrictions: Enabled
Maximum lifetime for service ticket: 600 minutes
Maximum lifetime for user ticket: 10 hours
Maximum lifetime for user ticket renewal: 7 days
Maximum tolerance for computer clock synchronization: 5 minutes
NTP is set up correctly so it can't be the clock sync.
I haven't got any Dansguardian or similar stuff installed yet. Just want to make sure that no login boxes come up.
Thanks again guys :)
Ahhh I found this in the cache.log
Login for user [AYLSHAMHIGH]\[chillebrandt]@[ICT-003] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.]
[2008/10/23 12:36:22, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
This could be the reason why it's being a pain. Would I somehow need to add all the users to the squid group or something?
Do you know of a version of ident for Windows 2003 which works correctly with terminal server? The version I have been using, since Windows 95, has a nasty habit of thinking everyone is the first user to log in.
Originally Posted by torry_loon
Originally Posted by Cragzman
Check your squid.conf, find the cache effective user. Write the user down.
It should list root root on the pipe.
ls -al /var/run/samba/winbindd_privileged
Would be easier to modify the winbind startup script, and force the change of user, otherwise every reboot, you need to re-chown.
chown root:proxy /var/run/samba/winbindd_privileged/
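
A read-only check for the condition behind the cache.log error above, as an added example that is not part of any post in this thread: it reads cache_effective_user from squid.conf and verifies that this user belongs to the group owning winbindd_privileged, that the group has r-x on the directory, and that "other" has no access. The function names, return codes and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).
# It only reads state; it never changes ownership or modes.

# First cache_effective_user value in a squid.conf (comment lines never match $1).
squid_effective_user() {
    awk '$1 == "cache_effective_user" { print $2; exit }' "$1"
}

# check_winbindd_priv SQUID_CONF PRIV_DIR
# 0 = OK, 1 = Squid user not in the directory's group,
# 2 = group lacks r-x, 3 = directory open to "other", 4 = cannot check.
check_winbindd_priv() {
    conf=$1 dir=$2
    user=$(squid_effective_user "$conf")
    [ -n "$user" ] || { echo "no cache_effective_user in $conf"; return 4; }
    [ -d "$dir" ] || { echo "$dir not found"; return 4; }
    user_groups=$(id -Gn "$user" 2>/dev/null) || { echo "unknown user $user"; return 4; }

    dir_group=$(stat -c %G "$dir")
    mode=000$(stat -c %a "$dir")      # pad so the digit slicing below always works
    other=${mode#"${mode%?}"}         # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}         # second-to-last octal digit

    # Intentionally unquoted: one group name per output line.
    if ! printf '%s\n' $user_groups | grep -qxF -- "$dir_group"; then
        echo "$user is not in group $dir_group: ntlm_auth run by Squid cannot reach the pipe"
        return 1
    fi
    if [ $(( group & 5 )) -ne 5 ]; then
        echo "group $dir_group lacks r-x on $dir (mode $mode)"
        return 2
    fi
    if [ "$other" -ne 0 ]; then
        echo "$dir is accessible to every local user (mode $mode)"
        return 3
    fi
    echo "OK: $user can reach $dir through group $dir_group"
    return 0
}

# Usage on a real proxy (paths as given in the thread and the Squid default config path):
#   check_winbindd_priv /etc/squid/squid.conf /var/run/samba/winbindd_privileged
```

A result of 1 corresponds to the NT_STATUS_ACCESS_DENIED line in the log; the fix is to the directory's group, not to the membership of the domain users.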