squid ntlm authentication problem ?

Web Server Talk > Web Servers reviews > Squid > squid ntlm authentication problem ?
Last Thread Next Thread Next
squid ntlm authentication problem ?
aries.ram@freenet.de
06-08-06 12:14 PM
Hi,

i have a problem with squid / samba ntlm authentication against a NT
domain. my server is a suse 9.1 with the following versions:

squid 2.5 /stable 9
samba 3.0.22

i configured winbind with this FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html

everything is fine. smbd, nmbd and winbindd are running.

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -g and -u lists the domainusers and groups

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

My squid.conf acl lines:

acl AuthorizedUsers proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl user src 192.168.0.65/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager user
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all


The problem is that no authentication window comes up if I start the IE
browser or firefox. The logfile fom squid shows the following entry
that means an authentication is required but it prompts not to enter
username and password??

*****************************

If the header is missing, Squid returns an HTTP reply with status 407
(Proxy Authentication Required). The user agent (browser) receives the
407 reply and then prompts the user to enter a name and password. The
name and password are encoded, and sent in the Authorization header for
subsequent requests to the proxy.

*****************************


1149758301.809     25 192.168.0.65 TCP_DENIED/407 1760 GET
http://www.google.de/ - NONE/- text/html
1149758301.814      1 192.168.0.65 TCP_DENIED/407 1868 GET
http://www.google.de/ - NONE/- text/html
1149758301.896     81 192.168.0.65 TCP_MISS/200 3065 GET
http://www.google.de/ MYDOMAIN+hofmann DIRECT/66.249.85.104 text/html

The faq said that error TCP_DENIED/407 means that a ntlm_athentication
is required, but I don't understand why I don't get a popup window to
enter the domain username and password to authenticate me against our
windows NT domain ?

Who can help ?

Thanks in advance
Frank
[ Post a follow-up to this message ]