[squid-users] Problems with Squid 3 Authentication on Samba 4

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 2 01:02:06 UTC 2015

On 2/08/2015 11:57 a.m., Marcio Demetrio Bacci wrote:
> Hi,
> I'm trying to authenticate squid3 in Samba4. The Samba 4
> authentication part is OK, because with the commands wbinfo -i, getent passwd,
> klist, kinit all is right and I get the expected results. Also, on the
> command line I can authenticate users (/usr/bin/ntlm_auth
> --username=DomainUser); however, when using Squid it does not work.

That shows the helper is able to contact AD fine to do lookups in Basic
auth format. What it fails to tell is:

a) whether the browser is trying to use NTLM, Basic or both
b) whether the NTLM token assignment from AD to browser is working
c) whether the browser supports NTLM
d) whether the OS the browser is running on is NTLM-enabled
e) which of NTLM v1 or v2 the OS the browser runs on supports
f) whether the OS the browser is running on is attached to the domain

Start by using the ntlm_auth helper's debug option, to see if there is
anything useful there.

Then move on to get debug out of Squid. Configure "debug_options ALL,1
11,2 29,9 84,6" in squid.conf to get a copy of the HTTP messages and the
auth helper activity in cache.log.

With that you can see the answer to (a), and the tokens that are being
passed around can be pasted into the command line for manual testing of the
helper with the same parameters Squid is using.

> I have already followed several tutorials, including ones to authenticate to AD,
> as Samba 4 is fully compatible with AD. Nothing works.
> My configuration file (squid.conf) follows:

Looks okay to me. Though it does contain this oddity:

  auth_param ntlm children 30
  auth_param ntlm children 5

I suspect you meant the second one to be for basic auth.

You should also try using the hacky:

  auth_param ntlm keep_alive off

(required by older MSIE, some Firefox, and most Safari versions).

> I found that in the Squid folder there is this file that I do not know:
> msntauth.conf, with the following contents:

msntauth.conf is the config file for the basic_msnt_auth helper.

> I'm using Debian 8 and Samba 4.1.17.
> Does anybody have an idea?

I suspect the browser<->Squid interaction is not doing what you think it
is. The above debugging will give you a better idea what's going on.
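
The following is an added example, not part of the original message or of Squid: a sketch of reading the Proxy-Authenticate / Proxy-Authorization headers out of the cache.log HTTP dumps to answer (a) and (e). It assumes the headers appear at the start of a line; the function names and the sample log are constructed for illustration, and field offsets follow MS-NLMP.

```python
import base64
import re
import struct

# Assumption: a small subset of NegotiateFlags bits, as named in MS-NLMP.
FLAGS = {0x1: "UNICODE", 0x200: "NTLM", 0x80000: "EXTENDED_SESSIONSECURITY"}
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}   # NegotiateFlags offset per message type
HEADER = re.compile(
    r"^(Proxy-Authorization|Proxy-Authenticate):[ \t]*(\w+)(?:[ \t]+(\S+))?",
    re.I | re.M)

def decode_ntlm(token_b64):
    """Decode a base64 NTLMSSP token into a dict, or None if it is not NTLM."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None                      # e.g. a Kerberos/SPNEGO blob
    info = {"type": struct.unpack_from("<I", raw, 8)[0], "flags": []}
    off = FLAG_OFFSET.get(info["type"])
    if off is not None and len(raw) >= off + 4:
        flags = struct.unpack_from("<I", raw, off)[0]
        info["flags"] = [n for bit, n in FLAGS.items() if flags & bit]
    if info["type"] == 3 and len(raw) >= 22:
        # NtChallengeResponse length: 24 bytes = NTLMv1 family, longer = NTLMv2.
        nt_len = struct.unpack_from("<H", raw, 20)[0]
        info["response"] = "NTLMv1" if nt_len == 24 else "NTLMv2" if nt_len > 24 else "none"
    return info

def summarize(log_text):
    """Return (header, scheme, decoded); Basic credentials are never decoded."""
    return [(h, s, decode_ntlm(t) if s.lower() in ("ntlm", "negotiate") else None)
            for h, s, t in HEADER.findall(log_text)]

def sample_log():
    """Constructed cache.log excerpt; tokens are synthetic, not captured."""
    t1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x80201) + bytes(16)
    t3 = (b"NTLMSSP\x00" + struct.pack("<I", 3) + struct.pack("<HHI", 24, 24, 64)
          + struct.pack("<HHI", 90, 90, 88) + bytes(32) + struct.pack("<I", 0x80201))
    b64 = lambda b: base64.b64encode(b).decode()
    return ("Proxy-Authenticate: NTLM\nProxy-Authenticate: Basic realm=\"proxy\"\n"
            f"Proxy-Authorization: NTLM {b64(t1)}\n"
            f"Proxy-Authorization: NTLM {b64(t3)}\n")

if __name__ == "__main__":
    for row in summarize(sample_log()):
        print(row)
```

A log that shows only type 1 tokens from the browser and never a type 3 means the handshake is stalling before authentication completes.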

