<html><body><div>I found one more thing in the cache.log:</div>
<div>Got user=[user1] domain=[DOM1] workstation=[machine1] len1=24 len2=334<br>
Login for user [DOM1\[user1]@[machine1 failed due to [Reading winbind reply failed!]<br>
ntlmssp_server_auth_send: Checking NTLMSSP password for DOM1\user1 failed: NT_STATUS_UNSUCCESSFUL<br>
gensec_update_done: ntlmssp[0x55713e452900]: NT_STATUS_UNSUCCESSFUL<br>
GENSEC login failed: NT_STATUS_UNSUCCESSFUL</div>
<div><br></div>
<div>Why did it fail?</div>
<div>/var/lib/samba:<br></div>
<div>drwxr-x--- 2 root winbindd_priv 4096 Jul 23 18:09 winbindd_privileged</div>
<div>/var/run/samba:</div>
<div>drwxr-xr-x 2 root root 60 Jul 23 18:09 winbindd</div>
<div><br></div>
<div>If I chmod it to anything other than expected, winbindd fails to start, complaining about an unexpected dir mode.</div>
<div>The dir modes remain the same as "defined" in the Debian package.</div>
<div>ntlm_auth --username=user1 run as a regular user results in: "NT_STATUS_OK: The operation completed successfully. (0x0)"</div>
<div>It should fail if it is not allowed to read from winbind, I suppose.</div>
<div><br></div>
<div>Thanks.</div>
<div>Zb</div>
<div><br></div>
<aside>
---------- Original e-mail ----------<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: squid-users@lists.squid-cache.org<br>
Date: 23 July 2019 11:03:37<br>
Subject: Re: [squid-users] squid 4 fails to authenticate using NTLM
</aside><br><blockquote data-email="squid3@treenet.co.nz">On 23/07/19 7:53 am, zby wrote:<br>
> My problem: my browser keeps on prompting for authentication.<br>
> Facts:<br>
> <br>
> Debian 10 x86_64<br>
> squid-4.6 + samba-4.9<br>
> joined AD using "net ads join -U ...". OK.<br>
> wbinfo -t : OK<br>
> wbinfo -P or -p : OK<br>
> wbinfo -i userXYZ : returns data (OK)<br>
> wbinfo -g (well, fails to "deliver", too many users?)<br>
> smbclient -U userXYZ //host/share : works, logs me in<br>
<br>
This is irrelevant to Squid. It only shows that the user account has<br>
filesystem access privileges. Nothing about web access privileges, or<br>
whether the *Squid* user account has access to authenticate user logins.<br>
<br>
<br>
> <br>
> wbinfo -a domain\\user%pass:<br>
> plaintext password authentication succeeded<br>
<br>
 "plaintext" means Basic authentication.<br>
<br>
> challenge/response password authentication failed<br>
> <br>
<br>
Challenge/Response could mean anything auth-related.<br>
<br>
<br>
> sqadmin@host13:~$ ntlm_auth --helper-protocol=squid-2.5-ntlmssp<br>
> --domain=ad001<br>
> userw01 Passwd001<br>
> SPNEGO request [userw01 Passwd001] invalid prefix<br>
> BH SPNEGO request invalid prefix<br>
> <br>
<br>
"userw01 Passwd001" is not a SPNEGO token.<br>
<br>
see<br>
<https://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme><br>
<br>
Pass the helper the "KK" request command and the token you see in the<br>
HTTP headers. For example:<br>
<br>
KK TlRMTVNTUAADAAAAGAAYAIwAAABOAU4BpAAAAAoACgBYAAAAEAAQAGIAAAAa...<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
http://lists.squid-cache.org/listinfo/squid-users<br>
</blockquote></body></html>