Wednesday, January 19, 2011

Squid, NTLM, Windows 7 and IE8

I'm running Squid 2.7-stable4, Samba 3 and the Windows 7 RC with IE8.

I have NTLM authentication set up on my Squid proxy server and it works fine for every combination of browser and Windows (including IE8 on XP and Firefox on Win7), but it doesn't work (it keeps asking for authentication) for IE8 on Windows 7.

I can get it to work using the LmCompatibilityLevel registry hack, but I'd really prefer to get it working on the server.

Does anyone have any experience with this? Or know where to start looking? The samba logs don't reveal much.

EDIT: Here's what the wb-MYDOMAIN log says when I attempt to authenticate:

[2009/08/20 15:13:36, 4] nsswitch/winbindd_dual.c:fork_domain_child(1080)
  child daemon request 13
[2009/08/20 15:13:36, 10] nsswitch/winbindd_dual.c:child_process_request(478)
  process_request: request fn AUTH_CRAP
[2009/08/20 15:13:36, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 4127]: pam auth crap domain: MYDOMAIN user: MYUSER
[2009/08/20 15:13:36, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/282
[2009/08/20 15:13:36, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [MYDOMAIN]\[MYUSER] returned NT_STATUS_INVALID_PARAMETER (PAM: 4)
[2009/08/20 15:13:36, 10] nsswitch/winbindd_cache.c:cache_store_response(2267)
  Storing response for pid 4547, len 3240
  • You can't really do this in NTLM. You have to use Kerberos, as described at http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp.

    From Harley
  • Run local GP on W7 (I don't remember, but in 2000 and 2003 it is gpedit.msc). Look for local machine policy -> computer config -> windows setting -> local policies -> security option -> Network security: LAN Manager authentication level

    Set LM & NTLM - Use NTLMv2 session if negotiated

  • I used Squid on openSUSE 11.2 with NTLM authentication and it works, but I can't authenticate from Windows 7.

    Sam Cogan: Firstly, please do not add your own question to someone else's; start your own question. Secondly, please do not include your blog URL as a signature.
  • I modified the local policy and it works! Thanks!

  • The right solution is to use the ntlm_auth program from a more recent Samba distribution: Samba 3.4 and Samba 3.5 seem to authenticate Win7 with NTLMv2 without problems. Samba 3.0 was unable to do it.

    From Giovanni
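
A way to confirm from the server side that this is the failure being hit, as an added example that is not part of the original question or answers: the script below scans a winbindd log in the format quoted in the question and lists AUTH_CRAP requests rejected with an oversized response. It assumes the two numbers in "invalid password length 24/282" are the LM and NT response lengths and that an NT response longer than 24 bytes is NTLMv2; the second request in the sample is constructed, and the function names are this example's own.

```python
import re

# Constructed sample: the first request is from the question's log, the second is made up.
SAMPLE_LOG = """\
[2009/08/20 15:13:36, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 4127]: pam auth crap domain: MYDOMAIN user: MYUSER
[2009/08/20 15:13:36, 0] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/282
[2009/08/20 15:13:36, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [MYDOMAIN]\\[MYUSER] returned NT_STATUS_INVALID_PARAMETER (PAM: 4)
[2009/08/20 15:14:02, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1755)
  [ 4127]: pam auth crap domain: MYDOMAIN user: OTHERUSER
[2009/08/20 15:14:02, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1931)
  NTLM CRAP authentication for user [MYDOMAIN]\\[OTHERUSER] returned NT_STATUS_OK (PAM: 0)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
REQUEST = re.compile(r"pam auth crap domain: (\S+) user: (\S+)")
LENGTHS = re.compile(r"invalid password length (\d+)/(\d+)")
RESULT = re.compile(r"returned (NT_STATUS_\w+)")
V1_RESPONSE_LEN = 24  # assumption: LM and NTLMv1 responses are exactly 24 bytes

def parse_auth_crap(text):
    """Group log lines into one record per AUTH_CRAP request."""
    events, cur, stamp = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            stamp = m.group(1)  # timestamp applies to the message lines that follow
            continue
        if m := REQUEST.search(line):
            cur = {"time": stamp, "domain": m.group(1), "user": m.group(2),
                   "lm_len": None, "nt_len": None, "status": None}
            events.append(cur)
        elif cur and (m := LENGTHS.search(line)):
            cur["lm_len"], cur["nt_len"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := RESULT.search(line)):
            cur["status"] = m.group(1)
            cur = None  # the result line closes the request
    return events

def ntlmv2_rejections(events):
    """Requests that did not succeed and carried an NT response over 24 bytes."""
    return [e for e in events
            if e["status"] != "NT_STATUS_OK" and (e["nt_len"] or 0) > V1_RESPONSE_LEN]

if __name__ == "__main__":
    for e in ntlmv2_rejections(parse_auth_crap(SAMPLE_LOG)):
        print(f'{e["time"]} {e["domain"]}\\{e["user"]}: lm={e["lm_len"]} nt={e["nt_len"]} {e["status"]}')
```

Users that show up here are the clients sending NTLMv2-sized responses that the winbindd in use rejects, which is the set affected by the choice between the client-side policy change and the Samba upgrade described in the answers.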
