[squid-users] NTLM Auth problems

11-24-2003
MacKenzie, Chris J

Hi All,

I'm having problems getting ntlm authentication to work with squid 2.5
(stable 1). It's running on a RH9 with samba 3.0.
I have winbind working fine with samba but for some reason I just can't
seem to get squid to auth with our win2K domain.

I keep getting 403 access denied messages. Is there a winbind/ntlm auth
configuration guide somewhere?
I've included my squid.conf for review in case I'm suffering from
domestic blindness :-)

# squid conf file
# -------------------------------
# Network options
# -------------------------------
http_port 3128
icp_port 4141
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# -------------------------------
# Cache Neighbour options
# -------------------------------
cache_peer upstream.foo.com parent 80 0 no-query no-digest default
# -------------------------------
# Cache size options
# -------------------------------
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
# -------------------------------
# Cache dir & logging options
# -------------------------------
cache_dir aufs /var/spool/squid 8192 16 256
pid_filename /var/run/squid.pid
debug_options all, 5
error_directory /usr/share/squid/errors/English
icon_directory /usr/share/squid/icons
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf

#--------------------------------
# NTLM OPTIONS
#authenticate_program_ntlm
#authenticate_children_ntlm 5
auth_param ntlm program /usr/bin/ntlm_auth
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# -------------------------------
# options for external support programs
# -------------------------------
ftp_user squid@machinename.domain.com
ftp_list_width 64
ftp_passive on
# -------------------------------
# Cache tuning options
# -------------------------------
# REM - MRV - all these numbers are done on the basis of a T1 line having
# 25 users on it, giving a viable request bandwidth of 5.5kb/sec
quick_abort_min 22 Kb
quick_abort_max 100 Kb
quick_abort_pct 75
# -------------------------------
# Cache admin options
# -------------------------------
cache_effective_user squid
cache_effective_group squid
visible_hostname kiftest1
# -------------------------------
# Cache misc options
# -------------------------------
#append_domain .domainname
#chroot enable
#pipeline_prefetch on
# -------------------------------
# Cache ACL options
# -------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
acl local-domains dstdomain *.foo.com
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

never_direct deny local-domains
never_direct allow all

http_access allow manager localhost
#http_access allow all
http_access allow AuthorizedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
# ------------------------------- [eof]

---
Rgds,
Chris MacKenzie
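
Editor's added example (not part of the original post, and not Squid or Samba code): a small audit over the auth-related directives of the configuration above. It checks two things: whether the Samba `ntlm_auth` helper is started with `--helper-protocol=squid-2.5-ntlmssp`, which is the mode Samba documents for Squid 2.5's NTLM scheme, and which `http_access deny` rules sit behind an unconditional allow for authenticated users, since `http_access` stops at the first matching rule. The finding labels and the `SAMPLE_CONF` excerpt are constructed for illustration.

```python
# Constructed excerpt: the auth-related directives from the posted squid.conf.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth
auth_param ntlm children 10
acl AuthorizedUsers proxy_auth REQUIRED
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow AuthorizedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

HELPER_FLAG = "--helper-protocol=squid-2.5-ntlmssp"


def parse(conf):
    """Return directives as token lists, dropping comments and blank lines."""
    rows = []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            rows.append(tokens)
    return rows


def audit(conf):
    """Return a list of finding labels (hypothetical names) for the config."""
    rows = parse(conf)
    findings = []
    # Check 1: Samba's ntlm_auth must be told which helper protocol to speak.
    for r in rows:
        if r[:3] == ["auth_param", "ntlm", "program"] and len(r) > 3:
            if r[3].endswith("ntlm_auth") and HELPER_FLAG not in r[4:]:
                findings.append("ntlm-helper-protocol-missing")
    # Check 2: http_access is first-match, so a deny placed after
    # "allow <proxy_auth acl>" is never evaluated for authenticated users.
    auth_acls = {r[1] for r in rows if r[0] == "acl" and r[2] == "proxy_auth"}
    rules = [r[1:] for r in rows if r[0] == "http_access"]
    for i, rule in enumerate(rules):
        if rule[0] == "allow" and len(rule) == 2 and rule[1] in auth_acls:
            for later in rules[i + 1:]:
                if later[0] == "deny" and later[1:] != ["all"]:
                    findings.append("shadowed-for-authenticated: " + " ".join(later))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Moving the `Safe_ports` and `CONNECT` deny rules above the `allow AuthorizedUsers` line clears the second class of finding; the first is cleared by adding the helper-protocol argument to the `auth_param ntlm program` line.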