[squid-users] Squid 3.3.8 NTLM Group Authentication

Rich549 Richard.Aspley at hammonds-uk.com
Fri Dec 5 11:55:15 UTC 2014 

Hi,

I'm having problems getting NTLM authentication to work.  I need it to only
allow members of the Internet_Users AD group to be able to access the
internet.  Instead it is only allowing the websites that I've marked as OK
for all users (a lot of this config came from my SquidNT installation).

My config is as follows:

##	WELCOME TO SQUID 3.3.8
#	----------------------------

#-----------------------------------------------------------------------------
#DEFAULTS
#-----------------------------------------------------------------------------
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
cache_mem 1024 MB

#-----------------------------------------------------------------------------
# AUTHENTICATION
#-----------------------------------------------------------------------------
#
#
### negotiate kerberos and ntlm authentication
#auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s
GSS_C_NO_NAME domain=HAMMONDS --kerberos
/usr/lib/squid3/negotiate_kerberos_auth srvham09.domain.com
#auth_param negotiate children 10
#auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=HAMMONDS
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via
kerberos/ntlm
#auth_param basic program /usr/lib/squid3/basic_ldap_auth -b
"dc=domain,dc=com" -D squid at domain.com -W /etc/squid3/ldappass.txt -f
sAMAccountName=%s -h srvham09.domain.com 
#auth_param basic children 10
#auth_param basic realm Internet Proxy
#auth_param basic credentialsttl 1 minute

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
#acl localnet src 172.31.0.0/16

### set helper processes
external_acl_type internet_domain_group %LOGIN
/usr/lib/squid3/ext_ldap_group_acl -b "ou=Service_Accounts,dc=domain,dc=com"
-D squid at domain.com -W /etc/squid3/ldappass.txt -f
"cn=Internet_Users,ou=Domain_Groups,dn=domain,dn=com" srvham09.domain.com



#-------------------------------------------------------------------------------------------------
### Allow authenticated users
#-------------------------------------------------------------------------------------------------
acl InetAllow external internet_domain_group Internet_Users 

#-------------------------------------------------------------------------------------------------
### Bypass Authentication
#-------------------------------------------------------------------------------------------------

# These domains will be reachable without authentication
acl OK_Unauthenticated dstdomain .domain.com .force24.co.uk .trakit.uk.net
194.73.60.21 .stanford.edu 171.65.103.68 212.100.232.212
acl OK_Unauthenticated dstdomain .canonical.com .sophos.com .ubuntu.com
.oracle.com .bt.com .refreshthis.com
acl OK_Unauthenticated dstdomain .oanda.com .dell.com .launchpad.net
acl OK_Unauthenticated dstdomain .dashboards.my-tmac.co.uk

#Squid Access Denied Screen
acl OK_Unauthenticated dstdomain .squid-cache.org

# ------------------------------------------------
# ------ Permit/Deny access as appropriate -------
# ------------------------------------------------

http_access allow OK_Unauthenticated
http_access allow InetAllow
    
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
shutdown_lifetime 10 seconds
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 4004	# Radii website download site uses this port
acl Safe_ports port 10000	# Webmin
acl Safe_ports port 900		# Swat
acl Safe_ports port 82		# Pacejet request - test site hosted on HTTP 82
acl Safe_ports port 81		# Image plus test server (hepplewhite)
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr otrs at domain.com
forwarded_for off

When I try to browse to any of the whitelisted websites the cache.log shows
an NTLM process starting so it looks like it's making sure that I'm an
authenticated user but isn't controlling my access correctly.

Any help would be appreciated as I'm totally stumped.

Thanks,

Rich



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-3-8-NTLM-Group-Authentication-tp4668615.html
Sent from the Squid - Users mailing list archive at Nabble.com.

More information about the squid-users mailing list