[squid-users] Squid 3.3.8 NTLM Group Authentication
Amos Jeffries
squid3 at treenet.co.nz
Fri Dec 5 13:26:07 UTC 2014
On 6/12/2014 12:55 a.m., Rich549 wrote:
> Hi,
>
> I'm having problems getting NTLM authentication to work. I need it
> to only allow members of the Internet_Users AD group to be able to
> access the internet. Instead it is only allowing the websites that
> I've marked as OK for all users (a lot of this config came from my
> SquidNT installation).
>
> My config is as follows:
>
> ## WELCOME TO SQUID 3.3.8
> # ----------------------------
>
> #-----------------------------------------------------------------------------
> #DEFAULTS
> #-----------------------------------------------------------------------------
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
The above QUERY and hierarchy_stoplist actions are not much use in
recent Squid versions. There is a refresh_pattern (mentioned below)
that replaces them.
> acl apache rep_header Server ^Apache
> cache_mem 1024 MB
>
> #-----------------------------------------------------------------------------
> # AUTHENTICATION
> #-----------------------------------------------------------------------------
> #
> # ### negotiate kerberos and ntlm authentication
> #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME domain=HAMMONDS --kerberos /usr/lib/squid3/negotiate_kerberos_auth srvham09.domain.com
> #auth_param negotiate children 10
> #auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HAMMONDS
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> #auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=domain,dc=com" -D squid@domain.com -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h srvham09.domain.com
> #auth_param basic children 10
> #auth_param basic realm Internet Proxy
> #auth_param basic credentialsttl 1 minute
>
> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> #acl localnet src 172.31.0.0/16
>
> ### set helper processes
> external_acl_type internet_domain_group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -b "ou=Service_Accounts,dc=domain,dc=com" -D squid@domain.com -W /etc/squid3/ldappass.txt -f "cn=Internet_Users,ou=Domain_Groups,dn=domain,dn=com" srvham09.domain.com
>
> #-------------------------------------------------------------------------------------------------
> ### Allow authenticated users
> #-------------------------------------------------------------------------------------------------
> acl InetAllow external internet_domain_group Internet_Users
>
> #-------------------------------------------------------------------------------------------------
> ### Bypass Authentication
> #-------------------------------------------------------------------------------------------------
> # These domains will be reachable without authentication
> acl OK_Unauthenticated dstdomain .domain.com .force24.co.uk .trakit.uk.net 194.73.60.21 .stanford.edu 171.65.103.68 212.100.232.212
> acl OK_Unauthenticated dstdomain .canonical.com .sophos.com .ubuntu.com .oracle.com .bt.com .refreshthis.com
> acl OK_Unauthenticated dstdomain .oanda.com .dell.com .launchpad.net
> acl OK_Unauthenticated dstdomain .dashboards.my-tmac.co.uk
>
> #Squid Access Denied Screen
> acl OK_Unauthenticated dstdomain .squid-cache.org
>
> # ------------------------------------------------
> # ------ Permit/Deny access as appropriate -------
> # ------------------------------------------------
>
> http_access allow OK_Unauthenticated
> http_access allow InetAllow
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Missing pattern:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> shutdown_lifetime 10 seconds
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
You are likely getting startup warnings about the above ACL
definitions. ACLs all, manager, localhost, and to_localhost are
predefined in your Squid version. Remove the above lines from your config.
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 4004 # Radii website download site uses this port
> acl Safe_ports port 10000 # Webmin
The above two ports are included in the range 1024-65535 (unregistered
ports). No need to add them specially.
> acl Safe_ports port 900 # Swat
> acl Safe_ports port 82 # Pacejet request - test site hosted on HTTP 82
> acl Safe_ports port 81 # Image plus test server (hepplewhite)
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr otrs@domain.com
> forwarded_for off
>
> When I try to browse to any of the whitelisted websites the
> cache.log shows an NTLM process starting so it looks like it's
> making sure that I'm an authenticated user but isn't controlling my
> access correctly.
It should not be doing anything with NTLM when you request the
whitelisted domains or raw-IP addresses.
* With your config it should start the helper processes right at the
beginning when you start Squid, or if some of them die unexpectedly
early they should be restarted on a following login.
* Squid should do some lookups via the already running helpers only
when non-whitelisted domains are requested.
IIRC there was an issue with login when external ACL was the first ACL
to be tested. Try using a "http_access deny !auth" after the whitelist
and before the group check.
Like so:
http_access allow OK_Unauthenticated
http_access deny !auth
http_access allow InetAllow
HTH
Amos
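The rule ordering Amos recommends can be traced through with a small first-match evaluator. The block below is an added example for this thread, not Squid's own code and not the poster's configuration: it models `http_access` as a list of (action, ACL, negated) rules, a `proxy_auth REQUIRED` ACL that asks for a challenge when no login is present, and an external group ACL keyed on `%LOGIN`. The whitelist is a subset of the poster's `OK_Unauthenticated` domains; the group table, the user names `alice`/`bob` and the sample requests are constructed for the demonstration, and treating a credential-less request against the external ACL as a challenge is a simplification of this toy model rather than a statement about Squid internals.

```python
# Added example: toy first-match evaluator for Squid-style http_access rules.
# Not Squid's code and not the poster's config. The whitelist is a subset of
# the poster's OK_Unauthenticated list; GROUP_MEMBERS, the user names and the
# sample requests are constructed for the demonstration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

NEED_AUTH = "NEED_AUTH"   # ACL outcome: credentials required but not yet supplied

# Subset of the poster's OK_Unauthenticated dstdomain entries.
WHITELIST = (".domain.com", ".squid-cache.org")
# Constructed stand-in for the AD group that ext_ldap_group_acl would query.
GROUP_MEMBERS: Dict[str, set] = {"Internet_Users": {"alice"}}

# Every login handed to the simulated external group helper.
helper_lookups: List[str] = []


@dataclass
class Request:
    host: str
    user: Optional[str] = None   # None: no Proxy-Authorization header yet


def dstdomain(req: Request, domains=WHITELIST) -> bool:
    """dstdomain semantics: '.example.com' matches the domain and its subdomains."""
    return any(req.host == d.lstrip(".") or req.host.endswith(d) for d in domains)


def proxy_auth_required(req: Request) -> Union[bool, str]:
    """acl auth proxy_auth REQUIRED: matches any logged-in user, else challenge."""
    return True if req.user else NEED_AUTH


def external_group(req: Request) -> Union[bool, str]:
    """acl InetAllow external internet_domain_group Internet_Users.

    The helper is keyed on %LOGIN; with no login there is nothing to send it,
    so this toy model treats that as a challenge too (a simplification).
    """
    if req.user is None:
        return NEED_AUTH
    helper_lookups.append(req.user)
    return req.user in GROUP_MEMBERS["Internet_Users"]


ACLS: Dict[str, Callable[[Request], Union[bool, str]]] = {
    "OK_Unauthenticated": dstdomain,
    "auth": proxy_auth_required,
    "InetAllow": external_group,
    "all": lambda req: True,
}

# Rules are (action, acl_name, negated), in http_access order.
ORIGINAL = [("allow", "OK_Unauthenticated", False),
            ("allow", "InetAllow", False),
            ("deny", "all", False)]

SUGGESTED = [("allow", "OK_Unauthenticated", False),
             ("deny", "auth", True),           # http_access deny !auth
             ("allow", "InetAllow", False),
             ("deny", "all", False)]


def evaluate(rules, req: Request) -> Tuple[Union[str, int], str]:
    """First-match evaluation. Returns (decision, name of the ACL that decided);
    decision is 'allow', 'deny', or 407 when the client must be challenged."""
    helper_lookups.clear()
    for action, name, negated in rules:
        result = ACLS[name](req)
        if result == NEED_AUTH:
            return 407, name            # challenge before going any further
        if bool(result) != negated:     # matched, honouring a leading '!'
            return action, name
    return "deny", "(default)"          # not reached with a trailing 'deny all'


if __name__ == "__main__":
    for rules, label in ((ORIGINAL, "original"), (SUGGESTED, "with deny !auth")):
        for req in (Request("www.domain.com"), Request("example.org"),
                    Request("example.org", "alice"), Request("example.org", "bob")):
            print(label, req, "->", evaluate(rules, req), "helper saw", helper_lookups)
```

Running it shows the whitelisted host is allowed by the first rule in both orderings without any helper traffic, and that for a non-whitelisted host with no login the original order makes the external group ACL the first thing to see the credential-less request, whereas with `deny !auth` in place the `proxy_auth` ACL issues the challenge and the group helper is only ever consulted with a known login.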