[squid-users] squid basic ntlm auth error after upgrade to 3.3.8

Lupick lupick at gmail.com
Tue Apr 28 08:46:31 UTC 2015


I've probably found where the problem is, but I don't know how to solve it.

If I try to connect with a PC outside the domain, squid ntlm auth prompts for
username/password. On the password prompt banner I have the proxy ip
address; so the ntlm auth is used.
I can put my domain\username + password but it keeps requesting the
password.

I've tried to comment out all the ntlm auth stuff in squid.conf; and I kept
only the basic.

Now the PC requests the username\password from me, but this time on the banner
I have "Squid proxy-caching web server", so basic auth is used. If I put
my domain\username + pwd all is working well.

So I assume the problem is that ntlm auth doesn't fall back to basic but
keeps requesting the password.

Do you know how to force squid to fall back to basic auth if ntlm auth fails?
I remember in older versions it was automatic.

Thank you for your help

L.

On Thu 20 Nov 2014 at 16:54, Amos Jeffries [via Squid Web Proxy
Cache] <ml-node+s1019090n4668485h22 at n4.nabble.com> wrote:

> On 21/11/2014 12:38 a.m., Lupick wrote:
> > Hi I've a problem authenticating users outside my AD domain after
> > the upgrade to squid 3.3.8.
>
> 3.3.8 is far from the latest Squid. There is information about where
> to find updated packages for CentOS at
> <http://wiki.squid-cache.org/KnowledgeBase/CentOS>
>
> >
> > All the domain-logged users are able to authenticate without any
> > issue.
> >
> > The local user or user of a non-domain computer has a
> > username/password prompt as expected.
> >
> > If I provide the right domain\username and password the prompt
> > appears over and over.
>
> By "right" you mean the Basic or NTLM credentials?
>
> Which popup is the browser selecting to display?
>  - the realm value configured in squid.conf is displayed as part of
> the Basic auth popup, IIRC the proxy hostname or DOMAIN is listed in
> the NTLM popup. So you should be able to tell which it's asking for.
>
> NTLM requires machines to be signed into the domain to get the correct
> credentials crypto tokens from the DC to login with. Any attempt to
> use NTLM credentials without being signed onto the domain will fail.
>
> Basic auth only requires the domain\user:password combo gets delivered.
>
>
> >
> > BUT after the first time if I click cancel and I retry I'm able to
> > browse internet.  This happens because the credentials provided are
> > stored under the Windows Credential Manager in the control panel.
> >
> > no problem using centos 6 and squid 3.3.1, the problem appears
> > after an upgrade to centos 7 and squid 3.3.8.
> >
> > this is my section on squid.conf:
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 45
> > #auth_param ntlm max_challenge_reuses 0
> > #auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 5 hours
> >
>
> PS. Have you considered migrating to Kerberos? it has a lot less
> problems than NTLM.
>
> Amos
>
>
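
Added example, not part of the original thread and not Squid project code: a Python helper for the check Amos describes, reading a captured 407 and the client's follow-up Proxy-Authorization header to tell which schemes the proxy offered and which one the browser chose. The sample headers, the EXAMPLE\alice account and the function names are constructed for illustration; only the realm string comes from the thread.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed 407 as a proxy configured with NTLM first, then Basic, might send it.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
    "\r\n"
)
# Constructed client headers (placeholder account, minimal NTLM type 1 message).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"EXAMPLE\\alice:placeholder").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)).decode()

def offered_schemes(response_head):
    """List (scheme, params) from Proxy-Authenticate headers, in the order sent."""
    offers = []
    for line in response_head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            scheme, _, params = value.strip().partition(" ")
            offers.append((scheme, params.strip()))
    return offers

def classify_authorization(header_value):
    """Say which scheme the client chose, without ever returning the password."""
    scheme, _, blob = header_value.strip().partition(" ")
    raw = base64.b64decode(blob.strip())
    if scheme.lower() == "basic":
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": "Basic", "user": user, "has_password": bool(sep)}
    if scheme.lower() == "ntlm":
        # NTLMSSP messages start with an 8-byte signature, then a
        # little-endian 32-bit message type.
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return {"scheme": "NTLM", "message": "malformed"}
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"scheme": "NTLM", "message": NTLM_TYPES.get(msg_type, "unknown")}
    return {"scheme": scheme, "message": "unhandled"}

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_407))
    print(classify_authorization(SAMPLE_BASIC))
    print(classify_authorization(SAMPLE_NTLM))
```

A client that answers each 407 with another NTLM message has picked NTLM from the offered list; one that answers with Basic shows the domain\user it sent, which can be compared with what the helper expects.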



