[squid-users] Fwd: NTLM LDAP authentication problem

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 16 21:06:44 UTC 2015


On 17/11/2015 4:48 a.m., Eugene M. Zheganin wrote:
> Hi,
> 
> On 16.11.2015 19:51, Matej Kotras wrote:
>> Thank you for your response, as this is my first try with Squid, and
>> fairly newb in Linux.
>> I do not understand at all differences between basic/ntlm/gss-spnego
>> auths so I will do my homework and read about them. I've managed to
>> get this working after a few weeks of "trial and error" method (I know,
>> I know, but I gotta start somewhere rite) following multiple guides.
>>
> The usual issue with all those copy/paste tutorials is that they tend to
> teach how to do everything at once, instead of moving from simple things
> to more difficult ones. This order of simplicity/difficulty is the
> following:
> 
> - adding Basic authentication, all authenticated users are authorized to
> use proxy
> - adding NTLM authentication, all authenticated users are authorized to
> use proxy
> - adding group-based authorization, authenticated users are authorized
> to use proxy based on the group membership, using simple helper like
> squid_group_ldap
> - adding GSS-SPNEGO authentication
> - adding full-fledged GSS-SPNEGO group authorization helper.
> 
> You can try my article,
> http://squidquotas.hq.norma.perm.ru/squid-auth.shtml. Though it's not
> perfect and still lacks the last two steps, at least it tries to follow that
> approach.

Unfortunately it is not quite as simple as that.

The difference between the PC-NAME vs USER-LABEL logins is whether the
particular client software has access to the Windows Integrated
Authentication credentials or not. Whether that machine is registered to
the DOMAIN, or the User account is logged in specifically under their
own name, or a service account on the machine. And whether the software
is actually being used by a "user".

Notice how I avoid the word "username" - since that is not applicable.
Only the account label as passed in the auth tokens is seen by Squid's
part of the authentication. As you have noticed, machines do traffic too;
users are not always involved.


One might also want to follow the simple Config examples provided in the
Squid wiki. They are carefully restricted to only documenting one
task at a time, not going into the configuration of unrelated features that the
author was interested in.

Negotiate/Kerberos only:
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos>

NTLM (with Basic backup for non-NTLM clients):
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm>

Full Windows AD integration. (Negotiate/Kerberos, Negotiate/NTLM, NTLM,
and Basic):
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory>


PS. Eugene, your section on "Add remaining permissions" is wrong and
suggests a very broken configuration be done. Squid needs *read*
permission and that is done with unix group membership not by editing
the pipe itself. Please have a read of our NTLM+Basic examples' section
on Winbind privileges. Doing it the right way allows Samba to manage its
pipe properly.

Amos
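One check a practitioner might script for the PS above, as an added example (not code from the thread or from the Squid project): it verifies that the Squid helper account reaches the winbindd privileged directory through Unix group membership with group read/execute on the directory, and flags the world-open shortcut Amos warns against. The account name `proxy` and the path `/var/run/samba/winbindd_privileged` are assumed Debian-style defaults, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the Squid helper account
# can reach the winbindd privileged directory via group membership, rather
# than by loosening the directory's mode.
# Assumed defaults (adjust for your distribution):
#   helper account: proxy   directory: /var/run/samba/winbindd_privileged

# Usage: check_winbind_access USER DIR
# Returns 0 when USER is in DIR's group and that group has r-x on DIR.
# Returns 1 (with a one-line reason) otherwise, including when DIR has
# been opened up to "other", which is the broken configuration to avoid.
check_winbind_access() {
    user="$1"; dir="$2"
    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }
    # ls -ld fields: mode links owner group size ... name
    set -- $(ls -ld "$dir")
    perms="$1"; grp="$4"
    # mode string layout: d rwx rwx rwx  -> group bits are chars 5-7,
    # "other" bits are chars 8-10
    gbits=$(printf '%s' "$perms" | cut -c5-7)
    obits=$(printf '%s' "$perms" | cut -c8-10)
    if [ "$obits" != "---" ]; then
        echo "BROKEN: $dir is accessible to everyone ($perms); restore group-only access"
        return 1
    fi
    case "$gbits" in
        r?x) ;;
        *) echo "DENIED: group $grp lacks r-x on $dir ($perms)"; return 1 ;;
    esac
    if id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"; then
        echo "OK: $user reaches $dir through group $grp"
        return 0
    fi
    echo "DENIED: $user is not in group $grp; add the user to the group, do not chmod the pipe"
    return 1
}

# Stand-alone run against the assumed defaults:
# check_winbind_access proxy /var/run/samba/winbindd_privileged
```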
