[squid-users] Problems with NTLM authentication

Verónica Ovando vero.ovando at live.com
Tue Nov 24 15:08:25 UTC 2015

My Squid Version:  Squid 3.4.8

OS Version:  Debian 8

I have installed Squid on a server using Debian 8 and seem to have the basics operating; at least when I start the squid service, I am no longer getting any error messages. At this time, the goal is to authenticate users from Active Directory and log the user and the websites they are accessing.

I followed the official guide http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I verified that samba is properly configured, as the guide suggests, with the basic helper in this way:

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
domain\user pass

Here is a part of my squid.conf where I defined my ACLs for the groups in AD:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours

external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d

acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados
acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"

http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados

I tested using only the basic scheme (I commented the lines out for NTLM auth) and every time I open the browser it asks me my user and pass. And it works well because I can see in the access.log my username and all the access policies defined are correctly applied.

But if I use NTLM auth, the browser still shows me the pop-up (it must not be shown) and if I enter my user and pass it still asks me for them until I cancel it.

My access.log, in that case, shows a TCP_DENIED/407 as expected.

What could be the problem? It is supposed that both Kerberos and NTLM protocols work together, I mean that they can live together in the same environment and Kerberos is used by default. How can I check that NTLM is really working? Could it be a squid problem in the conf? Or maybe AD is not allowing NTLM traffic?

Sorry for my English. Thanks in advance.
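
Added example, not part of the original post: one way to see how far the NTLM handshake gets is to classify the Proxy-Authenticate / Proxy-Authorization header values captured from the browser-to-proxy exchange. The function name and the sample header values below are constructed for illustration; real values have to come from your own capture.

```python
import base64
import struct

# NTLMSSP message types: the handshake is NEGOTIATE -> CHALLENGE -> AUTHENTICATE.
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_proxy_auth(header_value):
    """Return (scheme, detail) for one Proxy-Authenticate/-Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme == "basic":
        return (scheme, "base64 user:password")
    if scheme not in ("ntlm", "negotiate"):
        return (scheme, "unrecognised scheme")
    if not token:
        return (scheme, "offer only, no token")
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "malformed base64")
    # NTLMSSP messages start with an 8-byte signature, then a little-endian type.
    if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
        (msg_type,) = struct.unpack_from("<I", blob, 8)
        return (scheme, "NTLMSSP " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    # A GSS-API initial token (SPNEGO, used for Kerberos) starts with ASN.1 tag 0x60.
    if blob[:1] == b"\x60":
        return (scheme, "GSS-API/SPNEGO token")
    return (scheme, "unknown token")


def _ntlm(msg_type):
    """Build a minimal constructed NTLMSSP header (signature, type, zero flags)."""
    raw = b"NTLMSSP\x00" + struct.pack("<II", msg_type, 0)
    return base64.b64encode(raw).decode("ascii")


# Constructed sample exchange, in the order a working NTLM login would show it.
SAMPLES = [
    "NTLM",                                   # proxy 407: scheme offered
    "NTLM " + _ntlm(1),                       # browser: negotiate
    "NTLM " + _ntlm(2),                       # proxy 407: challenge
    "NTLM " + _ntlm(3),                       # browser: authenticate
    "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode("ascii"),
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify_proxy_auth(value))
```

If the capture never shows an NTLMSSP NEGOTIATE from the browser, the client is not attempting NTLM at all; if it shows AUTHENTICATE followed by another 407, the helper or the domain controller is rejecting the response.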
