[squid-users] Problems with NTLM authentication
bpk678 at gmail.com
Tue Nov 24 15:44:21 UTC 2015
On 11/24/2015 10:08 AM, Verónica Ovando wrote:
> My Squid Version: Squid 3.4.8
> OS Version: Debian 8
> I have installed Squid on a server using Debian 8 and seem to have the
> basics operating, at least when I start the squid service, I have am
> no longer getting any error messages. At this time, the goal is to
> authenticate users from Active Directory and log the user and the
> websites they are accessing.
> I followed the official guide
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I
> verified that samba is properly configured, as the guide suggest, with
> the basic helper in this way:
> # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> domain\user pass
> Here is a part of my squid.conf where I defined my ACLs for the groups
> in AD:
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
> auth_param ntlm children 30
> auth_param basic program /usr/local/bin/ntlm_auth
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de mi Dominio
> auth_param basic credentialsttl 2 hours
> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl AD_Standard external Grupos_AD Standard
> acl AD_Exceptuados external Grupos_AD Exceptuados
> acl AD_Bloqueados external Grupos_AD Bloqueados
> acl face url_regex -i "/etc/squid3/facebook"
> acl gob url_regex -i "/etc/squid3/gubernamentales"
> http_access allow AD_Standard
> http_access allow AD_Exceptuados !face !gob
> http_access deny AD_Bloqueados
> I tested using only the basic scheme (I commented the lines out for
> NTLM auth) and every time I open the browser it asks me my user and
> pass. And it works well because I can see in the access.log my
> username and all the access policies defined are correctly applied.
> But if I use NTLM auth, the browser still shows me the pop-up (it must
> no be shown) and if I enter my user and pass it still asks me for them
> until I cancel it.
> My access.log, in that case, shows a TCP_DENIED/407 as expected.
> What could be the problem? It suppose that both Kerberos and NTLM
> protocols work together, I mean that can live together in the same
> environment and Kerberos is used by default. How can I check that NTLM
> is really working? Could it be a squid problem in the conf? Or maybe
> AD is not allowing NTLM traffic?
> Sorry for my English. Thanks in advance.
> squid-users mailing list
> squid-users at lists.squid-cache.org
make sure Internet Explorer is set to use Integrated Windows
Authentication (IWA). Tools --> Internet Options --> Advanced -->
Security --> Enable Integrated Windows Authentication.
More information about the squid-users