[squid-users] NTLM Authentication Failing

Ilias Clifton adilias3 at gmx.com
Wed Oct 21 02:38:53 UTC 2015

> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> > Hi All,
> > I've been following the guide at this location for Active Directory integration
> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy[http://wiki.bitbinary.com/index.php/>Active_Directory_Integrated_Squid_Proxy]
> >
> > First, some versions for sanity..
> > Ubuntu : 14.04.3 LTS
> > Squid : 3.3.8 (from ubuntu repositories)
> > Samba : 4.1.6-Ubuntu
> > DC : Windows Server 2012 R2
> >
> > I am currently testing the authentication, negotiate kerberos and basic ldap are
> > both working correctly. However ntlm is not and I don't seem to making any
> > progress on debugging further.
> Date: Tue, 20 Oct 2015 18:06:17 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> Your version of Squid has big problems with (4) and some with (2), and
> your DC server version has big problems with (1) and (3).
> Amos

Hi Amos, 

Thank you for your detailed answer.

So what is the best way to authenticate users in a mixed environment? I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome - plus various mobile devices.

I've tried getting rid of ntlm and just using negotiate kerberos and ldap for basic, is that all I need?

On the non-domain joined PCs, if I disable 'Enable Integrated Windows Authentication', they now correctly use basic ldap.

My config now looks like..

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser at domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser at domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

Does that look ok?

More information about the squid-users mailing list