[squid-users] NTLM Authentication Failing

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 21 04:17:59 UTC 2015


On 2015-10-21 15:38, Ilias Clifton wrote:
>> 
>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>> > Hi All,
>> > I've been following the guide at this location for Active Directory integration
>> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>> >
>> > First, some versions for sanity..
>> > Ubuntu : 14.04.3 LTS
>> > Squid : 3.3.8 (from ubuntu repositories)
>> > Samba : 4.1.6-Ubuntu
>> > DC : Windows Server 2012 R2
>> >
>> > I am currently testing the authentication; negotiate kerberos and basic ldap are
>> > both working correctly. However ntlm is not, and I don't seem to be making any
>> > progress on debugging further.
>> 
>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>> From: Amos Jeffries <squid3 at treenet.co.nz>
>> 
>> 
>> 
>> Your version of Squid has big problems with (4) and some with (2), and
>> your DC server version has big problems with (1) and (3).
>> 
>> 
>> Amos
>> 
>> 
>> 
> 
> Hi Amos,
> 
> Thank you for your detailed answer.
> 
> So what is the best way to authenticate users in a mixed environment?
> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
> plus various mobile devices.
> 
> I've tried getting rid of ntlm and just using negotiate kerberos and
> ldap for basic, is that all I need?

I believe that's at least very close to the solution. Getting rid of 
NTLM is something that needs to happen at the client end though, so IE 
does not attempt to use it over the Negotiate scheme.


> 
> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
> Authentication', they now correctly use basic ldap.

And that's the way to do it IIRC. Someone more familiar may know a better 
way.


> 
> My config now looks like..
> 
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 30 minutes
> 
> ### ldap authorisation
> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
> 
> Does that look ok?

Looks reasonable for a small installation. If you have a medium to large 
network you may find Squid mentioning queue issues and requesting more 
helper children be configured. Simply increasing the numbers there 
should resolve that.

Amos
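The config quoted above defines the three helpers but not the acl and http_access lines that actually make Squid challenge a client and consult the group lookup, nor the child-count tuning Amos refers to. The following squid.conf fragment is an added example (it is not the poster's config and not taken from the Squid documentation) that wires the same helpers together for the mixed environment described in the thread: Negotiate first for domain-joined browsers, Basic over LDAP as the fallback, and group membership as the authorisation step. The hostnames, the OU, the two group names (InternetUsers, InternetAdmins), the client subnet and the child counts are assumptions; adjust them to the site.

```conf
### Added example for Squid 3.3 (not the original poster's config).
### Assumed: AD domain domain.local, DC dc1.domain.local, bind account
### proxyuser, groups under OU=Proxy, clients in 192.168.0.0/16.

# 1. Negotiate (Kerberos) for domain-joined clients. The order in which the
#    auth_param blocks appear is the order in which the schemes are offered
#    in the 407 challenge, so Negotiate is listed before Basic.
#    (-d dropped: it only adds helper debug output to cache.log.)
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive off

# 2. Basic over LDAP for non-domain PCs, Linux and mobile clients that do not
#    answer the Negotiate challenge. Basic sends the password to the proxy in
#    clear text, so only use it on a trusted network segment.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 20 startup=5 idle=2
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

# 3. Group lookup. %LOGIN hands the authenticated name to the helper; a
#    Kerberos login arrives as user@DOMAIN.LOCAL and -K strips the realm
#    (-S strips an NT-style DOMAIN\ prefix) so both auth paths match the
#    same sAMAccountName. Lookup results are cached for ttl= seconds, which
#    keeps the helper queue short; children-max replaces the old children=.
external_acl_type memberof ttl=300 negative_ttl=60 children-max=10 children-startup=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

# ACL definitions (client subnet and group names are assumptions).
acl localnet src 192.168.0.0/16
acl auth_users proxy_auth REQUIRED
acl internet_admins external memberof InternetAdmins
acl internet_users  external memberof InternetUsers

# Access order: reject foreign sources, then force authentication (the
# "deny !auth_users" line is what sends the 407 challenge), then check the
# group. The external ACLs sit after auth_users so %LOGIN is populated.
http_access deny !localnet
http_access deny !auth_users
http_access allow internet_admins
http_access allow internet_users
http_access deny all
```

Validate the file with `squid3 -k parse` before reloading. The helpers can also be driven by hand, which is the quickest way to separate an LDAP problem from a browser problem: `basic_ldap_auth` reads one `username password` pair per line on stdin and answers `OK` or `ERR`, and `ext_ldap_group_acl` reads `username groupname` lines and answers the same way, so piping a known user through each helper with the exact options from the config shows whether the lookup itself works independently of Squid.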

