[squid-users] Squid/NTLM Auth

Keith White keith.white at emdmillipore.com
Thu Oct 22 15:25:08 UTC 2015

I was able to confirm that ntlm_auth worked for the squid user.  We currently use BlueCoat proxies so IE is definitely configured to use integrated authentication. No cache_effective* in the config.  I will enable debugging and see what is happening as well as enable Kerberos.



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Thursday, October 22, 2015 4:53 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid/NTLM Auth

On 22/10/2015 8:21 a.m., Keith White wrote:
> I have squid running on Centos 7 and am trying to setup AD
> authentication. I have samba/winbindd installed and the system was
> added to the domain with authconfig. I have tested authentication with
> auth_ntlm and that works. I have also tested group membership with
> auth_ntlm and that works as well. When attempting to access squid with
> either IE or Firefox I am presented with the authentication dialog box.

If you have cache_effective_user or cache_effective_group directives in your config file remove them. They break the Winbind helpers group permissions.

Were your successful tests made using the Squid low-privileged user account ?
 If no, then your test results are not relevant. Re-test as the Squid user. Which will need membership of the winbindd_priv group.

What Windows version are the IE and Firefox being run on?
If it is newer than Windows 2000, then you should be moving to Negotiate/Kerberos authentication instead of NTLM.

Does the client machine have Windows Integrated Authentication enabled?
and is it on-domain?
 Off-domain machines have no chance of NTLM working. Disable their integrated authentication settings.
Note that without the integrated auth Firefox has no access to NTLM credentials and MSIE has a tendency to use the machine credentials instead of the users.

> Manually entering credentials does not work. What debugging can I
> enable to see what is going on? Squid is built with the following


At least these:
  debug_options ALL,0 11,2 28,5 29,5

> Squid Cache: Version 3.5.9-20150917-r13917 Service Name: squid
> configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/varsquid' '--sysconfdir=/etc/squid' '--enable-auth' '--enable-auth-ntlm' '--enable-external-acl-helpers' '--enable-auth-negotiate' '--enable-auth-basic' '--enable-auth-digest'
> relevant section from squid.conf
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-basic auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server auth_param basic
> credentialsttl 2 hours

You should list Basic as first choice since it is the more secure of those two protocols.

Sounds like a joke, but it is true NTLM is less secure these days than Basic auth. Namely because clients that accept NTLM can be auto-downgraded by attackers to using LanMan protocols that broadcast the username and password just like Basic - BUT most network software treats Basic auth as the insecure one and do a lot more to protect its weak credentials.

> acl AuthorizedUsers proxy_auth REQUIRED http_access allow localnet
> http_access allow AuthorizedUsers http_access allow localhost

The above implies that the authenticated users will be outside the LAN (localnet). The 'L' in NTLM is "LAN" and old 1980-1990's style flat LAN networks are where it was designed for use. It does *not* work properly over Internet connections or even in many of todays complex LAN environments.

You need Negotiate/Kerberos auth for Internet clients to even have half a chance of authenticating securely. Then you also need to get the whole on/off domain thing sorted out and working.

PS. you will probably need a few hundred helpers for NTLM. It is an
*extremely* inefficient protocol. I've not seen even a home network operate with less than 50, usual minimum is 100.

squid-users mailing list
squid-users at lists.squid-cache.org

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith.

Click http://www.merckgroup.com/disclaimer to access the German, French, Spanish and Portuguese versions of this disclaimer.

More information about the squid-users mailing list