[squid-users] Strange NTLM problem.

Bruno de Paula Larini bruno.larini at riosoft.com.br
Tue Jun 28 12:45:17 UTC 2016

Em 28/06/2016 03:14, drcimino drcimino escreveu:
> Dear all,
> i have a strange problem with my squid 3.5.19 and authentication NTLM.
> On my configuration i have 2 auth method:
> NTLM negotiated with ntlm_auth from samba 3
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 200 startup=100 idle=10 concurrency=0
> auth_param ntlm keep_alive on
> and as a fallback basic ntlm
> auth_param basic program /usr/local/samba/bin/ntlm_auth 
> --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
> Groups identification with LDAPS
> external_acl_type NAV children-max=200 children-startup=100 
> children-idle=10 ttl=1800 %LOGIN
> /usr/local/squid/libexec/ext_ldap_group_acl -s sub -b 
> "dc=domain,dc=xxx" -D "cn=squid,cn=Users,dc
> =domain,dc=xxx" -w "password" -f 
> "(&(objectclass=person)(sAMAccountName=%v)(membero
> f=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" -S -K -H 
> ldaps://domain.xxx:3269

I've been using the helper "ext_wbinfo_group_acl" to work with AD groups 
and transparent authentication for domain members. The config below also 
makes the auth pop-up to show when the machine isn't member of the 
domain - no need to use the fallback part. You just have to configure 
Kerberos, Samba, join the Squid machine to the domain with "net ads 
join" and enable winbind.

     auth_param ntlm program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN 
     auth_param ntlm children 10 startup=0 idle=2

     external_acl_type NTGroup children-startup=10 children-idle=2 
children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

     acl authenticated proxy_auth REQUIRED

     acl ad_group external NTGroup MYDOMAIN\AD_Group
     acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
     http_access deny ad_group denied_websites

In my set of acls, the pop-up was also appearing in specific sites. 
Changing the order of acls made it stop appearing for me.

     http_access allow website_list user_list

seems to work differently from this:

     http_access allow user_list website_list


More information about the squid-users mailing list