[squid-users] Strange NTLM problem.

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 28 13:43:09 UTC 2016

On 29/06/2016 12:45 a.m., Bruno de Paula Larini wrote:
> Em 28/06/2016 03:14, drcimino drcimino escreveu:
>> Dear all,
>> i have a strange problem with my squid 3.5.19 and authentication NTLM.
>> On my configuration i have 2 auth method:
>> NTLM negotiated with ntlm_auth from samba 3
>> auth_param ntlm program /usr/local/samba/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 200 startup=100 idle=10 concurrency=0
>> auth_param ntlm keep_alive on
>> and as a fallback basic ntlm
>> auth_param basic program /usr/local/samba/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 25 startup=15 idle=5 concurrency=0
>> auth_param basic realm PROXY AUTHORIZATION REQUIRED
>> auth_param basic credentialsttl 30 minutes
>> TTL
>> authenticate_cache_garbage_interval 1 hours
>> authenticate_ttl 30 minutes
>> authenticate_ip_ttl 30 minutes
>> Groups identification with LDAPS
>> external_acl_type NAV children-max=200 children-startup=100
>> children-idle=10 ttl=1800 %LOGIN
>> /usr/local/squid/libexec/ext_ldap_group_acl -s sub -b
>> "dc=domain,dc=xxx" -D "cn=squid,cn=Users,dc
>> =domain,dc=xxx" -w "password" -f
>> "(&(objectclass=person)(sAMAccountName=%v)(membero
>> f=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" -S -K -H
>> ldaps://domain.xxx:3269
> I've been using the helper "ext_wbinfo_group_acl" to work with AD groups
> and transparent authentication for domain members. The config below also
> makes the auth pop-up to show when the machine isn't member of the
> domain - no need to use the fallback part. You just have to configure
> Kerberos, Samba, join the Squid machine to the domain with "net ads
> join" and enable winbind.

You are not using Negotiate/Kerberos, so I'm not sure why that is related.

Winbind is needed for the particular wbinfo helper. Note that winbind
has much more several issues with concurrent number of connections to AD
being only 256.

>     auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
> --enable-external-acl-helpers="ext_wbinfo_group_acl"
>     auth_param ntlm children 10 startup=0 idle=2
>     external_acl_type NTGroup children-startup=10 children-idle=2
> children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>     acl authenticated proxy_auth REQUIRED
>     acl ad_group external NTGroup MYDOMAIN\AD_Group
>     acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
>     http_access deny ad_group denied_websites
> In my set of acls, the pop-up was also appearing in specific sites.
> Changing the order of acls made it stop appearing for me.
> This:
>     http_access allow website_list user_list
> seems to work differently from this:
>     http_access allow user_list website_list

Not seem to. It does. Intentionally.

Having something like website_list, which I guess is a dstdomain or such
ACL at the end of the line prevents auth or group test mis-matches from
re-authenticating to get credentials that might pass the ACL test.

Preventing these ACLs triggering authentication activity is probably a
large part of what actually got fixed in your situation. NTLM related
auth takes a relatively long time so reducing the number of auth and
re-auth tests needed to check a users access permissions can be a big win.


More information about the squid-users mailing list