[squid-users] squid basic ntlm auth error after upgrade to 3.3.8

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 20 15:53:58 UTC 2014



On 21/11/2014 12:38 a.m., Lupick wrote:
> Hi I've a problem authenticating users outside my AD domain after
> the upgrade to squid 3.3.8.

3.3.8 is far from the latest Squid. There is information about where
to find updated packages for CentOS at
<http://wiki.squid-cache.org/KnowledgeBase/CentOS>

> 
> All the domain logged user are able to authenticate without any
> issue.
> 
> The local user or user of a non domain computer have a
> username/password prompt as expected.
> 
> If I provide the right domain\username and password the prompt
> appears over and over.

By "right" you mean the Basic or NTLM credentials?

Which popup is the browser selecting to display?
 - the realm value configured in squid.conf is displayed as part of
the Basic auth popup, IIRC the proxy hostname or DOMAIN is listed in
the NTLM popup. So you should be able to tell which it's asking for.

NTLM requires machines to be signed into the domain to get the correct
credentials crypto tokens from the DC to login with. Any attempt to
use NTLM credentials without being signed onto the domain will fail.

Basic auth only requires that the domain\user:password combo gets delivered.


> 
> BUT after the first time, if I click cancel and I retry, I'm able to
> browse internet.  This happens because the credentials provided are
> stored under the Windows Credential Manager in the control panel.
> 
> no problem using centos 6 and squid 3.3.1, the problem appears
> after an upgrade to centos 7 and squid 3.3.8.
> 
> this is my section on squid.conf:
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 45
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 5 hours
> 

PS. Have you considered migrating to Kerberos? It has a lot fewer
problems than NTLM.

Amos

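Added example, not part of the reply above and not Squid code: a Python helper that answers the "Basic or NTLM?" question from the Proxy-Authorization header value the client actually sent, reporting the scheme, the NTLM message type and the domain\user without printing the password. The function names, the EXAMPLE/alice/LAPTOP01 values and the sample tokens are constructed for illustration; it assumes an NTLM type 3 message uses the 64-byte header that includes the flags field.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def _ntlm_field(msg, pos, wide):
    # Security buffer: length (2), allocated (2), offset (4), little-endian.
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length].decode("utf-16-le" if wide else "latin-1", "replace")

def classify_proxy_auth(value):
    """Describe one Proxy-Authorization header value without exposing secrets."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return {"scheme": scheme, "error": "token is not valid base64"}
    if scheme == "basic":
        # Basic carries user:password; report the user part only.
        account = blob.decode("utf-8", "replace").partition(":")[0]
        domain, sep, user = account.rpartition("\\")
        return {"scheme": "basic", "domain": domain if sep else None, "user": user}
    if scheme == "ntlm" and blob.startswith(NTLM_SIG) and len(blob) >= 12:
        mtype = struct.unpack_from("<I", blob, 8)[0]
        info = {"scheme": "ntlm", "message": NTLM_TYPES.get(mtype, "unknown")}
        if mtype == 3 and len(blob) >= 64:  # assumes the 64-byte header with flags
            wide = bool(struct.unpack_from("<I", blob, 60)[0] & 0x1)  # Unicode flag
            for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
                info[name] = _ntlm_field(blob, pos, wide)
        return info
    return {"scheme": scheme, "error": "unrecognised token"}

def sample_type3(domain, user, host):
    """Constructed NTLM type 3 token for the demo; response fields are empty."""
    empty, offset, fields, body = struct.pack("<HHI", 0, 0, 64), 64, b"", b""
    for part in (s.encode("utf-16-le") for s in (domain, user, host)):
        fields += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
        body += part
    msg = NTLM_SIG + struct.pack("<I", 3) + empty * 2 + fields + empty
    return "NTLM " + base64.b64encode(msg + struct.pack("<I", 0x1) + body).decode()

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"EXAMPLE\\alice:not-shown").decode()
    for header in (basic, sample_type3("EXAMPLE", "alice", "LAPTOP01")):
        print(classify_proxy_auth(header))
```

A client outside the domain that keeps sending NTLM messages instead of a Basic header is answering the NTLM prompt, which is the case described above as bound to fail.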

