[squid-users] Authentication Problem

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 4 01:55:07 UTC 2015


On 4/12/2015 9:46 a.m., Dima Ermakov wrote:
> Hi!
> I have a problem with authentiation.
> 
> I use samba ntlm authentication in my network.
> 
> Some users ( not all ) have problems with http traffic.
> 
> They see basic authentication request.

Meaning you *dont* have NTLM authentication on your network.

Or you are making the mistake of thinking a popup means Basic
authentication.

> If they enter correct domain login and password, they have auth error.
> If this users try to open https sites: all works good, they have not any
> type of errors.

So,
 a) they are probably not going through this proxy, or
 b) the browser is suppressing the proxy-auth popups, or
 c) the authentication request is not coming from *your* proxy.

> 
> So we have errors only with unencrypted connections.
> 
> I have this error on two servers:
> debian8, squid3.4 (from repository)
> CentOS7, squid3.3.8 (from repository).
> 

Two things to try:

1) Adding a line like this before the group access controls in
frntend.conf. This will ensure that authentiation credentials are valid
before doing group lookups:
 http_access deny !AuthorizedUsers


2) checking up on the Debian winbind issue mentioned in
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

Im not sure about this it is likely to be involved on Debian, but CentOS
is not known to have that issue.


Oh and:
 3) remove the "acl manager" line from squid.conf.

 4) change your cachemgr_passwd. Commenting it out does not hide it from
view when you post it on this public mailing list.

You should remove all the commented out directives as well, some of them
may be leading to misunderstanding of what the config is actually doing.


Amos


More information about the squid-users mailing list