[squid-users] ntlm_auth defaulting to succeed
Noel Kelly
nkelly at citrusnetworks.net
Sun Dec 6 20:54:59 UTC 2015
Thanks for this Francesco. I have been experimenting with the various
authenticators without much success.
I have compiled squid-3.5.11 from source and ntlm_fake_auth doesn't
appear to work. I have scoured the docs and the forums but I can't find
anyone saying it doesn't work.
I have it set up like this in my squid.conf:
auth_param ntlm program /usr/local/squid/libexec/ntlm_fake_auth -d -v -S
but I just get denied access whilst sending ADS 2008R2 domain
authentication via Firefox:
==> /usr/local/squid/var/logs/access.log <==
1449434911.652 0 192.168.5.35 TCP_DENIED/407 4473 GET
http://www.bbc.co.uk/ - HIER_NONE/- text/html
==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0020] 06 01 B1 1D 00 00 00 0F 00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010] AE AA AA AA 07 82 08 A2 E4 9D FA 04 45 14 D1 A5 ........ ....E...
[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030] 50 P
==> /usr/local/squid/var/logs/access.log <==
1449434911.660 0 192.168.5.35 TCP_DENIED/407 4640 GET
http://www.bbc.co.uk/ - HIER_NONE/- text/html
1449434911.706 0 192.168.5.35 TCP_IMS_HIT/304 249 GET
http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png
1449434913.266 0 192.168.5.35 TCP_DENIED/407 4473 GET
http://www.bbc.co.uk/ - HIER_NONE/- text/html
==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0020] 06 01 B1 1D 00 00 00 0F 00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010] AE AA AA AA 07 82 08 A2 CE 7D A2 0A 08 8A 68 B2 ........ ......h.
[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030] 50 P
==> /usr/local/squid/var/logs/access.log <==
1449434913.272 0 192.168.5.35 TCP_DENIED/407 4640 GET
http://www.bbc.co.uk/ - HIER_NONE/- text/html
1449434913.319 0 192.168.5.35 TCP_IMS_HIT/304 249 GET
http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/-
image/png
I have tried ntlm_fake_auth.pl.in and ntlm_smb_lm_auth without success
too. We have used ntlm_auth for years but have issues with the process
sometimes failing due to ADS password changes etc so hence the desire
for a dummy/fake authentication.
Does anyone know if ntlm_fake_auth should work with squid v3.5.11 ?
Many thanks
Noel
On 03/12/15 05:19, Kinkie wrote:
> Hi,
> you can check the ntlm_fake_auth helper; it'll blandly trust
> anything the user says.
>
> On Wed, Dec 2, 2015 at 10:10 PM, Noel Kelly <nkelly at citrusnetworks.net> wrote:
>> Hello All
>>
>> We have been using Squid and ntlm_auth for many years with mainly success.
>> However we have always had a few annoyances like continual authentication
>> pop-ups if a user has changed their password and not restarted their session
>> or, as now, persistent popups which seem related to a browser update (Google
>> Chrome is the suspect currently).
>>
>> It occurred to me that these days we don't use ntlm_auth to block Internet
>> access per se but rather to capture the username to manage access using ACLs
>> and the username.
>>
>> So I was wondering if anyone had any ideas for a Squid config where the
>> ntlm_auth helper always succeeded regardless of the password so the user
>> gets waved through and Squid has the username needed to process the ACLs?
>>
>> Thanks
>> Noel
>
--
=======================
Noel Kelly
Citrus Networks
m: 07939 528 478
t: 0207 100 2410
e:nkelly at citrusnetworks.net
=======================
Citrus Networks UK Ltd is registered
in England and Wales with company
number 3927941. Registered Office:
Gladstone House, 77-79 High St,
Egham, Surrey TW20 9HY.
VAT Reg. 748716690
=======================
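
Added example, not part of the original message and not Squid's own code: Python that rebuilds the first 'YR' (type 1) and 'TT' (type 2) NTLMSSP messages from the helper debug dump in the cache.log excerpt above and decodes their fixed header fields, so the exchange can be checked field by field. The function names are hypothetical, the byte strings are transcribed from the post, and the field offsets assume the standard NTLMSSP negotiate/challenge layout.

```python
import re
import struct

# Transcribed from the first 'YR' / 'TT' pair in the cache.log excerpt above.
YR_DUMP = """\
[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0020] 06 01 B1 1D 00 00 00 0F 00 00 ........ ..
"""
TT_DUMP = """\
[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010] AE AA AA AA 07 82 08 A2 E4 9D FA 04 45 14 D1 A5 ........ ....E...
[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030] 50 P
"""

def dump_to_bytes(dump):
    """Rebuild the raw message from '[offs] HH HH ... ascii' debug lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\[([0-9A-Fa-f]{4})\]\s+(.*)", line)
        if not m:
            continue
        for tok in m.group(2).split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def parse_ntlmssp(msg):
    """Decode the fixed header of an NTLMSSP type 1 or type 2 message."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    info = {"type": struct.unpack_from("<I", msg, 8)[0], "length": len(msg)}
    if info["type"] == 1:    # NEGOTIATE: flags at 12, optional version at 32
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
        if info["flags"] & 0x02000000 and len(msg) >= 40:  # version present
            major, minor, build = struct.unpack_from("<BBH", msg, 32)
            info["client_version"] = f"{major}.{minor}.{build}"
    elif info["type"] == 2:  # CHALLENGE: target-name fields, flags, challenge
        tlen, _tmax, toff, flags = struct.unpack_from("<HHII", msg, 12)
        info.update(flags=flags, challenge=msg[24:32].hex(),
                    target_len=tlen, target_offset=toff,
                    target_in_bounds=toff + tlen <= len(msg))
    return info

if __name__ == "__main__":
    for dump in (YR_DUMP, TT_DUMP):
        print(parse_ntlmssp(dump_to_bytes(dump)))
```

Run against the dump above, the type 2 message decodes with a TargetName length of 9 and a buffer offset of 0xAAAAAAAE in a 49-byte message, while the string WORKGROUP itself sits at offset 40.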