[squid-users] Problems with NTLM authentication
Verónica Ovando
vero.ovando at live.com
Tue Nov 24 15:08:25 UTC 2015
My Squid Version: Squid 3.4.8
OS Version: Debian 8
I have installed Squid on a server using Debian 8 and seem to have the basics operating; at least when I start the squid service, I am no longer getting any error messages. At this time, the goal is to authenticate users from Active Directory and log the user and the websites they are accessing.
I followed the official guide http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I verified that samba is properly configured, as the guide suggests, with the basic helper in this way:
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
domain\user pass
OK
Here is a part of my squid.conf where I defined my ACLs for the groups in AD:
========================================================================================================
# NTLM (NTLMSSP) scheme, offered first to browsers
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30
# Basic scheme as fallback for clients that cannot do NTLM
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours
# AD group lookup helper; the type name must match the name used in the "acl ... external" lines below
external_acl_type Grupos_AD ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados
acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"
http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados
========================================================================================================
I tested using only the basic scheme (I commented out the lines for NTLM auth) and every time I open the browser it asks me for my user and pass. And it works well, because I can see my username in the access.log and all the access policies defined are correctly applied.
But if I use NTLM auth, the browser still shows me the pop-up (it must not be shown), and if I enter my user and pass it still asks me for them until I cancel it.
My access.log, in that case, shows a TCP_DENIED/407 as expected.
What could be the problem? I suppose that both Kerberos and NTLM protocols work together, I mean that they can live together in the same environment and Kerberos is used by default. How can I check that NTLM is really working? Could it be a Squid problem in the conf? Or maybe AD is not allowing NTLM traffic?
Sorry for my English. Thanks in advance.
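As an added example (not from the poster's mail or the Squid project), a small Python check that reads a squid.conf fragment and reports "acl ... external" lines whose external_acl_type was not defined earlier in the file, and http_access rules that name ACLs never declared. The sample fragment is constructed, modelled on the posted one, with a deliberately mismatched type name and a missing "gob" acl; the set of built-in ACL names is an assumption for Squid 3.2 and later.

```python
import re

# Constructed squid.conf fragment modelled on the posted one. The external
# type is defined as AD_Grupos but referenced as Grupos_AD, and the "gob"
# acl used in http_access is intentionally left out.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30
external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados
acl face url_regex -i "/etc/squid3/facebook"
http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados
"""

# ACL names Squid 3.2+ predefines (assumption; adjust for other versions).
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

def lint_squid_acls(conf_text):
    """Return a list of problem strings. Squid parses sequentially, so an
    external_acl_type must appear before any acl that uses it; the check
    therefore tracks definitions in file order."""
    ext_types, acls, problems = set(), set(BUILTIN_ACLS), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "external_acl_type" and len(parts) > 1:
            ext_types.add(parts[1])
        elif parts[0] == "acl" and len(parts) > 2:
            acls.add(parts[1])
            if parts[2] == "external":
                if len(parts) < 4:
                    problems.append(f"acl {parts[1]}: external needs a type name")
                elif parts[3] not in ext_types:
                    problems.append(f"acl {parts[1]}: external_acl_type {parts[3]!r} not defined")
        elif parts[0] == "http_access" and len(parts) > 2:
            for token in parts[2:]:          # a leading "!" negates the acl
                name = token.lstrip("!")
                if name not in acls:
                    problems.append(f"http_access: acl {name!r} not defined")
    return problems

if __name__ == "__main__":
    for problem in lint_squid_acls(SAMPLE_CONF):
        print(problem)
```

Run it against the real /etc/squid3/squid.conf by passing the file contents to lint_squid_acls; an empty list means every external type and every ACL used in http_access is declared.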