[squid-users] Strange NTLM problem.
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Tue Jun 28 12:45:17 UTC 2016
On 28/06/2016 03:14, drcimino drcimino wrote:
> Dear all,
> I have a strange problem with my Squid 3.5.19 and NTLM authentication.
> In my configuration I have 2 auth methods:
> NTLM, negotiated with ntlm_auth from Samba 3:
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 200 startup=100 idle=10 concurrency=0
> auth_param ntlm keep_alive on
>
> and basic NTLM as a fallback:
> auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> TTL
>
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
>
> Group identification with LDAPS:
> external_acl_type NAV children-max=200 children-startup=100 children-idle=10 ttl=1800 %LOGIN \
>     /usr/local/squid/libexec/ext_ldap_group_acl -s sub -b "dc=domain,dc=xxx" \
>     -D "cn=squid,cn=Users,dc=domain,dc=xxx" -w "password" \
>     -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" \
>     -S -K -H ldaps://domain.xxx:3269
I've been using the helper "ext_wbinfo_group_acl" to work with AD groups
and transparent authentication for domain members. The config below also
makes the auth pop-up show when the machine isn't a member of the
domain, so there's no need for the fallback part. You just have to configure
Kerberos and Samba, join the Squid machine to the domain with "net ads
join" and enable winbind.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
# build-time ./configure option used to get the helper built, not an ntlm_auth argument:
# --enable-external-acl-helpers="ext_wbinfo_group_acl"
auth_param ntlm children 10 startup=0 idle=2
external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl authenticated proxy_auth REQUIRED
acl ad_group external NTGroup MYDOMAIN\AD_Group
acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
http_access deny ad_group denied_websites
In my set of ACLs, the pop-up was also appearing on specific sites.
Changing the order of the ACLs made it stop appearing for me.
This:
http_access allow website_list user_list
seems to work differently from this:
http_access allow user_list website_list
Bruno
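The difference between the two orders follows from how Squid walks an http_access line: the ACL names on a line are tested left to right and the line is abandoned at the first non-match, and a proxy_auth ACL (or an external ACL that takes %LOGIN) tested on a request carrying no credentials makes Squid answer 407 Proxy Authentication Required, which is what the browser shows as the pop-up. The block below is an added illustration of that evaluation, not code from this thread or from Squid itself; the ACL names, hostnames and user names are made up, and the "deny all" tail after each allow line is an assumption.

```python
"""Model of how Squid walks http_access lines, used to show why the order of
ACL names on one line changes where the proxy-auth pop-up appears.

Added illustration, not code from the squid-users thread or from Squid itself.
It mirrors documented Squid behaviour: the ACL names on one http_access line are
tested left to right and the line is abandoned at the first non-match; a
proxy_auth ACL (or an external ACL taking %LOGIN) that is tested for a request
carrying no credentials makes Squid answer 407 Proxy Authentication Required;
when no line matches, the default is the opposite of the last line's action.
The ACL names, hostnames and user names below are made up for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    host: str
    user: Optional[str] = None  # None: browser sent no Proxy-Authorization header


@dataclass
class Acl:
    kind: str                   # "all", "dstdomain", "proxy_auth" or "external_login"
    values: Set[str] = field(default_factory=set)

    def test(self, req: Request):
        """True / False for a normal match; the string "407" when the ACL needs
        credentials that the request does not carry."""
        if self.kind == "all":
            return True
        if self.kind == "dstdomain":
            # ".intranet.example" matches the domain itself and any subdomain
            return any(req.host == d.lstrip(".") or req.host.endswith(d)
                       for d in self.values)
        if self.kind in ("proxy_auth", "external_login"):
            if req.user is None:
                return "407"
            if "REQUIRED" in self.values:
                return True
            return req.user in self.values   # named users / group members
        raise ValueError(f"unknown acl type {self.kind}")


Rule = Tuple[str, List[str]]   # ("allow" | "deny", [acl names])


def http_access(rules: List[Rule], acls: dict, req: Request) -> str:
    """Evaluate http_access lines in squid.conf order and return
    "allow", "deny" or "407 challenge"."""
    for action, names in rules:
        for name in names:
            result = acls[name].test(req)
            if result == "407":
                return "407 challenge"    # auth ACL reached without credentials
            if not result:
                break                     # this line does not apply; try the next
        else:
            return action                 # every ACL on the line matched
    last_action = rules[-1][0]            # no line matched: opposite of the last line
    return "deny" if last_action == "allow" else "allow"


# Constructed ACLs and the two orderings from the thread, each followed by an
# assumed "http_access deny all" tail.
ACLS = {
    "all": Acl("all"),
    "website_list": Acl("dstdomain", {".intranet.example"}),
    "user_list": Acl("proxy_auth", {"REQUIRED"}),
}
SITE_FIRST = [("allow", ["website_list", "user_list"]), ("deny", ["all"])]
USER_FIRST = [("allow", ["user_list", "website_list"]), ("deny", ["all"])]


def decide(rules: List[Rule], req: Request) -> str:
    return http_access(rules, ACLS, req)


if __name__ == "__main__":
    for label, rules in (("website_list first", SITE_FIRST),
                         ("user_list first", USER_FIRST)):
        for req in (Request("www.public.example"),
                    Request("wiki.intranet.example"),
                    Request("wiki.intranet.example", user="alice")):
            print(f"{label:20} {req.host:24} user={req.user!s:6} -> {decide(rules, req)}")
```

With user_list first, an unauthenticated request to any host reaches the proxy_auth ACL and is challenged, so the pop-up appears everywhere; with website_list first, only requests for the listed sites reach it and every other host falls through to the next line. This is why auth ACLs are normally placed last on an allow line: they are then only consulted for traffic the rest of the line already selected.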