Squid NTLM passthrough to parent ISA

[_Jo_]

I've tried for a few days now to get my squid configuration to work with a parent ISA server using NTLM. I've read through a lot of really good threads on edugeek and elsewhere to get it this far, but I just can't get the authentication to work.

Initial installation seemed to go ok. Samba, winbind appear to work.

However, when I request a page in a browser, I get 3 pop up boxes asking for user / password.

squid access.log shows:

Code:

1206709266.220 7 <source IP> TCP_denied/407 2287 GET http://www.google.co.uk/ - NONE/- text/html

After 3 retries of putting in a user/password (and I was hoping it wouldn't prompt at all) I then get an error page from the parent proxy:

HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)

-----------------------------------------------------------------
Internet Security and Acceleration Server
ISA Server: ISA.<somain>
Via: 1.0 UBFW.<domain>:3128 (squid/2.6.STABLE14)

wbinfo -t

checking the trust secret via RPC calls succeeded

net ads status -U <username>

Outputs a lot of information about the squid host from AD

my squid.conf contains

Code:

cache_peer servername parent 8080 0 default no-query login=PASS

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
authenticate_ttl 180 seconds
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users

IF I change the parent proxy address to that of another Linux box I have here running NTLMAPS, the request goes through and I can browse.
So I must be getting something really wrong with my squid.conf as far as the authentication side goes.

I've tried specifying a user/password on the cache_peer line and that didn't work either. I still got prompted at the client, and it still failed.

Any help appreciated, getting a bit fed up!

Jo

Ubuntu server 7.10
Squid v2.6.STABLE14
NTLM_AUTH Version 3.0.26a

[Geoff]

Squid cannot be used as a NTLM auth client to another proxy. You must configure another authentication method that squid supports on your parent ISA proxy (eg, basic). Alternatively add an IP rule so that squid does not need to authenticate.

[monkeyx]

Does this answer your question ?

use 'login=PASS' if users must authenticate against
the upstream proxy. This will pass the users credentials
as they are to the peer proxy. This only works for the
Basic HTTP authentication sheme. Note: To combine this
with proxy_auth both proxies must share the same user
database as HTTP only allows for one proxy login.
Also be warned this will expose your users proxy
password to the peer. USE WITH CAUTION


Could you explain a little more about what you are trying to do.

I currently have squid/dansgauradian logging ntml usernames for all staff/students so that we can apply local policies and track usernames.

We then forward all requests to the LEA ISA server, which does not track credentialls only IP addresses. So we do not need the PASS option.

[el8linuxel8]

Check out ntlmaps, probably not really practical but you could mod it, pretty simple python.

[_Jo_]

...This only works for the
Basic HTTP authentication sheme.

Oops. I remember reading that bit now. Back to square 1.
Thanks for pointing that out.

Could you explain a little more about what you are trying to do.

I wanted to put all pupil requests through DansGuardian before they went on to the LEA ISA proxy server, which requires authentication. They also log all access and put requests through websense.

I could put them all through NTLMAPS, but as far as I know, all access would then be recorded at the LEA under the same username. (This is the only way I've configured it before.)

@Geoff:
"Alternatively add an IP rule so that squid does not need to authenticate."
Is this simple? Would DG still work with this configuration?
I thought squid would have to authenticate with the ISA.

Jo

[_Jo_]

The ISA doesn't appear to support basic authentication. So I've tried putting NTLMAPS on the server and running all internet access through that so:

Client -> dansguardian -> squid -> ntlmaps -> ISA

While this works, I'm not sure if it will work quickly enough for 250 users at the same time.

The clients still get prompted for authentication by squid when the open a new browser. Is there any way to avoid this and still record the usernames?

[Geoff]

There is something wrong with NTLM auth in your dansguardian/Squid configuration. It should be transparent. Do you have a new enough version of dansguardian to support ntlm pass through?

[_Jo_]

Hi Geoff, It's running Dansguardian 2.8.0.6

[DMcCoy]

Hi Geoff, It's running Dansguardian 2.8.0.6

You need 2.9 for the ntlm passthrough, 2.8 needs squid (ntlm) -> dansguardian -> squid

[_Jo_]

You need 2.9 for the ntlm passthrough, 2.8 needs squid (ntlm) -> dansguardian -> squid

2 Instances of squid? That sounds complicated. I'm having trouble configuring one instance properly at the moment! (I'll get the hang of it eventually)

I'll give 2.9 a try.
(the webmin report viewer said it didn't work with that version. Typical.)

Is there any way I can get squid to talk to the ISA directly? ISA is set not to allow basic auth. I don't really want to use NTLMAPS as we could have 250 people connecting at the same time and I'm not sure how it'll cope.

[DMcCoy]

2 Instances of squid? That sounds complicated. I'm having trouble configuring one instance properly at the moment! (I'll get the hang of it eventually)

I'll give 2.9 a try.
(the webmin report viewer said it didn't work with that version. Typical.)

Is there any way I can get squid to talk to the ISA directly? ISA is set not to allow basic auth. I don't really want to use NTLMAPS as we could have 250 people connecting at the same time and I'm not sure how it'll cope.

webmin doesn't work with 2.9 at all, no update appears to be on the horizon either. I was going to get smoothwall instead

[el8linuxel8]

Webmin is bad in general, some of the perl code in it is terrible! I'd configure it manually, id imagine there are alot of docs online on how to setup squid and dansguardian.

[_Jo_]

Webmin is bad in general, some of the perl code in it is terrible! I'd configure it manually, id imagine there are alot of docs online on how to setup squid and dansguardian.

I have been configuring it manually.
I put webmin on as an afterthought to view the log files.

Ok... installing DG 2.9 : installs ok, but when I try to run it I get

Unable to getgrnam(): Success

and DG won't start.

[Geoff]

In your dansguardian.conf, what is the 'daemongroup' option set to?

[_Jo_]

In your dansguardian.conf, what is the 'daemongroup' option set to?

Both commented out.

# daemonuser='nobody'
# daemongroup='nobody'

(I just tried uncommenting them and restarting, and same error.)

Edit:
Hm. Just tried changing that to
# daemonuser='nobody'
# daemongroup='nogroup'
and restarted:
Error openting / creating log file. (Check ownership and access rights).
I am running as nobody and I am trying to open /var/log/dansguardian/access.log