  1. #1 (_Jo_)

    Squid NTLM passthrough to parent ISA

    I've tried for a few days now to get my squid configuration to work with a parent ISA server using NTLM. I've read through a lot of really good threads on edugeek and elsewhere to get it this far, but I just can't get the authentication to work.

    Initial installation seemed to go ok. Samba, winbind appear to work.

    However, when I request a page in a browser, I get 3 pop up boxes asking for user / password.

    squid access.log shows:
    Code:
    1206709266.220 7 <source IP> TCP_denied/407 2287 GET http://www.google.co.uk/ - NONE/- text/html
    After 3 retries of putting in a user/password (and I was hoping it wouldn't prompt at all) I then get an error page from the parent proxy:
    HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)

    -----------------------------------------------------------------
    Internet Security and Acceleration Server
    ISA Server: ISA.<domain>
    Via: 1.0 UBFW.<domain>:3128 (squid/2.6.STABLE14)

    wbinfo -t
    checking the trust secret via RPC calls succeeded

    net ads status -U <username>
    Outputs a lot of information about the squid host from AD

    my squid.conf contains
    Code:
    # forward everything to the ISA parent; login=PASS hands the client's proxy credentials through
    cache_peer servername parent 8080 0 default no-query login=PASS

    # NTLM via Samba's ntlm_auth helper, with a basic fallback for clients that cannot do NTLM
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    authenticate_ttl 180 seconds
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

    # require a successful proxy login before allowing any access
    acl ntlm_users proxy_auth REQUIRED
    http_access allow ntlm_users

    If I change the parent proxy address to that of another Linux box I have here running NTLMAPS, the request goes through and I can browse.
    So I must be getting something really wrong with my squid.conf as far as the authentication side goes.

    I've tried specifying a user/password on the cache_peer line and that didn't work either. I still got prompted at the client, and it still failed.

    Any help appreciated, getting a bit fed up!

    Jo

    Ubuntu server 7.10
    Squid v2.6.STABLE14
    NTLM_AUTH Version 3.0.26a
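    As an added example that is not from the thread or from Squid itself, a small Python script (function names are my own) that parses access.log lines like the one quoted above and separates Squid's own 407 challenges (peer status NONE/-) from 407s relayed back from the parent proxy, which is exactly the distinction that was hard to see here:

```python
"""Added example, not from the thread: parse Squid 2.x native access.log lines,
separate Squid's own proxy-auth (407) challenges from 407s relayed by the parent,
and flag clients that keep looping on them."""
import re
from collections import Counter
# Squid native format (one request per line):
# time elapsed client result/status bytes method url user peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\w+)/(?P<peerhost>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """'local-407': Squid challenged the client itself (no peer, NONE/-).
    'upstream-407': the 407 came back from the parent (the ISA here).
    'ok': anything else."""
    if rec["status"] != "407":
        return "ok"
    return "local-407" if rec["peer"] == "NONE" else "upstream-407"

def auth_loops(lines, threshold=3):
    """Count 407s per (client, kind) and return those reaching threshold:
    clients that are being re-challenged instead of authenticated."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec) if rec else "ok"
        if kind != "ok":
            counts[(rec["client"], kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample modelled on the line in the thread: the poster's <source IP>
# replaced by a private address; DOMAIN\alice, DOMAIN\bob, isa.example.lan made up.
SAMPLE = r"""
1206709266.220 7 10.0.0.5 TCP_DENIED/407 2287 GET http://www.google.co.uk/ - NONE/- text/html
1206709267.110 6 10.0.0.5 TCP_DENIED/407 2287 GET http://www.google.co.uk/ - NONE/- text/html
1206709268.050 8 10.0.0.5 TCP_DENIED/407 2287 GET http://www.google.co.uk/ - NONE/- text/html
1206709269.300 95 10.0.0.5 TCP_MISS/407 1511 GET http://www.google.co.uk/ DOMAIN\alice FIRST_UP_PARENT/isa.example.lan text/html
1206709270.100 412 10.0.0.7 TCP_MISS/200 5123 GET http://www.bbc.co.uk/ DOMAIN\bob FIRST_UP_PARENT/isa.example.lan text/html
""".strip().splitlines()

if __name__ == "__main__":
    for (client, kind), n in sorted(auth_loops(SAMPLE, threshold=1).items()):
        print(f"{client}: {n} x {kind}")
```

    Three local 407s in a row for one client with no username recorded is the browser giving up after its retries; a 407 with a FIRST_UP_PARENT peer status means the parent rejected the credentials Squid forwarded.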

  2. #2 (Geoff)

    Squid cannot be used as an NTLM auth client to another proxy. You must configure another authentication method that squid supports on your parent ISA proxy (eg, basic). Alternatively add an IP rule so that squid does not need to authenticate.

  3. #3 (monkeyx)

    Does this answer your question ?

    use 'login=PASS' if users must authenticate against
    the upstream proxy. This will pass the users' credentials
    as they are to the peer proxy. This only works for the
    Basic HTTP authentication scheme. Note: To combine this
    with proxy_auth both proxies must share the same user
    database as HTTP only allows for one proxy login.
    Also be warned this will expose your users' proxy
    password to the peer. USE WITH CAUTION


    Could you explain a little more about what you are trying to do.

    I currently have squid/dansguardian logging ntlm usernames for all staff/students so that we can apply local policies and track usernames.

    We then forward all requests to the LEA ISA server, which does not track credentials, only IP addresses. So we do not need the PASS option.

  4. #4 (el8linuxel8)

    Check out ntlmaps, probably not really practical but you could mod it, pretty simple python.

  5. #5 (_Jo_)

    Quote Originally Posted by monkeyx:
    ...This only works for the
    Basic HTTP authentication scheme.
    Oops. I remember reading that bit now. Back to square 1.
    Thanks for pointing that out.

    Quote Originally Posted by monkeyx:
    Could you explain a little more about what you are trying to do.
    I wanted to put all pupil requests through DansGuardian before they went on to the LEA ISA proxy server, which requires authentication. They also log all access and put requests through websense.

    I could put them all through NTLMAPS, but as far as I know, all access would then be recorded at the LEA under the same username. (This is the only way I've configured it before.)

    @Geoff:
    "Alternatively add an IP rule so that squid does not need to authenticate."
    Is this simple? Would DG still work with this configuration?
    I thought squid would have to authenticate with the ISA.

    Jo

  6. #6 (_Jo_)

    The ISA doesn't appear to support basic authentication. So I've tried putting NTLMAPS on the server and running all internet access through that so:

    Client -> dansguardian -> squid -> ntlmaps -> ISA

    While this works, I'm not sure if it will work quickly enough for 250 users at the same time.

    The clients still get prompted for authentication by squid when they open a new browser. Is there any way to avoid this and still record the usernames?

  7. #7 (Geoff)

    There is something wrong with NTLM auth in your dansguardian/Squid configuration. It should be transparent. Do you have a new enough version of dansguardian to support ntlm pass through?

  8. #8 (_Jo_)

    Hi Geoff, It's running Dansguardian 2.8.0.6

  9. #9 (DMcCoy)

    Quote Originally Posted by _Jo_:
    Hi Geoff, It's running Dansguardian 2.8.0.6
    You need 2.9 for the ntlm passthrough, 2.8 needs squid (ntlm) -> dansguardian -> squid

  10. #10 (_Jo_)

    Quote Originally Posted by DMcCoy:
    You need 2.9 for the ntlm passthrough, 2.8 needs squid (ntlm) -> dansguardian -> squid
    2 Instances of squid? That sounds complicated. I'm having trouble configuring one instance properly at the moment! (I'll get the hang of it eventually)

    I'll give 2.9 a try.
    (the webmin report viewer said it didn't work with that version. Typical.)

    Is there any way I can get squid to talk to the ISA directly? ISA is set not to allow basic auth. I don't really want to use NTLMAPS as we could have 250 people connecting at the same time and I'm not sure how it'll cope.

  11. #11 (DMcCoy)

    Quote Originally Posted by _Jo_:
    2 Instances of squid? That sounds complicated. I'm having trouble configuring one instance properly at the moment! (I'll get the hang of it eventually)

    I'll give 2.9 a try.
    (the webmin report viewer said it didn't work with that version. Typical.)

    Is there any way I can get squid to talk to the ISA directly? ISA is set not to allow basic auth. I don't really want to use NTLMAPS as we could have 250 people connecting at the same time and I'm not sure how it'll cope.
    Webmin doesn't work with 2.9 at all, and no update appears to be on the horizon either. I was going to get smoothwall instead.

  12. #12 (el8linuxel8)

    Webmin is bad in general, some of the perl code in it is terrible! I'd configure it manually; I'd imagine there are a lot of docs online on how to set up squid and dansguardian.

  13. #13 (_Jo_)

    Quote Originally Posted by el8linuxel8:
    Webmin is bad in general, some of the perl code in it is terrible! I'd configure it manually; I'd imagine there are a lot of docs online on how to set up squid and dansguardian.
    I have been configuring it manually.
    I put webmin on as an afterthought to view the log files.

    OK... installing DG 2.9: it installs OK, but when I try to run it I get

    Unable to getgrnam(): Success

    and DG won't start.
    Last edited by _Jo_; 2nd April 2008 at 01:29 PM.

  14. #14 (Geoff)

    In your dansguardian.conf, what is the 'daemongroup' option set to?

  15. #15 (_Jo_)

    Quote Originally Posted by Geoff:
    In your dansguardian.conf, what is the 'daemongroup' option set to?
    Both commented out.

    # daemonuser='nobody'
    # daemongroup='nobody'

    (I just tried uncommenting them and restarting, and same error.)

    Edit:
    Hm. Just tried changing that to
    # daemonuser='nobody'
    # daemongroup='nogroup'
    and restarted:
    Error openting / creating log file. (Check ownership and access rights).
    I am running as nobody and I am trying to open /var/log/dansguardian/access.log
    Last edited by _Jo_; 2nd April 2008 at 02:31 PM.
