NTLM auth squid

[Jackd]

Hi,
Ive joined my proxy to the domain (its running ubuntu 7.10 server) and i think ive configured squid to authenticate with the domain using NTLM. I can run wbinfo -u and it lists the users on the domain so i can tell its joined correctly.
Heres the auth_ntlm part of the squid file

Code:

##ADDED BY JACK
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds

# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds

And for my ACL ive got

Code:

acl passwd proxy_auth REQUIRED

Code:

http_access allow passwd

It doesnt seem to be putting the users name in the access.log file, how can i check that its authenticating properly.

Heres my full squid.conf

[Geoff]

any errors in the cache.log? Is samba configured correctly (eg, does wbinfo -t/-g/u work?)? Have you allowed squid access to the winbindd named pipe?

[Jackd]

No errors in cache.log, wbinfo -t/-u/-g all work correctly, and how would i check if squid has access to the winbind named pipe?

[Geoff]

Check the permissions on the directory the pipe is located. Squid needs to be able to read from the pipe.

[Jackd]

Wheres that located?

[Jackd]

Found it, ive chmod'ed that to 0777 for the time being, now in cache.log im getting,

Code:

AclAuthenticated: authentication not applicable on transparently intercepted requests

I thought NTLM could be made to work with transparent requests?

[Geoff]

No, because browsers wont let you.

SquidFaq/InterceptionProxy - Squid Web Proxy Wiki

[Jackd]

I thought you had something that worked transparently like that? Nevermind ill just set the proxy on the clients.

[Geoff]

You can either have a transparent proxy with no authentication. Or a normal proxy with authentication.

[tom_newton]

Actually... it is possible to do both - we do.
I don't know precisely how it works, and it isn't exactly standard procedure, but we can get NTLM auth working in transparent proxy mode. AFAIK only ourselves and Bluecoat have managed this.

[Geoff]

But that's evil, it's a man in the middle attack and a huge security hole..