  1. #1

    Join Date
    Jan 2007
    Location
    Durham, UK
    Posts
    328
    Thank Post
    33
    Thanked 17 Times in 12 Posts
    Rep Power
    20

    NTLM auth squid

    Hi,
    I've joined my proxy to the domain (it's running Ubuntu 7.10 server) and I think I've configured squid to authenticate with the domain using NTLM. I can run wbinfo -u and it lists the users on the domain, so I can tell it's joined correctly.
    Here's the auth_ntlm part of the squid file
    Code:
    ##ADDED BY JACK
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 10
    #auth_param ntlm max_challenge_reuses 0
    #auth_param ntlm max_challenge_lifetime 2 minutes
    #auth_param ntlm use_ntlm_negotiate off
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Domain Proxy Server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    authenticate_cache_garbage_interval 10 seconds
    
    # Credentials past their TTL are removed from memory
    authenticate_ttl 0 seconds
    And for my ACL I've got
    Code:
    acl passwd proxy_auth REQUIRED
    Code:
    http_access allow passwd
    It doesn't seem to be putting the user's name in the access.log file. How can I check that it's authenticating properly?

    Here's my full squid.conf
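One way to answer the question in post #1, as an added example that is not part of the thread: in Squid's native access.log format the user name is the eighth field, so counting requests with and without it shows whether logins are being applied. The log lines, addresses and the user name jsmith are constructed.

```shell
#!/bin/sh
# Constructed sample in Squid's native access.log format (not from the thread).
# Fields: time elapsed client result/status bytes method URL user peer type
sample_log() {
    cat <<'EOF'
1208510000.123      2 10.0.0.21 TCP_DENIED/407 1789 GET http://example.com/ - NONE/- text/html
1208510000.140      1 10.0.0.21 TCP_DENIED/407 2001 GET http://example.com/ - NONE/- text/html
1208510000.310    155 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ jsmith DIRECT/192.0.2.10 text/html
1208510004.002     80 10.0.0.22 TCP_MISS/200 812 GET http://example.org/a.css - DIRECT/192.0.2.11 text/css
EOF
}

# auth_summary: read access.log lines on stdin and count
#   challenges    - 407 responses (Squid asking the browser to authenticate)
#   authenticated - requests logged with a user name in field 8
#   anonymous     - non-407 requests logged with "-" in field 8 (no login applied)
auth_summary() {
    awk '
        { split($4, res, "/") }
        res[2] == "407" { challenges++; next }
        $8 == "-"       { anonymous++; next }
                        { authenticated++ }
        END {
            printf "authenticated=%d anonymous=%d challenges=%d\n",
                   authenticated, anonymous, challenges
        }'
}

# anonymous_clients: client IPs that were answered without a user name
anonymous_clients() {
    awk '{ split($4, res, "/") } res[2] != "407" && $8 == "-" { print $3 }' | sort -u
}

sample_log | auth_summary
```

On a live proxy, feed the real log instead, for example `auth_summary < /var/log/squid/access.log` (the Debian/Ubuntu default path, assumed here). Challenges followed by authenticated requests mean NTLM is working; only anonymous entries mean the proxy_auth ACL is not being applied to that traffic.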

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,850
    Thank Post
    110
    Thanked 598 Times in 514 Posts
    Blog Entries
    1
    Rep Power
    227
    Any errors in the cache.log? Is samba configured correctly (e.g., does wbinfo -t/-g/-u work?)? Have you allowed squid access to the winbindd named pipe?

  4. #3

    No errors in cache.log, wbinfo -t/-u/-g all work correctly, and how would I check if squid has access to the winbind named pipe?

  5. #4

    Geoff's Avatar
    Check the permissions on the directory the pipe is located in. Squid needs to be able to read from the pipe.

  6. #5

    Where's that located?

  7. #6

    Found it, I've chmod'ed that to 0777 for the time being, now in cache.log I'm getting,
    Code:
    AclAuthenticated: authentication not applicable on transparently intercepted requests
    I thought NTLM could be made to work with transparent requests?
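A check for the pipe directory permissions discussed in the posts above, as an added example that is not part of the thread. It flags a world-accessible directory (such as one left at 0777) and tests whether the Squid account reaches it through group membership instead. The path /var/run/samba/winbindd_privileged, the group winbindd_priv and the Squid user proxy are Debian/Ubuntu defaults assumed here; the thread does not state them.

```shell
#!/bin/sh
# audit_pipe_dir DIR USER
# Prints one verdict and returns:
#   0 OK                user reaches DIR through its owning group
#   1 WORLD_ACCESSIBLE  "other" permission bits are set (e.g. after chmod 0777)
#   2 MISSING           DIR does not exist
#   3 NO_GROUP_ACCESS   user is not a member of DIR's owning group
# Requires stat -c (GNU coreutils or busybox).
audit_pipe_dir() {
    dir=$1 user=$2
    [ -d "$dir" ] || { echo "MISSING"; return 2; }

    # %a = octal mode, %u / %g = numeric owner and group of the directory
    set -- $(stat -c '%a %u %g' "$dir")
    mode=$1 gid=$3

    # The last octal digit is the "other" permission set. Any non-zero value
    # lets every local account reach winbindd's privileged pipe.
    case $mode in
        *[1-7]) echo "WORLD_ACCESSIBLE mode=$mode"; return 1 ;;
    esac

    # Intended setup (assumed packaging default): directory root:winbindd_priv,
    # mode 0750, with the Squid account added to that group.
    gids=$(id -G "$user" 2>/dev/null) || gids=""
    case " $gids " in
        *" $gid "*) echo "OK mode=$mode"; return 0 ;;
    esac
    echo "NO_GROUP_ACCESS mode=$mode gid=$gid"
    return 3
}

# Usage: sh audit.sh /var/run/samba/winbindd_privileged proxy
if [ "$#" -ge 1 ]; then
    audit_pipe_dir "$1" "${2:-proxy}"
fi
```

For a NO_GROUP_ACCESS verdict, adding the Squid account to the directory's group (for example `gpasswd -a proxy winbindd_priv`) and restarting Squid gives the helper access without loosening the directory mode.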

  8. #7

    Geoff's Avatar
    No, because browsers won't let you.

    SquidFaq/InterceptionProxy - Squid Web Proxy Wiki

  9. #8

    I thought you had something that worked transparently like that? Never mind, I'll just set the proxy on the clients.

  10. #9

    Geoff's Avatar
    You can either have a transparent proxy with no authentication, or a normal proxy with authentication.

  11. #10


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,487
    Thank Post
    867
    Thanked 855 Times in 675 Posts
    Rep Power
    197
    Actually... it is possible to do both - we do.
    I don't know precisely how it works, and it isn't exactly standard procedure, but we can get NTLM auth working in transparent proxy mode. AFAIK only ourselves and Bluecoat have managed this.

  12. #11

    Geoff's Avatar
    But that's evil, it's a man in the middle attack and a huge security hole..


