NTLM auth squid
I've joined my proxy to the domain (it's running Ubuntu 7.10 Server) and I think I've configured Squid to authenticate with the domain using NTLM. I can run wbinfo -u and it lists the users on the domain, so I can tell it's joined correctly.

Here's the auth_ntlm part of the squid file:

##ADDED BY JACK
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds

And for my ACL I've got:

acl passwd proxy_auth REQUIRED
http_access allow passwd

It doesn't seem to be putting the user's name in the access.log file. How can I check that it's authenticating properly?

Here's my full squid.conf
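One way to answer the "how can I check it's authenticating" question from access.log itself, as an added example that is not part of the original post: in Squid's native log format the eighth field is the authenticated user name and is "-" for requests that were not authenticated, and an NTLM handshake shows up as TCP_DENIED/407 challenges before the authenticated request. The log lines below are constructed for the demonstration; the user name format (DOMAIN\user) depends on the winbind separator in smb.conf.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise the user field of a
# Squid native-format access.log to see whether proxy_auth is filling it in.
# Native format:  time elapsed client code/status bytes method URL user hier type
# Field 8 (user) is "-" for unauthenticated requests.

# Constructed sample lines: one anonymous request, one 407 challenge and one
# request that completed NTLM auth as DOMAIN\jack (format depends on winbind).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1193000000.123    120 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1193000001.456     80 192.168.1.11 TCP_DENIED/407 2000 GET http://example.com/ - NONE/- text/html
1193000002.789    200 192.168.1.11 TCP_MISS/200 5678 GET http://example.com/ DOMAIN\jack DIRECT/192.0.2.10 text/html
EOF

# Number of requests whose user field was populated.
authenticated_requests() {
    awk '$8 != "-" { n++ } END { print n + 0 }' "$1"
}

# Number of requests with no user name at all.
unauthenticated_requests() {
    awk '$8 == "-" { n++ } END { print n + 0 }' "$1"
}

# Number of 407 Proxy Authentication Required responses (the NTLM challenges).
auth_challenges() {
    awk '$4 ~ /\/407$/ { n++ } END { print n + 0 }' "$1"
}

# Distinct user names seen, one per line.
proxy_auth_users() {
    awk '$8 != "-" { print $8 }' "$1" | sort -u
}

# Human-readable summary. If 407 challenges appear but no user name ever does,
# the helper is challenging clients without completing, so look at cache.log.
auth_report() {
    log=$1
    echo "authenticated requests:   $(authenticated_requests "$log")"
    echo "unauthenticated requests: $(unauthenticated_requests "$log")"
    echo "407 challenges:           $(auth_challenges "$log")"
    echo "users seen:"
    proxy_auth_users "$log" | sed 's/^/  /'
}

# Run on the constructed sample, or on a real log given as the first argument.
auth_report "${1:-$SAMPLE_LOG}"
```

Point it at the real file with `sh auth_report.sh /var/log/squid/access.log`; a healthy NTLM setup shows a 407 for a client's first request followed by requests carrying the user name.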
Any errors in cache.log? Is Samba configured correctly (e.g. do wbinfo -t/-g/-u work?)? Have you allowed Squid access to the winbindd named pipe?
No errors in cache.log, wbinfo -t/-u/-g all work correctly, and how would I check if Squid has access to the winbind named pipe?
Check the permissions on the directory the pipe is located in. Squid needs to be able to read from the pipe.
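A way to check that directory without resorting to chmod 0777, as an added example that is not from the thread: the function below reads the mode and group of the winbindd privileged pipe directory with stat and reports whether the named group (Squid's, usually proxy on Ubuntu) has read and traverse permission while the directory stays closed to everyone else. The path /var/run/samba/winbindd_privileged and the group name proxy are assumptions to check against your Samba and Squid packages, and the script uses GNU stat -c, so it is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the thread: verify the winbindd privileged pipe
# directory is readable by Squid's group without being world-writable.
# Assumed defaults (Ubuntu): directory /var/run/samba/winbindd_privileged,
# Squid running as group "proxy". Uses GNU stat -c (Linux only).

DEFAULT_PIPE_DIR=/var/run/samba/winbindd_privileged
DEFAULT_GROUP=proxy

# pipe_dir_ok DIR GROUP
# Returns 0 when DIR is owned by GROUP, the group has read+execute, and
# "other" has no write bit. Otherwise prints the problem and returns 1.
pipe_dir_ok() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "$dir: no such directory (is winbindd running?)"; return 1; }

    mode=$(stat -c '%a' "$dir")
    owner_group=$(stat -c '%G' "$dir")

    # Keep the last three octal digits (setgid/sticky bits may prefix a fourth).
    last3=${mode#"${mode%???}"}
    rest=${last3#?}          # drop the owner digit
    g=${rest%?}              # group digit
    o=${rest#?}              # other digit

    if [ "$owner_group" != "$group" ]; then
        echo "$dir: group is $owner_group, expected $group (try: chgrp $group $dir)"
        return 1
    fi
    case $g in
        5|7) ;;              # r-x or rwx for the group: Squid can open the pipe
        *) echo "$dir: group lacks read+execute (mode $mode; try: chmod 0750 $dir)"; return 1 ;;
    esac
    case $o in
        2|3|6|7) echo "$dir: world-writable (mode $mode); use chmod 0750, not 0777"; return 1 ;;
    esac
    echo "$dir: ok (mode $mode, group $group)"
    return 0
}

# Only check the live directory when invoked with arguments, so the function
# can also be sourced and tested on its own.
if [ $# -gt 0 ]; then
    pipe_dir_ok "$1" "${2:-$DEFAULT_GROUP}"
fi
```

Run it as `sh check_pipe_dir.sh /var/run/samba/winbindd_privileged proxy`; the usual fix it points you toward is `chgrp proxy` plus `chmod 0750` on that directory, which gives Squid what it needs without letting every local user at the winbindd pipe.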
Found it. I've chmod'ed that to 0777 for the time being; now in cache.log I'm getting:

AclAuthenticated: authentication not applicable on transparently intercepted requests

I thought NTLM could be made to work with transparent requests?

I thought you had something that worked transparently like that? Never mind, I'll just set the proxy on the clients.
You can either have a transparent proxy with no authentication, or a normal proxy with authentication.
Actually... it is possible to do both - we do.
I don't know precisely how it works, and it isn't exactly standard procedure, but we can get NTLM auth working in transparent proxy mode. AFAIK only ourselves and Bluecoat have managed this.
But that's evil; it's a man-in-the-middle attack and a huge security hole.