On Thu, 9 Jan 2003 02:56, Kenneth Magnusson wrote:
> Hi all.
> I have some problem with squid and ntlm_auth.
> All users that are allowed to connect internet works but when
> "baduser" connects they get a login box for username, password and
> domain. If they type there username, password and domain a error text
> come up, but if they type the correct userid and password but WRONG
> domain can they connect to internet. Is it anybody that can help me?
>
It's my undertanding that ntlm_auth (or perhaps the DC) doesn't consider the
domain when checking username/password credentials. For example, if you have
"domain\user-x" in your not_allowed_users file below, then it could be
circumvented by someone creating a "workstation\user-x" account with the same
password as "domain\user-x". Try just specifying the username in
not_allowed_users and see how that goes with proxy_auth_regex, or switch to
winbind authentication which seems to be the recommended NTLM helper
nowadays.
- Gerard
> auth_param ntlm program /usr/local/squid/bin/ntlm_auth -b
> domain/pdc_server
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> acl baduser proxy_auth "/usr/local/squid/users/not_allowed_users.txt"
> acl special_url url_regex -i "/usr/local/squid/users/ok_site.txt"
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all special_url
> http_access deny baduser
>
> Regards Kenneth
Received on Thu Jan 09 2003 - 07:29:41 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:36 MST