You should swap "auth_param basic ..." and "auth_param ntlm ..." sections.
You can find some explanation in squid.conf section about auth_param:
---------
# The order that authentication prompts are presented to the
client_agent
# is dependant on the order the scheme first appears in config file.
# IE has a bug (it's not rfc 2617 compliant) in that it will use the
basic
# scheme if basic is the first entry presented, even if more secure
schemes
# are presented. For now use the order in the file below. If other
browsers
# have difficulties (don't recognise the schemes offered even if you
are using
# basic) then either put basic first, or disable the other schemes
(by commenting
# out their program entry).
---------
Hope this can help.
Michele
|---------+------------------------------------------------------------------------>
| | daniel.jarboe@custserv.com |
| | Sent by: |
| | squid-users-return-27142-michele.de-martin=electrolux.it@squi|
| | d-cache.org |
| | |
| | |
| | 03/20/2003 06:11 PM |
| | |
|---------+------------------------------------------------------------------------>
>-------------------------------------------------------------------------------------|
| |
| To: squid-users@squid-cache.org |
| cc: |
| Subject: [squid-users] Ntlm authentication problems |
>-------------------------------------------------------------------------------------|
Hi, I cannot get ntlm authentication working with IE... W2k client
logged into a NT domain. Squid version 2.5.STABLE2-20030320 on a RH 8.0
box.
wbinfo -a DOMAIN\\user%pass shows:
plaintext password authentication succeeded
challenge/response password authentication succeeded
# squid -v
Squid Cache: Version 2.5.STABLE2-20030320
configure options: --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
--sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin
--libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid
--datadir=/usr/share/squid --enable-poll --enable-snmp
--enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,ufs,null --enable-delay-pools
--enable-linux-netfilter --with-pthreads --enable-ssl --enable-arp-acl
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,winbind_grou
p,wbinfo_group --enable-auth=basic,ntlm
--enable-ntlm-auth-helpers=winbind --enable-digest-auth-helpers=password
--enable-basic-auth-helpers=winbind
The above is a bit bloated, but this was based on an RPM and I plan to
whittle the ./configure down after I get ntlm working.
my squid.conf minus comments:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/wb_auth
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr (my.email@address)
coredump_dir /usr/local/squid/var/cache
Whenever I try to connect, IE falls back to basic authentication, which
does work (DOMAIN\USER)... but I need ntlm working. The w2k client is
logged into the domain. Does anybody see anything glaring in squid.conf
or maybe the configure options?
Thanks,
~ Daniel
-----------------------------------------------------------------------
This message is the property of Time Inc. or its affiliates. It may be
legally privileged and/or confidential and is intended only for the use
of the addressee(s). No addressee should forward, print, copy, or
otherwise reproduce this message in any manner that would allow it to be
viewed by any individual not originally listed as a recipient. If the
reader of this message is not the intended recipient, you are hereby
notified that any unauthorized disclosure, dissemination, distribution,
copying or the taking of any action in reliance on the information
herein is strictly prohibited. If you have received this communication
in error, please immediately notify the sender and delete this message.
Thank you.
Received on Thu Mar 20 2003 - 10:22:36 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:11 MST