Re: [squid-users] NTLM auth keeps asking for password.

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 27 Dec 2006 14:14:58 -0900

Craig Van Tassle wrote:
> Hello list.
>
> I have been trying to get NTLM authentication working with squid and winbind
> under ubuntu 6.10. I can get user names and accounts with winbind, I can even try
> using a domain user to login and I see this in my logs.
> Dec 27 13:00:06 proxy pam_winbind[6734]: user 'domainuser' granted access
>
> The proxy works well if I have no authentication, however if I try to put
> authentication in place, I get asked for the user name and password 3 times, then
> I get kicked out to a cache access denied page saying I can't access anything
> until I authenticate to the proxy. According to what I have found online my
> setup should be correct. Any help would be appreciated.
>

By "online" do you mean the FAQ
(http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2)?
If so, did you test the helper as the cache_effective_user? When
prompted for authentication, were you prompted for the Windows domain,
or did you include it?

> access_log /var/log/squid/access.log squid
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> cache_mem 4 MB
> cache_swap_low 85
> cache_swap_high 90
> cache_dir ufs /var/spool/squid 100 16 256
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> #Authenticate users against a dc
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Chemtool Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> #authenticate_cache_garbage_interval 10 seconds
> # Credentials past their TTL are removed from memory
> #authenticate_ttl 0 seconds
>
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 555 # Sysaid
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl internal_src src x.x.x.x/x
> acl auth proxy_auth REUQIRED
>

Hopefully, this is a typo in the email only. I'm not sure how this
misspelling would affect authentication.

> acl internal_dst dst x.x.x.x/x
>
> acl porn dstdomain "/etc/squid/blacklists/porn/domains"
> acl virus dstdomain "/etc/squid/blacklists/virusinfected/domains"
> acl radio dstdomain "/etc/squid/blacklists/radio/domains"
> acl phish dstdomain "/etc/squid/blacklists/phishing/domains"
> acl games dstdomain "/etc/squid/blacklists/onlinegames/domains"
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny porn
> http_access deny virus
> http_access deny radio
> http_access deny phish
> http_access allow internal_src
>

This would allow internal_src computers to surf without authenticating.
Perhaps what you are trying to do.

> #http_access deny !auth
> always_direct allow internal_dst
>

Seeing as you don't have any cache_peers assigned, this is not going to
do what you expect.

> #http_access deny all
> #http_reply_access allow all
> miss_access allow all
> icp_access deny all
> coredump_dir /var/spool/squid
>
>
>

Chris
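The ordering point raised above (an `http_access allow internal_src` line that sits before any line consulting the `auth` ACL) can be seen concretely with a small model of Squid's first-match `http_access` evaluation. This is an added example, not code from this thread or from Squid itself. It assumes 10.0.0.0/8 for the redacted `x.x.x.x/x` of `internal_src`, a single constructed domain `porn.example` standing in for the blacklist file, and models Squid's behaviour of answering 407 as soon as a `proxy_auth` ACL is evaluated for a request without valid credentials; the `deny !auth` and `deny all` lines that are commented out in the posted config are enabled here to show what they do in each position.

```python
"""Model of Squid first-match http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass

ALLOW, DENY, CHALLENGE = "allow", "deny", "407 challenge"


@dataclass
class Request:
    src: str             # client IP address
    port: int            # destination port
    method: str          # HTTP method
    dstdomain: str       # destination host name
    authenticated: bool  # the helper (e.g. ntlm_auth) accepted the supplied credentials


# ACL definitions modelled on the posted squid.conf. Network and domain values are
# assumptions standing in for the redacted x.x.x.x/x and the blacklist files.
ACLS = {
    "Safe_ports": ("port", {80, 21, 443, 563, 70, 210, 280, 488, 591, 777, 631, 873,
                            901, 555} | set(range(1025, 65536))),
    "SSL_ports": ("port", {443, 563, 873}),
    "CONNECT": ("method", {"CONNECT"}),
    "porn": ("dstdomain", {"porn.example"}),                 # constructed blacklist entry
    "internal_src": ("src", ipaddress.ip_network("10.0.0.0/8")),  # assumed internal range
    "auth": ("proxy_auth", None),
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}


class NeedAuth(Exception):
    """Raised when a proxy_auth ACL is consulted without valid credentials."""


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method in values
    if kind == "dstdomain":
        # dstdomain matches the listed host and any subdomain of it
        return any(req.dstdomain == d or req.dstdomain.endswith("." + d) for d in values)
    if kind == "src":
        return ipaddress.ip_address(req.src) in values
    if kind == "proxy_auth":
        if not req.authenticated:
            raise NeedAuth  # Squid stops here and sends a 407 challenge
        return True
    raise ValueError(f"unknown ACL {name}")


def term_matches(term, req):
    negate = term.startswith("!")
    matched = acl_matches(term.lstrip("!"), req)
    return not matched if negate else matched


def evaluate(rules, req):
    """rules: list of (action, [terms]). Terms on one line are ANDed and checked
    left to right; the first line whose terms all match decides. If no line
    matches, the default is the opposite of the last line's action."""
    for action, terms in rules:
        try:
            if all(term_matches(t, req) for t in terms):
                return action
        except NeedAuth:
            return CHALLENGE
    return DENY if rules[-1][0] == ALLOW else ALLOW


COMMON = [
    (DENY, ["!Safe_ports"]),
    (DENY, ["CONNECT", "!SSL_ports"]),
    (DENY, ["porn"]),
]
# Order as posted: internal clients match "allow internal_src" before "auth" is ever consulted.
POSTED = COMMON + [(ALLOW, ["internal_src"]), (DENY, ["!auth"]), (DENY, ["all"])]
# Reordered: the auth ACL is consulted first, so unauthenticated internal clients get a 407.
FIXED = COMMON + [(DENY, ["!auth"]), (ALLOW, ["internal_src"]), (DENY, ["all"])]

# Constructed sample requests (not captured traffic).
INTERNAL_NOAUTH = Request("10.1.2.3", 80, "GET", "www.example.com", False)
INTERNAL_AUTH = Request("10.1.2.3", 80, "GET", "www.example.com", True)
EXTERNAL_AUTH = Request("192.0.2.5", 80, "GET", "www.example.com", True)
INTERNAL_BAD_PORT = Request("10.1.2.3", 22, "CONNECT", "host.example.com", True)
INTERNAL_BLOCKED = Request("10.1.2.3", 80, "GET", "www.porn.example", False)


def compare(req):
    """Return (result under posted order, result under reordered rules)."""
    return evaluate(POSTED, req), evaluate(FIXED, req)


if __name__ == "__main__":
    for label, req in [("internal, no creds", INTERNAL_NOAUTH), ("internal, auth ok", INTERNAL_AUTH),
                       ("external, auth ok", EXTERNAL_AUTH), ("internal, CONNECT 22", INTERNAL_BAD_PORT),
                       ("internal, blacklisted", INTERNAL_BLOCKED)]:
        print(f"{label:24s} posted={compare(req)[0]:14s} reordered={compare(req)[1]}")
```

Under the posted order an internal client is never challenged, which is exactly the case Chris describes; moving `deny !auth` (or writing `allow internal_src auth`) above the `allow internal_src` line is what makes the helper get consulted. Whether the posted order is the intended policy is, as noted above, a question for the original poster.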
Received on Wed Dec 27 2006 - 16:15:04 MST

This archive was generated by hypermail pre-2.1.9 : Mon Jan 01 2007 - 12:00:01 MST