[squid-users] ntlm_auth problem with file of users

From: CyberSoul <cybersoul_at_gmx.com>
Date: Tue, 7 Feb 2012 17:15:40 +0400

Hi all,
   could anyone give a suggestion to solve the following problem:

I have configured squid with Single Sign-On (kerberos+samba+ntlm).
So, the commands wbinfo -t, wbinfo -p, wbinfo -u and wbinfo -g are working well (domain is KNG, realm kng.local), examples:
$wbinfo -u
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2

$wbinfo -a kng\\ldapreader%12345678
plaintext password authentication succeeded
challenge/response password authentication succeeded

squid.conf
....
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy_AD
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
...

So, when the acl & http_access are as follows, it works:
acl users proxy_auth REQUIRED
...
http_access allow users

But I need to give access to the internet by lists of users, so I re-edited the squid config & created a list:
file /etc/squid/users.acl, which contains user names:
ldapreader
testproxyad1
testproxyad2

squid.conf
...
acl users proxy_auth "/etc/squid/users.acl"
...
http_access allow users

After that, in the browser squid says "access denied",
access.log:
bla-bla-bla <IP-user> TCP_DENIED/407 1874 GET <bla-bla-bla> KNG\ldapreader NONE/- text/html

Changing the users.acl file with the names to this:
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2

No result, "access denied".

Adding the option in smb.conf [global]:
winbind separator = \

No result, "access denied".

Checking ntlm_auth (basic), works fine:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
kng\ldapreader 12345678
OK

Checking ntlm_auth (ntlmssp), works fine:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
YR
TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA

What's wrong? Why doesn't squid want to work with the list of users?
Maybe I did not edit squid.conf correctly in the acl tag (acl users proxy_auth "/etc/squid/users.acl")?
Or maybe I should get ntlm_auth from the samba source, not from squid?

Will be waiting for a response.
Received on Tue Feb 07 2012 - 13:19:06 MST
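As an added example (not part of the original post, and not Squid's or Samba's own tooling): a small Python check that reads a proxy_auth list file like /etc/squid/users.acl together with the user field of TCP_DENIED/407 lines from access.log, and for each denied username reports whether an identical entry exists in the list or only a near miss (an entry that differs by case, or by the DOMAIN\ prefix that the NTLM helper returned and Squid logged). It assumes, as my reading of Squid rather than anything the post states, that proxy_auth compares the username string the auth helper returned against each list entry verbatim, case-sensitively unless the ACL is declared with -i. The list file and log lines are constructed from the ones shown in the post; the timestamps, client addresses and URL are placeholders.

```python
import re
from typing import List, NamedTuple

# Constructed sample inputs, modelled on the post (not real log data).
USERS_ACL = """\
# one username per line, as in /etc/squid/users.acl
ldapreader
testproxyad1
testproxyad2
"""

ACCESS_LOG = """\
1328627740.123    120 192.0.2.10 TCP_DENIED/407 1874 GET http://example.com/ KNG\\ldapreader NONE/- text/html
1328627741.456    130 192.0.2.11 TCP_DENIED/407 1874 GET http://example.com/ KNG\\testproxyad1 NONE/- text/html
1328627742.789    140 192.0.2.12 TCP_DENIED/407 1874 GET http://example.com/ - NONE/- text/html
1328627743.012    150 192.0.2.13 TCP_DENIED/407 1874 GET http://example.com/ KNG\\Unknown NONE/- text/html
"""


class Verdict(NamedTuple):
    user: str          # username as logged by Squid
    exact: bool        # identical to some list entry
    reason: str        # why it would (not) match


def load_user_list(text: str) -> List[str]:
    """Read a proxy_auth list file: one entry per line, blank lines and '#' comments ignored."""
    users = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            users.append(line)
    return users


def logged_users(log_text: str) -> List[str]:
    """Pull the authenticated-user field out of Squid native-format access.log lines.
    Field order: time elapsed client code/status bytes method URL user hierarchy type."""
    names = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 10 and "/407" in fields[3]:   # only challenged/denied requests
            names.append(fields[7])
    return names


def strip_domain(user: str) -> str:
    """Drop a leading 'DOMAIN\\' or 'DOMAIN+' prefix (winbind separator '\\' or '+')."""
    return re.sub(r"^[^\\+]+[\\+]", "", user)


def classify(user: str, acl: List[str]) -> Verdict:
    """Explain how a logged username relates to the list entries.
    Assumption (my reading of Squid): proxy_auth compares the string the auth helper
    returned against each entry verbatim, case-sensitively unless the ACL uses -i."""
    if user == "-":
        return Verdict(user, False, "no credentials presented (helper never returned a name)")
    if user in acl:
        return Verdict(user, True, "exact entry present")
    lowered = {u.lower() for u in acl}
    if user.lower() in lowered:
        return Verdict(user, False, "entry differs only by case (consider 'acl ... proxy_auth -i')")
    bare = strip_domain(user)
    if bare in acl:
        return Verdict(user, False, f"entry '{bare}' lacks the domain prefix Squid logged")
    if bare.lower() in lowered:
        return Verdict(user, False, f"entry matches '{bare}' only without prefix and case")
    return Verdict(user, False, "no entry resembles this user")


def audit(acl_text: str, log_text: str) -> List[Verdict]:
    """One verdict per denied request in the log, in log order."""
    acl = load_user_list(acl_text)
    return [classify(u, acl) for u in logged_users(log_text)]


if __name__ == "__main__":
    for v in audit(USERS_ACL, ACCESS_LOG):
        print(f"{'OK ' if v.exact else 'MISS'} {v.user:<20} {v.reason}")
```

Run against a real list file and access.log by replacing the two constructed strings with the file contents; the point of the check is to show the exact string Squid was comparing (the logged user field) next to the list entries, so that a prefix or case difference is visible rather than inferred from a bare 407.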

This archive was generated by hypermail 2.2.0 : Fri Feb 10 2012 - 12:00:02 MST