On 1/02/2013 6:22 a.m., Baird, Josh wrote:
> Try again.
>
> -----Original Message-----
> From: muno
>
> I need to configure the Squid3 to authenticate via NTLM
> reverse proxy authentication. I have instaled and configured
> the squid but the browser requires the password again and
> again.
>
>
> Anyone have a clue to help me?
LAN traffic or WAN traffic?
* The ntlm_auth helper supplied with Squid only suports NTLMv1 and older
LANMan protocol versions. Use the identically named ntlm_auth helper
from the Samba project for proper NTLM support.
* No version of Squid supports doing NTLM authentication handshakes with
cache_peer's. Meaning your NTLM credentials cease at the first Squid.
- In reverse-proxy the www-authenticate credential stop at the first
Squid.
+ You can relay the username authenticated to a peer server using
Basic authentication.
+ OR, with squid-3.2+ you use login=PASSTHRU and *no* Squid auth setup
to offload the whole auth process onto a backend peer.
* NTLM was officially deprecated by Microsoft in 2006. Modern software
(built since 2002) uses Negotiate/Kerberos protocol.
+ Squid-3.1 and later are in that group, with the cache_peer
login=NEGOTIATE option. Note that the client-facing and the peer-facing
connections are completely separate HTTP connections and credentials
used on each do not have to be related in any way.
Enough hints?
>
>
> Here my configuration:
>
> ./configure --prefix=/usr/local/squid
> --exec_prefix=/usr/local/squid --enable-ssl
> --enable-auth-ntlm="ntlm,basic"
the above option is a squid-3.2 build option.
> --enable-basic-auth-helpers="winbind"
> --enable-ntlm-auth-helpers="winbind"
> --enable-external-aclhelpers="winbind_group,wbinfo_group"
you are missing a '-' between in "-acl-helpers="
> --enable-delay-pools --enable-removal-policies
> --enable-underscores --enable-cache-digests
> --disable-ident-lookups --enable-truncate
> --with-winbind-auth-challenge
This build option above must have an amusing tale to tell. It is a
*Samba* build option with no use in Squid.
But looking it up in google I see a whole lot of people copy-n-pasting
it from somewhere.
>
> -------------------------------
> squid.conf
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid/ntlm_auth
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not
> authenticated via kerberos/ntlm
What are you talking about kerberos for? what you configured above was
NTLM version 1 *only*.
Which kind of explains why you are having problems. All MS software
since Windows2k has used NTLMv2 by default with NTLMv1 as a fallback.
The Squid bundles helper works, but at cost of all meaningful security
NTLMv2 introduced.
Since Windows Vista all MS software uses Kerberos by default with NTLMv2
as a fallback *if* configured. NTLMv1 is not available. Meaning the
Squid bundled helper will not work with any of that software. Use the
Samba project helper instead please.
> #auth_param basic program /usr/lib/squid3/squid_ldap_auth
> -R -b "dc=example,dc=local" -D squid_at_example.local -W
> /etc/squid3/ldappass.txt -f sAMAccountName=%s -h
> dc1.example.loc
> al
> #auth_param basic children 10
> #auth_param basic realm Internet Proxy
> #auth_param basic credentialsttl 1 minute
>
>
> acl warp dstdomain warpx.uninet.com.br
> acl xymon dstdomain monitorx.uninet.com.br
> acl uninet dstdomain www.uninet.com.br
> acl admin src 200.220.1.0/24
> acl admin src 200.220.102.0/24
> acl unisys src 129.222.0.0/16
> acl unisys src 129.224.0.0/16
> acl unisysvpn src 172.0.0.0/8
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_port 80 accel
> https_port 443 accel cert=/usr/local/squid/CA/cacert.pem
> key=/usr/local/squid/CA/cakey.pem
>
> cache_peer 200.220.0.103 parent 80 0 no-query no-digest
> connection-auth=on originserver proxy-only no-netdb-exchange
> login=PASS name=warpsite
> cache_peer_access warpsite allow warp
login=PASS relays the username and password to the peer in Basic
authentication format.
NTLM does not supply the password. So what gets sent back is username
with no password at best.
Amos
Received on Fri Feb 01 2013 - 04:44:15 MST
This archive was generated by hypermail 2.2.0 : Fri Feb 01 2013 - 12:00:05 MST