I'm *really* enjoying squid but I'm having some problems that I just can't seem to figure out. I was able to join my Linux box the squid is running on to an active directory and use ntlm and wbinfo_groups.pl to control access with some luck.

My questions are:

1) Do I even need a "basic" auth_param? All the examples I see have ntlm and basic. What would be the need to have both?

2) What does this top log entry show? Why would I have it if the user is authed with ntlm? Wouldn't they all show "DOMAIN+admin" or whatever? (example below)

...
- NONE/- text/html
DOMAIN+admin DIRECT/72.14.203.19 text/html
...

3) When viewing a page that I should be able to load, the browser acts like it is loading but it just hangs (IE and FF). I know the page is not being blocked because the deny_info page is not showing. It just kinda hangs. This is my biggest problem. Ideas?

Thanks for everything,
Gabe

SYSTEM INFO:

/etc/squid/squid.conf
######################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy / Caching Server
auth_param basic credentialsttl 2 hours

external_acl_type wbg %LOGIN /usr/lib/squid/wbinfo_group.pl

acl all src 0.0.0.0/0.0.0.0
acl DOMAIN-net src 10.0.0.0/255.255.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl auth-users proxy_auth REQUIRED
acl unrestricted-groups external wbg "/etc/squid/lists/unrestricted-groups.txt"
acl black-list-groups external wbg "/etc/squid/lists/black-list-groups.txt"
acl white-list-groups external wbg "/etc/squid/lists/white-list-groups.txt"
acl black-list-sites dstdomain "/etc/squid/lists/black-list-sites.txt"
acl white-list-sites dstdomain "/etc/squid/lists/white-list-sites.txt"
acl work-sites dstdomain "/etc/squid/lists/work-sites.txt"
acl ssl-ports port 443 563
acl safe-ports port 80 20 21 443 1025-65535
acl connect method CONNECT
acl query urlpath_regex cgi-bin \?
acl manager proto cache_object
acl never-cache dstdomain "/etc/squid/lists/never-cache.txt"
acl windows-update dstdomain .microsoft.com .windowsupdate.com

no_cache deny query
no_cache deny never-cache

http_access allow manager localhost
http_access deny manager
http_access deny !safe-ports
http_access deny connect !ssl-ports
http_access allow work-sites
http_access allow windows-update
http_access allow localhost
http_access deny !auth-users
http_access allow unrestricted-groups
http_access allow black-list-groups black-list-sites
http_access allow white-list-groups white-list-sites
http_access deny all

/var/log/squid/access.log
######################################
TCP_MISS/200 859 GET http://mail.google.com/mail/? DOMAIN+admin DIRECT/72.14.203.83 text/plain
TCP_DENIED/407 585 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_DENIED/407 593 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_MISS/200 3570 GET http://mail.google.com/mail/? DOMAIN+admin DIRECT/72.14.203.19 text/html
TCP_DENIED/407 585 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_DENIED/407 593 GET http://mail.google.com/mail/? - NONE/- text/html

/var/log/squid/cache.log
######################################
Got DOMAIN+admin DOMAIN+Management DOMAIN+MIS "DOMAIN+Domain Admins" from squid
User: -DOMAIN+admin-
Group: -DOMAIN+Management-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1128 Domain Group (2)-
GID: -16777225-
User: -DOMAIN+admin-
Group: -DOMAIN+MIS-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1129 Domain Group (2)-
GID: -16777223-
User: -DOMAIN+admin-
Group: -DOMAIN+Domain Admins-
SID: -S-1-5-21-2732840889-2280141153-3048588358-512 Domain Group (2)-
GID: -16777222-
Sending OK to squid

squid -v
######################################
Squid Cache: Version 2.5.STABLE6 (CentOS 4.1)
configure options: --build=i686-redhat-linux-gnu --host=i686-redhat-linux-gnu --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge --enable-useragent-log --enable-referer-log --disable-dependency-tracking --enable-cachemgr-hostname=localhost --disable-ident-lookups --enable-truncate --enable-underscores --datadir=/usr/share --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind

--
Gabriel Gunderson
http://gundy.org