Craig Van Tassle wrote:
Hello list. I have been trying to get NTLM authentication working with squid and winbind under ubuntu 6.10. I can get user names and accounts with winbind, I can even try using a domain user to login and I see this in my logs:

Dec 27 13:00:06 proxy pam_winbind[6734]: user 'domainuser' granted access

The proxy works well if I have no authentication, however if I try to put authentication in place, I get asked for the user name and password 3 times then I get kicked out to a cache access denied page saying I can't access anything until I authenticate to the proxy. According to what I have found on line my setup should be correct. Any help would be appreciated.
By "on line" do you mean the FAQ (http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2)? If so, did you test the helper as the cache_effective_user? When prompted for authentication, were you prompted for the Windows domain, or did you include it?
access_log /var/log/squid/access.log squid
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 4 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#Authenticate users against a dc
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Chemtool Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
#authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
#authenticate_ttl 0 seconds
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 555 # Sysaid
acl purge method PURGE
acl CONNECT method CONNECT
acl internal_src src x.x.x.x/x
acl auth proxy_auth REUQIRED
Hopefully, this is a typo in the email only. I'm not sure how this misspelling would affect authentication.
acl internal_dst dst x.x.x.x/x
acl porn dstdomain "/etc/squid/blacklists/porn/domains"
acl virus dstdomain "/etc/squid/blacklists/virusinfected/domains"
acl radio dstdomain "/etc/squid/blacklists/radio/domains"
acl phish dstdomain "/etc/squid/blacklists/phishing/domains"
acl games dstdomain "/etc/squid/blacklists/onlinegames/domains"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny porn
http_access deny virus
http_access deny radio
http_access deny phish
http_access allow internal_src
This would allow internal_src computers to surf without authenticating. Perhaps that is what you are trying to do.
#http_access deny !auth
always_direct allow internal_dst
Seeing as you don't have any cache_peers assigned, this is not going to do what you expect.
#http_access deny all
#http_reply_access allow all
miss_access allow all
icp_access deny all
coredump_dir /var/spool/squid
Chris
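Chris's two observations about the quoted squid.conf (the REUQIRED misspelling, and the allow internal_src line that sits before any rule mentioning the auth ACL) can be checked mechanically. The script below is an added example, not code from this thread or from Squid: it parses a constructed excerpt of the posted config (10.0.0.0/8 stands in for the masked x.x.x.x network) and reports why proxy_auth would never be enforced.

```python
# Constructed excerpt mirroring the squid.conf quoted in the thread; 10.0.0.0/8
# is a made-up stand-in for the masked internal network.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
acl internal_src src 10.0.0.0/8
acl auth proxy_auth REUQIRED
http_access allow manager localhost
http_access deny manager
http_access allow internal_src
#http_access deny !auth
#http_access deny all
"""

def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, args); rules is the ordered
    list of http_access lines as (action, terms). '#' comments are dropped."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], parts[3:]))
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def check_auth(conf):
    """Return findings explaining why proxy_auth may never be enforced."""
    acls, rules = parse_conf(conf)
    findings = []
    auth_acls = {n for n, (kind, _) in acls.items() if kind == "proxy_auth"}
    for name in sorted(auth_acls):
        if acls[name][1] != ["REQUIRED"]:
            findings.append(f"acl {name}: proxy_auth argument must be REQUIRED, "
                            f"got {acls[name][1]}")
    # Index of the first active http_access rule that mentions a proxy_auth acl;
    # squid evaluates rules top-down, so only rules before it matter for bypass.
    first_auth = next((i for i, (_, terms) in enumerate(rules)
                       if {t.lstrip("!") for t in terms} & auth_acls), len(rules))
    if first_auth == len(rules):
        findings.append("no active http_access rule references a proxy_auth acl; "
                        "nobody is challenged")
    for action, terms in rules[:first_auth]:
        # An allow built only from src acls admits those clients unauthenticated.
        if action == "allow" and all(
                acls.get(t.lstrip("!"), ("",))[0] == "src" for t in terms):
            findings.append(f"http_access allow {' '.join(terms)} precedes any "
                            f"auth rule; those clients never authenticate")
    return findings

if __name__ == "__main__":
    for finding in check_auth(SAMPLE_CONF):
        print(finding)
```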