Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost

We have a group policy do the IE browser, but with Firefox, we have to set it manually. Once it is set, there is no prompt...

I use SARG to get the results.. Been doing it for almost three years.. I would get evangelical on people using iPrism/Barracuda/Websense.. but now I figure I will just let them spend the money.. ;-)

----- Original Message ----
From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
To: nairb rotsak <ipguru99@xxxxxxxxx>
Cc: matlor <bfrobu@xxxxxx>; squid-users@xxxxxxxxxxxxxxx
Sent: Wednesday, October 29, 2008 9:31:32 AM
Subject: Re: SQUID + FIREFOX + ACTIVE DIRECTORY

On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99@xxxxxxxxx> wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now..
> using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

> ----- Original Message ----
> From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
> To: matlor <bfrobu@xxxxxx>
> Cc: squid-users@xxxxxxxxxxxxxxx
> Sent: Wednesday, October 29, 2008 8:48:39 AM
> Subject: Re: SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu@xxxxxx> wrote:
>>
>> I have configured squid with winbind integrated in the active directory of a
>> windows 2003 domain.
>> If I browse internet through IE 7 everything is ok, no user and password
>> prompted, because of the common login. While, if I open Firefox (2 or 3
>> version), it prompts for user and password.
>
> One other note: While FF does support NTLM, it does not do transparent
> auth as IE does. Hence the prompting for username/password.
> Furthermore, due to M$ having a broken implementation of NTLM, FF will
> at times repeatedly prompt ad infinitum. There is an open bug on this
> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
> action on it is understandably slow. You can mess with FF's NTLM
> related settings under 'about:config' to gain some respite. You can
> also run a basic auth that authenticates against NTLM which for some
> reason seems to avoid the multi-prompt issue. Something like:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm somerealm
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Regards,
> Chris
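
Added example, not part of the thread or written by any of its participants: a small audit of a squid.conf fragment like the ones posted above. It reports which auth schemes are configured (in order), which http_access allow rules name no authentication ACL and so deserve a second look, and whether a group deny is placed after an allow. The function name audit and the wording of its notes are assumptions made for this illustration.

```python
# Added example (not from the thread): review the auth rules of a squid.conf fragment.
# CONF is the "current setup" quoted in the message above, used as sample input.
CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost
"""

def audit(conf):
    """Return (auth schemes in config order, allow rules with no auth ACL, notes)."""
    schemes, login_helpers, auth_acls = [], set(), set()
    open_allows, notes, allowed_yet = [], [], False
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tok) < 3:
            continue
        if tok[0] == "auth_param" and tok[2] == "program" and tok[1] not in schemes:
            schemes.append(tok[1])
        elif tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])        # this helper needs an authenticated user
        elif tok[0] == "acl" and (tok[2] == "proxy_auth" or
                (tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers)):
            auth_acls.add(tok[1])
        elif tok[0] == "http_access":
            names = [t.lstrip("!") for t in tok[2:]]
            needs_auth = any(n in auth_acls for n in names)
            if tok[1] == "allow":
                allowed_yet = True
                if not needs_auth:
                    open_allows.append(" ".join(tok[2:]))
            elif tok[1] == "deny" and needs_auth and allowed_yet:
                notes.append("deny %s follows an allow rule; http_access is first-match"
                             % " ".join(tok[2:]))
    if "basic" in schemes:
        notes.append("basic scheme enabled: credentials are only base64-encoded on the wire")
    return schemes, open_allows, notes

if __name__ == "__main__":
    print(audit(CONF))
```

Run against the older w2k3 fragment, the same function also reports the basic scheme, whose Proxy-Authorization header carries the AD password in a reversible encoding between browser and proxy.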