
Re: SQUID + FIREFOX + ACTIVE DIRECTORY


 



I am actually flabbergasted at all the people saying this doesn't work.  I haven't tried Squid 3 yet.. so I can't comment on it.  The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today).  I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business.  As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something.  I would go into firefox, change the proxy setting, get the file, then put the proxy setting back.  THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years..  I know it is catching them, because it blocks files and I use SARG to report their activities.. 

But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy.  Just to make sure.. 



----- Original Message ----
From: matlor <bfrobu@xxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY


I have tried your configuration... but I have the same problem.
squid version is 3.0.5

in attachment there is one of my tested squid.conf.
only IE7 is working properly

thanks in advance....




nairb rotsak wrote:
> 
> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
> below is what I sent Chris:
> 
> Below is for w2k3 AD and Ubuntu 6.06.1:
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #auth_param ntlm use_ntlm_negotiate off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl NTLMUsers proxy_auth REQUIRED
> acl our_networks src 192.168.0.0/16
> http_access allow all NTLMUsers
> http_access allow our_networks
> 
> Here is our current setup (w2k8 and Ubuntu 8.04.1):
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> acl our_networks src 192.168.0.0/16
> acl NTLMUsers proxy_auth REQUIRED
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NOINTERNET external ntgroup no-internet
> http_access deny NOINTERNET
> http_access allow all NTLMUsers
> http_access allow our_networks
> http_access allow localhost
> 
> 
> We have a group policy do the IE browser, but with Firefox, we have to set
> it manually.  Once it is set, there is no prompt... I use SARG to get
> the results.. Been doing it for almost three years.. I would get
> evangelical on people using iPrism/Barracuda/Websense.. but now I
> figure I will just let them spend the money.. ;-)
> 
> 
> ----- Original Message ----
> From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
> To: nairb rotsak <ipguru99@xxxxxxxxx>
> Cc: matlor <bfrobu@xxxxxx>; squid-users@xxxxxxxxxxxxxxx
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY
> 
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99@xxxxxxxxx> wrote:
>> I am totally confused by this statement?.. as I have 300 people using
>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>> one gets a user/pass prompt?  I am not using it as a transparent proxy,
>> it is listed in firefox under proxy settings (8080 because it goes to DG
>> first.. but I have tested just Squid at 3128 and it works as well).. and
>> I haven't touched anything else in firefox
> 
> 
> I'd be very interested in knowing what is different about your setup.
> I have fought this problem for several years now.
> 
> 
>>
>>
>>
>> ----- Original Message ----
>> From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
>> To: matlor <bfrobu@xxxxxx>
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu@xxxxxx> wrote:
>>>
>>> I have configured squid with winbind integrated in the active directory
>>> of a windows 2003 domain.
>>> If I browse internet through IE 7 everything is ok, no user and password
>>> prompted, because of the common login. While, if I open Firefox (2 or 3
>>> version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent
>> auth as IE does. Hence the prompting for username/password.
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will
>> at times repeatedly prompt ad infinitum. There is an open bug on this
>> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
>> action on it is understandably slow. You can mess with FF's NTLM
>> related settings under 'about:config' to gain some respite. You can
>> also run a basic auth that authenticates against NTLM which for some
>> reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
>>
>>
>>
>>
>>
> 
> 
> 
>      
> 
> 
http://www.nabble.com/file/p20247889/squid.conf squid.conf 
-- 
View this message in context: http://www.nabble.com/SQUID-%2B-FIREFOX-%2B-ACTIVE-DIRECTORY-tp20204501p20247889.html
Sent from the Squid - Users mailing list archive at Nabble.com.
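
An added example, not code from any poster in this thread: a small audit of the `auth_param` lines in a squid.conf like the ones quoted above. It reports the order in which Squid will offer schemes to the browser (config order), checks that each `ntlm_auth` helper carries the matching `--helper-protocol`, and flags a Basic scheme, which carries the domain password base64-encoded rather than encrypted. The names `unwrap`, `audit`, `EXPECTED` and `SAMPLE` are hypothetical, and the sample is constructed from the w2k3 config in the thread with the mail client's line wrap left in.

```python
# Added example: audit the auth_param directives of a squid.conf.
# Helper protocol each scheme's ntlm_auth program is expected to speak.
EXPECTED = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}

# Constructed sample based on the w2k3 config quoted in the thread; the
# wrapped "--helper-protocol" lines are kept as the mail client left them.
SAMPLE = """\
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers
"""

def unwrap(text):
    """Drop blanks/comments and re-join option lines wrapped by e-mail."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--") and lines:
            lines[-1] += " " + line      # continuation of the previous directive
        else:
            lines.append(line)
    return lines

def audit(text):
    """Return (schemes in the order Squid offers them, list of findings)."""
    schemes, findings = [], []
    for line in unwrap(text):
        tok = line.split()
        if tok[0] != "auth_param" or len(tok) < 3:
            continue
        scheme = tok[1].lower()
        if scheme not in schemes:
            schemes.append(scheme)       # first appearance fixes the offer order
        if tok[2] == "program":
            proto = [a.split("=", 1)[1] for a in tok[3:]
                     if a.startswith("--helper-protocol=")]
            want = EXPECTED.get(scheme)
            if not proto:
                findings.append(f"{scheme}: helper has no --helper-protocol option")
            elif want and proto[0] != want:
                findings.append(f"{scheme}: helper speaks {proto[0]}, expected {want}")
    if "basic" in schemes:
        findings.append("basic: password is sent base64-encoded, not encrypted")
    return schemes, findings
```

Calling `audit(open("/etc/squid/squid.conf").read())` on a proxy host gives the same report for the live file; the path is an assumption about where the distribution installs it.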


      
