Re: SQUID + FIREFOX + ACTIVE DIRECTORY


nairb rotsak wrote:
I am actually flabbergasted at all the people saying this doesn't work.  I haven't tried Squid 3 yet.. so I can't comment on it.  The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today).  I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business.  As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something.  I would go into firefox, change the proxy setting, get the file, then put the proxy setting back.  THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years.. I know it is catching them, because it blocks files and I use SARG to report their activities.. But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy. Just to make sure..

Um, I'm not so sure the people having trouble are using the right helper.

There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and Squid-2 releases that is incapable of doing full NTLM for modern windows domains.

There is also something calling itself 'ntlm_auth' bundled with Samba, which provides full working NTLM functionality.

We have fixed this mixup in 3.1, but please check the helper you are using. Please prefer to use the one by Samba.

IE7 is more advanced than the earlier IE and seems to be actually capable of proper negotiate auth. But can be expected to fail with the limits imposed by Squid's 'ntlm_auth' thing.

Amos


----- Original Message ----
From: matlor <bfrobu@xxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY


I have tried your configuration... but I have the same problem.
squid version is 3.0.5

in attachment there is one of my tested squid.conf.
only IE7 is working properly

thanks in advance....




nairb rotsak wrote:
Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
below is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost


We have a group policy do the IE browser, but with Firefox, we have to set
it manually.  Once it is set, there is no prompt... I use SARG to get
the results.. Been doing it for almost three years.. I would get
evangelical on people using iPrism/Barracuda/Websense.. but now I
figure I will just let them spend the money.. ;-)


----- Original Message ----
From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
To: nairb rotsak <ipguru99@xxxxxxxxx>
Cc: matlor <bfrobu@xxxxxx>; squid-users@xxxxxxxxxxxxxxx
Sent: Wednesday, October 29, 2008 9:31:32 AM
Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY

On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99@xxxxxxxxx> wrote:
I am totally confused by this statement?.. as I have 300 people using
firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
one gets a user/pass prompt?  I am not using it as a transparent proxy,
it is listed in firefox under proxy settings (8080 because it goes to DG
first.. but I have tested just Squid at 3128 and it works as well).. and
I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup.
I have fought this problem for several years now.




----- Original Message ----
From: Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx>
To: matlor <bfrobu@xxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxx
Sent: Wednesday, October 29, 2008 8:48:39 AM
Subject: Re:  SQUID + FIREFOX + ACTIVE DIRECTORY

On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu@xxxxxx> wrote:
I have configured squid with winbind integrated in the active directory
of a windows 2003 domain.
If I browse internet through IE 7 everything is ok, no user and password
prompted, because of the common login. While, if I open Firefox (2 or 3
version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent
auth as IE does. Hence the prompting for username/password.
Furthermore, due to M$ having a broken implementation of NTLM, FF will
at times repeatedly prompt ad infinitum. There is an open bug on this
at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
action on it is understandably slow. You can mess with FF's NTLM
related settings under 'about:config' to gain some respite. You can
also run a basic auth that authenticates against NTLM which for some
reason seems to avoid the multi-prompt issue. Something like:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm somerealm
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Regards,
Chris








http://www.nabble.com/file/p20247889/squid.conf squid.conf


--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1
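
Added example, not part of the original thread and not code from the Squid or Samba projects: a shell function that lists the ntlm_auth helper lines in a squid.conf and flags the ones that do not look like the Samba helper recommended above. It assumes, as a heuristic, that a --helper-protocol= argument (as in the configurations quoted in this thread) marks the Samba helper; the function names and the sample configuration are constructed.

```shell
#!/bin/sh
# Heuristic check (an assumption, not a Squid or Samba tool): the Samba
# ntlm_auth is the one invoked with --helper-protocol=..., as in the
# configurations quoted in this thread.

check_ntlm_helpers() {
    # Reads the named squid.conf, or stdin when no file is given.
    awk '
    # An option line on its own is a wrapped continuation: Squid reads
    # one directive per line and does not join it to the line above.
    /^[ \t]*--helper-protocol=/ {
        printf "BROKEN line %d: option separated from its program line\n", NR
        next
    }
    $1 == "auth_param" && $3 == "program" {
        proto = ""
        for (i = 5; i <= NF; i++)
            if ($i ~ /^--helper-protocol=/) {
                proto = $i
                sub(/^--helper-protocol=/, "", proto)
            }
        n = split($4, parts, "/")
        if (parts[n] != "ntlm_auth") next   # only helpers with the shared name
        if (proto == "")
            printf "WARN line %d: %s %s has no --helper-protocol\n", NR, $2, $4
        else if ($2 == "ntlm" && proto != "squid-2.5-ntlmssp")
            printf "WARN line %d: ntlm scheme uses protocol %s\n", NR, proto
        else
            printf "OK line %d: %s %s %s\n", NR, $2, $4, proto
    }' "$@"
}

# Constructed sample configuration (not the attachment from the thread).
# Line 3 has no helper protocol; lines 4-5 are one directive wrapped by a mailer.
sample_conf() {
    cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param basic program /usr/lib/squid/ntlm_auth
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
EOF
}

sample_conf | check_ntlm_helpers
```

Run it against a real file with check_ntlm_helpers /etc/squid/squid.conf (path is an assumption); a WARN only means the line deserves a manual look at which package installed that binary.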
