2009/7/28 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Harley Jackson Willmott wrote:
>>
>> 2009/7/27 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>
>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>> <open.harley@xxxxxxxxx> wrote:
>>>>
>>>> Hey all.
>>>>
>>>> I've done lots of searching and haven't been able to find examples of
>>>> this particular scenario so I'm putting it to you guys for help.
>>>>
>>>> Basically, my boss has me setting up a Squid server for our company's
>>>> primarily Microsoft-based network (we use Active Directory). We've
>>>> already got a proxy server set up running Webmarshal. Webmarshal takes
>>>> care of all the filtering stuff based on Active Directory membership.
>>>>
>>>> I'm implementing a Squid server to both cache (obviously) and to
>>>> throttle certain users using delay pools.
>>>>
>>>> The original plan was to have Squid in front of Webmarshal, which
>>>> means Squid needs to be able to pass the AD credentials to Webmarshal.
>>>> The server itself is running Ubuntu 9.04 Server with
>>>> Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
>>>> AD domain through Likewise-Open. I'd like to create ACLs based on
>>>> user/group membership in AD, but IPs are fine if that isn't possible.
>>>> The main thing is that I -need- the credentials passed to Webmarshal
>>>> so that the user isn't prompted to enter their username and password
>>>> into their browser (this is how it acts prior to pointing it to
>>>> Squid).
>>>>
>>>> Is this possible with my version of Squid? I've been trying to follow
>>>> examples and documentation on the web, but frequently run into
>>>> conflicting and/or outdated information. If so, can someone help me
>>>> out with an example or something? If not, should I just be putting
>>>> Squid behind Webmarshal?
>>>
>>> Behind would be the quickest fix.
>>>
>>> Or you could go the whole way and configure Squid AD authentication with
>>> groups access control to completely replace Webmarshal. Squid bundles a
>>> few external ACL helpers that check group access. The rest is up to how
>>> you set what access controls.
>>>
>>> Amos
>>>
>>>
>>
>> Thanks, Amos, I mulled it over a bit and talked to the boss and we've
>> put Squid in front of Webmarshal.
>>
>> I got Squid up and running but was getting a massive headache trying
>> to make it pass credentials to Webmarshal. The problem was revealed to
>> me by another thread on this mailing list that mentioned this would
>> only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
>> and it passes credentials to Webmarshal fine now! Delay pools are
>> working great too (it's funny being happy about seeing the internet
>> moving slowly).
>>
>> However, I'm faced with another problem. I still need to set up ACLs
>> in Squid that are based on Active Directory groups. The box is in our
>> domain with Samba and Winbind, and wbinfo, wbinfo_group.pl and
>> ntlm_auth all work flawlessly.
>>
>> Unfortunately, after I add the lines for NTLM authentication, my
>> browser (even IE) prompts me for username and password a few times and
>> then sends me to a Cache Access Denied page. My access.log also does
>> not show any usernames/groups.
>>
>> I've played around with the lines a bit but here is how they stand at
>> the moment:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm mushmusic
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> acl authedusers proxy_auth REQUIRED
>> http_access allow authedusers
>>
>> Any advice?
>> Cheers :)
>
> You also need persistent connections enabled, and connection-auth= flags on
> any cache_peer lines.
>
> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
> See these settings:
> * client_persistent_connections
> * server_persistent_connections
> * persistent_connection_after_error
> * detect_broken_pconn
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>   Current Beta Squid 3.1.0.12
>

Thanks again! I managed to get ntlm_auth working, with ACLs based on the
user's AD groups to decide different bucket sizes and speeds without the
browser prompting.

I had disabled the passing of credentials to Webmarshal beforehand to
isolate what I was working on and now that I've gotten ntlm_auth working,
I re-enabled it. Unfortunately, I am prompted for credentials again. This
time, however, entering the credentials seems to work (as opposed to just
prompting me over and over again before).

If I'm _only_ passing credentials or _only_ authenticating for Squid, then
everything works swimmingly. However, having both at once causes it to
prompt the user at the browser. Can I only have one or the other or is
there a solution that allows Squid to authenticate as well as pass creds
to Webmarshal?

Cheers
Harley
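The following squid.conf fragment is an added illustration for Squid 2.7 and is not configuration posted by anyone in this thread. It pulls together the pieces discussed above in one place: the ntlm_auth helpers and proxy_auth ACL Harley shows, an AD group lookup through wbinfo_group.pl feeding a delay pool, and the persistent-connection settings plus a cache_peer connection-auth flag that Amos lists. The parent hostname and port, the helper path, the realm text and the group name are placeholders, and the bandwidth figures are made up for the example. What it does not do is claim to resolve the double-prompt problem in the final message; the thread leaves that open.

```conf
# Added example for Squid 2.7 (not from the thread). Hostname, port,
# helper path, realm and group name are placeholders.

# Client-side authentication against AD via Samba's ntlm_auth.
# NTLM first; Basic is the fallback for clients that cannot do NTLM.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Example proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# AD group lookup for the already-authenticated user.
# %LOGIN hands the proxy-auth username to wbinfo_group.pl; the acl line
# names the group to test for. Path and group name are placeholders.
external_acl_type ad_group ttl=3600 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl authedusers proxy_auth REQUIRED
acl throttled external ad_group "Internet-Throttled"

# Require a login for everything; the group ACL only decides the pool.
http_access allow authedusers
http_access deny all

# One class-2 delay pool (aggregate plus per-host buckets) applied only
# to members of the throttled group. Aggregate -1/-1 means unlimited;
# the per-host bucket here is 32 KB/s with a 64 KB burst (example values).
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 32000/64000
delay_access 1 allow throttled
delay_access 1 deny all

# Upstream Webmarshal parent. login=PASS forwards the client's auth
# headers; connection-auth=on tells Squid the parent understands
# connection-oriented (NTLM) auth. never_direct forces all traffic
# through the parent so nothing bypasses the filter.
cache_peer webmarshal.example.internal parent 8080 0 no-query default login=PASS connection-auth=on
never_direct allow all

# NTLM authenticates the TCP connection rather than each request, so the
# client-to-Squid and Squid-to-parent connections must both stay open.
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn off
```

Two points worth checking when adapting this: the group ACL is evaluated only after proxy_auth has produced a username, so the external_acl line must come after the auth_param block, and a client that loses its persistent connection to Squid will be re-challenged, which is what makes the four persistent-connection settings part of the authentication setup rather than a performance tweak.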