On 23/03/11 18:14, Steve-Mustafa Ismail Mustafa wrote:
> Hi, I've been trying to set up squid to limit the accessibility to the internet at the local Red Cross hospital because of over usage. As such, I've set up a security group on our AD, InternetUsers, where only those members of that group are capable of connecting to the web; otherwise, all their traffic is within our local network. I've joined Debian Squeeze to the domain without much hassle. This is on a VM Debian Squeeze, Squid 2.7 stable 9.
>
> My squid.conf is:
>
> auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"
> auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
> auth_param ntlm children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours external acl type nt group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
> http_port 3128
> acl all src 192.168.10.0/24
A future problem will be this 'all'. There are a lot of security defaults in Squid which rely on it meaning the entire Internet. It should be defined as "acl all src all" in Squid-2.7 and omitted entirely in Squid-3.
Please use "acl localnet src 192.168.10.0/24" for your local networks.
> acl InternetUsers proxy_auth REQUIRED
> http_access allow InternetUsers
> http_access deny all
>
> You can see that it needs cleaning up a bit because of the experimentation that went on trying to get it to work. max_challenge_reuses and max_challenge_lifetime are a carryover from when I followed the suggested config on the site (outdated, I guess).
>
> Firing up squid through "/etc/init.d/squid start" gives me:
>
> unrecognized '/usr/lib/squid/wbinfo_group.pl'
The external_acl_type config line appears to be mangled into one of the auth_basic ones. I thought that was a typo on your email cut-n-paste, but maybe not.
> Starting it with "/usr/sbin/squid -NCdl" comes back with:
>
> WARNING: ntlmauthenticator #2 (FD 9) exited
> WARNING: ntlmauthenticator #2 (FD 10) exited
> WARNING: ntlmauthenticator #2 (FD 11) exited
> Too few ntlmauthenticator processes are running
> Aborted
Popular helpers dying like this is usually incorrect access privileges. They are run as the same low-privilege user as Squid.
> Checking the log messages yields:
>
> Squid Parent: child process 24182 started
> Squid Parent: child process 24182 exited due to signal 6
>
> Any clues? I'm completely stumped; I've been at this a few days now and I'd like to move on.
This may help: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
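For reference, the posted configuration with the two corrections raised in this reply applied (the "all" acl and the run-together external_acl_type line). This is an added example, not Amos's or the original poster's text; the acl name nt_group, the basic-helper children count and the http_access ordering are assumptions.

```conf
# Added example: Squid 2.7.STABLE9 config rebuilt from the posted one.
# Assumptions: acl name "nt_group", 5 basic helper children, LAN-first http_access order.

# Authentication helpers. They run as Squid's own low-privilege user, so that
# user must be able to execute ntlm_auth and reach winbind's privileged socket
# directory; helpers that exit immediately usually point at a permission problem.
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"
auth_param ntlm children 5
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Fix 1: external_acl_type is its own directive on its own line, not appended
# to an auth_param basic line. Defined here as in the posted config, although
# no acl references it yet.
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

http_port 3128

# Fix 2: in Squid-2.7 "all" must mean the whole Internet because other defaults
# rely on it; the hospital LAN gets its own name instead.
acl all src all
acl localnet src 192.168.10.0/24
acl InternetUsers proxy_auth REQUIRED

# Clients outside the LAN are refused before any credential challenge;
# only authenticated members of RCH\InternetUsers are then allowed out.
http_access deny !localnet
http_access allow InternetUsers
http_access deny all
```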