I am in the process of evaluating and testing a Squid configuration in
my environment, I have everything working the way I want except for
one thing; NTLM authentication with Windows 7 clients to a site in
another domain
Squid proxy is configured with multiple Bluecoat proxy servers as
parents, which handles all the user authentication using LDAP.
However, I also have a requirement that users sometimes log on a site
located in a different domain, using personal Windows credentials for
that domain. This works without any problem with Windows XP clients,
but Windows 7 clients just keep getting the login prompt and are
unable to log in.
I've configured the GPO for NTLMv1 on my domain, as suggested by other
threads, but this did not make any difference. All other threads I
have found are for issues where you want to use NTLM for Squid
authentication, which is not what I am trying to do.
Hoping someone can assist or at least point me in the right direction
to solve this.
Server: Ubuntu 11.10
Squid Cache: Version 3.1.14
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--enable-zph-qos'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g
-O2 -g -O2 -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
'CXXFLAGS=-g -O2 -g -O2 -Wall'
--with-squid=/build/buildd/squid3-3.1.14
Squid.conf (IP addresses and names altered before posting public, the
rest is the same as the running configuration)
http_port 8080 ignore-cc
cache_peer Bluecoat1 parent 80 0 no-query login=PASS weight=1
cache_peer Bluecoat2 parent 80 0 no-query login=PASS weight=2
#ACL for streaming
acl streaming dstdomain "/etc/squid3/streaming.acl"
#ACL for QoS after Squid
acl lan1 src 10.200.50.0/24
acl lan2 src 10.200.60.0/24
acl lan3 src 10.200.70.0/24
acl lan4 src 10.200.80.0/24
tcp_outgoing_address 10.0.0.205 lan1
tcp_outgoing_address 10.0.0.206 lan2
tcp_outgoing_address 10.0.0.207 lan3
tcp_outgoing_address 10.0.0.208 lan4
#Suggested off when using tcp_outgoing_address
#server_persistent_connections off //Breaks external NTLM for Windows
XP clients as well when off
#Apply ACL filters
http_access deny streaming
http_access allow all
never_direct allow all
#Cache configuration
cache_mem 512 MB
maximum_object_size_in_memory 1024 KB
cache_dir ufs /var/spool/squid3 45000 16 256
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 128000 KB
# Refresh patterns
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200
90% 432000 override-expire ignore-no-cache ignore-no-store
ignore-private
refresh_pattern -i
\.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200
override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
