The only error I get is:

1349294400.422 429 200.220.102.34 TCP_MISS/401 2171 GET http://warpx.uninet.com.br/ - FIRSTUP_PARENT/200.220.0.103 text/html

AND

349354025.463 0 200.220.102.34 TCP_DENIED/401 4014 GET http://warpx.uninet.com.br/favicon.ico - HIER_NONE/- text/html

Just for my understanding: I need an authenticated browser and Squid passing credentials. I don't know if the path that I am trying is correct. Am I correct?

thanks
emilio

----- Original Message -----
From: "E.S. Rosenberg" <esr+squid@xxxxxxxxxxx>
To: muno <muno@xxxxxxxxxxxxx>
Cc: Amos Jeffries <squid3@xxxxxxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid3 reverse proxy ntlm authentication
Date: Thu, 4 Oct 2012 19:28:19 +0200

> 2012/10/4 muno <muno@xxxxxxxxxxxxx>:
> >
> > Thanks Amos, but it doesn't work yet.
> >
> >> You need an authentication test around about here somewhere
> >> (with any ACL tests for non-auth'd visitors above it).
> >>
> >> acl authenticated proxy_auth REQUIRED
> >>
> >> http_access deny !authenticated
> >
> > Now I get a "Cache Access Denied" message.
> That means you're probably not authenticating.
> Have you looked at cache.log?
> Access.log?
> Are you getting HTTP/417 Proxy auth required?
> Is your client responding properly (you can use wireshark
> to figure that out)? Is winbind working properly (does
> wbinfo -g or -u show all the AD groups/users)?
> Did you configure winbind/samba right? What happens when
> you try to use ntlm_auth from CLI?
> Do you succeed in authenticating (ntlm_auth --username=x
> --domain=y --diagnostics)?
>
> And don't revert to basic over the internet, though NTLM
> is leaky as anything these days it's still less leaky than
> cleartext passwords on the wire (although as far as I
> understand it it's close to cleartext these days).
>
> Hope that helps,
> Eli
> >
> > Any other clue?
> >
> > tks
> >
> > ----- Original Message -----
> > From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re: Squid3 reverse proxy ntlm authentication
> > Date: Fri, 05 Oct 2012 01:17:15 +1300
> >
> >> On 5/10/2012 12:59 a.m., muno wrote:
> >> > Thanks Amos,
> >> >
> >> > I understand the problems and I will analyze the
> >> > alternative, but for a while I need to configure the
> >> > reverse NTLM.
> >> >
> >> > My squid version is: squid 3.2.1
> >> >
> >> > The configuration file has an http_access allow. Sorry,
> >> > but I forgot to copy!
> >> >
> >> > Any suggestion?
> >> >
> >> > tks
> >> > ________________________________________________________
> >> >
> >> > root@proxy:/usr/local/squid/etc# more squid.conf
> >> >
> >> <snip>
> >> >
> >> > http_access allow manager localhost
> >> > http_access deny manager
> >> > http_access deny !Safe_ports
> >> > http_access deny CONNECT !SSL_ports
> >>
> >> You need an authentication test around about here somewhere
> >> (with any ACL tests for non-auth'd visitors above it).
> >>
> >> acl authenticated proxy_auth REQUIRED
> >>
> >> http_access deny !authenticated
> >>
> >> > http_access allow localhost
> >> > http_access allow admin
> >> > http_access allow warp
> >> > http_access allow uninet
> >> > http_access allow xymon
> >> > http_access deny all
> >> >
> >>
> >> HTH
> >> Amos
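
Added example, not part of the original thread and not Squid project code: a small Python parser for the two access.log lines quoted at the top of this message. It separates a 401 generated by Squid itself (TCP_DENIED, nothing contacted upstream) from one relayed from the server behind it, and reports whether any request was logged with a user name. The function and field names are assumptions of this example; the field order is Squid's native access.log format.

```python
from collections import Counter
from typing import NamedTuple, Optional

# The two access.log lines quoted in the message above (Squid native format),
# with the URLs rejoined where the archive had split them.
SAMPLE = [
    "1349294400.422 429 200.220.102.34 TCP_MISS/401 2171 GET "
    "http://warpx.uninet.com.br/ - FIRSTUP_PARENT/200.220.0.103 text/html",
    "349354025.463 0 200.220.102.34 TCP_DENIED/401 4014 GET "
    "http://warpx.uninet.com.br/favicon.ico - HIER_NONE/- text/html",
]

class Entry(NamedTuple):
    client: str
    result: str   # Squid result code, e.g. TCP_MISS or TCP_DENIED
    status: int   # HTTP status returned to the client
    user: str     # "-" when no user name was logged for the request
    hier: str     # forwarding decision, e.g. FIRSTUP_PARENT or HIER_NONE
    peer: str     # upstream address, "-" when nothing was contacted

def parse(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None if it does not fit."""
    f = line.split()
    if len(f) != 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    ok = status.isdecimal()
    return Entry(f[2], result, int(status), f[7], hier, peer) if ok else None

def challenge_source(e: Entry) -> Optional[str]:
    """Say who produced a 401/407: Squid itself or the server behind it."""
    if e.status not in (401, 407):
        return None
    if e.result.startswith("TCP_DENIED"):
        return "squid"                 # generated by Squid's own access rules
    if e.hier != "HIER_NONE" and e.peer not in ("", "-"):
        return "upstream:" + e.peer    # relayed from the server behind Squid
    return "unknown"

def summarize(lines):
    """Count challenges per (client, source); list clients with a logged user."""
    entries = [e for e in map(parse, lines) if e]
    sources = [(e.client, challenge_source(e)) for e in entries]
    counts = Counter(pair for pair in sources if pair[1])
    authed = {e.client for e in entries if e.user != "-"}
    return counts, authed

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the two quoted lines this reports one challenge from the upstream at 200.220.0.103 and one from Squid, with no client ever logged under a user name.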