Re: Squid3 reverse proxy ntlm authentication

On 1/02/2013 6:22 a.m., Baird, Josh wrote:
Try again.

-----Original Message-----
From: muno

I need to configure the Squid3 to authenticate via NTLM
reverse proxy authentication. I have installed and configured
the squid but the browser requires the password again and
again.


Anyone have a clue to help me?

LAN traffic or WAN traffic?


* The ntlm_auth helper supplied with Squid only supports NTLMv1 and older LANMan protocol versions. Use the identically named ntlm_auth helper from the Samba project for proper NTLM support.

* No version of Squid supports doing NTLM authentication handshakes with cache_peers. Meaning your NTLM credentials cease at the first Squid.
  - In reverse-proxy the www-authenticate credentials stop at the first Squid.
  + You can relay the username authenticated to a peer server using Basic authentication.
  + OR, with squid-3.2+ you use login=PASSTHRU and *no* Squid auth setup to offload the whole auth process onto a backend peer.

* NTLM was officially deprecated by Microsoft in 2006. Modern software (built since 2002) uses Negotiate/Kerberos protocol.
  + Squid-3.1 and later are in that group, with the cache_peer login=NEGOTIATE option. Note that the client-facing and the peer-facing connections are completely separate HTTP connections and credentials used on each do not have to be related in any way.


Enough hints?



Here my configuration:

./configure --prefix=/usr/local/squid
--exec_prefix=/usr/local/squid  --enable-ssl
--enable-auth-ntlm="ntlm,basic"

the above option is a squid-3.2 build option.

--enable-basic-auth-helpers="winbind"
--enable-ntlm-auth-helpers="winbind"

--enable-external-aclhelpers="winbind_group,wbinfo_group"
you are missing a '-' in "-acl-helpers="
--enable-delay-pools --enable-removal-policies
--enable-underscores --enable-cache-digests
--disable-ident-lookups --enable-truncate
--with-winbind-auth-challenge

This build option above must have an amusing tale to tell. It is a *Samba* build option with no use in Squid. But looking it up in google I see a whole lot of people copy-n-pasting it from somewhere.




-------------------------------
squid.conf

### pure ntlm authentication
auth_param ntlm program /usr/lib/squid/ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not
authenticated via kerberos/ntlm

What are you talking about kerberos for? What you configured above was NTLM version 1 *only*.

Which kind of explains why you are having problems. All MS software since Windows2k has used NTLMv2 by default with NTLMv1 as a fallback. The Squid bundled helper works, but at the cost of all meaningful security NTLMv2 introduced. Since Windows Vista all MS software uses Kerberos by default with NTLMv2 as a fallback *if* configured. NTLMv1 is not available. Meaning the Squid bundled helper will not work with any of that software. Use the Samba project helper instead please.


#auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
#auth_param basic children 10
#auth_param basic realm Internet Proxy
#auth_param basic credentialsttl 1 minute


acl warp dstdomain warpx.uninet.com.br
acl xymon  dstdomain monitorx.uninet.com.br
acl uninet dstdomain www.uninet.com.br
acl admin src 200.220.1.0/24
acl admin src 200.220.102.0/24
acl unisys src 129.222.0.0/16
acl unisys src 129.224.0.0/16
acl unisysvpn src 172.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_port  80 accel
https_port 443 accel cert=/usr/local/squid/CA/cacert.pem key=/usr/local/squid/CA/cakey.pem

cache_peer 200.220.0.103 parent 80 0 no-query no-digest connection-auth=on originserver proxy-only no-netdb-exchange login=PASS name=warpsite
cache_peer_access warpsite allow warp

login=PASS relays the username and password to the peer in Basic authentication format. NTLM does not supply the password. So what gets sent back is username with no password at best.


Amos
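The following squid.conf fragment is an added illustration, not part of this thread or of the Squid project's own documentation. It puts Amos's points together for a squid-3.2 or later reverse proxy: the primary variant lets the backend do the whole NTLM/Negotiate handshake via login=PASSTHRU with no Squid auth_param at all; the commented alternative has Squid authenticate with the Samba ntlm_auth helper (NTLMv2-capable) and relay only the verified username to the backend in Basic format, since the NTLM password is never available to Squid. Hostnames, the backend address, certificate paths, the ACL names and the shared secret are placeholders.

```conf
# Added example (not from the thread). Placeholders: www.example.com,
# backend.internal, /path/to/*.pem, SHARED_SECRET_PLACEHOLDER.
http_port  80 accel
https_port 443 accel cert=/path/to/cert.pem key=/path/to/key.pem

acl site dstdomain www.example.com

# Variant 1: offload authentication entirely to the origin server.
# No auth_param lines: Squid is not the authenticator here.
# login=PASSTHRU relays the client's Authorization exchange to the peer
# unchanged. connection-auth=on pins the client connection to the peer
# connection, which NTLM and Negotiate need because they authenticate the
# TCP connection rather than each request.
cache_peer backend.internal parent 80 0 no-query no-digest originserver connection-auth=on login=PASSTHRU name=site
cache_peer_access site allow site
http_access allow site
http_access deny all

# Variant 2 (alternative, do not combine with Variant 1): Squid verifies
# NTLM itself using the Samba project's ntlm_auth helper, then passes the
# authenticated username to the backend as Basic with a fixed secret.
# The backend must be configured to accept that secret; it never sees a
# real password.
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 10
#acl authed proxy_auth REQUIRED
#cache_peer backend.internal parent 80 0 no-query no-digest originserver login=*:SHARED_SECRET_PLACEHOLDER name=site
#cache_peer_access site allow site
#http_access allow site authed
#http_access deny all
```

With Variant 1 the ACLs can only be based on destination, source address and the like, because Squid holds no verified identity; with Variant 2 the backend must treat the Basic username as trustworthy only because it arrives from this Squid with the shared secret, so the Squid-to-backend link should be restricted to that path.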

