-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/12/2014 12:55 a.m., Rich549 wrote:
> Hi,
>
> I'm having problems getting NTLM authentication to work. I need it
> to only allow members of the Internet_Users AD group to be able to
> access the internet. Instead it is only allowing the websites that
> I've marked as OK for all users (a lot of this config came from my
> SquidNT installation).
>
> My config is as follows:
>
> ## WELCOME TO SQUID 3.3.8
> # ----------------------------
>
> #-----------------------------------------------------------------------------
>
> #DEFAULTS
> #-----------------------------------------------------------------------------
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY and hierarchy_stoplist actions are not much use in recent
Squid versions. There is a refresh_pattern (mentioned below) that replaces
them.

> acl apache rep_header Server ^Apache
> cache_mem 1024 MB
>
> #-----------------------------------------------------------------------------
>
> # AUTHENTICATION
> #-----------------------------------------------------------------------------
>
> #
> # ### negotiate kerberos and ntlm authentication
> #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME domain=HAMMONDS --kerberos /usr/lib/squid3/negotiate_kerberos_auth srvham09.domain.com
> #auth_param negotiate children 10
> #auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HAMMONDS
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> #auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=domain,dc=com" -D squid@xxxxxxxxxx -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h srvham09.domain.com
> #auth_param basic children 10
> #auth_param basic realm Internet Proxy
> #auth_param basic credentialsttl 1 minute
>
> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> #acl localnet src 172.31.0.0/16
>
> ### set helper processes
> external_acl_type internet_domain_group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -b "ou=Service_Accounts,dc=domain,dc=com" -D squid@xxxxxxxxxx -W /etc/squid3/ldappass.txt -f "cn=Internet_Users,ou=Domain_Groups,dn=domain,dn=com" srvham09.domain.com
>
>
>
> #-------------------------------------------------------------------------------------------------
>
> ### Allow authenticated users
> #-------------------------------------------------------------------------------------------------
>
> acl InetAllow external internet_domain_group Internet_Users
>
> #-------------------------------------------------------------------------------------------------
>
> ### Bypass Authentication
> #-------------------------------------------------------------------------------------------------
>
> # These domains will be reachable without authentication
> acl OK_Unauthenticated dstdomain .domain.com .force24.co.uk .trakit.uk.net 194.73.60.21 .stanford.edu 171.65.103.68 212.100.232.212
> acl OK_Unauthenticated dstdomain .canonical.com .sophos.com .ubuntu.com .oracle.com .bt.com .refreshthis.com
> acl OK_Unauthenticated dstdomain .oanda.com .dell.com .launchpad.net
> acl OK_Unauthenticated dstdomain .dashboards.my-tmac.co.uk
>
> #Squid Access Denied Screen
> acl OK_Unauthenticated dstdomain .squid-cache.org
>
> # ------------------------------------------------
> # ------ Permit/Deny access as appropriate -------
> # ------------------------------------------------
>
> http_access allow OK_Unauthenticated
> http_access allow InetAllow
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Missing pattern:
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> shutdown_lifetime 10 seconds
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

You are likely getting startup warnings about the above ACL definitions.
ACLs all, manager, localhost, and to_localhost are predefined in your Squid
version. Remove the above lines from your config.

> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 4004 # Radii website download site uses this port
> acl Safe_ports port 10000 # Webmin

The above two ports are included in the range 1024-65535 (unregistered
ports). No need to add them specially.

> acl Safe_ports port 900 # Swat
> acl Safe_ports port 82 # Pacejet request - test site hosted on HTTP 82
> acl Safe_ports port 81 # Image plus test server (hepplewhite)
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr otrs@xxxxxxxxxx
> forwarded_for off
>
> When I try to browse to any of the whitelisted websites the
> cache.log shows an NTLM process starting so it looks like it's
> making sure that I'm an authenticated user but isn't controlling my
> access correctly.

It should not be doing anything with NTLM when you request the whitelisted
domains or raw-IP addresses.

* With your config it should start the helper processes right at the
  beginning when you start Squid, or if some of them die unexpectedly early
  they should be restarted on a following login.

* Squid should do some lookups via the already running helpers only when
  non-whitelisted domains are requested.

IIRC there was an issue with login when external ACL was the first ACL to be
tested. Try using a "http_access deny !auth" after the whitelist and before
the group check. Like so:

  http_access allow OK_Unauthenticated
  http_access deny !auth
  http_access allow InetAllow

HTH
Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUgbJvAAoJELJo5wb/XPRjNRAIAMp1eqekS+RxJrl0+ewg9jEH
CXONklru2cAvTA5pKkZtUE/NDLgRVyZAPE0P4/UYQumgXFPyeIfHnTOxUYaPiMVt
yD/ITGs8p8/BnsE9DGEbUJ0AS4Dex+PjLxfuCwoEFc2SVX3EqxfyWJIuwNJJFo3E
pDhqoa8+LpsbJvJNeV21IWB6D51fq4RW0rsLQW+mA/xLFD2bFdYdAO/hknTXSq/w
wTdLACc3+gDoyfEDd48p8Bi1tO+bAu8xsWVGtDPNKIz0KOCp81mexweqtYHuKINC
EVrVXb2lLdtc/QqM+XCUC5coB8n1FT26+npd3QJRHZuisNRyspA3g3ibeARl2+w=
=lPSb
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
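The ordering point in the reply above (whitelist first, then `deny !auth`, then the group check) can be seen by tracing which ACLs a request touches under each rule order. The following is an added example, not code from the thread or from the Squid project: a small Python model of Squid's first-match `http_access` evaluation. It assumes only what the discussion relies on: lines are tested top to bottom, the first line whose ACLs all match decides, a `proxy_auth` ACL tested with no credentials results in a 407 challenge, and an external ACL using `%LOGIN` is a helper lookup that needs a login name. The whitelist, group membership and sample requests are constructed; the helper-lookup marker is this model's own label, not a Squid log message.

```python
"""Toy model of Squid's first-match http_access evaluation (added example).

Only the semantics the thread depends on are modelled; everything else
(domain list, group membership, sample requests) is constructed.
"""

# Constructed whitelist and group membership, standing in for the
# OK_Unauthenticated dstdomain list and the Internet_Users AD group.
WHITELIST = {".domain.com", ".squid-cache.org", ".ubuntu.com"}
INTERNET_USERS = {"alice"}

# Rule orderings from the thread: the poster's original and the suggested one.
ORIGINAL_RULES = [
    ("allow", "OK_Unauthenticated"),
    ("allow", "InetAllow"),
    ("deny", "all"),
]
SUGGESTED_RULES = [
    ("allow", "OK_Unauthenticated"),
    ("deny", "!auth"),
    ("allow", "InetAllow"),
    ("deny", "all"),
]


def match_dstdomain(host, suffixes):
    """dstdomain semantics: a leading dot matches the domain and subdomains."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def evaluate(rules, request):
    """Evaluate rules for one request.

    request: {'host': str, 'user': str or None}  (None = no credentials yet)
    Returns (decision, trace) where decision is 'allow', 'deny' or '407'
    and trace lists the ACL names consulted, in order.
    """
    trace = []
    for action, acl in rules:
        negate = acl.startswith("!")
        name = acl.lstrip("!")
        trace.append(name)
        user = request.get("user")

        if name == "OK_Unauthenticated":
            result = match_dstdomain(request["host"], WHITELIST)
        elif name == "auth":
            if user is None:
                # proxy_auth REQUIRED with no credentials: client is challenged
                return "407", trace
            result = True
        elif name == "InetAllow":
            if user is None:
                # external ACL with %LOGIN reached before any login exists;
                # the ordering the reply advises against. Marker is ours.
                trace.append("helper-lookup-without-login")
                return "407", trace
            result = user in INTERNET_USERS
        elif name == "all":
            result = True
        else:
            raise ValueError("unknown acl %r" % name)

        # The line decides as soon as its (possibly negated) ACL matches.
        if result != negate:
            return action, trace

    # No line matched: Squid applies the opposite of the last line's action.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), trace


if __name__ == "__main__":
    samples = [
        {"host": "www.ubuntu.com", "user": None},   # whitelisted, anonymous
        {"host": "example.org", "user": None},      # not whitelisted, anonymous
        {"host": "example.org", "user": "alice"},   # group member
        {"host": "example.org", "user": "bob"},     # authenticated, not in group
    ]
    for label, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        for req in samples:
            print(label, req, "->", evaluate(rules, req))
```

Running it shows that a whitelisted host is decided by the first line alone under either ordering, so no auth ACL (and no NTLM helper) is touched; for a non-whitelisted host the original order reaches the external `%LOGIN` ACL before any login exists, while the suggested order challenges on `deny !auth` first and only consults the group ACL once a user name is known.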