On 28/04/2015 8:46 p.m., Lupick wrote: > I've found probably where is the problem but I don't know how to solve it. > > If I try to connect with a PC outside the domain squid ntlm auth prompt for > username/password. On the password prompt banner I have the proxy ip > address; so the ntlm auth is used. The HTTP auth label "NTLM" was used by some old client software to deliver LanMan protocol credentials (DOS 1.0 thru Windows 98 to give you an idea of scale) - which is essentially 8-bit encrypted username+password. Naturally a lot of more modern systems are not permitting that type of downgrade attack anymore. I susect your OS upgrade came with an upgrade to either CentOS Samba version ntlm_auth helper which dropped supprot for those 20+ year old insecure protocols. IIRC the "fix" for this is to turn off MSIE "Windows Integrated Authentication" on machines which are not part of a domain. That leaves them with selecting Basic auth which works. Alternatively upgrading the domain to Kerberos (Negotiate auth) instead of NTLM has also long been recommended. > I can put my domain\username + password but it keep requesting the > password. > > I've tried to comment out all the ntlm auth stuff in squid.conf; and I kept > only the basic. > > Now the PC request to me the username\password but this time on the banner > I have " Squid proxy-caching web server" so basic auth is used. If I put > my domain\username + pwd all is working well. > > So I assume the problem is due to ntlm auth doesn't fall back to basic but > it keeps requesting password. > > Do you know how to force squid to fallback to basic auth if ntlm auth fail? > I remember in older version it was automatic. There is no way to force fallback. Squid is merely advertising the set of HTTP auth schemes it accepts. The client software makes the choice which to use. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
