On 11/24/2015 10:08 AM, Verónica Ovando wrote:
My Squid Version: Squid 3.4.8
OS Version: Debian 8
I have installed Squid on a server using Debian 8 and seem to have the
basics operating, at least when I start the squid service, I am
no longer getting any error messages. At this time, the goal is to
authenticate users from Active Directory and log the user and the
websites they are accessing.
I followed the official guide
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm. I
verified that samba is properly configured, as the guide suggests, with
the basic helper in this way:
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
domain\user pass
OK
Here is a part of my squid.conf where I defined my ACLs for the groups
in AD:
========================================================================================================
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Servidor proxy-cache de mi Dominio
auth_param basic credentialsttl 2 hours
external_acl_type AD_Grupos ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
acl AD_Standard external Grupos_AD Standard
acl AD_Exceptuados external Grupos_AD Exceptuados
acl AD_Bloqueados external Grupos_AD Bloqueados
acl face url_regex -i "/etc/squid3/facebook"
acl gob url_regex -i "/etc/squid3/gubernamentales"
http_access allow AD_Standard
http_access allow AD_Exceptuados !face !gob
http_access deny AD_Bloqueados
========================================================================================================
I tested using only the basic scheme (I commented the lines out for
NTLM auth) and every time I open the browser it asks me my user and
pass. And it works well because I can see in the access.log my
username and all the access policies defined are correctly applied.
But if I use NTLM auth, the browser still shows me the pop-up (it must
not be shown) and if I enter my user and pass it still asks me for them
until I cancel it.
My access.log, in that case, shows a TCP_DENIED/407 as expected.
What could be the problem? It is supposed that both Kerberos and NTLM
protocols work together, I mean that they can live together in the same
environment and Kerberos is used by default. How can I check that NTLM
is really working? Could it be a squid problem in the conf? Or maybe
AD is not allowing NTLM traffic?
Sorry for my English. Thanks in advance.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Make sure Internet Explorer is set to use Integrated Windows
Authentication (IWA). Tools --> Internet Options --> Advanced -->
Security --> Enable Integrated Windows Authentication.
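
Added example, not part of the thread and not Squid or Samba code: one way to check whether NTLM is really being attempted during a 407 loop is to classify the Proxy-Authenticate / Proxy-Authorization header values seen in a packet capture or client debug output. The function name and the sample header values are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_proxy_auth(header_value):
    """Return (scheme, detail) for a Proxy-Authorization or
    Proxy-Authenticate header value (hypothetical helper name)."""
    parts = header_value.strip().split(None, 1)
    if not parts:
        return ("none", "empty header")
    scheme = parts[0].lower()
    token = parts[1].strip() if len(parts) > 1 else ""
    if scheme == "basic":
        return ("basic", "Basic credentials, no NTLM or Kerberos involved")
    if scheme not in ("ntlm", "negotiate"):
        return (scheme, "unrecognised scheme")
    if not token:
        # A bare scheme name is the proxy's offer in a 407 response.
        return (scheme, "scheme offered, no token")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "token is not valid base64")
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Message type is a little-endian uint32 right after the signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return (scheme, "NTLMSSP " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if raw[:1] == b"\x60":
        # 0x60 is the ASN.1 tag of a GSS-API initial token (SPNEGO/Kerberos).
        return (scheme, "GSS-API token (SPNEGO/Kerberos)")
    return (scheme, "unknown token format")

# Constructed sample header values, not taken from the thread.
SAMPLES = [
    "NTLM",
    "NTLM TlRMTVNTUAABAAAA",
    "NTLM TlRMTVNTUAADAAAA",
    "Negotiate TlRMTVNTUAABAAAA",
    "Negotiate YIIB",
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("%-30s -> %s: %s" % ((value,) + classify_proxy_auth(value)))
```

A Negotiate header that carries an NTLMSSP token means the client fell back to NTLM inside Negotiate instead of sending a Kerberos ticket.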