Search squid archive

Re: ntlm_auth defaulting to succeed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for this Francesco. I have been experimenting with the various authenticators without much success.

I have compiled squid-3.5.11 from source and ntlm_fake_auth doesn't appear to work. I have scoured the docs and the forums but I can't find anyone saying it doesn't work.

I have it set up like this in my squid.conf:

auth_param ntlm program /usr/local/squid/libexec/ntlm_fake_auth -d -v -S

but I just get denied access whilst sending ADS 2008R2 domain authentication via Firefox:

==> /usr/local/squid/var/logs/access.log <==
1449434911.652 0 192.168.5.35 TCP_DENIED/407 4473 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html

==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 ........ ........
[0020]   06 01 B1 1D 00 00 00 0F   00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010]   AE AA AA AA 07 82 08 A2   E4 9D FA 04 45 14 D1 A5 ........ ....E...
[0020]   00 00 00 00 00 00 3A 00   57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030]   50                                                  P

==> /usr/local/squid/var/logs/access.log <==
1449434911.660 0 192.168.5.35 TCP_DENIED/407 4640 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html 1449434911.706 0 192.168.5.35 TCP_IMS_HIT/304 249 GET http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/- image/png 1449434913.266 0 192.168.5.35 TCP_DENIED/407 4473 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html

==> /usr/local/squid/var/logs/cache.log <==
ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   01 00 00 00 07 82 08 A2 NTLMSSP. ........
[0010]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 ........ ........
[0020]   06 01 B1 1D 00 00 00 0F   00 00 ........ ..
ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
[0000]   4E 54 4C 4D 53 53 50 00   02 00 00 00 09 00 09 00 NTLMSSP. ........
[0010]   AE AA AA AA 07 82 08 A2   CE 7D A2 0A 08 8A 68 B2 ........ ......h.
[0020]   00 00 00 00 00 00 3A 00   57 4F 52 4B 47 52 4F 55 ........ WORKGROU
[0030]   50                                                  P

==> /usr/local/squid/var/logs/access.log <==
1449434913.272 0 192.168.5.35 TCP_DENIED/407 4640 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html 1449434913.319 0 192.168.5.35 TCP_IMS_HIT/304 249 GET http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/- image/png


I have tried ntlm_fake_auth.pl.in and ntlm_smb_lm_auth without success too. We have used ntlm_auth for years but have issues with the process sometimes failing due to ADS password changes etc so hence the desire for a dummy/fake authentication.

Does anyone know if ntlm_fake_auth should work with squid v3.5.11 ?

Many thanks
Noel

On 03/12/15 05:19, Kinkie wrote:
Hi,
   you can check the ntlm_fake_auth helper; it'll blandly trust
anything the user says.

On Wed, Dec 2, 2015 at 10:10 PM, Noel Kelly<nkelly@xxxxxxxxxxxxxxxxxx>  wrote:
Hello All

We have been using Squid and ntlm_auth for many years with mainly success.
However we have always had a few annoyances like continual authentication
pop-ups if a user has changed their password and not restarted their session
or, as now, persistent popups which seem related to a browser update (Google
Chrome is the suspect currently).

It occurred to me that thee days we don't use ntlm_auth to block Internet
access per se but rather to capture the username to manage access using ACLs
and the username.

So I was wondering if anyone had any ideas for a Squid config where the
ntlm_auth helper always succeeded regardless of the password  so they user
gets waived through and Squid has the username needed to process the ACLs?

Thanks
Noel

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


--
=======================
Noel Kelly
Citrus Networks
m: 07939 528 478
t: 0207 100 2410
e:nkelly@xxxxxxxxxxxxxxxxxx
=======================
Citrus Networks UK Ltd is registered
in England and Wales with company
number 3927941. Registered Office:
Gladstone House, 77-79 High St,
Egham, Surrey TW20 9HY.
VAT Reg. 748716690
=======================

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux