Re: Strange NTLM problem.

On 28/06/2016 03:14, drcimino drcimino wrote:
Dear all,
I have a strange problem with my squid 3.5.19 and NTLM authentication.
In my configuration I have 2 auth methods:
NTLM negotiated with ntlm_auth from samba 3
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 200 startup=100 idle=10 concurrency=0
auth_param ntlm keep_alive on

and as a fallback, basic ntlm
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 25 startup=15 idle=5 concurrency=0
auth_param basic realm PROXY AUTHORIZATION REQUIRED
auth_param basic credentialsttl 30 minutes

TTL
authenticate_cache_garbage_interval 1 hours
authenticate_ttl 30 minutes
authenticate_ip_ttl 30 minutes

Groups identification with LDAPS
external_acl_type NAV children-max=200 children-startup=100 children-idle=10 ttl=1800 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -s sub -b "dc=domain,dc=xxx" -D "cn=squid,cn=Users,dc=domain,dc=xxx" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" -S -K -H ldaps://domain.xxx:3269

I've been using the helper "ext_wbinfo_group_acl" to work with AD groups and transparent authentication for domain members. The config below also makes the auth pop-up show when the machine isn't a member of the domain - no need to use the fallback part. You just have to configure Kerberos, Samba, join the Squid machine to the domain with "net ads join" and enable winbind.

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --enable-external-acl-helpers="ext_wbinfo_group_acl"
    auth_param ntlm children 10 startup=0 idle=2

    external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

    acl authenticated proxy_auth REQUIRED

    acl ad_group external NTGroup MYDOMAIN\AD_Group
    acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
    http_access deny ad_group denied_websites

In my set of acls, the pop-up was also appearing on specific sites. Changing the order of the acls made it stop appearing for me.
This:

    http_access allow website_list user_list

seems to work differently from this:

    http_access allow user_list website_list


Bruno
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
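Added example, not from the thread: a small Python model of how Squid walks http_access lines, left to right and stopping at the first non-matching ACL, which is why the two orderings in the reply above behave differently: with the dstdomain ACL first, a request for a site outside the list never reaches the proxy_auth ACL and so never draws the 407 challenge. The ACL names, hosts and the evaluation model are assumptions made for illustration; the real Squid ACL engine has more cases (asynchronous lookups, "fast" versus "slow" ACLs) than this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE = "407 challenge"  # proxy_auth consulted without credentials

@dataclass
class Request:
    host: str
    user: Optional[str] = None   # None: no Proxy-Authorization header sent yet

@dataclass
class Acl:
    name: str
    kind: str                    # "dstdomain", "proxy_auth" or "all"
    values: set = field(default_factory=set)

    def match(self, req):
        """True/False, or CHALLENGE when credentials are required but absent."""
        if self.kind == "all":
            return True
        if self.kind == "dstdomain":
            return any(req.host == v or (v.startswith(".") and req.host.endswith(v))
                       for v in self.values)
        if self.kind == "proxy_auth":
            if req.user is None:
                return CHALLENGE
            return "REQUIRED" in self.values or req.user in self.values
        raise ValueError(f"unknown acl type {self.kind}")

def evaluate(rules, acls, req):
    """Walk http_access lines like Squid: a line matches only if every ACL on it
    matches, and evaluation of a line stops at the first ACL that does not match,
    so ACLs to its right (a proxy_auth one included) are never consulted."""
    for action, names in rules:
        for name in names:
            result = acls[name].match(req)
            if result == CHALLENGE:
                return CHALLENGE
            if not result:
                break
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed ACLs mirroring the two orderings quoted in the reply above.
ACLS = {"website_list": Acl("website_list", "dstdomain", {"intranet.example"}),
        "user_list": Acl("user_list", "proxy_auth", {"REQUIRED"}),
        "all": Acl("all", "all")}
SITE_FIRST = [("allow", ["website_list", "user_list"]), ("deny", ["all"])]
USER_FIRST = [("allow", ["user_list", "website_list"]), ("deny", ["all"])]
```

Running `evaluate(SITE_FIRST, ACLS, Request("other.example"))` yields a plain deny with no pop-up, while the same request under `USER_FIRST` yields the 407 challenge first.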