On 21/08/18 4:15 AM, Jon Cuthbert wrote:
> On a new installation, I cannot get the ntlm_auth working correctly:
> Squid - v 3.5.20
>
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr243 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
> 2018/08/20 17:00:27| WARNING: basicauthenticator #Hlpr244 exited
> 2018/08/20 17:00:27| Too few basicauthenticator processes are running
> (need 1/5)
> 2018/08/20 17:00:27| Starting new helpers
> 2018/08/20 17:00:27| helperOpenServers: Starting 1/5 'ntlm_auth' processes
>
> The ntlm_auth process respawns constantly, with the following error once
> the request & user authentication attempt is sent from the browser:
> 'helperOpenServers: Starting 1/10 'ntlm_auth' processes
> username must be specified!'
>
> Above is with auth_param ntlm # commented out but the same happens if
> ntlm is first.
>
> squid.conf file contains:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param basic program /usr/bin/ntlm_auth
> -–helper-protocol=squid-2.5-basic
> auth_param basic children 5
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow all AuthorizedUsers

This use of "all" does nothing but add confusion.

Also, what do the other lines in your config then say to do with the NTLM type-1 requests (no credentials) and failed-login requests? Note those are different types of message.

"http_access allow" only handles completed + successful logins. This is why our recommended and example configs always have three parts and a "deny" action associated to the login:

  # ... things which don't require login credentials

  http_access deny login

  # ... things which depend on credentials

>
> The following ownerships are in place:
> root:wbpriv /var/lib/samba/winbindd_privileged/
> root:wbpriv /var/run/samba/winbindd/pipe
>
> wbinfo - works for both plaintext & challenge/response
> wbinfo -t works

Is the proxy user a member of that wbpriv group, AND the old cache_effective_* directives _absent_ from your squid.conf?

>
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> works correctly - (if a space is left after the c basic, otherwise it
> complains about username - I've tried squid.conf leaving a space as well)

That's odd.

>
> /usr/bin/ntlm_auth -–helper-protocol=squid-2.5-ntlmssp
> gives BH SPNEGO request invalid prefix - assume related to Negotiate,
> but will investigate after basic authentication in case related).
>
> I've looked at as many install instructions as possible, and this should
> be okay?

The "BH SPNEGO" indicates that the client/browser is *not* sending NTLM authentication in the HTTP messages labeled "Proxy-Authorization: NTLM ..."

Have you considered configuring Kerberos instead? All MS products since WinXP should be defaulting to that more secure scheme.

Amos
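
An added example, not part of the original message or of Squid itself: a small Python check for the three-part layout described in the reply, reporting any proxy_auth ACL that is used in an "http_access allow" rule but in no "http_access deny" rule. The function name, the simplified squid.conf parsing, and the THREE_PART sample (including its "deny !AuthorizedUsers" spelling) are assumptions constructed for illustration; POSTED holds the two access lines quoted in the thread.

```python
def auth_rule_findings(conf_text):
    """Return (acl_name, line_no) for each proxy_auth ACL that appears in an
    'http_access allow' rule but in no 'http_access deny' rule."""
    auth_acls = set()   # ACL names declared with type proxy_auth
    allowed = {}        # ACL name -> first line number of an allow rule using it
    denied = set()      # ACL names referenced (negated or not) by any deny rule
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments (simplified)
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[2] == "proxy_auth":
            auth_acls.add(tokens[1])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            names = {t.lstrip("!") for t in tokens[2:]}
            if tokens[1] == "allow":
                for name in names:
                    allowed.setdefault(name, lineno)
            elif tokens[1] == "deny":
                denied |= names
    return [(name, allowed[name]) for name in sorted(auth_acls)
            if name in allowed and name not in denied]


# The ACL and access lines as posted in the thread.
POSTED = """\
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
"""

# Constructed sample following the three-part layout from the reply.
THREE_PART = """\
acl AuthorizedUsers proxy_auth REQUIRED
# ... things which don't require login credentials
http_access deny !AuthorizedUsers
# ... things which depend on credentials
http_access allow AuthorizedUsers
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("three-part", THREE_PART)):
        findings = auth_rule_findings(conf)
        for name, line in findings:
            print(f"{label}: ACL {name} is allowed on line {line} "
                  "but no deny rule references it")
        if not findings:
            print(f"{label}: every login ACL has an associated deny rule")
```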