Re: [squid-users] ntlm questions

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 11 Feb 2003 04:23:16 +0100

In all configurations you need some kind of http_access rules telling
what access rules you want to apply. If your http_access rules never
make use of authentication (via a proxy_auth acl type or an external
acl type with %LOGIN in the format specification) then authentication
will not be required.

As for the wb_group question: Make sure that you copy the correct
headers from Samba to each of the winbind helpers, as the winbind
headers shipped with Squid only work with Samba 2.2.4 and 2.2.5. This
applies to all three native winbind helpers shipped with Squid:

   helpers/basic_auth/wb_auth/
   helpers/ntlm_auth/wbntlm_auth/
   helpers/external_acl/wb_group/

Regards
Henrik

Simon Bryan wrote:
>
> Hi all,
>
> I am using Squid2.5STABLE1 on RH7.2, have successfully implemented ntlm
> authentication (after much grief related to getting Samba to compile
> properly). I was following another thread in this list about ntlm and not
> needing a proxy_auth line when using an external authenticator, which turned
> out to be true; however, it seems to also then allow non-authenticated use of
> the proxy! I see now that there are large numbers of lines in my logs where
> the 'user' is the machine's IP address and the download is permitted.
> Previously they would be denied. Is this correct behaviour? I find I need:
>
> acl password proxy_auth REQUIRED
> http_access deny all !password
>
> for access to non-authenticated users to be denied. Or am I doing something
> dumb (again!)?
>
> Also should I be able to use:
> acl staff external wb_group Teachers
>
> in an http_access rule like:
>
> acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> http_access allow webmail staff
> http_access deny webmail
>
> because it doesn't seem to work for me; the docs seem to indicate that it is
> possible. 'Teachers' is a group on the NT Server.
>
> ****************************************************************************
> ********************************************
> I believe the relevant lines of my conf file are below:
>
> auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> auth_param basic children 20
> auth_param basic realm Proxy server at OLMC
> auth_param basic credentialsttl 1 hours
>
> external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> acl winauth external wb_group wwwusers
> acl staff external wb_group Teachers
> authenticate_ttl 1 hour
> authenticate_ip_ttl 300 seconds
>
> # TIMEOUTS
> # ACCESS CONTROLS
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl cachemanager src 10.192.0.21
> acl SSL_ports port 443 563 4545
> acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
> acl CONNECT method CONNECT
> acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
> acl password proxy_auth REQUIRED
>
> http_access deny all !password
>
> _________________________________________
> Simon Bryan
> IT Manager
> OLMC Parramata
> ICQ#: 137562751
> _________________________________________
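To make the mechanism Henrik describes concrete, here is a squid.conf fragment for Squid 2.5, added as an example for this archive page; it is not from either poster. Helper paths, the realm text, the domain and the group name are assumptions. The point it shows: Squid only challenges a client when an acl that consumes credentials (proxy_auth, or an external type whose format contains %LOGIN) is actually evaluated, so a rule set that never reaches such an acl allows clients without authentication, and the first matching http_access line decides the request.

```conf
# Added example, not from the thread. Squid 2.5 squid.conf fragment.
# Helper paths, realm, domain and group name are assumptions.

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Proxy server

# %LOGIN in the format makes every acl of this type consume credentials:
# Squid challenges the client before the helper is ever consulted.
external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl staff   external wb_group Teachers
acl webmail dstdomain .mail.example.com

# proxy_auth REQUIRED matches any successfully authenticated user.
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0

# Pitfall: with only the two lines below, no credential-consuming acl is
# ever evaluated, so clients are never challenged and every request that
# is not to a webmail host is allowed unauthenticated.
#   http_access deny webmail
#   http_access allow all

# Corrected ordering. First match wins, so the group check has to come
# before the blanket deny on webmail.
http_access allow webmail staff   # challenges, then hands "user Teachers" to wb_group
http_access deny  webmail         # authenticated but not in Teachers
http_access allow password        # everyone else who can authenticate
http_access deny  all
```

A quick check after reloading: an HTTP request sent through the proxy without any Proxy-Authorization header must come back as a 407 challenge rather than being served, and access.log should no longer show permitted requests with no user name attached.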
Received on Mon Feb 10 2003 - 20:24:46 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:18 MST