[squid-users] Transparent authentication using Samba+Squid+NTLM Parent proxy

From: Van Hoorenbeeck, Peter (RST/Hammerstone EMEA) <peter.van-hoorenbeeck@dont-contact.us>
Date: Wed, 21 Jul 2004 18:34:13 +0200

Hey Squid community,

You probably start running when you see the combo Samba+Squid+NTLM; I
can imagine what the additional parent proxy behind that combo would do
to somebody.

Let me define my goal:

I have an application that cannot handle NTLM authentication (but only
basic auth), and which uses HTTP to transfer data. I also have a proxy
server that requires NTLM authentication. Yes, you already see where I
am heading: I want to enable the application to pass through the NTLM
authentication. How?... I don't care, as long as the application does
not have to do NTLM authentication.

So I went looking on the web. There was a lot of fuss around the
Samba+Squid+NTLM combo, so I started working on that one. So I placed
the Squid in between the application and the existing proxy server.
After days and days, I got the NTLM authentication working (without the
existing NTLM proxy, so the Squid could authenticate perfectly to the
domain controller).

When I add the existing proxy to the squid.conf as the parent proxy
(cache_peer directive), the parent proxy returns HTTP/1.1 407 (requiring
authentication) when I do a test. So I am stuck and I lost all hope.

This proves that NTLM authentication to the domain controller actually
works:
[2004/07/22 00:01:53, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(616)
  NTLMSSP OK!

I have read that NTLM works only hop-to-hop, and that is in fact the
only thing I want to accomplish, only Squid needs to authenticate to the
parent proxy. However, when I do not set the auth REQUIRED acl, it
doesn't authenticate at all.

I am using browsers to test the setup (IE and Firefox), but that does
not matter in fact, as I do not want to see ANY request for
authentication. I said earlier that I got the NTLM authentication
working, but that was accomplished by entering username/password in the
popup that Squid prompts.

So... bottom line: how do I get Squid to do the entire authentication to
the parent proxy? (only for getting access to the parent proxy, NOT to
the websites behind the proxy!!)

Please, please help?

Thanks,
Peter
Received on Wed Jul 21 2004 - 10:35:08 MDT
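
The two authentication hops described in the message above, laid out as a squid.conf sketch. This is an added example, not the poster's configuration: the host name, ports, helper path and child counts are placeholder assumptions, and the Basic scheme is included only because the post says the application speaks Basic.

```conf
# Constructed sketch of the topology in the post (Squid 2.5-era syntax).
# Placeholders: parent-proxy.example.com, ports, /usr/bin/ntlm_auth path.
http_port 3128

# --- Hop 1: client/application -> this Squid -------------------------
# auth_param only controls how *clients* authenticate to this Squid.
# Samba's ntlm_auth helper checks the credentials against the domain
# controller; the "NTLMSSP OK!" log line in the post comes from here.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Basic scheme for the application that cannot do NTLM. The password
# crosses this hop base64-encoded, not encrypted, so keep the hop on a
# trusted segment.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy

# The "auth REQUIRED acl" from the post: this is what makes Squid send
# its own 407 challenge (and the browser popup) to clients.
acl authed proxy_auth REQUIRED
http_access allow authed
http_access deny all

# --- Hop 2: this Squid -> existing NTLM parent proxy -----------------
# A separate authentication exchange. The HTTP/1.1 407 in the post is
# the parent's challenge on this hop; a successful NTLM login on hop 1
# does not carry over, because NTLM authenticates a single connection.
# Credentials for a peer are set with cache_peer's login= option
# (login=user:password), which sends them as Basic and stores the
# password in squid.conf in clear text.
cache_peer parent-proxy.example.com 8080 parent 0 no-query default

# Send every request through the parent instead of going direct.
never_direct allow all
```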
