Re: [squid-users] squid no ntlm_auth for certain IPs

From: James Gray <james_gray@dont-contact.us>
Date: Mon, 23 May 2005 22:43:08 +1000

On Mon, 23 May 2005 10:14 pm, Daniel wrote:
> Hello Squid Users,
>
> I've set up squid using samba and ntlm_auth for user authentication. And
> everything works fine. Users with a valid Active Directory
> authentication can surf the web. Users without such authentication
> can't. Just like I intended it to work.
>
> But now i am facing a problem. We have some users within our network who
> work on "non-Active-Directory aware" machines (MAC OS X, Linux, Solaris
> to give them names). Now my question is: how can I allow access to the
> proxy cache for these certain IP addresses (static ones) which those
> clients use? Is there a way I let certain IPs simply bypass the
> ntlm_auth authentication?
>
> thanks for any advice!
>
> Daniel

Hi Daniel,

Configure a "basic" authenticator in squid.conf that authenticates with samba
(winbind etc) then when they open a browser etc, they will be prompted for a
user name and password. The user name should be in the form "domain\userid"
where "domain" is the active directory domain their account belongs to.

eg (excerpt from my squid.conf):
...
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Tell the user what they are authenticating to
auth_param basic credentialsttl 2 hour
# Next 2 lines are actually 1 in the config - they are wrapped by my mail
# client in this example and indented manually for clarity. :)
auth_param basic program /usr/local/bin/ntlm_auth
           --helper-protocol=squid-2.5-basic
...
(note the last two lines are actually a single line)

We use this "dual-authentication" scheme and it works well - it also means
that browsers etc, that don't support NTLM authentication are supported.

FWIW, KDE 3.4 and Konqueror now support NTLM (transparent) authentication if
you configure the default user name and password in KDE's "Control Center"
under "Internet & Network -> Local Network Browsing". Once again, you'll
need to use the "domain\userid" notation here too. If you don't set up these
defaults with a valid account, it will "fall-back" to basic-auth.

HTH,

James
Received on Mon May 23 2005 - 06:43:47 MDT
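The "dual-authentication" layout described in the reply, written out as a fuller squid.conf fragment. This is an added example, not part of the original message or the poster's actual configuration: only the ntlm_auth path and the basic helper line come from the excerpt above, while the ACL names, the realm text, the NTLM helper line and the 192.0.2.10 address are assumptions or placeholders.

```conf
# --- Scheme 1: NTLM, for domain-joined Windows clients -------------------
# Squid offers schemes to the client in the order they first appear here,
# so NTLM is listed before Basic.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# --- Scheme 2: Basic, for clients without NTLM support -------------------
# Same Samba helper, different protocol. Users log in as domain\userid.
# Basic sends the password base64-encoded (not encrypted) on every request
# to the proxy, so the client-to-proxy segment should be a trusted network.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Example proxy (placeholder realm text)
auth_param basic credentialsttl 2 hours

# --- Access rules --------------------------------------------------------
# Any request that completes either scheme above matches this ACL.
acl authenticated proxy_auth REQUIRED

# The alternative asked about in the original question: exempting static
# addresses from authentication. Left disabled here. Requests allowed this
# way carry no user name in access.log, and the rule trusts whatever host
# currently holds the address.
# acl noauth_hosts src 192.0.2.10        # placeholder address
# http_access allow noauth_hosts         # must precede the proxy_auth rule

http_access allow authenticated
http_access deny all
```

http_access rules are evaluated top to bottom and the first match wins, which is why an address-based exemption only takes effect when placed above the proxy_auth rule.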
