Re: [squid-users] Problem setting up SquidNT and NT Authentication

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 20 Jun 2005 20:16:26 +0200

Hi,

At 09.28 20/06/2005, Tom Cannaerts wrote:

>Hi, I'm new to Squid, and I can't seem to solve this problem (probably
>overlooking something)
>
>I'm using SquidNT running on a Windows Server 2003 Active Directory
>controller, and want to restrict access to a specific Windows user group
>(InternetUsers).
>What happens is that I always get a permission denied page, and the
>browser does not prompt me for a username/password (tried both IE and
>Firefox).
>I found a Linux example on how this should be done (using a Perl
>script), and changed it to use the exe files supplied with SquidNT, but
>it ain't working.

The behaviour is as expected.

>Here are the relevant lines of my squid.conf
>
>auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
>auth_param ntlm children 5
>auth_param ntlm max_challenge_reuses 0
>auth_param ntlm max_challenge_lifetime 2 minutes
>auth_param ntlm use_ntlm_negotiate off

Usage of

auth_param ntlm use_ntlm_negotiate on

is recommended on Windows.

>auth_param basic program c:/squid/libexec/NT_auth.exe
>auth_param basic children 5
>auth_param basic realm Squid proxy-caching web server
>auth_param basic credentialsttl 2 hours
>auth_param basic casesensitive off
>
>external_acl_type NT_local_group %LOGIN c:/squid/libexec/win32_check_group.exe
>acl LProxyUsers external NT_local_group InternetUsers
>acl password proxy_auth REQUIRED
>http_access allow password LProxyUsers
>http_access deny all

By design, the win32_check_group.exe helper cannot look up DOMAIN Local
Groups, only MACHINE local groups. You cannot use Local groups on a
Domain Controller; use Global groups instead.

>If anyone has done something similar, or simply knows how this must be
>done, please help me out.

First step: try with user authentication only; when it works, try with
group authorization.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Jun 20 2005 - 12:17:11 MDT
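
The squid.conf from this message, staged the way the reply suggests, as an added example that is not part of the original mail or of the SquidNT distribution. The ACL names `NT_global_group` and `GProxyUsers` are hypothetical, `InternetUsers` is assumed to have been recreated as a Global group, and the `-G` (Domain Global group mode) switch is an assumption to confirm against the usage text of the helper shipped with your build.

```conf
# --- Step 1: user authentication only --------------------------------
# NTLM scheme, with negotiate enabled as recommended on Windows.
auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

# Basic scheme as fallback for clients that cannot do NTLM.
auth_param basic program c:/squid/libexec/NT_auth.exe
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl password proxy_auth REQUIRED

# Any authenticated user is allowed. Get this working first: the browser
# should authenticate and access.log should show the user name.
http_access allow password
http_access deny all

# --- Step 2: add group authorization ---------------------------------
# Only after step 1 works. The proxy runs on a Domain Controller, so the
# group must be a Global group, not a Local one.
# Assumption: -G switches win32_check_group.exe to Domain Global group mode.
#
# external_acl_type NT_global_group %LOGIN c:/squid/libexec/win32_check_group.exe -G
# acl GProxyUsers external NT_global_group InternetUsers
#
# Then replace the step 1 allow rule above with:
# http_access allow password GProxyUsers
# and keep "http_access deny all" as the last rule.
```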
