[squid-users] Squid /NTLM, almost bald..

From: Walker Tippit <walker.tippit@dont-contact.us>
Date: Fri, 26 Aug 2005 09:25:46 -0500

OK. What I have here is a failure to communicate. I've got a Debian
server running Samba-3.0.2, winbind, and squid-2.5.9-10. All of these
came to me as debian packages. I've got ntlm authentication set up in
squid.conf:

#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 2 hours
auth_param ntlm use_ntlm_negotiate on
#auth_param basic program /usr/lib/squid/smb_auth -W (My Domain)
#auth_param basic children 5
#auth_param basic realm (identifier)
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
-----

The ntlm_auth program came with winbind. Here's my acl section:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localhosts proxy_auth REQUIRED src 192.168.0.0/255.255.248.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow all localhosts

Now my problem is that when a user is logged into our domain and loads up
IE, it still brings up a password dialog box even though I've read
everywhere that IE isn't supposed to do this with ntlm authentication.
If I enter a correct username/password combination, I can browse just
fine.

Is there something I'm missing in order to get transparent proxying to
work?

Thanks in advance..
walker
Received on Fri Aug 26 2005 - 08:25:52 MDT
