[squid-users] A first crack at NTLM - 90% there :)

From: Gabriel Gunderson <ggundy@dont-contact.us>
Date: Wed, 19 Oct 2005 02:28:28 -0600

I'm *really* enjoying squid, but I'm having some problems that I just
can't seem to figure out. I was able to join the Linux box that squid
is running on to an Active Directory domain and use ntlm_auth and
wbinfo_group.pl to control access, with some success.

My questions are:

1) Do I even need a "basic" auth_param? All the examples I see configure
both ntlm and basic. What would be the reason to have both?

2) What does the top log entry (the one with "-" instead of a user name)
show? Why would I get it if the user is authenticated with NTLM? Shouldn't
every line show "DOMAIN+admin" (or whichever user)? (example below)
...
- NONE/- text/html
DOMAIN+admin DIRECT/72.14.203.19 text/html
...

3) When I view a page that I should be allowed to load, the browser acts
like it is loading but then just hangs (both IE and Firefox). I know the
page is not being blocked, because the deny_info page is not shown. It
just hangs. This is my biggest problem. Ideas?

Thanks for everything,
Gabe

SYSTEM INFO:

/etc/squid/squid.conf
######################################
# NTLM (NTLMSSP) via Samba's ntlm_auth. The proxy only relays the
# challenge/response exchange and never sees the user's password, so this is
# the preferred scheme for domain-joined Windows clients.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# Number of ntlm_auth helper processes kept running.
auth_param ntlm children 15
# 0 = issue a fresh challenge for every handshake. Keep it at 0: a reused
# challenge lets a captured response be replayed by someone else.
auth_param ntlm max_challenge_reuses 0
# How long an issued challenge stays valid.
auth_param ntlm max_challenge_lifetime 2 minutes

# Basic auth is only a fallback for clients that cannot speak NTLM. With Basic
# the user name and password travel base64-encoded (effectively cleartext) on
# the client-to-proxy hop, so keep this block only if such clients exist.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy / Caching Server
# Verified Basic credentials are cached for 2 hours; a password change or
# account lockout in AD may therefore not be honoured by the proxy until then.
auth_param basic credentialsttl 2 hours

# Group-membership helper. %LOGIN passes the authenticated user name to
# wbinfo_group.pl, which asks winbind whether that user belongs to any of the
# groups listed on the referencing acl line. Results are cached by Squid for
# the helper's ttl (the built-in default, since none is set here), so group
# changes in AD are not seen by the proxy immediately.
external_acl_type wbg %LOGIN /usr/lib/squid/wbinfo_group.pl

# Source-address ACLs.
acl all src 0.0.0.0/0.0.0.0
# The local client network; intended for restricting who may use the proxy.
acl DOMAIN-net src 10.0.0.0/255.255.0.0
acl localhost src 127.0.0.1/255.255.255.255

# Matches any successfully authenticated user (NTLM or Basic).
acl auth-users proxy_auth REQUIRED
# Group ACLs: each file lists AD group names (as winbind reports them, e.g.
# DOMAIN+Management), and the wbg helper checks the user against them.
acl unrestricted-groups external wbg "/etc/squid/lists/unrestricted-groups.txt"
acl black-list-groups external wbg "/etc/squid/lists/black-list-groups.txt"
acl white-list-groups external wbg "/etc/squid/lists/white-list-groups.txt"
# Destination-domain lists, one domain per line.
acl black-list-sites dstdomain "/etc/squid/lists/black-list-sites.txt"
acl white-list-sites dstdomain "/etc/squid/lists/white-list-sites.txt"
acl work-sites dstdomain "/etc/squid/lists/work-sites.txt"
# Ports CONNECT may tunnel to (443 https, 563 snews).
acl ssl-ports port 443 563
# Ports plain requests may target; 1025-65535 covers the unregistered range.
acl safe-ports port 80 20 21 443 1025-65535

acl connect method CONNECT
# Dynamic content (cgi-bin or a query string); excluded from the cache below.
acl query urlpath_regex cgi-bin \?
# The cache manager interface.
acl manager proto cache_object
acl never-cache dstdomain "/etc/squid/lists/never-cache.txt"
acl windows-update dstdomain .microsoft.com .windowsupdate.com

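# Never cache dynamic content or the explicitly listed domains.
no_cache deny query
no_cache deny never-cache
# Cache manager only from the proxy host itself.
http_access allow manager localhost
http_access deny manager

# Rules are evaluated top to bottom; the first match wins, so order matters.
http_access deny !safe-ports
http_access deny connect !ssl-ports
# Only the local network (and the proxy host itself, which is not inside
# DOMAIN-net) may use the proxy at all. Without this rule the unauthenticated
# allows below and the 407 auth challenge are reachable from any address that
# can connect to the listening port.
http_access deny !DOMAIN-net !localhost
# These two bypass authentication and the group checks entirely: anyone on the
# network reaches these domains, and such requests are logged with no user.
http_access allow work-sites
http_access allow windows-update
http_access allow localhost
# Everything below requires credentials. This rule is what produces the
# TCP_DENIED/407 lines with "-" as the user in access.log; a few of them per
# client are expected while the NTLM handshake completes.
http_access deny !auth-users
http_access allow unrestricted-groups
# NOTE(review): as written, members of black-list-groups may reach ONLY the
# domains in black-list-sites. If the intent is "everything except those
# sites", this line should read:
#   http_access allow black-list-groups !black-list-sites
http_access allow black-list-groups black-list-sites
http_access allow white-list-groups white-list-sites
# Final catch-all; every allow must appear above this line.
http_access deny all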

/var/log/squid/access.log
######################################
TCP_MISS/200 859 GET http://mail.google.com/mail/? DOMAIN+admin
DIRECT/72.14.203.83 text/plain
TCP_DENIED/407 585 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_DENIED/407 593 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_MISS/200 3570 GET http://mail.google.com/mail/? DOMAIN+admin
DIRECT/72.14.203.19 text/html
TCP_DENIED/407 585 GET http://mail.google.com/mail/? - NONE/- text/html
TCP_DENIED/407 593 GET http://mail.google.com/mail/? - NONE/- text/html

/var/log/squid/cache.log
######################################
Got DOMAIN+admin DOMAIN+Management DOMAIN+MIS "DOMAIN+Domain Admins" from squid
User: -DOMAIN+admin-
Group: -DOMAIN+Management-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1128 Domain Group (2)-
GID: -16777225-
User: -DOMAIN+admin-
Group: -DOMAIN+MIS-
SID: -S-1-5-21-2732840889-2280141153-3048588358-1129 Domain Group (2)-
GID: -16777223-
User: -DOMAIN+admin-
Group: -DOMAIN+Domain Admins-
SID: -S-1-5-21-2732840889-2280141153-3048588358-512 Domain Group (2)-
GID: -16777222-
Sending OK to squid

squid -v
######################################
Squid Cache: Version 2.5.STABLE6 (CentOS 4.1)
configure options: --build=i686-redhat-linux-gnu
--host=i686-redhat-linux-gnu --target=i386-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin
--libexecdir=/usr/lib/squid --localstatedir=/var
--sysconfdir=/etc/squid --enable-poll --enable-snmp
--enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl
--with-openssl=/usr/kerberos --enable-delay-pools
--enable-linux-netfilter --with-pthreads
--enable-ntlm-auth-helpers=SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
--enable-auth=basic,ntlm --with-winbind-auth-challenge
--enable-useragent-log --enable-referer-log
--disable-dependency-tracking --enable-cachemgr-hostname=localhost
--disable-ident-lookups --enable-truncate --enable-underscores
--datadir=/usr/share
--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind

--
Gabriel Gunderson
http://gundy.org