I'm using squid nt 2.6 stable 4 on windows 2003 server from 1 year (in
active directory environment) with ntlm auth and it works very well
(stable, fast, and no big problems)
My configuration file is (I report only interesting section):
---------------Squid config----------------
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
external_acl_type NT_global_group %LOGIN
c:/squid/libexec/mswin_check_lm_group.exe -G -c
acl DomainUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
acl Proxy_Messengers_yes external NT_global_group Proxy_Messengers_yes
acl Proxy_Internet_Ts external NT_global_group Proxy_Internet_Ts
acl Proxy_All_Open external NT_global_group Proxy_All_Open
acl Proxy_ftp_porn_block_yes external NT_global_group
Proxy_ftp_porn_block_yes
acl porn dstdomain "c:/squid/block/pornblock.txt"
acl ftpblock url_regex -i \.exe$ \.mp3$ \.asx$ \.avi$ \.mpeg$ \.qt$
\.ram$ \.rm$ \.iso$ \.wav$ \.aif$ .\wma$ .\wmv$
..........
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny Proxy_Internet_Ts !trustedsites
http_access allow enabled
http_access deny porn !Proxy_All_Open
deny_info ERR_PORN_ACCESS_DENIED porn
http_access deny bad_word_content_type !Proxy_ftp_porn_block_yes
!Proxy_All_Open
deny_info ERR_PORN_ACCESS_DENIED bad_word_content_type
http_access deny msnmessenger !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnweb !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnit !Proxy_Messengers_yes !Proxy_All_Open
http_access deny BadDest !Proxy_Messengers_yes !Proxy_All_Open
http_access deny rs_deny !rs_allowed
http_access deny ftpblock !Proxy_ftp_porn_block_yes !Proxy_All_Open
http_access allow autorizzati DomainUsers
---------------Squid config end----------------
PROBLEM DESCRIPTION:
As already told squid works well but sometimes (10 pc in last 2 months)
happens that on a pc internet explorer continuosly require credentials
(user/password pop-up). If the same user logs on others pc the problem
isn't present.
I think should be an internet explorer (or windows bug) that
unexpectedly stops to work correctly with ntlm authentication and squid.
IMPORTANT: all users have outlook 2003 and exchange 2003 and it works
correctely thus the problem cannot be related to Active directory;
others applications that require kerberos or ntlm authentication
(netlogon, kix, web applications) work correctely also.
Thus...the problem is related to the user profile in fact if I recreate
it, the problem disappears
Can someone give me a suggestion? Is there a way to force internet
explorer clear cached credentials (or something similar...) and avoid to
recreate user's profile?
Thanks
Marco
Received on Fri Oct 20 2006 - 04:47:23 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST