[squid-users] NTLM authentication, but not for everyone

We have a rather disjointed network, primarily due to the way the
company works. As a result, not every one of our users is currently
logged in to the Windows domain.

However, we have squid acting as a proxy for everyone's web browsing
(wpad & etc), and our users don't know the difference. We would like to
increase the functionality of squid by preventing certain users from
accessing the web (via the proxy) while allowing everyone else to get
through. Again, not everyone is logged in to the domain.

My goal is to add NTLM authentication to make it transparent to the end
user and, essentially, avoid the windows pop-up. The less the users are
aware of the proxy, the better. :)

I added NTLM authentication (via winbind back to AD), and that works
great. I can see the user names populated in the output. However, I
cannot seem to get it to allow traffic through for those users that the
NTLM authentication fails on.

In other words, I have:
---squid.conf snippet---
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours
...
acl all src 0.0.0.0/0.0.0.0
...
# This to never cache
no_cache deny QUERY

# We don't want to proxy FTP.
acl FTP proto FTP
always_direct allow FTP

##
# Allow WindowsUpdate to work.
##
acl update-micro-dom dstdomain .microsoft.com
acl update-micro-dom dstdomain .windowsupdate.com
#
http_access allow update-micro-dom

acl NoAccess proxy_auth baduser
#
acl AD_Users proxy_auth REQUIRED
http_access deny NoAccess
http_access allow AD_Users

http_access allow localhost
http_access allow all

# And finally deny all other access to this proxy (catch all)
http_access deny all
---squid.conf snippet---

Once I put the above in place (specifically the proxy_auth lines), the
logs show hits for those users logged in to the domain (good), but then
shows a whole mess of denied messages for users not part of the domain
(bad). It is as if it is ignoring the allow "all" line, and I have the
feeling I am missing something simple. But of course, I cannot help but
ask if this is this even possible?

-Rich
Received on Wed Jul 16 2008 - 20:54:26 MDT