Re: [squid-users] NTLM Authentication

From: Josh Haft <pacmansyu_at_gmail.com>
Date: Wed, 6 Aug 2008 08:38:18 -0500

Do you have an ACL in squid.conf allowing an AD group to use squid,
and is your user part of that group?

For example, in my config...

acl inet_group external group_nt squid_proxy
acl Auth proxy_auth REQUIRED

http_access allow Auth inet_group

(where inet_group is the acl name, external points to the external
auth helper you defined (nt_group in your case), and squid_proxy is
the AD group to which you must belong)

This may not be the best way to do it, but it works for me.

On Wed, Aug 6, 2008 at 1:55 AM, Thompson, Scott (WA)
<Scott.Thompson_at_affoods.com.au> wrote:
> Hi all
> After my previous run around with Winbind and Likewise Open I decided to rebuild the server from scratch and reinstall Ubuntu 8.04. After some firewall configs I was able to successfully join the server to our Active Directory domain without any issues using Winbind and Samba.
> Some background info
> Server is Ubuntu 8.04
> Samba is 3.0.28a
> Squid is 2.6 STABLE18
>
> Wbinfo -u and -g shows all the AD groups, KINIT works etc
>
> We were running on the old server Squid 2.5 STABLE6
>
> I have simply done an apt-get on Squid and the 2.6 STABLE18 version is what it downloaded
> After doing an updatedb I can see all the files etc
>
> I have simply copied the squid.conf from my old server hoping this might work
>
> When I start squid using the following command, 'squid -NCd10' it seems to start OK but when I try and authenticate myself I get a logon dialog box. I would have hoped it would just do it by itself and authenticate me!
> The error I get on the console is
>
> AuthenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
>
> Part of my squid.conf that relates to authentication is
>
> # note: you may need to increase children based on your number of users
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 140
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 10 minute
> #auth_param ntlm use_ntlm_negotiate on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 20
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
>
> # only need this if you want to use Windows Domain Groups for acl(s)
> external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
>
> Is there a better way to do this?
> I didn't have to do a make or anything so do I need to recompile for the correct helpers etc?
> Is it a permission thing perhaps?
>
> Any suggestions would be MOST welcome
> On a side note within the last week my Linux skills have improved 100 fold!
>
> Regards,
>
> ___________________________________________
> Scott Thompson
> Network Administrator
> Australian Fast Foods Pty Ltd
> PO Box 676
> Balcatta WA 6914
>
> 08 9240 9761
> scott.thompson_at_affoods.com.au
>
>
>
Received on Wed Aug 06 2008 - 13:38:21 MDT
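
The naming point in the reply above (the word after "external" in the acl line must be the name given to external_acl_type) can be checked mechanically. This is an added example, not part of the original thread: the function name lint_external_acls is hypothetical, and the sample config is constructed by combining the helper line from the quoted message with the ACL lines from the reply.

```python
# Constructed sample: Scott's helper definition combined with Josh's ACL lines.
SAMPLE_CONF = """\
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl inet_group external group_nt squid_proxy
acl Auth proxy_auth REQUIRED
http_access allow Auth inet_group
"""


def lint_external_acls(conf_text):
    """Return a list of wiring problems between helpers, ACLs and http_access."""
    helpers = set()   # names declared by external_acl_type
    external = {}     # acl name -> (helper name, line number)
    acls = set()      # every acl name that is defined
    rules = []        # (line number, acl names used by an http_access line)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "external_acl_type" and len(tok) > 1:
            helpers.add(tok[1])
        elif tok[0] == "acl" and len(tok) > 2:
            acls.add(tok[1])
            if tok[2] == "external" and len(tok) > 3:
                external.setdefault(tok[1], (tok[3], lineno))
        elif tok[0] == "http_access" and len(tok) > 2:
            rules.append((lineno, [t.lstrip("!") for t in tok[2:]]))

    problems = []
    for name, (helper, lineno) in external.items():
        if helper not in helpers:
            problems.append(
                f"line {lineno}: acl {name} references helper '{helper}', "
                f"but external_acl_type defines {sorted(helpers) or 'none'}")
    for lineno, names in rules:
        for name in names:
            # "all" is skipped: whether it is built in depends on the Squid version.
            if name != "all" and name not in acls:
                problems.append(f"line {lineno}: http_access uses undefined acl {name}")
    return problems


if __name__ == "__main__":
    for problem in lint_external_acls(SAMPLE_CONF):
        print(problem)
```

On the constructed sample it reports the group_nt / nt_group mismatch on line 2; renaming either side so the two agree clears the report.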
