[squid-users] SQUID with NTLM prompts password window

From: Tanveer Chowdhury <tanveer.chowdhury_at_gmail.com>
Date: Wed, 8 Oct 2008 10:05:23 +0600

Hi all,

I have setup NTLM authentication with squid-2.6.STABLE20, samba-3.0.10
and winbind. My purpose is to find the username in both squid and DG
access log which I am getting fine. But the problem is that sometimes
(not frequently) IE pops up a window asking for authentication, and if
nothing is entered, i.e., Cancel is pressed, it gives a message like
"Cache access denied". But if you then press the Refresh button, the
page loads fine again.

But if you provide the username and password at the login prompt it
also works though. My question is how to STOP this password prompting
pop up window.

Below is the output of /var/log/squid/cache.log at the moment the password window appears:

[2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind
reply failed!]
2008/09/29 13:39:11| The request GET
http://search.live.com/LS/GLinkPing.aspx?/_1_9SE......

Below is my NTLM part of squid.conf file

# NTLM scheme: Squid passes the NTLMSSP exchange to Samba's ntlm_auth helper,
# which asks the local winbindd to validate it against the domain.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# Number of NTLM helper processes Squid starts.
# NOTE(review): the "Reading winbind reply failed!" line in cache.log is the
# helper failing to get an answer from winbindd, not a rejected password --
# check winbindd health and load before tuning this value.
auth_param ntlm children 30
# on = Squid does not force-close the client connection after the initial
# challenge that advertises the supported schemes.
auth_param ntlm keep_alive on
# Basic scheme, offered alongside NTLM and checked by the same ntlm_auth helper.
# With Basic the browser sends the domain username and password base64-encoded
# (not encrypted) to the proxy, so they are readable on the client-to-proxy hop.
# NOTE(review): a browser whose NTLM attempt fails can fall back to Basic and
# show a login dialog -- presumably the pop-up described here; confirm, and
# decide whether Basic should be offered at all.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
# Text shown in the browser's Basic login dialog.
auth_param basic realm Squid proxy-caching web server
# Squid trusts a validated Basic username/password pair for this long before
# asking the helper again, so a changed password or disabled account can keep
# working through the proxy for up to 2 hours.
auth_param basic credentialsttl 2 hours

.....
.......
# Matches cache manager requests (cache_object:// scheme).
acl manager proto cache_object
# Matches any request carrying valid proxy credentials; evaluating it on a
# request without credentials makes Squid answer with an authentication challenge.
acl authenticated_users proxy_auth REQUIRED
# Source address is exactly 127.0.0.1 (all-ones netmask = single host).
acl localhost src 127.0.0.1/255.255.255.255
# Destination address anywhere in the loopback network.
# NOTE(review): no http_access rule in the posted excerpt uses to_localhost.
acl to_localhost dst 127.0.0.0/8

...
.....
#Recommended minimum configuration:
#
# http_access rules are evaluated top to bottom; the first match decides.
#
# Only allow cachemgr access from localhost

# NOTE(review): the Safe_ports restriction is commented out here and again
# below, so nothing in this excerpt limits which destination ports plain
# (non-CONNECT) requests may reach through the proxy.
##http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
#http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
# (the SSL_ports acl itself is not part of the posted excerpt)
http_access deny CONNECT !SSL_ports
# Everything that reaches this rule must authenticate (NTLM or Basic).
# NOTE(review): no closing "http_access deny all" is shown in this excerpt;
# confirm the full file ends with one so the default is explicit.
http_access allow authenticated_users

# cat /etc/nsswitch.conf
# Account and group lookups: local files first (compat), then winbind for
# domain users and groups.
passwd: compat winbind
group: compat winbind
# Password hashes come from local files only; winbind is not consulted.
shadow: compat

# Host names: /etc/hosts, then DNS, then NetBIOS/WINS name resolution.
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files

# cat /etc/krb5.conf
# Log destinations for the Kerberos library, KDC and admin server.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

# Realm used when a principal is given without one.
[libdefaults]
default_realm = DOMAIN.COM

# KDCs for the realm; names and addresses were redacted by the poster.
[realms]
DOMAIN.COM = {
 default_domain = DOMAIN.COM
 kdc = abc.domain.com
 kdc = efg.domain.com
 kdc = xx.xx.xx.xx
 kdc = xx.xx.xx.xx
}

# Maps DNS domains to realms.
# NOTE(review): ".kerberos.server" looks like a leftover sample value rather
# than this site's DNS domain -- confirm against the real (unredacted) file.
[domain_realm]
.kerberos.server = DOMAIN.COM
Received on Wed Oct 08 2008 - 04:06:07 MDT
