Re: [squid-users] SQUID configure with NTLM prompts users password window

From: Jeff Gerard <mysubscriptions_at_shaw.ca>
Date: Wed, 8 Oct 2008 18:26:08 -0500

In IE Internet Options/Security, try resetting "Local Intranet" to default
settings. There is also an option at the bottom of those custom settings
regarding usernames/passwords. I don't have IE in front of me at the moment,
so I can't say exactly what it says, but give the default settings a try. I
have had similar issues with Bluecoat and Kerberos authentication.

HTH...

On Tuesday 07 October 2008 23:11:48 Tanveer Chowdhury wrote:
> Hi all,
>
> I have setup NTLM authentication with squid-2.6.STABLE20, samba-3.0.10
> and winbind. My purpose is to find the username in both the squid and DG
> access logs, which I am getting fine. But the problem is that sometimes, not
> frequently, IE prompts a pop-up window for authentication, and if it is not
> given, i.e., cancel is pressed, then it gives a message like "Cache access
> denied". But if you then press the Refresh button, it loads again
> fine.
>
> But if you provide the username and password at the login prompt it
> also works though. My question is how to STOP this password prompting
> pop up window.
>
> Below is the output of /var/log/squid/cache.log when the password window
> prompts
>
> [2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind
> reply failed!]
> 2008/09/29 13:39:11| The request GET
> http://search.live.com/LS/GLinkPing.aspx?/_1_9SE......
>
> Below is my NTLM part of squid.conf file
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> .....
> .......
> acl manager proto cache_object
> acl authenticated_users proxy_auth REQUIRED
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> ...
> .....
> #Recommended minimum configuration:
> #
> # Only allow cachemgr access from localhost
>
> ##http_access deny !Safe_ports
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> #http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> http_access allow authenticated_users
>
> # cat /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns wins
> networks: files dns
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
>
> # cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.COM
>
> [realms]
> DOMAIN.COM = {
> default_domain = DOMAIN.COM
> kdc = abc.domain.com
> kdc = efg.domain.com
> kdc = xx.xx.xx.xx
> kdc = xx.xx.xx.xx
> }
>
> [domain_realm]
> .kerberos.server = DOMAIN.COM

-- 
Jeff Gerard
Received on Wed Oct 08 2008 - 23:26:20 MDT
