Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

From: nairb rotsak <ipguru99_at_yahoo.com>
Date: Thu, 30 Oct 2008 09:34:16 -0700 (PDT)

I am actually flabbergasted at all the people saying this doesn't work. I haven't tried Squid 3 yet.. so I can't comment on it. The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today). I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business. As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something. I would go into firefox, change the proxy setting, get the file, then put the proxy setting back. THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years.. I know it is catching them, because it blocks files and I use SARG to report their activities..

But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy. Just to make sure..

----- Original Message ----
From: matlor <bfrobu_at_tin.it>
To: squid-users_at_squid-cache.org
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

I have tried your configuration... but I have the same problem.
squid version is 3.0.5

in attachment there is one of my tested squid.conf.
only IE7 is working properly

thanks in advance....

nairb rotsak wrote:
>
> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
> below is what I sent Chris:
>
> Below is for w2k3 AD and Ubuntu 6.06.1:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #auth_param ntlm use_ntlm_negotiate off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl NTLMUsers proxy_auth REQUIRED
> acl our_networks src 192.168.0.0/16
> http_access allow all NTLMUsers
> http_access allow our_networks
>
> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> acl our_networks src 192.168.0.0/16
> acl NTLMUsers proxy_auth REQUIRED
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NOINTERNET external ntgroup no-internet
> http_access deny NOINTERNET
> http_access allow all NTLMUsers
> http_access allow our_networks
> http_access allow localhost
>
>
> We have a group policy do the IE browser, but with Firefox, we have to set
> it manually. Once it is set, there is no prompt... I use SARG to get
> the results.. Been doing it for almost three years.. I would get
> evangelical on people using iPrism/Barracuda/Websense.. but now I
> figure I will just let them spend the money.. ;-)
>
>
> ----- Original Message ----
> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
> To: nairb rotsak <ipguru99_at_yahoo.com>
> Cc: matlor <bfrobu_at_tin.it>; squid-users_at_squid-cache.org
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99_at_yahoo.com> wrote:
>> I am totally confused by this statement?.. as I have 300 people using
>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>> one gets a user/pass prompt? I am not using it as a transparent proxy,
>> it is listed in firefox under proxy settings (8080 because it goes to DG
>> first.. but I have tested just Squid at 3128 and it works as well).. and
>> I haven't touched anything else in firefox
>
>
> I'd be very interested in knowing what is different about your setup.
> I have fought this problem for several years now.
>
>
>>
>>
>>
>> ----- Original Message ----
>> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
>> To: matlor <bfrobu_at_tin.it>
>> Cc: squid-users_at_squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu_at_tin.it> wrote:
>>>
>>> I have configured squid with winbind integrated in the active directory
>>> of a windows 2003 domain.
>>> If I browse internet through IE 7 everything is ok, no user and password
>>> prompted, because of the common login. While, if I open Firefox (2 or 3
>>> version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent
>> auth as IE does. Hence the prompting for username/password.
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will
>> at times repeatedly prompt ad infinitum. There is an open bug on this
>> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
>> action on it is understandably slow. You can mess with FF's NTLM
>> related settings under 'about:config' to gain some respite. You can
>> also run a basic auth that authenticates against NTLM which for some
>> reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
>>
>
http://www.nabble.com/file/p20247889/squid.conf squid.conf

      
Received on Thu Oct 30 2008 - 16:34:53 MDT
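
Added example, not part of the original thread or any poster's code: a way to check from Squid's access.log whether clients are really authenticating, which is the point the posters disagree on. It assumes Squid's default native log format (username in the eighth field); the sample lines, addresses and the summarize/classify names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1225384456.101      2 192.168.1.20 TCP_DENIED/407 1790 GET http://example.com/ - NONE/- text/html
1225384456.140      3 192.168.1.20 TCP_DENIED/407 2010 GET http://example.com/ - NONE/- text/html
1225384456.310    154 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ EXAMPLE\\alice DIRECT/203.0.113.10 text/html
1225384460.002     88 192.168.1.31 TCP_MISS/200 4312 GET http://example.org/ - DIRECT/203.0.113.10 text/html
1225384461.500      1 192.168.1.44 TCP_DENIED/407 1790 GET http://example.net/ - NONE/- text/html
"""


def summarize(log_text):
    """Per client IP: count 407 challenges, requests carrying a username,
    and requests that were answered with no username at all."""
    stats = defaultdict(lambda: {"challenged": 0, "authenticated": 0,
                                 "unauthenticated": 0, "users": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated lines or a custom logformat
        client, result, user = fields[2], fields[3], fields[7]
        status = result.rpartition("/")[2]
        entry = stats[client]
        if status == "407":
            entry["challenged"] += 1          # proxy asked for credentials
        elif user != "-":
            entry["authenticated"] += 1       # proxy_auth supplied a login
            entry["users"].add(user)
        else:
            entry["unauthenticated"] += 1     # passed an http_access rule without login
    return dict(stats)


def classify(entry):
    """Turn the counters into the answer an administrator is looking for."""
    if entry["unauthenticated"]:
        return "served without login"
    if entry["authenticated"]:
        return "authenticating"
    return "stuck at 407"


if __name__ == "__main__":
    for client, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(client, classify(entry), sorted(entry["users"]))
```

Two 407 lines ahead of a successful request are normal for NTLM, because the handshake takes three requests; a client that shows only 407 lines never completed it.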
