Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

From: Chris Nighswonger <cnighswonger_at_foundations.edu>
Date: Sat, 1 Nov 2008 17:47:24 -0400

On Sat, Nov 1, 2008 at 12:37 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Um, I'm not so sure the people having trouble are using the right helper.
>
> There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and
> Squid-2 releases that is incapable of doing full NTLM for modern windows
> domains.
>
> There is also something calling itself 'ntlm_auth' bundled with Samba, which
> provides full working NTLM functionality.
>
> We have fixed this mixup in 3.1, but please check the helper you are using.
> Please prefer to use the one by Samba.

We're using the Samba flavor. To be exact

[root_at_masada1 ~]# /usr/bin/ntlm_auth -V
Version 3.0.23c-2

>
> IE7 is more advanced than the earlier IE and seems to be actually capable of
> proper negotiate auth. But can be expected to fail with the limits imposed by
> Squid's 'ntlm_auth' thing.

The issues we are having are with FF (see Mozilla bug referenced
earlier in this thread). IE7 works fine on computers which are domain
members.

I'd still love to know what Nairb's config has that makes it work.

Regards,
Chris

>> ----- Original Message ----
>> From: matlor <bfrobu_at_tin.it>
>> To: squid-users_at_squid-cache.org
>> Sent: Thursday, October 30, 2008 9:15:55 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>>
>> I have tried your configuration... but I have the same problem.
>> squid version is 3.0.5
>>
>> in attachment there is one of my tested squid.conf.
>> only IE7 is working properly
>>
>> thanks in advance....
>>
>>
>>
>>
>> nairb rotsak wrote:
>>>
>>> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
>>> below is what I sent Chris:
>>>
>>> Below is for w2k3 AD and Ubuntu 6.06.1:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 15
>>> auth_param ntlm max_challenge_reuses 0
>>> auth_param ntlm max_challenge_lifetime 2 minutes
>>> #auth_param ntlm use_ntlm_negotiate off
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> auth_param basic casesensitive off
>>> acl NTLMUsers proxy_auth REQUIRED
>>> acl our_networks src 192.168.0.0/16
>>> http_access allow all NTLMUsers
>>> http_access allow our_networks
>>>
>>> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 15
>>> auth_param ntlm keep_alive on
>>> acl our_networks src 192.168.0.0/16
>>> acl NTLMUsers proxy_auth REQUIRED
>>> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>>> acl NOINTERNET external ntgroup no-internet
>>> http_access deny NOINTERNET
>>> http_access allow all NTLMUsers
>>> http_access allow our_networks
>>> http_access allow localhost
>>>
>>>
>>> We have a group policy do the IE browser, but with Firefox, we have to set
>>> it manually. Once it is set, there is no prompt... I use SARG to get
>>> the results.. Been doing it for almost three years.. I would get
>>> evangelical on people using iPrism/Barracuda/Websense.. but now I
>>> figure I will just let them spend the money.. ;-)
>>>
>>>
>>> ----- Original Message ----
>>> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
>>> To: nairb rotsak <ipguru99_at_yahoo.com>
>>> Cc: matlor <bfrobu_at_tin.it>; squid-users_at_squid-cache.org
>>> Sent: Wednesday, October 29, 2008 9:31:32 AM
>>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>>
>>> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99_at_yahoo.com>
>>> wrote:
>>>>
>>>> I am totally confused by this statement?.. as I have 300 people using
>>>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>>>> one gets a user/pass prompt? I am not using it as a transparent proxy,
>>>> it is listed in firefox under proxy settings (8080 because it goes to DG
>>>> first.. but I have tested just Squid at 3128 and it works as well).. and
>>>> I haven't touched anything else in firefox
>>>
>>> I'd be very interested in knowing what is different about your setup.
>>> I have fought this problem for several years now.
>>>
>>>
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
>>>> To: matlor <bfrobu_at_tin.it>
>>>> Cc: squid-users_at_squid-cache.org
>>>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>>>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>>>
>>>> On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu_at_tin.it> wrote:
>>>>>
>>>>> I have configured squid with winbind integrated in the active directory
>>>>> of a
>>>>> windows 2003 domain.
>>>>> If I browse the internet through IE 7 everything is ok, no user and password
>>>>> prompted, because of the common login. While, if I open Firefox (version 2
>>>>> or 3), it prompts for user and password.
>>>>
>>>> One other note: While FF does support NTLM, it does not do transparent
>>>> auth as IE does. Hence the prompting for username/password.
>>>> Furthermore, due to M$ having a broken implementation of NTLM, FF will
>>>> at times repeatedly prompt ad infinitum. There is an open bug on this
>>>> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
>>>> action on it is understandably slow. You can mess with FF's NTLM
>>>> related settings under 'about:config' to gain some respite. You can
>>>> also run a basic auth that authenticates against NTLM which for some
>>>> reason seems to avoid the multi-prompt issue. Something like:
>>>>
>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>>> auth_param basic children 2
>>>> auth_param basic realm somerealm
>>>> auth_param basic credentialsttl 2 hours
>>>> auth_param basic casesensitive off
>>>>
>>>> Regards,
>>>> Chris
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>> http://www.nabble.com/file/p20247889/squid.conf squid.conf
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
> Current Beta Squid 3.1.0.1
>
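Added illustration, not code from Squid, from Samba or from anyone on this list: a small Python model of how Squid walks http_access lines, run over the w2k8 configuration nairb posted above (with the e-mail-wrapped helper line rejoined). The semantics it models are a deliberate simplification and an assumption of this example: ACLs on one http_access line are ANDed, lines are checked top-down and the first fully matching line decides, a proxy_auth ACL or a %LOGIN external ACL reached by a request carrying no credentials yields a 407 challenge, and `all` and `localhost` are treated as built-in ACLs. The group membership that wbinfo_group.pl would look up in AD is replaced by a constructed table.

```python
"""Simplified model of Squid http_access evaluation (assumed semantics, see above)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# nairb's w2k8 config as posted, with the wrapped helper line rejoined.
W2K8_CONF = """
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost
"""

# Constructed stand-in for the AD group membership wbinfo_group.pl would return.
GROUPS = {"alice": {"domain users"}, "bob": {"domain users", "no-internet"}}


@dataclass
class Request:
    src: str
    user: Optional[str] = None  # None = no Proxy-Authorization credentials


def parse(conf):
    """Collect acl definitions and http_access rules; other directives are ignored."""
    acls = {"all": ("src", ["all"]), "localhost": ("src", ["127.0.0.1/32"])}
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "acl":
            # Repeated 'acl NAME type ...' lines accumulate their arguments.
            kind, prev = acls.get(words[1], (words[2], []))
            acls[words[1]] = (kind, prev + words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def match(acl, req):
    """True/False for a match; None when the request must authenticate first."""
    kind, args = acl
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(n == "all" or ip in ipaddress.ip_network(n, strict=False) for n in args)
    if kind in ("proxy_auth", "external"):
        if req.user is None:
            return None  # proxy_auth and %LOGIN external ACLs need credentials
        if kind == "proxy_auth":
            return "REQUIRED" in args or req.user in args
        return bool(GROUPS.get(req.user, set()) & set(args[1:]))  # args[0] is the type name
    raise ValueError(f"acl type {kind!r} not modelled")


def decide(acls, rules, req):
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negate = term.startswith("!")
            res = match(acls[term.lstrip("!")], req)
            if res is None:
                return "challenge"  # 407 Proxy Authentication Required
            if res == negate:  # ACL failed (or negated ACL matched): line does not apply
                line_matches = False
                break
        if line_matches:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def run_scenarios(conf=W2K8_CONF):
    acls, rules = parse(conf)
    cases = {
        "bob (no-internet group), LAN": Request("192.168.1.10", "bob"),
        "alice, LAN": Request("192.168.1.10", "alice"),
        "no credentials, LAN": Request("192.168.1.10"),
        "alice, outside our_networks": Request("10.0.0.5", "alice"),
        "no credentials, localhost": Request("127.0.0.1"),
    }
    return {label: decide(acls, rules, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:32} -> {verdict}")
```

Two things the walk-through makes visible that the config alone does not: the deny line for the no-internet group has to sit above the allow lines to take effect, and `http_access allow all NTLMUsers` admits any authenticated user from any source address, so `our_networks` never constrains authenticated clients; unauthenticated requests, including those from localhost, are challenged before the later allow lines are reached.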
Received on Sat Nov 01 2008 - 21:47:30 MDT

This archive was generated by hypermail 2.2.0 : Sun Nov 02 2008 - 12:00:00 MST