Re: [squid-users] ntlmauthenticator errors

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Mar 2011 21:56:56 +1300

On 23/03/11 18:14, Steve-Mustafa Ismail Mustafa wrote:
> Hi,
>
> I've been trying to setup squid to limit the accessibility to the
> internet at the local Red Cross hospital because of over usage. As such,
> I've setup a security group on our AD, InternetUsers where only those
> members of that group are capable of connecting to the web, otherwise,
> all their traffic is within our local network.
>
> I've joined Debian Squeeze to the domain without much hassle. This is on
> a VM Debian Squeeze, Squid 2.7 stable 9.
>
> My squid.conf is:
>
> auth_param ntlm program /usr/lib/squid/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of="RCH\InternetUsers"
> auth_param basic program /usr/lib/squid/ntlm_auth
> --helper-protocol=squid-2.5-basic
> --require-membership-of="RCH\InternetUsers"
> auth_param ntlm children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours external acl type nt group ttl=0
> concurrency=5 %LOGIN
> /usr/lib/squid/wbinfo_group.pl
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
>
>
> http_port 3128
> acl all src 192.168.10.0/24

A future problem will be this 'all'. There are a lot of security
defaults in Squid which rely on it meaning the entire Internet.
It should be defined as "acl all src all" in Squid-2.7 and omitted
entirely in Squid-3.

Please use "acl localnet src 192.168.10.0/24" for your local networks.

> acl InternetUsers proxy_auth REQUIRED
> http_access allow InternetUsers
> http_access deny all
>
>
> You can see that it needs cleaning up a bit because of the
> experimentation that went on trying to get it to work.
> max_challenge_reuses and max_challenge_lifetime are a carryover from
> when I followed the suggested config on the site (outdated I guess).
>
> Firing up squid through "/etc/init.d/squid start" gives me unrecognized
> '/usr/lib/squid/wbinfo_group.pl'

The external_acl_type config line appears to be mangled into one of the
auth_basic ones. I thought that was a typo on your email cut-n-paste,
but maybe not.

> Starting it with "/usr/sbin/squid -NCdl" comes back with
> WARNING: ntlmauthenticator #2 (FD 9) exited
> WARNING: ntlmauthenticator #2 (FD 10) exited
> WARNING: ntlmauthenticator #2 (FD 11) exited
> Too few ntlmauthenticator processes are running
> Aborted
>

Popular helpers dying like this is usually due to incorrect access
privileges. They are run as the same low-privilege user as Squid.

> checking the log messages yields:
>
> Squid Parent: child process 24182 started
> Squid Parent: child process 24182 exited due to signal 6
>
> Any clues? I'm completely stumped and I've been at this a few days now
> and I'd like to move on.

This may help:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
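A cleaned-up version of the posted squid.conf, applying the points made in this reply (the external_acl_type line split back out of the auth_param line, "acl all src all", a separate localnet acl). This is an added example, not configuration from the thread or from the Squid project; the class name nt_group, the InternetGroup acl and the comment on winbind permissions are assumptions.

```conf
# Squid 2.7: NTLM first, Basic as fallback for clients that cannot do NTLM.
# Group membership is enforced by the helper via --require-membership-of.
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="RCH\InternetUsers"
auth_param ntlm children 5
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="RCH\InternetUsers"
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# The external ACL helper must be its own directive, not appended to
# an auth_param line (that is what produced the "unrecognized" error).
# Class name nt_group is an assumption; the poster's line had no name.
external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

http_port 3128

# Squid-2.7 relies on 'all' meaning the entire Internet, so keep it that
# way and give the local network its own acl instead.
acl all src all
acl localnet src 192.168.10.0/24
acl InternetUsers proxy_auth REQUIRED
# Optional second check through the external helper (assumed acl name;
# redundant while --require-membership-of is in use).
acl InternetGroup external nt_group InternetUsers

# Only authenticated clients from the local network get out; everything
# else is denied, with 'all' now meaning what Squid's defaults expect.
http_access allow localnet InternetUsers
http_access deny all

# Note: both helpers run as Squid's own low-privilege user. Assumption, not
# from the thread: on Debian that user must be able to execute ntlm_auth
# and reach winbind's privileged socket (winbindd_priv group membership),
# otherwise the helper exits immediately and Squid aborts as shown above.
```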
Received on Wed Mar 23 2011 - 08:57:03 MDT