Re: [squid-users] AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM..'

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Aug 2012 14:25:42 +1200

On 17/08/2012 1:20 p.m., Julie Xu wrote:
> Hi Amos
>
> Great thanks for the reply.
>
> I have two servers; one does not have this error message and one does. Both configurations are the same:
>
> Server1# grep ntlm squid.conf
> # protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
> # authenticator is ntlm_auth from Samba-3.X, but a number of other
> # ntlm authenticators is available.
> # By default, the ntlm authentication scheme is not used unless a
> # auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm children 5
> # auth_param ntlm keep_alive on
> # client and reads commands according to the Squid ntlmssp helper
> # protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
> # authenticator is ntlm_auth from Samba-4.X.
> # auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
> #auth_param ntlm program <uncomment and complete this line to activate>
> #auth_param ntlm children 5
> #auth_param ntlm keep_alive on
> #
>
> Server2# grep ntlm squid.conf
> # protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
> # authenticator is ntlm_auth from Samba-3.X, but a number of other
> # ntlm authenticators is available.
> # By default, the ntlm authentication scheme is not used unless a
> # auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> # auth_param ntlm children 5
> # auth_param ntlm keep_alive on
> # client and reads commands according to the Squid ntlmssp helper
> # protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
> # authenticator is ntlm_auth from Samba-4.X.
> # auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
> #auth_param ntlm program <uncomment and complete this line to activate>
> #auth_param ntlm children 5
> #auth_param ntlm keep_alive on
> #
>
> I guess there must be something else that needs configuring. Please advise.

Please read that text above. All lines beginning with # are
documentation, so I see there is nothing actually configured.

But for some reason your clients of one server are sending their NTLM
credentials without being told by the proxy that the NTLM protocol is in
use. That is bad security on their part. Check for "single sign on"
setting in the clients.

Amos
Received on Fri Aug 17 2012 - 02:25:55 MDT
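
Added example, not part of the original message and not Squid project code: a shell check that lists the auth schemes that are actually active in squid.conf (ignoring # lines, unlike a plain grep for "ntlm") and reports schemes that clients sent anyway according to cache.log. The sample files, their timestamps, the basic helper path and the function names are constructed for illustration; the log text follows the error quoted in the subject line.

```shell
#!/bin/sh
# Schemes with an uncommented "auth_param <scheme> program ..." line.
active_auth_schemes() {
    awk '
        /^[[:space:]]*#/ { next }   # lines beginning with # are documentation
        $1 == "auth_param" && $3 == "program" { print tolower($2) }
    ' "$1" | sort -u
}

# Schemes named in "Unsupported or unconfigured/inactive" log lines.
rejected_schemes() {
    sed -n "s|.*Unsupported or unconfigured/inactive proxy-auth scheme, '\([A-Za-z]*\).*|\1|p" "$1" |
        tr 'A-Z' 'a-z' | sort -u
}

# Schemes clients sent that the proxy never offered (in the log, not in the config).
unsolicited_schemes() {
    _r=$(mktemp); _a=$(mktemp)
    rejected_schemes "$2" > "$_r"
    active_auth_schemes "$1" > "$_a"
    comm -23 "$_r" "$_a"
    rm -f "$_r" "$_a"
}

# Constructed sample input: commented NTLM lines as in the grep output above,
# plus one hypothetical active basic helper line.
write_samples() {
    cat > "$1/squid.conf" <<'EOF'
# auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
auth_param basic program /path/to/basic_helper
EOF
    cat > "$1/cache.log" <<'EOF'
2012/08/17 01:00:01| AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM ..'
2012/08/17 01:00:02| AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM ..'
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "active schemes:      $(active_auth_schemes "$demo_dir/squid.conf")"
echo "unsolicited schemes: $(unsolicited_schemes "$demo_dir/squid.conf" "$demo_dir/cache.log")"
rm -rf "$demo_dir"
```

An empty "active schemes" result with "ntlm" under "unsolicited schemes" matches the situation described in the reply: nothing configured, yet clients sending NTLM credentials.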
