Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 01 Nov 2008 17:37:28 +1300

nairb rotsak wrote:
> I am actually flabbergasted at all the people saying this doesn't work. I haven't tried Squid 3 yet.. so I can't comment on it. The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today). I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)
>
> When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business. As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something. I would go into firefox, change the proxy setting, get the file, then put the proxy setting back. THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.
>
> I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years.. I know it is catching them, because it blocks files and I use SARG to report their activities..
>
> But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy. Just to make sure..
>

Um, I'm not so sure the people having trouble are using the right helper.

There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and
Squid-2 releases that is incapable of doing full NTLM for modern windows
domains.

There is also something calling itself 'ntlm_auth' bundled with Samba,
which provides full working NTLM functionality.

We have fixed this mixup in 3.1, but please check the helper you are
using. Please prefer to use the one by Samba.

IE7 is more advanced than the earlier IE and seems to be actually capable
of proper negotiate auth. But it can be expected to fail with the limits
imposed by Squid's 'ntlm_auth' thing.

Amos

>
> ----- Original Message ----
> From: matlor <bfrobu_at_tin.it>
> To: squid-users_at_squid-cache.org
> Sent: Thursday, October 30, 2008 9:15:55 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
>
> I have tried your configuration... but I have the same problem.
> squid version is 3.0.5
>
> in attachment there is one of my tested squid.conf.
> only IE7 is working properly
>
> thanks in advance....
>
> nairb rotsak wrote:
>> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
>> below is what I sent Chris:
>>
>> Below is for w2k3 AD and Ubuntu 6.06.1:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 15
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>> #auth_param ntlm use_ntlm_negotiate off
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> acl NTLMUsers proxy_auth REQUIRED
>> acl our_networks src 192.168.0.0/16
>> http_access allow all NTLMUsers
>> http_access allow our_networks
>>
>> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 15
>> auth_param ntlm keep_alive on
>> acl our_networks src 192.168.0.0/16
>> acl NTLMUsers proxy_auth REQUIRED
>> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>> acl NOINTERNET external ntgroup no-internet
>> http_access deny NOINTERNET
>> http_access allow all NTLMUsers
>> http_access allow our_networks
>> http_access allow localhost
>>
>>
>> We have a group policy for the IE browser, but with Firefox, we have to set
>> it manually. Once it is set, there is no prompt... I use SARG to get
>> the results.. Been doing it for almost three years.. I would get
>> evangelical on people using iPrism/Barracuda/Websense.. but now I
>> figure I will just let them spend the money.. ;-)
>>
>>
>> ----- Original Message ----
>> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
>> To: nairb rotsak <ipguru99_at_yahoo.com>
>> Cc: matlor <bfrobu_at_tin.it>; squid-users_at_squid-cache.org
>> Sent: Wednesday, October 29, 2008 9:31:32 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <ipguru99_at_yahoo.com> wrote:
>>> I am totally confused by this statement?.. as I have 300 people using
>>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>>> one gets a user/pass prompt? I am not using it as a transparent proxy,
>>> it is listed in firefox under proxy settings (8080 because it goes to DG
>>> first.. but I have tested just Squid at 3128 and it works as well).. and
>>> I haven't touched anything else in firefox
>>
>> I'd be very interested in knowing what is different about your setup.
>> I have fought this problem for several years now.
>>
>>
>>>
>>>
>>> ----- Original Message ----
>>> From: Chris Nighswonger <cnighswonger_at_foundations.edu>
>>> To: matlor <bfrobu_at_tin.it>
>>> Cc: squid-users_at_squid-cache.org
>>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>>
>>> On Tue, Oct 28, 2008 at 6:18 AM, matlor <bfrobu_at_tin.it> wrote:
>>>> I have configured squid with winbind integrated in the active directory
>>>> of a windows 2003 domain.
>>>> If I browse internet through IE 7 everything is ok, no user and password
>>>> prompted, because of the common login. While, if I open Firefox (2 or 3
>>>> version), it prompts for user and password.
>>> One other note: While FF does support NTLM, it does not do transparent
>>> auth as IE does. Hence the prompting for username/password.
>>> Furthermore, due to M$ having a broken implementation of NTLM, FF will
>>> at times repeatedly prompt ad infinitum. There is an open bug on this
>>> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
>>> action on it is understandably slow. You can mess with FF's NTLM
>>> related settings under 'about:config' to gain some respite. You can
>>> also run a basic auth that authenticates against NTLM which for some
>>> reason seems to avoid the multi-prompt issue. Something like:
>>>
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> auth_param basic children 2
>>> auth_param basic realm somerealm
>>> auth_param basic credentialsttl 2 hours
>>> auth_param basic casesensitive off
>>>
>>> Regards,
>>> Chris
>>>
> http://www.nabble.com/file/p20247889/squid.conf squid.conf

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1
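Amos's advice is to check which 'ntlm_auth' a given squid.conf actually invokes, and Chris's workaround drives that helper in basic mode. The Python driver below is an added example (not from this thread, Squid or Samba) that talks to any basic-auth helper the way Squid does over the squid-2.5-basic protocol, so a helper can be exercised from a shell before Firefox is in the loop; the embedded fake helper and the credentials EXAMPLE\alice / 'p@ss w0rd' are constructed stand-ins.

```python
"""Exercise a Squid basic-auth helper the way Squid does.

Squid writes one "user password" line per request (both fields
rfc1738-escaped) to the helper's stdin and expects a line starting
with "OK" or "ERR" back.  Point helper_cmd at something like
  /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
to test the real helper without a browser involved.
"""
import subprocess
import sys
from urllib.parse import quote, unquote

# Constructed stand-in for a real helper so the example runs offline.
# It accepts exactly one credential pair and answers like ntlm_auth does.
FAKE_HELPER = [sys.executable, "-c", (
    "import sys\n"
    "from urllib.parse import unquote\n"
    "for line in sys.stdin:\n"
    "    user, _, pw = line.rstrip('\\n').partition(' ')\n"
    "    ok = (unquote(user), unquote(pw)) == ('EXAMPLE\\\\alice', 'p@ss w0rd')\n"
    "    print('OK' if ok else 'ERR', flush=True)\n"
)]


def check_credentials(helper_cmd, username, password):
    """Return True only if the helper answers OK; ERR or garbage is False."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        # Escaping matters: a space in the password would otherwise be
        # read by the helper as the start of a second field.
        line = f"{quote(username, safe='')} {quote(password, safe='')}\n"
        proc.stdin.write(line)
        proc.stdin.flush()
        reply = proc.stdout.readline().strip()
    finally:
        proc.stdin.close()
        proc.wait(timeout=5)
    return reply.split(" ", 1)[0] == "OK"


if __name__ == "__main__":
    # Usage with a real helper: check_credentials(
    #     ["/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-basic"],
    #     "DOMAIN\\user", "password")
    print(check_credentials(FAKE_HELPER, "EXAMPLE\\alice", "p@ss w0rd"))
```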
Received on Sat Nov 01 2008 - 04:37:38 MDT

This archive was generated by hypermail 2.2.0 : Sat Nov 01 2008 - 12:00:04 MDT