Re: [squid-users] Squid3 reverse proxy ntlm authentication

From: E.S. Rosenberg <esr+squid_at_g.jct.ac.il>
Date: Thu, 4 Oct 2012 19:28:19 +0200

2012/10/4 muno <muno_at_uninet.com.br>:
>
> Thanks Amos, but it doesn't work yet.
>
>>
>> You need an authentication test around about here somewhere
>> (with any ACL tests for non-auth'd visitors above it).
>>
>> acl authenticated proxy_auth REQUIRED
>>
>> http_access deny !authenticated
>
>
>
> Now I get a "Cache Access Denied" message.
That means you're probably not authenticating.
Have you looked at cache.log?
Access.log?
Are you getting HTTP/417 Proxy auth required?
Is your client responding properly (you can use wireshark to figure that out)?
Is winbind working properly (does wbinfo -g or -u show all the AD
groups/users)?
Did you configure winbind/samba right? What happens when you try to
use ntlm_auth from the CLI?
Do you succeed in authenticating (ntlm_auth --username=x --domain=y
--diagnostics)?

And don't revert to basic over the internet; though NTLM is as leaky as
anything these days, it's still less leaky than cleartext passwords on
the wire (although, as far as I understand it, it's close to cleartext
these days).

Hope that helps,
Eli
>
> Any other clue?
>
> tks
>
> ----- Original Message -----
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid3 reverse proxy ntlm
> authentication
> Date: Fri, 05 Oct 2012 01:17:15 +1300
>
>> On 5/10/2012 12:59 a.m., muno wrote:
>> > Thanks Amos,
>> >
>> > I understand the problems and I will analyze the
>> > alternative, but for now I need to configure the
>> > reverse NTLM.
>> >
>> >
>> > My squid version is: squid 3.2.1
>> >
>> >
>> > The configuration file has an http_access allow. Sorry,
>> > but I forgot to copy it!
>> >
>> >
>> > Any suggestion?
>> >
>> > tks
>> > ________________________________________________________
>> >
>> > root_at_proxy:/usr/local/squid/etc# more squid.conf
>> >
>> <snip>
>> >
>> > http_access allow manager localhost
>> > http_access deny manager
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>>
>> You need an authentication test around about here somewhere
>> (with any ACL tests for non-auth'd visitors above it).
>>
>> acl authenticated proxy_auth REQUIRED
>>
>> http_access deny !authenticated
>>
>> > http_access allow localhost
>> > http_access allow admin
>> > http_access allow warp
>> > http_access allow uninet
>> > http_access allow xymon
>> > http_access deny all
>> >
>>
>> HTH
>> Amos
Received on Thu Oct 04 2012 - 17:28:26 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 05 2012 - 12:00:03 MDT
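The ordering problem Amos points at (Squid stops at the first matching http_access rule, so an "allow" above the "deny !authenticated" gate lets unauthenticated clients through) is easy to get wrong by hand. The script below is an added example, not code from the thread or from the Squid project: it audits a squid.conf for exactly that ordering and also warns when "auth_param basic" is configured, which is Eli's last point. The two sample configs are constructed for illustration; the auth_param ntlm lines are an assumption of what the poster's snipped config contains, and ACLs such as "admin" are assumed to be defined elsewhere in the file.

```shell
#!/bin/sh
# Added example, not from the thread or from the Squid project: audit a
# squid.conf for the http_access ordering Amos describes, i.e. a
# "proxy_auth REQUIRED" ACL that gates every non-local allow rule, and
# flag a Basic scheme that would send cleartext credentials. The sample
# configs below are constructed; ACLs such as "admin" are assumed to be
# defined elsewhere in the file.

# audit_squid_conf FILE
# Prints findings; returns 0 when the auth gate is placed correctly,
# 1 otherwise.
audit_squid_conf() {
    conf="$1"

    # Basic auth puts the password on the wire base64-encoded, i.e. in
    # cleartext; it is only acceptable behind a TLS listener.
    if grep -q '^auth_param[[:space:]]\{1,\}basic' "$conf"; then
        echo "WARN: auth_param basic is configured; clients will send cleartext credentials unless the listener is TLS"
    fi

    # Name of the proxy_auth ACL ("authenticated" in Amos's reply), if any.
    authacl=$(awk '$1 == "acl" && $3 == "proxy_auth" { print $2; exit }' "$conf")
    if [ -z "$authacl" ]; then
        echo "FAIL: no 'acl <name> proxy_auth ...' line, so no client is ever challenged"
        return 1
    fi

    # Walk the http_access lines in file order. Squid stops at the first
    # matching rule, so any "allow" that is not a localhost/manager rule
    # and sits above "deny !<authacl>" admits unauthenticated clients.
    awk -v acl="$authacl" '
        BEGIN { gate_tok = "!" acl }
        $1 != "http_access" { next }
        $2 == "deny" && $3 == gate_tok { gate = NR; next }
        $2 == "allow" && $3 != "localhost" && $3 != "manager" && !gate {
            printf "FAIL: \"%s\" (line %d) is reachable before http_access deny %s\n", $0, NR, gate_tok
            bad = 1
        }
        END {
            if (!gate) { printf "FAIL: no \"http_access deny %s\" line\n", gate_tok; exit 1 }
            if (bad) exit 1
            printf "OK: every non-local allow rule sits below http_access deny %s\n", gate_tok
        }' "$conf"
}

# Constructed sample 1: the poster's ordering, with the gate missing.
# The auth_param lines are an assumption about the snipped part of the file.
write_ungated_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow admin
http_access deny all
EOF
}

# Constructed sample 2: the same file with Amos's deny line in place.
write_gated_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !authenticated
http_access allow localhost
http_access allow admin
http_access deny all
EOF
}

# Stand-alone usage: "sh audit.sh --demo" audits both samples.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_ungated_conf "$dir/ungated.conf"; audit_squid_conf "$dir/ungated.conf"
    write_gated_conf "$dir/gated.conf";     audit_squid_conf "$dir/gated.conf"
    rm -rf "$dir"
fi
```

Run it against the real file with `audit_squid_conf /usr/local/squid/etc/squid.conf` after sourcing the script; a FAIL naming one of the allow lines is the "Cache Access Denied" versus "never challenged" distinction the thread is chasing, since a file that passes this check will at least send the 407 challenge, and anything left is on the winbind/ntlm_auth side that Eli's checklist covers.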