Re: [squid-users] Squid with auth NTLM

2007-12-18 Thread Leandro Ferrrari
Thanks, I am going to compile again, but with this parameter:
'--enable-external-acl-helpers=wbinfo_group' with
'--enable-auth=ntlm,basic'

Sincerely,
Leandro Ferrari

2007/12/18, Nick Duda <[EMAIL PROTECTED]>:
> Wow, lots of options... I can't speak for your external helper, but I use
> '--enable-external-acl-helpers=wbinfo_group' with '--enable-auth=ntlm,basic'
> and it runs peachy.
>
> - Nick
>
> 
>
> From: Leandro Ferrrari [mailto:[EMAIL PROTECTED]
> Sent: Tue 12/18/2007 7:07 AM
> To: Nick Duda
> Cc: Amos Jeffries; squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid with auth NTLM
>
>
>
> Squid -v:
>
> Squid Cache: Version 3.0.STABLE1
> configure options:  '-prefix=/usr/local/squid'
> '-exec-prefix=/usr/local/squid' '-enable-delay-pools'
> '-enable-cache-digests' '-enable-poll' '-disable-ident-lookups'
> '-enable-truncate' '-enable-removal-policies'
> '--enable-follow-x-forwarded-for' '--enable-ssl'
> '--enable-large-cache-file' '--enable-snmp' '--enable-auth=basic,ntlm'
> '--enable-basic-auth-helpers=LDAP,MSNT,multi-domain-NTLM'
> '--enable-digest-auth-helpers=password'
> '--enable-external-acl-helpers=ip_user,ldap_group'
> '--enable-removal-policies=heap,lru' '--enable-x-accelerator-vary'
> '--enable-err-languages=Spanish'
> 'LDFLAGS=-L/usr/local/BerkeleyDB.4.2/lib'
>
> 2007/12/18, Nick Duda <[EMAIL PROTECTED]>:
> > What's your "squid -v"?
> >
> > 
> >
> > From: Leandro Ferrrari [mailto:[EMAIL PROTECTED]
> > Sent: Tue 12/18/2007 5:43 AM
> > To: Nick Duda
> > Cc: Amos Jeffries; squid-users@squid-cache.org
> > Subject: Re: [squid-users] Squid with auth NTLM
> >
> >
> >
> > Hi, yes, the commands wbinfo -g and -u are working perfectly. My configuration is:
> >
> > krb5.conf:
> > ...
> > [libdefaults]
> >  default_realm = NEXTIT.LOCAL
> >  dns_lookup_realm = yes
> >  dns_lookup_kdc = yes
> >
> > [realms]
> >  NEXTIT.LOCAL = {
> >   kdc = vm-ws2003.nextit.local:88
> >   admin_server = vm-ws2003.nextit.local:749
> >   default_domain = NEXTIT
> >  }
> >
> > [domain_realm]
> >  .nextit.local = NEXTIT.LOCAL
> >  nextit.local = NEXTIT.LOCAL
> > ...
> >
> > SMB.conf:
> >
> > [global]
> > workgroup = NEXTIT
> > server string = Samba Server
> > password server = NameOfServer
> > encrypt passwords = yes
> >  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >  realm = NEXTIT.LOCAL
> >    idmap uid = 1-2
> >    idmap gid = 1-2
> >    template shell = /bin/false
> >    winbind enum users = yes
> >    winbind enum groups = yes
> >    winbind use default domain = yes
> >    client ntlmv2 auth = yes
> >
> >
> > Server Windows Active Directory is Windows 2003 Server
> > Client Windows is Windows XP
> >
> > Sincerely
> > Leandro Ferrari
> >
> >
> >
> >
> > 2007/12/17, Nick Duda <[EMAIL PROTECTED]>:
> > > Have you joined your box to the domain? What is your krb5.conf file? What 
> > > is your smb.conf file? What is the status of something like wbinfo -g or 
> > > -u ?
> > >
> > > I would troubleshoot your domain connectivity before you worry about 
> > > squid.
> > >
> > >
> > > -----Original Message-----
> > > From: Amos Jeffries [mailto:[EMAIL PROTECTED]
> > > Sent: Mon 12/17/2007 7:33 PM
> > > To: Leandro Ferrrari
> > > Cc: squid-users@squid-cache.org
> > > Subject: Re: [squid-users] Squid with auth NTLM
> > >
> > > > I have configured squid 3.0 with NTLM, and this configuration in
> > > > squid.conf is:
> > > >
> > > > auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > > auth_param ntlm children 30
> > > > auth_param ntlm max_challenge_lifetime 2 minutes
> > > >
> > > > auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > > > auth_param basic children 5
> > > > auth_param basic realm Squid proxy-caching web server
> > > > auth_param basic credentialsttl 2 hours
> > > >
> > > > When I test the NTLM auth in the Explorer client with a user
> > > > authenticated in the Windows 2003 Domain Controller, Explorer or
> > > > Firefox shows the popup of the basic auth.
> > > > How do I use the NTLM auth with a user of the domain group without
> > > > basic auth?
> > >
> > > Remove the basic configuration to not use it.
> > > Your NTLM is broken by the sound of it if it's always falling back on basic.
> > > Although the login box does not necessarily mean basic is being used. It
> > > could just be that the browser has no working credentials for the user to
> > > login NTLM with.
> > >
> > >
> > > Amos
> > >
> > >
> > >
> >
> >
> >
>
>
>


RE: [squid-users] Squid with auth NTLM

2007-12-18 Thread Nick Duda
Wow, lots of options... I can't speak for your external helper, but I use
'--enable-external-acl-helpers=wbinfo_group' with '--enable-auth=ntlm,basic'
and it runs peachy.
 
- Nick







Re: [squid-users] Squid with auth NTLM

2007-12-18 Thread Leandro Ferrrari
Squid -v:

Squid Cache: Version 3.0.STABLE1
configure options:  '-prefix=/usr/local/squid'
'-exec-prefix=/usr/local/squid' '-enable-delay-pools'
'-enable-cache-digests' '-enable-poll' '-disable-ident-lookups'
'-enable-truncate' '-enable-removal-policies'
'--enable-follow-x-forwarded-for' '--enable-ssl'
'--enable-large-cache-file' '--enable-snmp' '--enable-auth=basic,ntlm'
'--enable-basic-auth-helpers=LDAP,MSNT,multi-domain-NTLM'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user,ldap_group'
'--enable-removal-policies=heap,lru' '--enable-x-accelerator-vary'
'--enable-err-languages=Spanish'
'LDFLAGS=-L/usr/local/BerkeleyDB.4.2/lib'



RE: [squid-users] Squid with auth NTLM

2007-12-18 Thread Nick Duda
What's your "squid -v"?







Re: [squid-users] Squid with auth NTLM

2007-12-18 Thread Leandro Ferrrari
Hi, yes, the commands wbinfo -g and -u are working perfectly. My configuration is:

krb5.conf:
...
[libdefaults]
 default_realm = NEXTIT.LOCAL
 dns_lookup_realm = yes
 dns_lookup_kdc = yes

[realms]
 NEXTIT.LOCAL = {
  kdc = vm-ws2003.nextit.local:88
  admin_server = vm-ws2003.nextit.local:749
  default_domain = NEXTIT
 }

[domain_realm]
 .nextit.local = NEXTIT.LOCAL
 nextit.local = NEXTIT.LOCAL
...

SMB.conf:

[global]
workgroup = NEXTIT
server string = Samba Server
password server = NameOfServer
encrypt passwords = yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 realm = NEXTIT.LOCAL
   idmap uid = 1-2
   idmap gid = 1-2
   template shell = /bin/false
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   client ntlmv2 auth = yes


Server Windows Active Directory is Windows 2003 Server
Client Windows is Windows XP

Sincerely
Leandro Ferrari






RE: [squid-users] Squid with auth NTLM

2007-12-17 Thread Nick Duda
Have you joined your box to the domain? What is your krb5.conf file? What is 
your smb.conf file? What is the status of something like wbinfo -g or -u ?

I would troubleshoot your domain connectivity before you worry about squid.






Re: [squid-users] Squid with auth NTLM

2007-12-17 Thread Amos Jeffries
> I have configured squid 3.0 with NTLM, and this configuration in
> squid.conf is:
>
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> When I test the NTLM auth in the Explorer client with a user
> authenticated in the Windows 2003 Domain Controller, Explorer or
> Firefox shows the popup of the basic auth.
> How do I use the NTLM auth with a user of the domain group without
> basic auth?

Remove the basic configuration to not use it.
Your NTLM is broken by the sound of it if it's always falling back on basic.
Although the login box does not necessarily mean basic is being used. It
could just be that the browser has no working credentials for the user to
login NTLM with.


Amos
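
The point in the reply above, that a login box does not by itself show Basic is being used, can be checked from the `Proxy-Authenticate` / `Proxy-Authorization` headers of a captured 407 exchange. The following is an added example, not part of the original thread: it classifies those header values and reads the NTLMSSP message type. The sample exchanges, the function names and the labels returned by `diagnose` are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify(value):
    """Classify one Proxy-Authenticate / Proxy-Authorization value as (scheme, kind)."""
    scheme, _, token = value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme == "basic":
        return ("basic", "offer" if token.lower().startswith("realm=") else "credentials")
    if scheme == "ntlm":
        if not token:
            return ("ntlm", "offer")
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            return ("ntlm", "malformed")
        # Every NTLMSSP message starts with "NTLMSSP\0" and a little-endian type.
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return ("ntlm", "malformed")
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("ntlm", NTLM_TYPES.get(msg_type, "unknown"))
    return (scheme, "other")


def diagnose(exchange):
    """exchange: list of (sender, header value) in wire order; returns a label."""
    offered = {classify(v)[0] for who, v in exchange if who == "proxy"}
    client = [classify(v) for who, v in exchange if who == "client"]
    if not client:
        return "no-credentials-sent"
    if ("ntlm", "AUTHENTICATE") in client:
        return "ntlm-handshake-completed"
    if ("ntlm", "NEGOTIATE") in client:
        return "ntlm-started-not-finished"
    if ("basic", "credentials") in client:
        return "basic-fallback" if "ntlm" in offered else "basic-only"
    return "unrecognised"


def ntlm_token(msg_type):
    """Constructed minimal NTLMSSP header (signature + type), not a real capture."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()


def sample_exchanges():
    """Constructed header sequences for a proxy offering both schemes."""
    offer = [("proxy", "NTLM"),
             ("proxy", 'Basic realm="Squid proxy-caching web server"')]
    basic = base64.b64encode(b"user:constructed").decode()
    return {
        "popup_then_basic": offer + [("client", "Basic " + basic)],
        "ntlm": offer + [("client", "NTLM " + ntlm_token(1)),
                         ("proxy", "NTLM " + ntlm_token(2)),
                         ("client", "NTLM " + ntlm_token(3))],
        "popup_cancelled": offer,
    }
```

A result of `basic-fallback` means the browser skipped the NTLM offer entirely, while `ntlm-started-not-finished` points at the helper or domain side rather than the browser.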