Re: [squid-users] Authentication Override

2007-05-05 Thread Henrik Nordstrom
Fri 2007-05-04 at 14:44 -0400, Chris Nighswonger wrote:

 I never have been real clear on the difference between realm and
 domain. What is it?

realm is the identification of the protection space on the server (or
possibly servers, if using Digest)

The Windows Domain is a division of users for administrative purposes,
not related to the server other than that there must at least be an
administrative trust between the administrative domain of the server and
the administrative domain of the user.

Quote from RFC2617

   The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge. The realm value
   (case-sensitive), in combination with the canonical root URL (the
   absoluteURI for the server whose abs_path is empty; see section 5.1.2
   of [2]) of the server being accessed, defines the protection space.
   These realms allow the protected resources on a server to be
   partitioned into a set of protection spaces, each with its own
   authentication scheme and/or authorization database. The realm value
   is a string, generally assigned by the origin server, which may have
   additional semantics specific to the authentication scheme. Note that
   there may be multiple challenges with the same auth-scheme but
   different realms.


Regards
Henrik




Re: [squid-users] Authentication Override

2007-05-04 Thread Henrik Nordstrom
Thu 2007-05-03 at 17:34 -0400, Brian Kirk wrote:
 Ok I have been trying various configurations in my squid.conf, I am
 sure that I was over complicating the issue. Here is a stripped down
 version that I would like to use basic if NTLM fails, but it never
 drops down to the basic authentication.

It should not. If the browser is NTLM capable it should drop down to an
NTLM authentication dialog when the logged in user is denied access, not
basic (Basic only gets used if the browser is not NTLM capable, or not
willing to speak NTLM with the proxy).

This said, NTLM is a bit different..

Which version of Squid? If 2.5, make sure to test with 2.6. The NTLM
support between the two versions is substantially different, and I am not
going to look at a problem unless it's confirmed in 2.6.

Regards
Henrik


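Two points from Henrik's replies above can be made concrete by parsing the challenge headers a proxy sends: the realm is a directive inside a Basic or Digest challenge and, together with the canonical root URL, names the protection space (RFC 2617), while NTLM and Negotiate challenges carry no realm at all; and an NTLM-capable browser picks the strongest scheme it understands, so it never drops to Basic while NTLM is on offer. The Python below is an added example written for this page, not code from Squid or from anyone in the thread. The header value, the proxy URLs and the client preference order (assumed to be Negotiate, NTLM, Digest, Basic) are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A parsed challenge: (auth-scheme, auth-params keyed by lower-cased name, token68 data or None).
Challenge = Tuple[str, Dict[str, str], Optional[str]]

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME_RE = re.compile(r"\s*(" + _TOKEN + r")")
_PARAM_RE = re.compile(r"\s*(" + _TOKEN + r")\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|(" + _TOKEN + r"))")
_PARAM_AHEAD_RE = re.compile(r"\s*" + _TOKEN + r"\s*=(?!=)")   # "name=" but not "abc=="
_TOKEN68_RE = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)")          # NTLM/Negotiate blob
_SEP_RE = re.compile(r"\s*(,|$)")


def parse_challenges(header: str) -> List[Challenge]:
    """Split a Proxy-Authenticate / WWW-Authenticate value into its challenges.

    The comma separates both the auth-params of one challenge and the challenges
    themselves, so a list element of the form "token=" continues the current
    challenge and anything else starts a new one.
    """
    out: List[Challenge] = []
    pos, end = 0, len(header)
    while pos < end:
        sep = _SEP_RE.match(header, pos)
        if sep:                                   # empty list element or trailing space
            pos = sep.end()
            continue
        m = _SCHEME_RE.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {header[pos:]!r}")
        scheme, pos = m.group(1), m.end()
        params: Dict[str, str] = {}
        data: Optional[str] = None
        while True:
            pm = _PARAM_RE.match(header, pos)
            if not pm:
                break
            name = pm.group(1).lower()            # directive names are case-insensitive
            if pm.group(2) is not None:           # quoted-string: undo \" and \\ escapes
                value = re.sub(r"\\(.)", r"\1", pm.group(2))
            else:
                value = pm.group(3)
            params[name] = value                  # values such as realm stay case-sensitive
            pos = pm.end()
            sep = _SEP_RE.match(header, pos)
            if not sep:
                raise ValueError(f"junk after auth-param at offset {pos}: {header[pos:]!r}")
            if sep.group(1) == "," and _PARAM_AHEAD_RE.match(header, sep.end()):
                pos = sep.end()                   # next element is another param of ours
                continue
            break                                 # next element, if any, is a new challenge
        if not params:                            # bare "NTLM" or "Negotiate <token68>"
            tm = _TOKEN68_RE.match(header, pos)
            if tm and _SEP_RE.match(header, tm.end()):
                data, pos = tm.group(1), tm.end()
        if not _SEP_RE.match(header, pos):
            raise ValueError(f"junk after challenge at offset {pos}: {header[pos:]!r}")
        out.append((scheme, params, data))
    return out


def canonical_root_url(url: str) -> str:
    """absoluteURI of the server with an empty abs_path (RFC 2616 5.1.2), default port dropped."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = u.port or default
    host = (u.hostname or "").lower()
    return f"{scheme}://{host}/" if port == default else f"{scheme}://{host}:{port}/"


def protection_space(url: str, challenge: Challenge) -> Tuple[str, Optional[str]]:
    """RFC 2617 protection space: realm plus canonical root URL. NTLM/Negotiate have no realm."""
    scheme, params, _ = challenge
    root = canonical_root_url(url)
    if scheme.lower() in ("basic", "digest"):
        if "realm" not in params:
            raise ValueError(f"{scheme} challenge is missing the required realm directive")
        return root, params["realm"]
    return root, None                             # the server itself is the only partition


# Assumed client preference for this example: strongest understood scheme wins, so a
# browser that speaks NTLM never answers the Basic challenge while NTLM is offered.
IE_PREFERENCE = ("negotiate", "ntlm", "digest", "basic")


def choose_challenge(challenges: List[Challenge], prefs=IE_PREFERENCE) -> Optional[Challenge]:
    for scheme in prefs:
        for c in challenges:                      # first challenge listed for that scheme
            if c[0].lower() == scheme:
                return c
    return None


# Constructed header of the kind a proxy sends when several schemes are configured.
SAMPLE = ('Negotiate, NTLM, Basic realm="Squid proxy-caching web server", '
          'Digest realm="proxy", nonce="abc123", qop="auth"')
```

Feeding the parser a header with a browser preference list of only `("basic",)` is the situation Henrik describes for a client that is not NTLM capable; with the full preference list the Basic realm is never consulted.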


Re: [squid-users] Authentication Override

2007-05-04 Thread Brian Kirk

Squid 2.6 Stable 9.  Ok, so if I understand you correctly, it will not
drop down to basic ever with IE since it is NTLM capable; it will just
prompt you for your credentials if the credentials that were provided
weren't a member of the specific require-membership-of group.  And
that would explain why I never get prompted with the realm provided in
the basic authentication portion.

Thank you,
Brian

On 5/4/07, Henrik Nordstrom wrote:

 It should not. If the browser is NTLM capable it should drop down to an
 NTLM authentication dialog when the logged in user is denied access, not
 basic (Basic only gets used if the browser is not NTLM capable, or not
 willing to speak NTLM with the proxy).

 This said, NTLM is a bit different..

 Which version of Squid? If 2.5, make sure to test with 2.6. The NTLM
 support between the two versions is substantially different, and I am not
 going to look at a problem unless it's confirmed in 2.6.

 Regards
 Henrik




Re: [squid-users] Authentication Override

2007-05-04 Thread Chris Nighswonger

On 5/4/07, Brian Kirk wrote:

 Squid 2.6 Stable 9.  Ok, so if I understand you correctly, it will not
 drop down to basic ever with IE since it is NTLM capable; it will just
 prompt you for your credentials if the credentials that were provided
 weren't a member of the specific require-membership-of group.  And
 that would explain why I never get prompted with the realm provided in
 the basic authentication portion.


Brian,

 FWIW, you can pass *realm* off on IE's NTLM prompt by
'domain\username' in the 'username' field ([EMAIL PROTECTED] may
work as well). I run two separate domains through a single squid. All
internet access accounts are on domain A. Thus, users on domain B have
to use 'domainA\username' when prompted (which is every time they open
a browser for the first time). Watch out for the 'Save my password'
checkbox.

Chris


Re: [squid-users] Authentication Override

2007-05-04 Thread Henrik Nordstrom
Fri 2007-05-04 at 13:47 -0400, Chris Nighswonger wrote:

   FWIW, you can pass *realm* off on IE's NTLM prompt by
 'domain\username' in the 'username' field ([EMAIL PROTECTED] may
 work as well).

That's the domain, not the realm. NTLM (and Negotiate) does not have a
realm..

Regards
Henrik




Re: [squid-users] Authentication Override

2007-05-04 Thread Chris Nighswonger

On 5/4/07, Henrik Nordstrom wrote:

 Fri 2007-05-04 at 13:47 -0400, Chris Nighswonger wrote:

   FWIW, you can pass *realm* off on IE's NTLM prompt by
  'domain\username' in the 'username' field ([EMAIL PROTECTED] may
  work as well).

 That's the domain, not the realm. NTLM (and Negotiate) does not have a
 realm..


Henrik,

I never have been real clear on the difference between realm and
domain. What is it?

Thanks,
Chris


Re: [squid-users] Authentication Override

2007-05-03 Thread Henrik Nordstrom
Wed 2007-05-02 at 18:41 -0400, Brian Kirk wrote:
 We have a need for an authentication override for NTLM

The following should work:

acl generic_user proxy_auth genericusername
http_access deny generic_user

placed after where you allow access

Note: http_access is sensitive to ordering. The first matching rule is
used, the rest ignored. So your rules (both allowing and denying) should
go after the CONNECT and Safe_Ports stuff, just before the deny all.

Regards
Henrik


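The first-match evaluation Henrik describes, and the difference it makes where the generic-account deny sits relative to the allow line and to the Safe_ports/CONNECT rules, can be checked by simulating http_access over the ACL names posted in this thread. The Python below is an added example written for this page, not Squid's own code: it models only the src, port, method and proxy_auth ACL types, treats a repeated acl line as extending the list, and follows the simplified rule that a denied request whose last evaluated ACL is a proxy_auth ACL is answered with 407 (a fresh challenge, which is what makes the browser prompt again) rather than 403. The client addresses, user names and the three rule orderings are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Acl = Tuple[str, List[str]]      # (acl type, values)
Rule = Tuple[bool, List[str]]    # (True for allow, acl terms; a leading "!" negates a term)


@dataclass(frozen=True)
class Request:
    src: str             # client address
    method: str          # GET, CONNECT, ...
    port: int            # destination port
    user: Optional[str]  # verified proxy user name, or None if no credentials were sent


def parse_config(text: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    """Collect acl and http_access lines; every other directive is ignored."""
    acls: Dict[str, Acl] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            acls[name] = (acltype, acls.get(name, (acltype, []))[1] + values)
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def acl_matches(acl: Acl, req: Request) -> Optional[bool]:
    """True/False, or None when a proxy_auth ACL is reached without credentials."""
    acltype, values = acl
    if acltype == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acltype == "method":
        return req.method.upper() in [v.upper() for v in values]
    if acltype == "proxy_auth":
        if req.user is None:
            return None
        return values == ["REQUIRED"] or req.user in values
    raise ValueError(f"acl type {acltype} is not modelled here")


def http_access(config: str, req: Request) -> int:
    """Status the simulated proxy answers: 200 allowed, 403 denied, 407 re-challenge."""
    acls, rules = parse_config(config)
    last_type = None
    for allow, terms in rules:
        matched = True
        for term in terms:                    # all terms on one line must hold (AND)
            name = term.lstrip("!")
            last_type = acls[name][0]
            result = acl_matches(acls[name], req)
            if result is None:
                return 407                    # credentials needed before this line can be decided
            if result == term.startswith("!"):
                matched = False               # this term failed, the line does not match
                break
        if matched:                           # first matching line wins
            if allow:
                return 200
            return 407 if last_type == "proxy_auth" else 403
    # no line matched: the default is the opposite of the last line's action
    return 200 if rules and not rules[-1][0] else 403


# Constructed from the acl names posted in the thread; only the http_access order differs.
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 443 563 1025-65535
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl generic_user proxy_auth genericusername
"""
PORT_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
"""
AS_POSTED = ACLS + "http_access allow all AuthorizedUsers\n" + PORT_RULES + "http_access deny all\n"
DENY_BEFORE_ALLOW = ACLS + PORT_RULES + (
    "http_access deny generic_user\nhttp_access allow AuthorizedUsers\nhttp_access deny all\n")
DENY_AFTER_ALLOW = ACLS + PORT_RULES + (
    "http_access allow AuthorizedUsers\nhttp_access deny generic_user\nhttp_access deny all\n")
```

With the allow line placed first, as in the posted configuration, an authenticated user can CONNECT to any port because the Safe_ports and CONNECT denies are never reached; moved behind them, the same request is refused with 403. For the generic account the order of the two proxy_auth lines decides everything: a deny that follows `allow AuthorizedUsers` is dead code, while a deny that precedes it answers the generic account with 407 and so forces the browser to present other credentials.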


Re: [squid-users] Authentication Override

2007-05-03 Thread Brian Kirk

Ok, I have been trying various configurations in my squid.conf; I am
sure that I was over-complicating the issue. Here is a stripped-down
version that I would like to use basic if NTLM fails, but it never
drops down to the basic authentication.  I think that I am probably
putting a lot more in this than I need to get my point across, but if
I log into a machine locally and try to get to the Internet it prompts
me, but doesn't seem to have the realm correct or use the basic
authentication. We have multiple domains, and when we use auth_param
basic program /opt/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic users have to know their domain, and
some of our users aren't that bright:

cache_peer firewall.domain.com parent 8080 0 no-query default
emulate_httpd_log on

# NTLM helper: only members of the named group SID authenticate successfully
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of={SID of our Internet Group}
auth_param ntlm children 5
#auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
# Basic helper: bind to the AD global catalog (port 3268) and look the user up by sAMAccountName.
# The bind DN contains a space, so it is quoted here; -w keeps the bind password in squid.conf
# (squid_ldap_auth can read it from a file with -W instead).
auth_param basic program /opt/squid/libexec/squid_ldap_auth -R -b DC=domain,DC=com -D "cn=Squid,OU=Service Accounts,DC=hdq,DC=domain,DC=com" -w xx -f sAMAccountName=%s -h directory.hdq.domain.com -p 3268
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl authenticated_users proxy_auth REQUIRED
never_direct allow all
http_access allow authenticated_users
http_access deny all
http_reply_access allow all
icp_access allow all


[squid-users] Authentication Override

2007-05-02 Thread Brian Kirk

We have a need for an authentication override for NTLM. For example,
there are users that share a computer for access, but the system is
logged in to Active Directory with a generic account.  We would like to
know who is going where, so the generic account doesn't have Internet
access, but the users have another AD account for Internet only, and we
would like to give them the ability to get to the Internet without
having to log out and log back into Windows. We have SmartFilter
installed, so users actually all have access, but the default access is
very restricted (fbi.gov, weather.com, etc.). If the users are in our
Standard Internet group then they can get to more, and of course we
have users that have unrestricted access and can get to almost everything.
So can we provide a weblink or a form that would allow them to
override the NTLM authentication, or change the credentials from the
browser?

relevant parts of squid.conf:

smartfilter_state on
smartfilter_config /opt/squid/etc/config.txt
smartfilter_userinfo_program /opt/squid/libexec/sf_userinfo -f /opt/squid/etc/config.txt
smartfilter_userinfo_children 15

auth_param ntlm program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

auth_param basic program /opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
never_direct allow all
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
no_cache deny QUERY

# the first matching http_access line wins: this allow is evaluated before the port and CONNECT denies
http_access allow all AuthorizedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

Thank you,
Brian