On 22/10/2015 8:21 a.m., Keith White wrote:
>
> I have squid running on Centos 7 and am trying to set up AD
> authentication. I have samba/winbindd installed and the system was added
> to the domain with authconfig. I have tested authentication with
> auth_ntlm and that works. I have also tested group membership with
> auth_ntlm and that works as well. When attempting to access squid with
> either IE or Firefox I am presented with the authentication dialog box.

If you have cache_effective_user or cache_effective_group directives in
your config file remove them. They break the Winbind helpers group
permissions.

Were your successful tests made using the Squid low-privileged user
account? If no, then your test results are not relevant. Re-test as the
Squid user, which will need membership of the winbindd_priv group.

What Windows version are the IE and Firefox being run on? If it is newer
than Windows 2000, then you should be moving to Negotiate/Kerberos
authentication instead of NTLM.

Does the client machine have Windows Integrated Authentication enabled,
and is it on-domain? Off-domain machines have no chance of NTLM working.
Disable their integrated authentication settings.

Note that without the integrated auth Firefox has no access to NTLM
credentials and MSIE has a tendency to use the machine credentials
instead of the user's.

> Manually entering credentials does not work. What debugging can I enable
> to see what is going on? Squid is built with the following

<http://wiki.squid-cache.org/KnowledgeBase/DebugSections>

At least these:
  debug_options ALL,0 11,2 28,5 29,5

>
> Squid Cache: Version 3.5.9-20150917-r13917
> Service Name: squid
> configure options: '--prefix=/usr' '--includedir=/usr/include'
> '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
> '--localstatedir=/varsquid' '--sysconfdir=/etc/squid' '--enable-auth'
> '--enable-auth-ntlm' '--enable-external-acl-helpers'
> '--enable-auth-negotiate' '--enable-auth-basic' '--enable-auth-digest'
>
>
> relevant section from squid.conf
>
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours

You should list Basic as first choice since it is the more secure of
those two protocols.

Sounds like a joke, but it is true: NTLM is less secure these days than
Basic auth. Namely because clients that accept NTLM can be auto-downgraded
by attackers to using LanMan protocols that broadcast the username and
password just like Basic - BUT most network software treats Basic auth as
the insecure one and does a lot more to protect its weak credentials.

>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow localnet
> http_access allow AuthorizedUsers
> http_access allow localhost

The above implies that the authenticated users will be outside the LAN
(localnet).

The 'L' in NTLM is "LAN" and old 1980s-1990s-style flat LAN networks are
where it was designed for use. It does *not* work properly over Internet
connections or even in many of today's complex LAN environments.

You need Negotiate/Kerberos auth for Internet clients to even have half a
chance of authenticating securely. Then you also need to get the whole
on/off domain thing sorted out and working.

PS. you will probably need a few hundred helpers for NTLM. It is an
*extremely* inefficient protocol. I've not seen even a home network
operate with fewer than 50; the usual minimum is 100.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
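Added example, not from Amos or the Squid project: a small POSIX sh script that performs the re-test asked for in the reply above, checking that the Squid service account is in winbindd's privileged-pipe group and then running the Basic ntlm_auth helper as that account rather than as root. It assumes the service user is named squid, the helper path /usr/bin/ntlm_auth from the quoted squid.conf, and the group name winbindd_priv used in the thread (some distributions name it wbpriv); all three are overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: run the Basic ntlm_auth helper the way
# Squid does, as the low-privileged Squid account, after checking that account
# is in winbindd's privileged-pipe group. Assumptions: user "squid", helper
# /usr/bin/ntlm_auth (from the quoted squid.conf), group winbindd_priv (as
# named in the thread; some distros call it wbpriv). Override via environment.
SQUID_USER="${SQUID_USER:-squid}"
HELPER="${HELPER:-/usr/bin/ntlm_auth}"
PRIV_GROUP="${PRIV_GROUP:-winbindd_priv}"

# Classify one squid-2.5-basic helper reply: OK = accepted, ERR = rejected,
# BH = the helper itself is broken (e.g. it cannot reach winbindd).
classify_helper_reply() {
    case "$1" in
        OK|"OK "*)   echo authenticated ;;
        ERR|"ERR "*) echo rejected ;;
        BH|"BH "*)   echo helper-broken ;;
        *)           echo unrecognised ;;
    esac
}

# True if the whitespace-separated list $1 (e.g. `id -Gn` output) contains $2.
in_group_list() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Run the helper as the Squid user and feed one "user password" line on stdin
# (never on argv, which would expose the password in `ps`). Squid URL-encodes
# these fields; plain ASCII values need no encoding here.
test_basic_as_squid_user() {
    reply=$(printf '%s %s\n' "$1" "$2" \
        | sudo -u "$SQUID_USER" "$HELPER" --helper-protocol=squid-2.5-basic \
        | head -n 1)
    classify_helper_reply "$reply"
}

main() {
    if in_group_list "$(id -Gn "$SQUID_USER")" "$PRIV_GROUP"; then
        echo "$SQUID_USER is in $PRIV_GROUP"
    else
        echo "$SQUID_USER is NOT in $PRIV_GROUP: the helper will fail under Squid"
    fi
    printf 'Domain user: '; read -r u
    printf 'Password: '; stty -echo; read -r p; stty echo; echo
    echo "helper reply: $(test_basic_as_squid_user "$u" "$p")"
}
# The interactive check only runs when invoked as: sh ntlm_auth_check.sh run
if [ "${1:-}" = run ]; then main; fi
```

A "helper-broken" result when the same credentials succeed as root is the permissions symptom described above: the Squid account cannot open winbindd's privileged pipe.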