On 14/01/2016 4:36 a.m., dol...@ihcrc.org wrote: > Is there a way to test the following lines from my squid.conf file to make > sure the connections are working correctly? > > ### negotiate kerberos and ntlm authentication > auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm > /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics > --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos > /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME > auth_param negotiate children 10 > auth_param negotiate keep_alive off > > ### pure ntlm authentication > auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics > --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC > auth_param ntlm children 10 > auth_param ntlm keep_alive off > > ### provide basic authentication via ldap for clients not authenticated via > kerberos/ntlm > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b > "dc=ihcrc,dc=org" -D sq...@ihcrc.org -W /etc/squid3/ldappass.txt -f > sAMAccountName=%s -h srv-dataserver2.ihcrc.org > auth_param basic children 10 > auth_param basic realm Internet Proxy > auth_param basic credentialsttl 1 minute > > When I run them at the command lines, minus the statements from Children > down, I just get a huge print out of some man pages. I'm trying to identify > why I can't get AD authentication to work correctly on my Squid server, so > I'm trying to test each area of the squid.conf file independently. >
They do not work. The --* parameters you are passing to ntlm_smb_lm_auth are actually parameters for the Samba ntlm_auth helper. If you need NTLM then you should install that Samba helper and use it instead. FYI: ntlm_smb_lm_auth is the Squid bundled helepr for doing SMB LanMan authentication. Thats a form of auth for Microsoft Network (circa 1970-1980's) with terrible encryption. SMB LM crypto is so weak/bad that the Squid helper is actually decrypting it in realtime to extract the user:password and translating them into Basic auth queries against your AD servers. Ironically Basic auth is more secure. *** Any software which works with this helper is *very* insecure. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
