
Squid NTLM authentication configuration using ntlm_auth

Q. How do I configure Squid for NTLM authentication?

A. You need the ntlm_auth helper that ships with Samba. It lets external programs such as Squid use Winbind's NTLM authentication function: ntlm_auth hands the NTLM exchange to winbindd, which validates it against a domain controller and returns the user and group data for the domain. The proxy host must therefore be joined to the domain and running winbindd before the helper can validate anything.

Make sure winbindd is working

winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and ntlm_auth, and to Samba itself. If you are not sure about winbindd, refer to the official Samba documentation for configuration. Two things bite most often in practice: the host is not actually joined (wbinfo -t fails), and the user Squid runs as cannot read winbind's privileged pipe directory (winbindd_privileged), which the squid-2.5-ntlmssp helper mode requires.
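Before editing squid.conf it pays to prove that winbindd and ntlm_auth work from the shell. The script below is an added example, not part of the original page: it pings winbindd, checks the domain trust, tries a real logon both directly and through the exact squid-2.5-basic helper protocol Squid uses, and checks that Squid's user can reach the privileged pipe. It assumes Squid's effective user is proxy, that the privileged pipe directory is /var/lib/samba/winbindd_privileged, and a throw-away test account supplied as TEST_DOMAIN/TEST_USER/TEST_PASS (the password is passed on the ntlm_auth command line and is visible in ps while it runs, so never use a real account here).

```shell
#!/bin/sh
# Preflight for Squid + Samba's ntlm_auth: prove winbindd and the helper work
# from the shell before touching squid.conf. Added example, not from the page.
#
# Assumptions (edit for your box): Squid's effective user is "proxy" (Debian;
# "squid" on RHEL-type systems) and winbind's privileged pipe directory is
# /var/lib/samba/winbindd_privileged (often /var/run/samba/winbindd_privileged
# elsewhere). TEST_DOMAIN/TEST_USER/TEST_PASS are a throw-away test account;
# the password is passed on the command line and is visible in `ps` meanwhile.

SQUID_USER="${SQUID_USER:-proxy}"
WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
TEST_DOMAIN="${TEST_DOMAIN:-WORKGROUP}"
TEST_USER="${TEST_USER:-testuser}"
TEST_PASS="${TEST_PASS:-}"

# `ntlm_auth --username=...` prints one NT_STATUS line; only NT_STATUS_OK is success.
ntlm_auth_ok() {
    case "$1" in
        NT_STATUS_OK:*) return 0 ;;
        *)              return 1 ;;
    esac
}

# In --helper-protocol=squid-2.5-basic mode the helper answers "OK" or "ERR <reason>"
# for each "username password" line it is fed; anything else means a broken helper.
basic_reply_ok() {
    case "$1" in
        OK|"OK "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Is user $1 in group $2, counting secondary groups (which is how squid sees it
# unless cache_effective_group overrides them)?
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

main() {
    rc=0
    wbinfo -p >/dev/null 2>&1 || { echo "FAIL: winbindd not answering (wbinfo -p)"; rc=1; }
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: domain trust secret check failed (wbinfo -t)"; rc=1; }

    if [ -n "$TEST_PASS" ]; then
        # Direct check: winbind -> domain controller, no squid involved.
        out=$(ntlm_auth --username="$TEST_USER" --domain="$TEST_DOMAIN" --password="$TEST_PASS" 2>&1)
        ntlm_auth_ok "$out" || { echo "FAIL: ntlm_auth rejected $TEST_DOMAIN\\$TEST_USER: $out"; rc=1; }
        # Same credentials through the protocol squid's basic scheme speaks
        # (one-line check, so use a test password without spaces).
        reply=$(printf '%s %s\n' "$TEST_USER" "$TEST_PASS" |
                ntlm_auth --helper-protocol=squid-2.5-basic --domain="$TEST_DOMAIN" 2>&1)
        basic_reply_ok "$reply" || { echo "FAIL: squid-2.5-basic helper replied: $reply"; rc=1; }
    else
        echo "SKIP: set TEST_PASS to check a real logon"
    fi

    # The squid-2.5-ntlmssp mode needs read access to winbind's privileged pipe,
    # normally granted by membership of the group that owns the directory.
    if [ -d "$WINBIND_PRIV_DIR" ]; then
        grp=$(ls -ld "$WINBIND_PRIV_DIR" | awk '{print $4}')
        user_in_group "$SQUID_USER" "$grp" ||
            { echo "FAIL: $SQUID_USER is not in group $grp, which owns $WINBIND_PRIV_DIR"; rc=1; }
    else
        echo "WARN: $WINBIND_PRIV_DIR not found; locate winbindd_privileged for this distribution"
    fi

    [ "$rc" -eq 0 ] && echo "preflight OK"
    return "$rc"
}

if command -v wbinfo >/dev/null 2>&1; then
    main
else
    echo "wbinfo not found: install the winbind package and start winbindd first" >&2
fi
```

Run it as root (or as the Squid user, which is the more honest test of the pipe permissions): `TEST_DOMAIN=EXAMPLE TEST_USER=proxytest TEST_PASS=... sh preflight.sh`. If the direct ntlm_auth check passes but the squid-2.5-basic line fails, the problem is the helper protocol or the default domain, not the domain join.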

Configure squid for NTLM authentication

Open the Squid configuration file, squid.conf (usually /etc/squid/squid.conf), enter:
# vi squid.conf
Add the following directives. The auth_param lines must appear before any acl that uses proxy_auth, because Squid parses the file top to bottom and rejects a proxy_auth ACL while no authentication scheme is configured yet. The helper path is distribution-specific: Samba installs its ntlm_auth as /usr/bin/ntlm_auth on most systems, while /usr/lib/squid/ntlm_auth on some distributions is Squid's own SMB-based helper, which does not understand --helper-protocol; check with which ntlm_auth and point Squid at the Samba binary:
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
The basic scheme is only a fallback for clients that cannot do NTLM: the browser sends the password base64-encoded, i.e. effectively in clear text, to the proxy, so leave it out if every client supports NTLM or the client-to-proxy network is not trusted.

To restrict access to members of one domain group, add --require-membership-of to the helper (the argument is a DOMAIN\group name or the group's SID; ntlm_auth then rejects users who authenticate correctly but are outside the group):
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="WORKGROUP\Domain Users"
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="WORKGROUP\Domain Users"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
The last two directives exist only in Squid 2.5; Squid 2.6 and later leave challenge handling to the helper and removed them, so drop them when upgrading.

OR you can use Squid's own SMB-based NTLM helper, which in Squid 2.x is also called ntlm_auth (renamed ntlm_smb_lm_auth in Squid 3) and talks to a domain controller directly instead of going through winbind; it takes DOMAIN/PDC arguments:
auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAINNAME/PDC
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
This helper only speaks LM/NTLMv1 to the domain controller, so it stops working once NTLMv1 is disabled on the domain; Samba's ntlm_auth via winbind is the better choice.

Now add an ACL that requires successful proxy authentication and allow only those users (these http_access lines must come before the default http_access deny all in the file, or they are never reached):
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all
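Putting the pieces above together, the following is a complete authentication section as an added example (not from the original page) for a current Squid with Samba's ntlm_auth. It assumes the Samba helper lives at /usr/bin/ntlm_auth, a domain named EXAMPLE, and that these lines are placed before the distribution's default http_access deny all.

```conf
# --- NTLM via Samba's ntlm_auth (must precede any acl that uses proxy_auth) ---
# Assumption: Samba's helper is /usr/bin/ntlm_auth; check with `which ntlm_auth`.
# On some distributions /usr/lib/squid/ntlm_auth is Squid's own SMB helper,
# which does not accept --helper-protocol.
# The group may also be given as a SID (look it up with `wbinfo -n "Domain Users"`).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="EXAMPLE\Domain Users"
auth_param ntlm children 20

# Basic fallback for clients that cannot do NTLM. The browser sends the
# password base64-encoded (effectively clear text) to the proxy, so keep this
# only if you need it and the client-to-proxy path is trusted.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="EXAMPLE\Domain Users"
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Squid 2.5 only; do not add these on 2.6/3.x:
# auth_param ntlm max_challenge_reuses 0
# auth_param ntlm max_challenge_lifetime 2 minutes

acl ntlm_users proxy_auth REQUIRED

# Deny first: a missing or failed credential on this line is what makes Squid
# send the 407 challenge to the browser instead of a plain access-denied page.
http_access deny !ntlm_users
http_access allow ntlm_users
http_access deny all
```

Validate with squid -k parse before restarting; a misplaced auth_param shows up there as the "no authentication schemes are fully configured" error rather than after Squid has already gone down.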

Save and close the file. Check the configuration with squid -k parse, then restart Squid:
# /etc/init.d/squid restart

19 comments

  • Tapan Shah April 9, 2007, 9:30 am

    I am getting an error while configuring this. The error is:

    FATAL: authparam basic program /usr/bin/ntml_auth: (2) No such file or directory
    Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
    CPU Usage: 0.007 seconds = 0.002 user + 0.005 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted. So please reply to me about this.
    Thank you.

  • nixCraft April 11, 2007, 6:20 pm

    Set the correct path for the /usr/lib/squid/ntml_auth file.

  • jayaram July 27, 2007, 11:09 am

    How can I block one Active Directory user from accessing the internet through squid (or users with blank passwords)?

  • dark_harmonics September 11, 2007, 12:32 am

    If you are getting an error it's because the author messed up his script. Check for where he substitutes ntml instead of ntlm. Fix that and you are good to go!

  • nixCraft September 12, 2007, 5:01 am

    dark_harmonics,

    The FAQ has been updated. I appreciate your feedback.

  • deepak ray September 20, 2007, 6:28 am

    Good work, and we have to share our experiences and ideas with all Linux workers.

  • samerk October 25, 2007, 1:35 pm

    Thank you guys for this documentation, it's quite helpful when configuring Squid with NTLM.
    However I have a couple of questions regarding clients that are not joined to the Active Directory DC:

    1. A non-joined client using IE will have to log on using realm/username and password. Is there a way to make him authenticate with only his username and password?
    NB: It works fine with other browsers such as Firefox.

    2. If you use IE with this NTLM auth (on a non-joined PC) and select the 'save password' checkbox, the password gets stored in the registry as if it was for a network location. To delete the record you will have to run
    "rundll32.exe keymgr.dll, KRShowKeyMgr"
    This is causing real problems for users. Have you encountered this? And were you able to figure a way out?

    Thanks again,
    Samerk

  • newbie June 11, 2008, 1:15 pm

    I have two groups: one group only has access to a whitelist and the other group has full access to the internet. How can I set up squid to authorize groups?

  • matu August 13, 2008, 1:11 pm

    For squid 2.6, see the following Wiki page.
    I was able to start squid only after configuring squid.conf as described there.
    http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM?highlight=%28ConfigExamples%29

  • matu August 13, 2008, 1:30 pm

    One more thing: on the above wiki page there is an ownership fix by using "cache_effective_group root" in squid.conf. It worked for me only after removing this line from squid.conf, so do not add it to squid.conf.

  • James Johnston October 30, 2008, 4:54 am

    To deal with winbind permissions problems:
    (1) add the proxy user to the winbindd_priv group. (2) comment out the "cache_effective_group" line in squid.conf so that secondary groups for the proxy user aren't ignored.

    Once I did that NTLM worked fine.

  • sameer kale April 5, 2009, 8:22 am

    I want to authenticate the user by his username, password and MAC address. Is it possible with ntlm_auth? How?

  • bala May 31, 2009, 8:42 am

    Hi, I am able to configure NTLM with squid. It works great.
    But I use DansGuardian for content filtering. With this setup (DG+Squid+NTLM), things work fine for a user logged in to the domain. But for a local user it does not fall back to the basic program and I get an access denied page (as unauthenticated users fall into filter group 1 in DG).
    Any help?

  • Avinash.Rao August 18, 2009, 2:49 pm

    Hi all,
    Ubuntu 8.04 Server 64-bit Edition/Samba 3.0.28a/Squid 2.6 stable18
    Samba is configured as PDC and I have WinXP clients logging in to the domain. I want to restrict these users from accessing the internet the whole day; I just want to give them access to the internet only during 6:00-8:00 PM every day. How can I achieve this?

    I read the documentation and have configured squid for NTLM and tested it, but below is the error I am getting when I restart squid.

    /etc/init.d/squid restart
    * Restarting Squid HTTP proxy squid
    2009/08/18 14:04:15| Invalid Proxy Auth ACL ‘acl
    AuthorizedUsers proxy_auth REQUIRED’ because no authentication schemes
    are fully configured.
    FATAL: Bungled squid.conf line 39: acl AuthorizedUsers proxy_auth REQUIRED
    Squid Cache (Version 2.6.STABLE1: Terminated abnormally.
    [fail]

    squid.conf
    visible_hostname sunbox
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    hosts_file /etc/hosts
    http_port 100.100.100.50:3128
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 631 # cups
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl Safe_ports port 993 # IMAP
    acl Safe_ports port 587 # SMTP
    acl Safe_ports port 22 # SSH
    acl purge method PURGE
    acl special_urls url_regex "/etc/squid/squid-noblock.acl"
    acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
    acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
    acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
    acl lan src 192.168.1.0 100.100.100.0/24
    acl stud ident_regex babu
    acl download method GET
    acl CONNECT method CONNECT
    acl AuthorizedUsers proxy_auth REQUIRED
    cache_mem 100 MB
    #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
    ident_lookup_access allow all
    http_access deny all
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access allow special_urls
    http_access deny extndeny download
    http_access deny extndeny
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny badurl
    http_access deny malware_block_list
    deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
    http_access allow localhost
    http_access allow lan
    http_reply_access allow all
    http_access allow AuthorizedUsers
    http_access deny all
    icp_access allow all
    coredump_dir /var/spool/squid

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
    auth_param ntlm use_ntlm_negotiate on

    # warning: basic authentication sends passwords plaintext
    # a network sniffer can and will discover passwords
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
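The abort quoted in the post above ("no authentication schemes are fully configured") is what Squid reports when it reaches an acl ... proxy_auth line before any auth_param line, since the file is parsed top to bottom. The fragment below is an added example, not the commenter's configuration: it shows that ordering together with the evening-only window the post asks for, using Squid's time ACL combined with the authentication ACL. It assumes the same /usr/bin/ntlm_auth path and the ACL names used in the post.

```conf
# auth_param lines come first, then the ACLs that depend on them
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

acl AuthorizedUsers proxy_auth REQUIRED
# Squid time ACL: day letters S M T W H F A (Sunday..Saturday), then HH:MM-HH:MM
acl evening time SMTWHFA 18:00-20:00

# http_access rules are evaluated in order and the first match wins, so these
# must sit before the final deny all, not after it.
http_access deny !AuthorizedUsers
http_access allow AuthorizedUsers evening
http_access deny all
```

Outside the window an authenticated user still gets a denied page rather than a 407 loop, because the first deny line only fires when authentication itself fails.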

  • Chris August 28, 2009, 6:01 pm

    Does anyone know if I will break this if I disable LM on my domain controllers and also possibly NTLMv1, so that NTLMv2 is the only thing on my network? We've had ntlm_auth running successfully on our network for 8-10 years and love it. But we need to ditch LM and probably NTLMv1. Thanks,
    Chris

  • Anonymous June 16, 2010, 6:25 pm

    Changing "WORKGROUP\Domain Users" to "workgroup+domain users" worked for me in the lines below:

    auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="WORKGROUP\Domain Users"

    auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="WORKGROUP\Domain Users"

  • Emmanuel December 26, 2014, 3:09 am

    Hello, I made it work on CentOS 7.

    I found that Active Directory groups performing authentication should be GLOBAL.

    Also, each time a group membership CHANGE is performed, on the squid machine
    winbind and squid MUST be restarted.
    I suspect winbind somehow caches the entries it gets, so after a change on the Domain Controller squid remains blind to that change.

    So perform
    service winbind restart
    service squid restart

    I leave a copy of my squid.conf

    #
    # Recommended minimum configuration:
    #
    visible_hostname testing
    dns_v4_first on
    tcp_outgoing_address 10.10.10.20
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    http_access allow localhost
    # And finally deny all other access to this proxy
    #http_access allow all
    # Squid normally listens to port 3128
    http_port 0.0.0.0:3128
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir diskd /var/spool/squid 100 16 256
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    # RAM assigned to keep in cache
    #cache_mem 128 MB
    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    # Authentication via NTLM with the Domain Controllers
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30
    # warning: basic authentication sends passwords plaintext
    # a network sniffer can and will discover passwords
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Autentication
    auth_param basic credentialsttl 2 hours
    external_acl_type wbinfo_check %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
    acl allowed_group external wbinfo_check test
    http_access allow allowed_group
    external_acl_type wbinfo_check %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
    acl allowed_group1 external wbinfo_check full
    http_access allow allowed_group1
    http_access deny all
    
  • Anil January 6, 2015, 11:40 am

    Hi !

    I am using email services from Google Apps for my company. We want to provide proxy server access to our users using their Gmail ID for authentication.
    Can somebody help? How can I do this using the IMAP authentication helper in squid, or any other method?
    Thanks in advance!
