Squid NTLM authentication configuration using ntlm_auth
Q. How do I configure squid for NTLM authentication?
A. You need to use squid ntlm_auth helper tool. It o allow external access to Winbind's NTLM authentication function. ntlm_auth uses winbind to access the user and authentication data for a domain.
Make sure winbindd is working
winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitary applications via PAM and ntlm_auth and to Samba itself. If you are not sure about winbindd, refer to official Samba documentation for configuration.
Configure squid for NTLM authentication
Open squid configuration file - squid.conf, enter:
# vi squid.conf
Append following configuration directive:
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
To setup ntlm_auth for use by squid 2.5 with group limitation, add:
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="WORKGROUP\Domain Users"
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="WORKGROUP\Domain Users"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
OR You can also pass DOMAIN/PDC name:
auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAINNAME/PDC
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
Now add ACL configuration for ntlm_auth helper
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all
Save and close the file. Restart Squid:
# /etc/init.d/squid restart
For more information:
- Read ntlm_auth man page
- Samba winbindd - Use of Domain Accounts
Updated for accuracy.
Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
Related Linux / UNIX FAQ:
- How to: Linux / UNIX setup Squid Proxy authentication
- Squid proxy authentication in transparent mode
- Squid Proxy Server Mac Address based filtering
- Squid proxy How to filter or block a particular port
- Squid deny users accessing a website
Discussion on This FAQ
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Please do not use the comment form to ask for help / question. Ask your question on the excellent Linux tech support forum. Thank you very much for stopping by our site!
Tags: configuration_file, daemon, ntlm_authentication, pam, squid-conf_file, squid_authentication, squid_configuration, squid_ntlm ~ Last updated on: September 12, 2007
April 9th, 2007 at 9:30 am
I am getting an error while configuring this the error is
FATAL: authparam basic program /usr/bin/ntml_auth: (2) No such file or directory
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.007 seconds = 0.002 user + 0.005 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Aborted. so do reply me about this
Thank you.
April 11th, 2007 at 6:20 pm
Set correct path for /usr/lib/squid/ntml_auth file
July 27th, 2007 at 11:09 am
How can l block one Active directory user to access internet through squid ( or blank password users)
September 11th, 2007 at 12:32 am
If you are getting error its because the author messed up his script. Check for where he substitues ntml instead of ntlm. Fix that and you are good to go!
September 12th, 2007 at 5:01 am
dark_harmonics,
The FAQ has been updated. I appreciate your feedback.
September 20th, 2007 at 6:28 am
Good work
and we have to share our experiences and idea
to all Linux worker
October 25th, 2007 at 1:35 pm
thank you guys for this documentation it’s quite helpful when configuring Squid with NTLM.
However i have a couple of questions regarding clients that are not joined to the Active directory DC:
1- a NON-joined client using IE will have to log on using realm/username and passwd. Is there a way to make him authenticate with only his username and passwd ?
NB:It works fine with other browsers such as Firefox.
2- If you use IE with this NTLM auth (on an NON-joined pc) and select the ’save password’ checkbox the password gets stored in the registry as if it was for a network location. To delete the record you will have to run
“rundll32.exe keymgr.dll, KRShowKeyMgr”
This is causing real problems to users. Have you encountered this? and were you able to figure a way out?
Thanks again,
Samerk