Comments on: Squid NTLM authentication configuration using ntlm_auth

By: Anonymous

Anonymous — Wed, 16 Jun 2010 18:25:14 +0000

Changing “WORKGROUP\Domain Users” to “workgroup+domain users” worked for me in line below:

auth_param ntlm program /usr/lib/squid/ntlm_auth –helper-protocol=squid-2.5-ntlmssp –require-membership-of=”WORKGROUP\Domain Users”

auth_param basic program /usr/lib/squid/ntlm_auth –helper-protocol=squid-2.5-basic –require-membership-of=”WORKGROUP\Domain Users”

By: Chris

Chris — Fri, 28 Aug 2009 18:01:37 +0000

Does anyone know if I will break this if I disable LM on my domain controllers and also possible NTLM v1 so that NTLM V2 is the only thing on my network?We’ve had ntlm_auth running successfully on our network for 8-10 years and love it. But we need to ditch LM and probably NTLM v1. Thanks,
Chris

By: Avinash.Rao

Avinash.Rao — Tue, 18 Aug 2009 14:49:43 +0000

Hi all,
Ubuntu 8.04 Server 64-bit Edition/Samba 3.0.28a/Squid 2.6 stable18
Samba is configured as PDC and i have winxp clients logging to the domain. I want to restrict these users from accessing the internet the whole day, i just want to give them access to internet only during 6:00-8:00PM everyday. How can i achieve this?

I read the documentation and have configured squid for NTLM and tested.. but below is the error i am getting when i restart squid.

/etc/init.d/squid restart
* Restarting Squid HTTP proxy squid
2009/08/18 14:04:15| Invalid Proxy Auth ACL ‘acl
AuthorizedUsers proxy_auth REQUIRED’ because no authentication schemes
are fully configured.
FATAL: Bungled squid.conf line 39: acl AuthorizedUsers proxy_auth REQUIRED
Squid Cache (Version 2.6.STABLE1: Terminated abnormally.
[fail]

squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 100.100.100.50:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex “/etc/squid/squid-noblock.acl”
acl extndeny url_regex -i “/etc/squid/blocks.files.acl”
acl malware_block_list url_regex -i “/etc/squid/malware_block_list.txt”
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 100.100.100.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_reply_access allow all
http_access allow AuthorizedUsers
http_access deny all
icp_access allow all
coredump_dir /var/spool/squid

auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

By: bala

bala — Sun, 31 May 2009 08:42:40 +0000

Hi I am able to configure NTLM with squid.It works great.
But i use Dansguardian for content filtering.With this setup (DG+SQUID+NTLM) ,things works fine for a user logged in to the domain.But for a local user it does not fall back to the basic program and i get a access denied page (as unauthenticated user fall to filter group 1 in DG)
Any help

By: sameer kale

sameer kale — Sun, 05 Apr 2009 08:22:30 +0000

I want to authenticate the user by his username , password and MAC address.. Is it possible by ntlm_auth??? How?

By: James Johnston

James Johnston — Thu, 30 Oct 2008 04:54:34 +0000

To deal with winbind permissions problems:
(1) add proxy user to winbindd_priv group. (2) comment the “cache_effective_group” line in squid.conf so that secondary groups for the proxy user aren’t ignored.

Once I did that NTLM worked fine.

By: matu

matu — Wed, 13 Aug 2008 13:30:59 +0000

one more thing, on the above wiki page there is a ownership fix by using “cache_effective_group root” in squid,conf. It worked for me only after removing this line from squid.conf. so do not add it to squid.conf.

By: matu

matu — Wed, 13 Aug 2008 13:11:43 +0000

For squid 2.6, see the following Wiki page.
I was able to start squid only after configuring squid.conf as described there.
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM?highlig%20ht=%28ConfigExamples%29

By: newbie

newbie — Wed, 11 Jun 2008 13:15:09 +0000

i have two groups one group has only access to whitelist and another group have full access to internet. how can i setup squid to autorizate groups

By: samerk

samerk — Thu, 25 Oct 2007 13:35:09 +0000

thank you guys for this documentation it’s quite helpful when configuring Squid with NTLM.
However i have a couple of questions regarding clients that are not joined to the Active directory DC:

1- a NON-joined client using IE will have to log on using realm/username and passwd. Is there a way to make him authenticate with only his username and passwd ?
NB:It works fine with other browsers such as Firefox.

2- If you use IE with this NTLM auth (on an NON-joined pc) and select the ’save password’ checkbox the password gets stored in the registry as if it was for a network location. To delete the record you will have to run
“rundll32.exe keymgr.dll, KRShowKeyMgr”
This is causing real problems to users. Have you encountered this? and were you able to figure a way out?

Thanks again,
Samerk

By: deepak ray

deepak ray — Thu, 20 Sep 2007 06:28:56 +0000

Good work
and we have to share our experiences and idea

to all Linux worker

By: vivek

vivek — Wed, 12 Sep 2007 05:01:15 +0000

dark_harmonics,

The FAQ has been updated. I appreciate your feedback.

By: dark_harmonics

dark_harmonics — Tue, 11 Sep 2007 00:32:12 +0000

If you are getting error its because the author messed up his script. Check for where he substitues ntml instead of ntlm. Fix that and you are good to go!

By: jayaram

jayaram — Fri, 27 Jul 2007 11:09:49 +0000

How can l block one Active directory user to access internet through squid ( or blank password users)

By: nixcraft

nixcraft — Wed, 11 Apr 2007 18:20:02 +0000

Set correct path for /usr/lib/squid/ntml_auth file

By: Tapan Shah

Tapan Shah — Mon, 09 Apr 2007 09:30:34 +0000

I am getting an error while configuring this the error is

FATAL: authparam basic program /usr/bin/ntml_auth: (2) No such file or directory
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.007 seconds = 0.002 user + 0.005 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Aborted. so do reply me about this
Thank you.