[squid-users] NTLM and everyone has access

From: Van Bossche Koen <Koen.VanBossche@dont-contact.us>
Date: Thu, 4 Oct 2001 10:37:47 +0200

Hi all,

I just checked whether I could still access the internet with NTLM through the proxy after
removing myself from the group 'Internet Users' on my NT server.
And it seems I can access everything. What's wrong? I do not understand. I
thought NTLM was the strongest method of authentication, and nevertheless I
can access everything.
Can anyone please explain?

This is part of my squid.conf:

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# squidGuard is used as the URL redirector/filter, run as a pool of 8 helpers.
# NOTE(review): the redirect_program line below looks mail-wrapped; in the
# deployed file this is presumably a single line — confirm.
redirect_program /opt/squidGuard/bin/squidGuard -c
/etc/squidguard/squidguard.conf
redirect_children 8
# NTLM authentication helper. The arguments after the helper path look like
# DOMAIN\server entries the helper contacts for validation — confirm against
# the helper's documentation. This line also appears mail-wrapped here.
auth_param ntlm program /opt/squid/libexec/squid/ntlm_auth KONE.COM\kcoeq01
KONE.COM\kco
be6 KONE.COM\kcobe6a
auth_param ntlm children 8
# Challenge handling: a challenge is never reused and expires after 2 minutes.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# KONE Modification: Authenticate from KONE.COM
# Earlier (now disabled) basic-auth setup via smb_auth, kept for reference.
#authenticate_program /opt/squid/libexec/squid/smb_auth -W KONE.COM
#authenticate_children 8
#authenticate_ttl 36000
#proxy_auth_realm KONE Europe Parent WWW Proxy2

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# SNMP read community; only usable together with the localhost ACL below.
acl snmppublic snmp_community public
acl SSL_ports port 443 563
acl Safe_ports port 80 81 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Destination ACLs that are exempted from authentication further down.
# NOTE(review): 'kone.com' and 'montgomery-kone.com' have no leading dot, so
# they presumably match only those exact hostnames, whereas '.mkone.com' also
# matches subdomains — confirm this is the intended scope for each.
acl konecom dstdomain kone.com
acl koneip dst 138.249.0.0/255.255.0.0
acl mkonecom dstdomain montgomery-kone.com
acl intranet-KUS dstdomain .mkone.com
acl telefinder dstdomain tm.tele.fi
# NOTE(review): proxy_auth REQUIRED is satisfied by ANY user the ntlm_auth
# helper accepts; it only checks that the credentials are valid. Nothing in
# this file references the 'Internet Users' group, so group membership is
# never consulted here. Restricting by group needs a separate group-check ACL
# or a helper that enforces membership itself — confirm what ntlm_auth does.
acl internetacl proxy_auth REQUIRED

# http_access rules are evaluated top-down; the first matching line decides.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow everybody to certain sites
# These allows precede the proxy_auth ACL, so requests to these destinations
# are never challenged for credentials and carry no username in the logs.
http_access allow mkonecom
http_access allow intranet-KUS
http_access allow konecom
http_access allow koneip
http_access allow telefinder

# This forces the authentication upon everything that is not allowed earlier
# (any authenticated user is allowed; anything unauthenticated falls to deny all)
http_access allow internetacl
http_access deny all

# NOTE(review): ICP queries and cache-miss fetches are open to any source;
# tighten these if the proxy is reachable beyond the intended client networks.
icp_access allow all
miss_access allow all

# MISCELLANEOUS
# -----------------------------------------------------------------------------
logfile_rotate 1
query_icmp off
reload_into_ims off
# Requests to the KONE address range (koneip) bypass any parent proxy.
always_direct allow koneip
#never_direct allow all

# SNMP on port 3401; the 'public' community is accepted from localhost only
# (both ACLs on one line must match), everything else is denied.
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access deny all

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------
#delay_pools 0
cache_mgr proxy@kone.com
visible_hostname kcoeuproxy2.nt.kone.com
uri_whitespace strip

Koen Van Bossche

KONE International SA
KCO Telecom
Ave E. Van Nieuwenhuyse, 6
B - 1160 Brussels, Belgium
Tel : +32 (0)2 676.93.81
Fax : +32 (0)2 676.93.91
