Re: [squid-users] SQUID configure with NTLM prompts users password window

From: Tanveer Chowdhury <tanveer.chowdhury_at_gmail.com>
Date: Sun, 12 Oct 2008 08:57:01 +0600

Hi, Thanks for your reply.
I will definitely give it a try today and let you all know.

On Thu, Oct 9, 2008 at 5:26 AM, Jeff Gerard <mysubscriptions_at_shaw.ca> wrote:
> In IE internet options/security, try resetting "Local Intranet" to default
> settings. There is also an option at the bottom of those custom settings
> regarding username/passwords. I don't have IE in front of me at the moment
> so can't say exactly what it says but give the default settings a try. I
> have had similar issues with Bluecoat and kerberos authentication.
>
> HTH...
>
> On Tuesday 07 October 2008 23:11:48 Tanveer Chowdhury wrote:
>> Hi all,
>>
>> I have setup NTLM authentication with squid-2.6.STABLE20, samba-3.0.10
>> and winbind. My purpose is to find the username in both squid and DG
>> access log which I am getting fine. But the problem is sometimes, not
>> frequently, IE prompts a pop-up window for authentication and if not
>> given, i.e., pressed cancel, then it gives a message like "Cache access
>> denied". But if you then press the Refresh button then it loads again
>> fine.
>>
>> But if you provide the username and password at the login prompt it
>> also works though. My question is how to STOP this password prompting
>> pop up window.
>>
>> Below is the output of /var/log/squid/cache.log when the password window
>> prompts
>>
>> [2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
>> Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind reply failed!]
>> 2008/09/29 13:39:11| The request GET http://search.live.com/LS/GLinkPing.aspx?/_1_9SE......
>>
>> Below is my NTLM part of squid.conf file
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> .....
>> .......
>> acl manager proto cache_object
>> acl authenticated_users proxy_auth REQUIRED
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>>
>> ...
>> .....
>> #Recommended minimum configuration:
>> #
>> # Only allow cachemgr access from localhost
>>
>> ##http_access deny !Safe_ports
>> http_access allow manager localhost
>> http_access deny manager
>> # Deny requests to unknown ports
>> #http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow authenticated_users
>>
>> # cat /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns wins
>> networks: files dns
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>>
>> # cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DOMAIN.COM
>>
>> [realms]
>> DOMAIN.COM = {
>> default_domain = DOMAIN.COM
>> kdc = abc.domain.com
>> kdc = efg.domain.com
>> kdc = xx.xx.xx.xx
>> kdc = xx.xx.xx.xx
>> }
>>
>> [domain_realm]
>> .kerberos.server = DOMAIN.COM
>
>
>
> --
>
> Jeff Gerard
>
Received on Sun Oct 12 2008 - 02:57:05 MDT
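
A log triage script for the cache.log symptom described in the thread, added here as an example and not part of the original messages: it extracts each ntlm_auth `winbind_pw_check` failure and counts them by reason, client and minute, so entries such as "Reading winbind reply failed!" can be lined up with the times the prompt appeared. The sample input is constructed, and the regular expression assumes the two-line layout shown in the quoted excerpt.

```python
import re
from collections import Counter

# Samba debug header plus the ntlm_auth failure message, in the layout of the
# cache.log excerpt quoted in the thread. \s+ tolerates wrapped lines.
FAILURE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+"
    r"utils/ntlm_auth\.c:winbind_pw_check\(\d+\)\s+"
    r"Login for user \[(?P<domain>[^\]]*)\]\[(?P<user>[^\]]*)\]"
    r"@\[(?P<host>[^\]]*)\]\s+failed due to\s+\[(?P<reason>[^\]]*)\]"
)

# Constructed sample input: the first entry copies the excerpt in the thread;
# the later timestamps, user2, PC07, the second reason and the URL are made up.
SAMPLE = """\
[2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind
reply failed!]
2008/09/29 13:39:11| The request GET http://example.invalid/...
[2008/09/29 13:39:48, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind reply failed!]
[2008/09/29 14:02:05, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ][user2]@[PC07] failed due to [constructed other reason]
"""

def parse_failures(log_text):
    """Return one dict per ntlm_auth login failure found in log_text."""
    records = []
    for match in FAILURE.finditer(log_text):
        rec = match.groupdict()
        rec["reason"] = " ".join(rec["reason"].split())  # undo line wrapping
        records.append(rec)
    return records

def tally(records):
    """Count failures by reason, by (user, workstation) and by minute."""
    by_reason = Counter(r["reason"] for r in records)
    by_client = Counter((r["user"], r["host"]) for r in records)
    by_minute = Counter(r["ts"][:16] for r in records)
    return by_reason, by_client, by_minute

if __name__ == "__main__":
    by_reason, by_client, by_minute = tally(parse_failures(SAMPLE))
    for name, counter in (("reason", by_reason), ("client", by_client),
                          ("minute", by_minute)):
        for key, count in counter.most_common():
            print(f"{name:7} {count:3}  {key}")
```
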

This archive was generated by hypermail 2.2.0 : Tue Oct 14 2008 - 12:00:03 MDT