Squid proxy - NTLM auth

oldBastard

Ello peeps.

I have an ubuntu 9.04 server running as the proxy server. It is hooked on the domain. Testing wbinfo -u & wbinfo -g I get all the domain users & groups fine. Currently everybody can access the internet through the proxy.

Now management want only certain groups/users to access all internet sites and the rest only specific sites.

I have never done NTLM auth. I have read on the internet on it but cannot find anything useful. So my questions are:

1. How to NTLM auth?
2. After setting up NTLM auth, get certain domain groups & users to access all sites, obviously using ACLs. (ACLs have been created; I just need to create the rules on domain groups and users through NTLM auth.)

Would be great to use webmin, but happy to vi
 
NTLM auth works fine. I must mention that I use URL Filter to block certain sites etc, and haven't taken a look at ACL's so far as Advanced Proxy and URL Filter works fine for me.

A couple of questions - do you use dynamic or static passwords for your users? Dynamic passwords are a great security feature, because the users are forced to change their passwords at regular intervals - HOWEVER - if you use Active Domain then, when a password change is enforced and the NTLM auth mechanism doesn't refresh the cached password, it results in a locked-out account. (I've found that a reboot of the PC after the password change has more success at getting it enforced.)

Static passwords won't have this problem, unless the user changes his/her password.

Now, that being said and done, you can have a look at Advanced Proxy - it supports NTLM authentication.

It is for Smoothwall and IPCop, but since it is Open Source, you can adapt it easily to your Linux distro.

Good luck with that ;) :)
 
Do some googling on squid and winbind. Should point you at the configs you need for squid to talk to AD. There are a few key steps with winbind.
1) Configure Samba and join the machine to the domain
2) Configure squid to use the winbind auth helper to authenticate users.

I generally find that the stale password or users-that-have-moved-to-different-groups issue is solved with a refresh of squid's running config.
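As an added example (not posted by anyone in this thread), here is the squid.conf fragment that step 2 above amounts to on an Ubuntu box of that era. It assumes Squid 2.7 with Samba's ntlm_auth at /usr/bin/ntlm_auth, the wbinfo_group.pl helper shipped with squid at /usr/lib/squid/wbinfo_group.pl, an AD group called InternetFull for the "all sites" users, and an allow-list at /etc/squid/allowed_sites.txt for everyone else; all of those names and paths are assumptions to adjust.

```conf
# NTLM via Samba's ntlm_auth (winbindd must be running and the box joined,
# which wbinfo -u / wbinfo -g working already confirms).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic-auth fallback for clients that cannot do NTLM. Basic sends the
# password base64-encoded on the wire, so only keep this if such clients
# actually exist on the LAN.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# Group lookup helper: passes the authenticated login name (%LOGIN) to
# winbind and answers OK/ERR for the group named in the acl line below.
# ttl is how long a membership answer is cached; shorten it if users who
# were moved between groups keep getting the old answer (the stale-group
# issue mentioned above) instead of reloading squid each time.
external_acl_type ad_group ttl=900 negative_ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authenticated proxy_auth REQUIRED
acl full_internet external ad_group InternetFull
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Order matters: challenge for credentials first, then grant the full-access
# group, then the allow-list for everyone else, then deny the rest.
http_access deny !authenticated
http_access allow full_internet
http_access allow authenticated allowed_sites
http_access deny all
```

One check before going live: squid runs as user proxy on Ubuntu, and ntlm_auth needs to read winbindd's privileged pipe, so add that user to the winbindd_priv group (usermod -a -G winbindd_priv proxy) and restart squid, otherwise every NTLM handshake fails even though wbinfo works as root.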
 
Do some googling on squid and winbind. Should point you at the configs you need for squid to talk to AD. There are a few key steps with winbind.
1) Configure Samba and join the machine to the domain
Like I said, the server is hooked on the w2k3 domain.
2) Configure squid to use the winbind auth helper to authenticate users.
My stumbling block.

I generally find that the stale password or users-that-have-moved-to-different-groups issue is solved with a refresh of squid's running config.

Coming back to point 2. I need to set it up so that the people who will run it can have a nice web interface and so forth to edit/add or change things.
 
Is the linux box running dansguardian, or how are you managing the site filtering? You are gonna need to set up filter groups afaik.
 
If you have an Active Directory domain, why not use ldap authentication rather than NTLM?
 
If you have an Active Directory domain, why not use ldap authentication rather than NTLM?

My view also. It's a one-liner in squid.conf that tells squid how to authenticate against active directory. You'll need an account with administrator username/password to retrieve the list of users.
 