
SQUID + FIREFOX + ACTIVE DIRECTORY

SQUID + FIREFOX + ACTIVE DIRECTORY

matlor
I have configured squid with winbind integrated in the active directory of a windows 2003 domain.
If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
I have also noticed that if I click on cancel twice, then I can see the internet page.... someone can help me?!?! thanks in advance


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Josh Haft
Firefox can't grab NTLM creds like IE does.




Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Robertson-2
In reply to this post by matlor
matlor wrote:
> I have configured squid with winbind integrated in the active directory of a
> windows 2003 domain.
> If I browse internet through IE 7 everything is ok, no user and password
> prompted, because of the common login. While, if I open Firefox (2 or 3
> version), it prompts for user and password.
> I have also noticed that if I click on cancel twice, then I can see the
> internet page.... someone can help me?!?! thanks in advance
>  

http://www.security-forums.com/viewtopic.php?t=33159

But it sounds like your ACLs are allowing non-authenticated access.  No
one can really help you with that without some more information (Squid
version and config file stripped of comments would be a good start).

Chris


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Guido Serassio
In reply to this post by Josh Haft
Hi,

At 14.00 28/10/2008, Josh Haft wrote:
>Firefox can't grab NTLM creds like IE does.

This is really a VERY wrong assertion.

Firefox supports all Squid authentication schema (Basic, Digest, NTLM
and Negotiate) starting from version 1.5, while this is true for
Internet Explorer starting from 7.0 version ....

Regards

Guido





-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1           10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [hidden email]
WWW: http://www.acmeconsulting.it/


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

matlor
How can I solve my problem?
What's wrong?
Do I have to post my squid.conf?

thanks


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Nighswonger
In reply to this post by matlor
On Tue, Oct 28, 2008 at 6:18 AM, matlor <[hidden email]> wrote:
>
> I have configured squid with winbind integrated in the active directory of a
> windows 2003 domain.
> If I browse internet through IE 7 everything is ok, no user and password
> prompted, because of the common login. While, if I open Firefox (2 or 3
> version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent
auth as IE does. Hence the prompting for username/password.
Furthermore, due to M$ having a broken implementation of NTLM, FF will
at times repeatedly prompt ad infinitum. There is an open bug on this
at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
action on it is understandably slow. You can mess with FF's NTLM
related settings under 'about:config' to gain some respite. You can
also run a basic auth that authenticates against NTLM which for some
reason seems to avoid the multi-prompt issue. Something like:

 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
 auth_param basic children 2
 auth_param basic realm somerealm
 auth_param basic credentialsttl 2 hours
 auth_param basic casesensitive off

Regards,
Chris

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

nairb rotsak
I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt?  I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox.




Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Nighswonger
On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <[hidden email]> wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt?  I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox


I'd be very interested in knowing what is different about your setup.
I have fought this problem for several years now.



Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Stefan Adams-3
On Wed, Oct 29, 2008 at 9:31 AM, Chris Nighswonger
<[hidden email]> wrote:
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <[hidden email]> wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt?  I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
>
> I'd be very interested in knowing what is different about your setup.
> I have fought this problem for several years now.

I second that and would welcome any configs you'd care to share!  :)


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Josh Haft
In reply to this post by Chris Nighswonger
Are you using any type of auth with your squid setup? I don't see it
mentioned in your post. I too would be interested in knowing how you
got integrated NTLM auth through firefox, if indeed you have.



Re: SQUID + FIREFOX + ACTIVE DIRECTORY

nairb rotsak
In reply to this post by Chris Nighswonger
Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost


We have a group policy do the IE browser, but with Firefox, we have to set
it manually.  Once it is set, there is no prompt... I use SARG to get
the results.. Been doing it for almost three years.. I would get
evangelical on people using iPrism/Barracuda/Websense.. but now I
figure I will just let them spend the money.. ;-)



Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Nighswonger
On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak <[hidden email]> wrote:
> http_access allow all NTLMUsers

Does the 'all' trump the 'NTLMUsers' acl here?

Chris







--
Christopher Nighswonger
Faculty Member
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Robertson-2
Chris Nighswonger wrote:
> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak <[hidden email]> wrote:
>  
>> http_access allow all NTLMUsers
>>    
>
> Does the 'all' trump the 'NTLMUsers' acl here?
>
> Chris

The "all" is redundant.  The "all" ACL will always match, so the test
next falls to checking the "NTLMUsers" ACL.  See
http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 
for more details.

Chris

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Amos Jeffries-2
Chris Robertson wrote:

> Chris Nighswonger wrote:
>> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak <[hidden email]> wrote:
>>  
>>> http_access allow all NTLMUsers
>>>    
>>
>> Does the 'all' trump the 'NTLMUsers' acl here?
>>
>> Chris
>
> The "all" is redundant.  The "all" ACL will always match, so the test
> next falls to checking the "NTLMUsers" ACL.  See
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 
> for more details.
>
> Chris

May have been trying the 'all' hack and got it backwards:

   http_access allow NTLMUsers all

Is to prevent squid requesting auth if the auth test fails.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Henrik Nordström
In reply to this post by nairb rotsak
On ons, 2008-10-29 at 14:16 -0700, nairb rotsak wrote:

> http_access allow all NTLMUsers
> http_access allow our_networks

The our_networks line can not be reached.

This should probably be

http_access allow our_networks NTLMUsers
http_access deny all


Regards
Henrik
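
The ordering points raised in the replies above (the redundant "all", the unreachable our_networks line, the 'all' hack, and the closing "deny all") can be checked mechanically. The linter below is an added example, not part of the thread and not Squid code; it models only the http_access behaviour described in these posts, and the function names and finding codes are hypothetical.

```python
# Added example: lint the order of Squid http_access rules.
# Model (taken from the replies in this thread, not from Squid's source):
#   * rules are tried top to bottom; ACLs on one line are tested left to right
#   * "all" always matches
#   * an allow rule ending in a proxy_auth ACL either allows the request or
#     answers with an authentication challenge, so nothing below it is tried
#   * "all" placed after the auth ACL stops Squid asking for auth on failure

# ACL section as posted in the thread (w2k3 / Ubuntu 6.06.1 setup).
POSTED = """\
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks
"""

# Ordering suggested later in the thread.
SUGGESTED = """\
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow our_networks NTLMUsers
http_access deny all
"""


def parse(conf):
    """Return ({acl name: acl type}, [(lineno, action, [acl names])])."""
    acl_types = {"all": "src"}  # built in, or "acl all src 0.0.0.0/0.0.0.0"
    rules = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acl_types.setdefault(tok[1], tok[2])
        elif tok[0] == "http_access" and len(tok) >= 3:
            rules.append((lineno, tok[1], tok[2:]))
    return acl_types, rules


def is_auth(name, acl_types):
    return acl_types.get(name) == "proxy_auth"


def ends_evaluation(action, acls, acl_types):
    """True if no request can get past this rule to the next one."""
    if any(a.startswith("!") for a in acls):
        return False
    if all(a == "all" for a in acls):
        return True  # unconditional allow/deny
    return (action == "allow"
            and all(a == "all" or is_auth(a, acl_types) for a in acls)
            and is_auth(acls[-1], acl_types))  # allow or challenge


def lint(conf):
    """Return a list of (lineno, code, message) findings."""
    acl_types, rules = parse(conf)
    findings, terminal = [], None
    for lineno, action, acls in rules:
        if terminal is not None:
            findings.append((lineno, "unreachable",
                             f"never evaluated: line {terminal} already "
                             "decides every request"))
            continue
        if "all" in acls[:-1]:
            findings.append((lineno, "redundant-all",
                             "'all' always matches; the test simply falls "
                             "through to the next ACL on the line"))
        if len(acls) > 1 and acls[-1] == "all" and is_auth(acls[-2], acl_types):
            findings.append((lineno, "all-hack",
                             "trailing 'all' suppresses the auth challenge "
                             "when the auth test fails"))
        if ends_evaluation(action, acls, acl_types):
            terminal = lineno
    if rules and (rules[-1][1], rules[-1][2]) != ("deny", ["all"]):
        findings.append((rules[-1][0], "no-final-deny",
                         "no explicit 'http_access deny all' at the end; the "
                         "fallback is the opposite of this last rule"))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name)
        for lineno, code, msg in lint(conf) or [("-", "ok", "no findings")]:
            print(f"  line {lineno}: {code}: {msg}")
```
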


Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chuck Kollars-2
In reply to this post by matlor
> > If I browse internet through IE 7 everything is ok, no user and
> > password prompted, because of the common login. While, if I open
> > Firefox (2 or 3  version), it prompts for user and password.

> Firefox can't grab NTLM creds like IE does.

Yep, as FireFox is not a Microsoft product and as it tries to be platform-agnostic, by default it doesn't handle Windows-specific functions such as automatically fetching NTLM credentials.

But it may be possible to get FireFox to behave the way you want anyway.

Type "about:config" in the FireFox address bar, then try changing the settings of one or both of:
network.automatic-ntlm-auth.allow-proxies true
network.automatic-ntlm-auth.trusted-uris http://<proxy-address>

-Chuck Kollars


     

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

matlor
In reply to this post by nairb rotsak
I have tried your configuration... but I have the same problem.
Squid version is 3.0.5.

Attached is one of my tested squid.conf files.
Only IE7 is working properly.

thanks in advance....




Re: SQUID + FIREFOX + ACTIVE DIRECTORY

nairb rotsak
I am actually flabbergasted at all the people saying this doesn't work.  I haven't tried Squid 3 yet.. so I can't comment on it.  The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today).  I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business.  As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something.  I would go into firefox, change the proxy setting, get the file, then put the proxy setting back.  THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years..  I know it is catching them, because it blocks files and I use SARG to report their activities..

But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy.  Just to make sure..



----- Original Message ----
From: matlor <[hidden email]>
To: [hidden email]
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY


I have tried your configuration... but I have the same problem.
squid version is 3.0.5

in attachment there is one of my tested squid.conf.
only IE7 is working properly

thanks in advance....




nairb rotsak wrote:

>
> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
> below is what I sent Chris:
>
> Below is for w2k3 AD and Ubuntu 6.06.1:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #auth_param ntlm use_ntlm_negotiate off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl NTLMUsers proxy_auth REQUIRED
> acl our_networks src 192.168.0.0/16
> http_access allow all NTLMUsers
> http_access allow our_networks
>
> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> acl our_networks src 192.168.0.0/16
> acl NTLMUsers proxy_auth REQUIRED
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NOINTERNET external ntgroup no-internet
> http_access deny NOINTERNET
> http_access allow all NTLMUsers
> http_access allow our_networks
> http_access allow localhost
>
>
> We have a group policy do the IE browser, but with Firefox, we have to set
> it manually.  Once it is set, there is no prompt... I use SARG to get
> the results.. Been doing it for almost three years.. I would get
> evangelical on people using iPrism/Barracuda/Websense.. but now I
> figure I will just let them spend the money.. ;-)
>
>
> ----- Original Message ----
> From: Chris Nighswonger <[hidden email]>
> To: nairb rotsak <[hidden email]>
> Cc: matlor <[hidden email]>; [hidden email]
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <[hidden email]> wrote:
>> I am totally confused by this statement?.. as I have 300 people using
>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>> one gets a user/pass prompt?  I am not using it as a transparent proxy,
>> it is listed in firefox under proxy settings (8080 because it goes to DG
>> first.. but I have tested just Squid at 3128 and it works as well).. and
>> I haven't touched anything else in firefox
>
>
> I'd be very interested in knowing what is different about your setup.
> I have fought this problem for several years now.
>
>
>>
>>
>>
>> ----- Original Message ----
>> From: Chris Nighswonger <[hidden email]>
>> To: matlor <[hidden email]>
>> Cc: [hidden email]
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor <[hidden email]> wrote:
>>>
>>> I have configured squid with winbind integrated in the active directory
>>> of a
>>> windows 2003 domain.
>>> If I browse internet trough IE 7 everething is ok, no user and password
>>> prompted, because of the common login. While, if I open Firefox (2 or 3
>>> version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent
>> auth as IE does. Hence the prompting for username/password.
>> Furthermore, due to M$ having a broken implementation of NTLM, FF will
>> at times repeatedly prompt ad infinitum. There is an open bug on this
>> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
>> action on it is understandably slow. You can mess with FF's NTLM
>> related settings under 'about:config' to gain some respite. You can
>> also run a basic auth that authenticates against NTLM which for some
>> reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
>>
>>
>>
>>
>>
>
>
>
>      
>
>
http://www.nabble.com/file/p20247889/squid.conf squid.conf

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Amos Jeffries-2
nairb rotsak wrote:
> I am actually flabbergasted at all the people saying this doesn't work.  I haven't tried Squid 3 yet.. so I can't comment on it.  The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today).  I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)
>
> When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business.  As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something.  I would go into firefox, change the proxy setting, get the file, then put the proxy setting back.  THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.
>
> I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years..  I know it is catching them, because it blocks files and I use SARG to report their activities..
>
> But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy.  Just to make sure..
>

Um, I'm not so sure the people having trouble are using the right helper.

There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and
Squid-2 releases that is incapable of doing full NTLM for modern windows
domains.

There is also something calling itself 'ntlm_auth' bundled with Samba,
which provides full working NTLM functionality.

We have fixed this mixup in 3.1, but please check the helper you are
using. Please prefer to use the one by Samba.

IE7 is more advanced than the earlier IE and seems to be actually capable
of proper negotiate auth. But can be expected to fail with the limits
imposed by Squid's 'ntlm_auth' thing.

Amos


--
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1
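
Added example, not part of the original thread and not Squid or Samba code: a small linter for the helper check recommended above, run over `auth_param` stanzas pasted from mail. The function names, the `/usr/lib/squid/ntlm_auth` path and the path heuristic are assumptions; the sample inputs are constructed from the snippets quoted in this thread.

```python
import re

# Protocol Samba's ntlm_auth must be told to speak for each Squid auth scheme
# (both values appear in the configurations quoted in this thread).
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}


def config_lines(text):
    """Yield directives from pasted text, minus mail quote markers and comments."""
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw.strip()).strip()
        if line and not line.startswith("#"):
            yield line


def lint_auth_helpers(text):
    """Return (scheme, problem) findings for the auth_param program lines."""
    findings = []
    for line in config_lines(text):
        words = line.split()
        if words[0].startswith("--"):
            # A wrapped option: Squid reads it as a separate, unknown directive.
            findings.append((None, "orphan option line: " + line))
            continue
        if len(words) < 4 or words[0] != "auth_param" or words[2] != "program":
            continue
        scheme, helper, args = words[1], words[3], words[4:]
        protocols = [a.split("=", 1)[1] for a in args
                     if a.startswith("--helper-protocol=")]
        if not protocols:
            findings.append((scheme, "no --helper-protocol on " + helper))
        elif scheme in EXPECTED_PROTOCOL and protocols[0] != EXPECTED_PROTOCOL[scheme]:
            findings.append((scheme, "protocol " + protocols[0] + " does not fit scheme"))
        if "/squid" in helper:
            # Assumption: Squid's own helpers sit in a directory such as
            # /usr/lib/squid/, so this is probably not Samba's binary.
            findings.append((scheme, "helper path is inside a Squid directory"))
    return findings


# Constructed samples based on the snippets quoted in the thread.
AS_POSTED = """\
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
"""
REJOINED = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
"""
# Hypothetical path and a protocol that belongs to the other scheme.
SWAPPED = "auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n"

if __name__ == "__main__":
    for name, sample in [("as posted", AS_POSTED), ("rejoined", REJOINED),
                         ("swapped", SWAPPED)]:
        print(name, lint_auth_helpers(sample))
```

A clean result only means the stanza is invoked the way Samba's helper expects; running the configured binary with `-V` confirms which package it actually comes from.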

Re: SQUID + FIREFOX + ACTIVE DIRECTORY

Chris Nighswonger
On Sat, Nov 1, 2008 at 12:37 AM, Amos Jeffries <[hidden email]> wrote:

> Um, I'm not so sure the people having trouble are using the right helper.
>
> There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and
> Squid-2 releases that is incapable of doing full NTLM for modern windows
> domains.
>
> There is also something calling itself 'ntlm_auth' bundled with Samba, which
> provides full working NTLM functionality.
>
> We have fixed this mixup in 3.1, but please check the helper you are using.
> Please prefer to use the one by Samba.

We're using the Samba flavor. To be exact

[root@masada1 ~]# /usr/bin/ntlm_auth -V
Version 3.0.23c-2

>
> IE7 is more advanced than the earlier IE and seems to be actually capable of
> proper negotiate auth. But can be expected to fail with the limits imposed by
> Squid's 'ntlm_auth' thing.

The issues we are having are with FF (see Mozilla bug referenced
earlier in this thread). IE7 works fine on computers which are domain
members.

I'd still love to know what Nairb's config has that makes it work.

Regards,
Chris
