Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Sat, Nov 1, 2008 at 12:37 AM, Amos Jeffries [EMAIL PROTECTED] wrote:
> Um, I'm not so sure the people having trouble are using the right helper.
> There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and Squid-2 releases that is incapable of doing full NTLM for modern windows domains.
> There is also something calling itself 'ntlm_auth' bundled with Samba, which provides full working NTLM functionality.
> We have fixed this mixup in 3.1, but please check the helper you are using. Please prefer to use the one by Samba.

We're using the Samba flavor. To be exact

[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth -V
Version 3.0.23c-2

> IE7 is more advanced than the earlier IE and seems to be actually capable of proper negotiate auth. But can be expected to fail with the limits imposed by Squid's 'ntlm_auth' thing.

The issues we are having are with FF (see Mozilla bug referenced earlier in this thread). IE7 works fine on computers which are domain members.

I'd still love to know what Nairb's config has that makes it work.

Regards,
Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
If there is anything else I can post, please let me know.. I never even knew this was an issue.. The one client I started with a couple of years ago loves it, but they never would have let me go forward if some people had to log in and others didn't (half the users are on a TS farm.. and they all get IE).. so I can see how this would be an issue.

----- Original Message -----
From: Chris Nighswonger [EMAIL PROTECTED]
To: Amos Jeffries [EMAIL PROTECTED]
Cc: nairb rotsak [EMAIL PROTECTED]; matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Saturday, November 1, 2008 4:47:24 PM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Sat, Nov 1, 2008 at 12:37 AM, Amos Jeffries [EMAIL PROTECTED] wrote:
> Um, I'm not so sure the people having trouble are using the right helper.
> There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and Squid-2 releases that is incapable of doing full NTLM for modern windows domains.
> There is also something calling itself 'ntlm_auth' bundled with Samba, which provides full working NTLM functionality.
> We have fixed this mixup in 3.1, but please check the helper you are using. Please prefer to use the one by Samba.

We're using the Samba flavor. To be exact

[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth -V
Version 3.0.23c-2

> IE7 is more advanced than the earlier IE and seems to be actually capable of proper negotiate auth. But can be expected to fail with the limits imposed by Squid's 'ntlm_auth' thing.

The issues we are having are with FF (see Mozilla bug referenced earlier in this thread). IE7 works fine on computers which are domain members.

I'd still love to know what Nairb's config has that makes it work.

Regards,
Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
nairb rotsak wrote:
> I am actually flabbergasted at all the people saying this doesn't work. I haven't tried Squid 3 yet.. so I can't comment on it. The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today). I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)
>
> When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business. As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something. I would go into firefox, change the proxy setting, get the file, then put the proxy setting back. THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.
>
> I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years.. I know it is catching them, because it blocks files and I use SARG to report their activities.. But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy. Just to make sure..

Um, I'm not so sure the people having trouble are using the right helper.
There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and Squid-2 releases that is incapable of doing full NTLM for modern windows domains.
There is also something calling itself 'ntlm_auth' bundled with Samba, which provides full working NTLM functionality.
We have fixed this mixup in 3.1, but please check the helper you are using. Please prefer to use the one by Samba.

IE7 is more advanced than the earlier IE and seems to be actually capable of proper negotiate auth. But can be expected to fail with the limits imposed by Squid's 'ntlm_auth' thing.

Amos
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
I have tried your configuration... but I have the same problem.
squid version is 3.0.5
in attachment there is one of my tested squid.conf.
only IE7 is working properly
thanks in advance

nairb rotsak wrote:
> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below is what I sent Chris:
>
> Below is for w2k3 AD and Ubuntu 6.06.1:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #auth_param ntlm use_ntlm_negotiate off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl NTLMUsers proxy_auth REQUIRED
> acl our_networks src 192.168.0.0/16
> http_access allow all NTLMUsers
> http_access allow our_networks
>
> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> acl our_networks src 192.168.0.0/16
> acl NTLMUsers proxy_auth REQUIRED
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NOINTERNET external ntgroup no-internet
> http_access deny NOINTERNET
> http_access allow all NTLMUsers
> http_access allow our_networks
> http_access allow localhost
>
> We have a group policy do the IE browser, but with Firefox, we have to set it manually. Once it is set, there is no prompt...
>
> I use SARG to get the results.. Been doing it for almost three years.. I would get evangelical on people using iPrism/Barracuda/Websense.. but now I figure I will just let them spend the money.. ;-)
>
> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: nairb rotsak [EMAIL PROTECTED]
> Cc: matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> > I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

http://www.nabble.com/file/p20247889/squid.conf squid.conf

--
View this message in context: http://www.nabble.com/SQUID-%2B-FIREFOX-%2B-ACTIVE-DIRECTORY-tp20204501p20247889.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
I am actually flabbergasted at all the people saying this doesn't work. I haven't tried Squid 3 yet.. so I can't comment on it. The squid that comes with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 (again, just going from what I remember.. I am not at that client today). I never compiled anything (just apt-get install squid).. and I never set anything in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into FF, but when I am on a pc that is joined to the domain, I just open FF and go about my business. As a matter of fact, I block a bunch of extensions.. and sometimes I would forget I was going through it, until I tried to download something. I would go into firefox, change the proxy setting, get the file, then put the proxy setting back. THEN I would have to authenticate.. unless I shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same way over the last 2 or 3 years.. I know it is catching them, because it blocks files and I use SARG to report their activities.. But now I am spooked (I just moved this customer into a new building.. and it is all W2k8 servers), so I am installing FF onto my new servers over there and pointing FF at our new proxy. Just to make sure..

----- Original Message -----
From: matlor [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

I have tried your configuration... but I have the same problem.
squid version is 3.0.5
in attachment there is one of my tested squid.conf.
only IE7 is working properly
thanks in advance
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Hi,

At 14.00 28/10/2008, Josh Haft wrote:
> Firefox can't grab NTLM creds like IE does.

This is really a VERY wrong assertion.

Firefox supports all Squid authentication schema (Basic, Digest, NTLM and Negotiate) starting from version 1.5, while this is true for Internet Explorer starting from 7.0 version

Regards

Guido

> On 10/28/08, matlor [EMAIL PROTECTED] wrote:
> > I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password. I have also noticed that if I click on cancel twice, then I can see the internet page
> >
> > someone can help me?!?!
> >
> > thanks in advance

-
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
How can I solve my problem? what's wrong? Have I to post my squid.conf?

thanks

Guido Serassio wrote:
> Hi,
>
> At 14.00 28/10/2008, Josh Haft wrote:
> > Firefox can't grab NTLM creds like IE does.
>
> This is really a VERY wrong assertion.
>
> Firefox supports all Squid authentication schema (Basic, Digest, NTLM and Negotiate) starting from version 1.5, while this is true for Internet Explorer starting from 7.0 version
>
> Regards
>
> Guido

--
View this message in context: http://www.nabble.com/SQUID-%2B-FIREFOX-%2B-ACTIVE-DIRECTORY-tp20204501p20226556.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.

Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow.

You can mess with FF's NTLM related settings under 'about:config' to gain some respite.

You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm somerealm
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Regards,
Chris
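Added example, not part of the original thread and not code from the Squid or Samba projects: a small Python check over the auth lines of a squid.conf, covering the two points raised in this thread (which 'ntlm_auth' the ntlm scheme really runs, and the basic-scheme fallback suggested above). The finding names, the CONSTRUCTED_WEAK sample and its /usr/lib/squid/ntlm_auth path are assumptions made for the example, and treating a missing --helper-protocol as a sign of the non-Samba helper is a heuristic drawn from the invocations quoted in the thread.

```python
"""Audit the authentication lines of a squid.conf (added example)."""

# Helper protocol the thread uses for each scheme with Samba's ntlm_auth.
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}

# From the thread: the w2k8 / Ubuntu 8.04.1 setup (tuning lines left out).
THREAD_W2K8 = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost
"""

# From the thread: the w2k3 / Ubuntu 6.06.1 setup (tuning lines left out).
THREAD_W2K3 = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks
"""

# Constructed for this example, not from the thread.
CONSTRUCTED_WEAK = """\
auth_param ntlm program /usr/lib/squid/ntlm_auth
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
http_access allow our_networks
http_access allow NTLMUsers
http_access deny all
"""


def parse_squid_conf(text):
    """Return (scheme -> helper argv, ACLs needing a login, http_access rules)."""
    helpers, login_types, auth_acls, access = {}, set(), set(), []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "auth_param" and len(tok) >= 4 and tok[2] == "program":
            helpers[tok[1]] = tok[3:]
        elif tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_types.add(tok[1])  # external helper that is fed the username
        elif tok[0] == "acl" and len(tok) >= 4 and (
                tok[2] == "proxy_auth"
                or (tok[2] == "external" and tok[3] in login_types)):
            auth_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) >= 3:
            access.append((tok[1], [a.lstrip("!") for a in tok[2:]]))
    return helpers, auth_acls, access


def audit(text):
    """Return findings as (subject, code, explanation) tuples."""
    helpers, auth_acls, access = parse_squid_conf(text)
    findings = []
    for scheme, argv in helpers.items():
        want = EXPECTED_PROTOCOL.get(scheme)
        if want is None:
            continue  # digest/negotiate helpers are outside this example
        protos = [a.split("=", 1)[1] for a in argv[1:]
                  if a.startswith("--helper-protocol=")]
        if not protos:
            # Heuristic: every Samba invocation in the thread carries the flag.
            findings.append((scheme, "no-helper-protocol",
                             f"{argv[0]} may not be Samba's ntlm_auth"))
        elif protos[-1] != want:
            findings.append((scheme, "protocol-mismatch",
                             f"{protos[-1]} given, {want} expected"))
        if scheme == "basic":
            findings.append((scheme, "cleartext-credentials",
                             "password reaches the proxy base64-encoded only"))
    if helpers and not auth_acls:
        findings.append(("acl", "auth-never-required",
                         "no proxy_auth ACL, so the helpers are never used"))
    for action, acls in access if auth_acls else []:
        if auth_acls.intersection(acls):
            break  # first rule that needs a login; stop looking
        if action == "allow":
            findings.append(("http_access", "allow-before-auth",
                             f"'{' '.join(acls)}' is allowed without a login"))
    return findings


def codes(text):
    """Just the finding codes, in the order audit() reports them."""
    return [code for _, code, _ in audit(text)]


if __name__ == "__main__":
    for name in ("THREAD_W2K8", "THREAD_W2K3", "CONSTRUCTED_WEAK"):
        print(name, codes(globals()[name]))
```

The basic scheme is reported even when its helper line is correct, because the workaround trades the repeated prompt for the domain password travelling to the proxy in a form anyone on that network path can decode.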
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox.

----- Original Message -----
From: Chris Nighswonger [EMAIL PROTECTED]
To: matlor [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 8:48:39 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password.

Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but action on it is understandably slow.

You can mess with FF's NTLM related settings under 'about:config' to gain some respite.

You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm somerealm
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Regards,
Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 9:31 AM, Chris Nighswonger [EMAIL PROTECTED] wrote:
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> > I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

I second that and would welcome any configs you'd care to share! :)
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Are you using any type of auth with your squid setup? I don't see it mentioned in your post. I too would be interested in knowing how you got integrated NTLM auth through firefox, if indeed you have.

On Wed, Oct 29, 2008 at 9:31 AM, Chris Nighswonger [EMAIL PROTECTED] wrote:
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.
>
>> ----- Original Message -----
>> From: Chris Nighswonger [EMAIL PROTECTED]
>> To: matlor [EMAIL PROTECTED]
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password. Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=318253), but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>>
>> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost

We have a group policy do the IE browser, but with Firefox, we have to set it manually. Once it is set, there is no prompt... I use SARG to get the results.. Been doing it for almost three years.. I would get evangelical on people using iPrism/Barracuda/Websense.. but now I figure I will just let them spend the money.. ;-)

----- Original Message -----
From: Chris Nighswonger [EMAIL PROTECTED]
To: nairb rotsak [EMAIL PROTECTED]
Cc: matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 9:31:32 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox

I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.

> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: matlor [EMAIL PROTECTED]
> Cc: squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 8:48:39 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password. Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=318253), but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>
> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm somerealm
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Regards,
> Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
> http_access allow all NTLMUsers

Does the 'all' trump the 'NTLMUsers' acl here?

Chris

> ----- Original Message -----
> From: Chris Nighswonger [EMAIL PROTECTED]
> To: nairb rotsak [EMAIL PROTECTED]
> Cc: matlor [EMAIL PROTECTED]; squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak [EMAIL PROTECTED] wrote:
>> I am totally confused by this statement?.. as I have 300 people using firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a user/pass prompt? I am not using it as a transparent proxy, it is listed in firefox under proxy settings (8080 because it goes to DG first.. but I have tested just Squid at 3128 and it works as well).. and I haven't touched anything else in firefox
>
> I'd be very interested in knowing what is different about your setup. I have fought this problem for several years now.
>
>> ----- Original Message -----
>> From: Chris Nighswonger [EMAIL PROTECTED]
>> To: matlor [EMAIL PROTECTED]
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>> On Tue, Oct 28, 2008 at 6:18 AM, matlor [EMAIL PROTECTED] wrote:
>>> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>>
>> One other note: While FF does support NTLM, it does not do transparent auth as IE does. Hence the prompting for username/password. Furthermore, due to M$ having a broken implementation of NTLM, FF will at times repeatedly prompt ad infinitum. There is an open bug on this at Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=318253), but action on it is understandably slow. You can mess with FF's NTLM related settings under 'about:config' to gain some respite.
>>
>> You can also run a basic auth that authenticates against NTLM which for some reason seems to avoid the multi-prompt issue. Something like:
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 2
>> auth_param basic realm somerealm
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>> Regards,
>> Chris

--
Christopher Nighswonger
Faculty Member
Network Systems Director
Foundations Bible College Seminary
www.foundations.edu
www.fbcradio.org
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Chris Nighswonger wrote:
> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
>> http_access allow all NTLMUsers
>
> Does the 'all' trump the 'NTLMUsers' acl here?
>
> Chris

The all is redundant. The all ACL will always match, so the test next falls to checking the NTLMUsers ACL. See http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 for more details.

Chris
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Chris Robertson wrote:
> Chris Nighswonger wrote:
>> On Wed, Oct 29, 2008 at 5:16 PM, nairb rotsak [EMAIL PROTECTED] wrote:
>>> http_access allow all NTLMUsers
>>
>> Does the 'all' trump the 'NTLMUsers' acl here?
>>
>> Chris
>
> The all is redundant. The all ACL will always match, so the test next falls to checking the NTLMUsers ACL. See http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-af2c190759b099a7986221cd12a4066eb146a1c4 for more details.
>
> Chris

May have been trying the 'all' hack and got it backwards:

http_access allow NTLMUsers all

Is to prevent squid requesting auth if the auth test fails.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.1
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
On ons, 2008-10-29 at 14:16 -0700, nairb rotsak wrote:
> http_access allow all NTLMUsers
> http_access allow our_networks

The our_networks line can not be reached. This should probably be

http_access allow our_networks NTLMUsers
http_access deny all

Regards
Henrik
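The rule-ordering points raised in the replies above (the redundant 'all' and the our_networks line that cannot be reached), as an added example that is not part of the thread: a simplified Python model of http_access evaluation, not Squid's own code. It assumes rules are tried top to bottom, ACLs on one line are ANDed left to right, and a proxy_auth REQUIRED ACL reached without valid credentials ends the check with a 407 challenge; the function names and sample requests are constructed.

```python
import ipaddress

# Simplified model (assumption, not Squid source): first matching line wins,
# ACLs on a line are ANDed, and reaching proxy_auth REQUIRED without valid
# credentials stops evaluation with a 407 challenge.
OUR_NETWORKS = ipaddress.ip_network("192.168.0.0/16")  # from the posted config
CHALLENGE = "challenge"

def acl_matches(name, req):
    if name == "all":
        return True
    if name == "our_networks":
        return ipaddress.ip_address(req["src"]) in OUR_NETWORKS
    if name == "NTLMUsers":  # acl NTLMUsers proxy_auth REQUIRED
        return True if req["authenticated"] else CHALLENGE
    raise ValueError("unknown ACL: " + name)

def evaluate(rules, req):
    """Return (verdict, index of the deciding http_access line or None)."""
    for index, (action, acls) in enumerate(rules):
        for name in acls:
            result = acl_matches(name, req)
            if result == CHALLENGE:
                return ("407 challenge", index)
            if not result:
                break  # this line does not match, try the next one
        else:
            return (action, index)
    # No line matched: the opposite of the last line's action applies.
    return ("deny" if rules[-1][0] == "allow" else "allow", None)

def reachable_lines(rules, requests):
    """Indexes of lines that decide at least one of the sample requests."""
    return {evaluate(rules, r)[1] for r in requests} - {None}

# The two http_access lines as posted, and the replacement suggested in reply.
POSTED = [("allow", ["all", "NTLMUsers"]), ("allow", ["our_networks"])]
SUGGESTED = [("allow", ["our_networks", "NTLMUsers"]), ("deny", ["all"])]

# Constructed requests: inside/outside the LAN, with/without a valid login.
REQUESTS = [
    {"src": "192.168.1.10", "authenticated": True},
    {"src": "192.168.1.10", "authenticated": False},
    {"src": "203.0.113.7", "authenticated": True},
    {"src": "203.0.113.7", "authenticated": False},
]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("suggested", SUGGESTED)):
        for req in REQUESTS:
            print(label, req["src"], req["authenticated"], evaluate(rules, req))
```

Under this model the posted rules let any authenticated client through regardless of source address, while the suggested pair denies requests from outside 192.168.0.0/16 before authentication is attempted.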
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>> If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> Firefox can't grab NTLM creds like IE does.

Yep, as FireFox is not a Microsoft product and as it tries to be platform-agnostic, by default it doesn't handle Windows-specific functions such as automatically fetching NTLM credentials.

But it may be possible to get FireFox to behave the way you want anyway. Type about:config in the FireFox address bar, then try changing the settings of one or both of:

network.automatic-ntlm-auth.allow-proxies true
network.automatic-ntlm-auth.trusted-uris http://proxy-address

-Chuck Kollars
[squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.

I have also noticed that if I click on cancel twice, then I can see the internet page. Someone can help me?!?!

thanks in advance

--
View this message in context: http://www.nabble.com/SQUID-%2B-FIREFOX-%2B-ACTIVE-DIRECTORY-tp20204501p20204501.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
Firefox can't grab NTLM creds like IE does.

On 10/28/08, matlor [EMAIL PROTECTED] wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> I have also noticed that if I click on cancel twice, then I can see the internet page. Someone can help me?!?!
>
> thanks in advance
Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
matlor wrote:
> I have configured squid with winbind integrated in the active directory of a windows 2003 domain. If I browse internet through IE 7 everything is ok, no user and password prompted, because of the common login. While, if I open Firefox (2 or 3 version), it prompts for user and password.
>
> I have also noticed that if I click on cancel twice, then I can see the internet page. Someone can help me?!?!
>
> thanks in advance

http://www.security-forums.com/viewtopic.php?t=33159

But it sounds like your ACLs are allowing non-authenticated access. No one can really help you with that without some more information (Squid version and config file stripped of comments would be a good start).

Chris