Koozali.org: home of the SME Server

automatic proxy authorization

Andrew Gray

automatic proxy authorization
« on: August 29, 2003, 09:13:48 AM »
Hi folks,

I was wondering if anyone had any comments to make with regard to automatic proxy authorization, i.e. NTLM via squid on my linux box.

I use squid as a proxy server in a school, currently using smb_auth to authenticate the user using the web from squid to a win2k domain, and then there is an accounting package which runs on the win2k box monitoring the internet usage per user. Problem is, the user has to authenticate to the squid server with a username and a password, but rumor has it that you can automate this task using NTLM authentication on the squid end. I would like more information on this and whether anyone has successfully attempted this.

Any comments/help/suggestions would be much appreciated.  Thanks folks.

- Andrew Gray

Craig Foster

Re: automatic proxy authorization
« Reply #1 on: August 31, 2003, 09:02:16 AM »
Using smb_auth isn't enough. You'll need to join the domain, and use winbind to check NTLM username/passwords.

Squid (in general and in RedHat packages) does *NOT* include NTLM support turned on. It's going to be recompile time :P

Mandrake may be a better move as 9.1 has NTLM already compiled into the squid.
I'd suggest looking through google.com for more info, as this is still cutting edge for squid. There are sometimes issues with 65535 NTLM queries, and other weirdness, but you'll definitely need 2.5STABLE2 or 2.5STABLE3 squid.

All said and done, it does work *very* nicely
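
Editor's added example, not part of the reply above and not Squid's own tooling: a small check of `squid -v` output that tells you whether the installed package already has the NTLM scheme compiled in before you commit to a rebuild. The two sample outputs are constructed, and the function names `option_value` and `ntlm_build_status` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: read `squid -v` output and report whether
# this Squid build has the NTLM scheme compiled in or needs a rebuild.

# Print the value of one configure option, e.g. --enable-auth -> basic,ntlm
# Assumes comma-separated lists with no spaces inside the value.
option_value() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n "s/^'\{0,1\}$2=//p" | tr -d "\"'" | head -n 1
}

# Exit status: 0 = scheme and helper built, 1 = rebuild needed,
# 2 = scheme built but no NTLM helper was built alongside Squid.
ntlm_build_status() {
    schemes=$(option_value "$1" --enable-auth)
    helpers=$(option_value "$1" --enable-ntlm-auth-helpers)
    case ",$schemes," in
        *,ntlm,*) ;;
        *)  echo "rebuild: ntlm not in --enable-auth (${schemes:-unset})"
            return 1 ;;
    esac
    if [ -z "$helpers" ]; then
        echo "partial: ntlm scheme built, no NTLM helper built with squid"
        return 2
    fi
    echo "ok: ntlm scheme built, helpers: $helpers"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_NTLM='Squid Cache: Version 2.5.STABLE3
configure options: --prefix=/usr --enable-auth=basic,ntlm --enable-ntlm-auth-helpers=winbind'
SAMPLE_BASIC='Squid Cache: Version 2.5.STABLE3
configure options: --prefix=/usr --enable-auth=basic'

# On a real proxy, run: ntlm_build_status "$(squid -v)"
ntlm_build_status "$SAMPLE_NTLM"
ntlm_build_status "$SAMPLE_BASIC" || true
```

A "partial" result means the scheme is present but the helper that talks to winbind has to come from elsewhere.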

Jim Danvers

Re: automatic proxy authorization
« Reply #2 on: September 08, 2003, 10:19:10 PM »
Hi guys...

I just started searching through the postings as I'm looking to start using / learning about proxy usage in a small'ish network environment myself.

Scenario:

Small public library.  The director would like to be able to have ~some~ level of control over web surfing by library patrons.  I mentioned to her that I could likely come up with a method of forcing user web surfing to be quasi-controlled by presenting them with a name and password dialogue.  I built a little sme 5.6u4 test server over the weekend (p1 133 w/48 mg ram....  pretty pokey but sorta ok for testing!) and installed one of the contribs into it that gives you a 'proxy users' panel @server-manager.  While that did the trick (forced me to authenticate against the proxy) I'm left with one question:

How does one go about ~forcing~ client machines to use the proxy server??  What's to stop some kid from just coming up to a machine and re-setting IE (or whatever web browser) and telling it to just simply connect to the internet (i.e. bypass the proxy)?  How could I setup the network so that client machines CANNOT get to the web w/out having to go through the gateway/proxy?  I plan on testing / playing further (going to use a better/faster machine though!) and investigating this further - but until then, I'm really quite curious on how to go about forcing the issue.  I'm thinking that we don't want the proxy to be a choice...  we want it to be the only means of getting out to the world.

TIA folks...

-=- jd -=-

Andrew Gray

Re: automatic proxy authorization
« Reply #3 on: September 27, 2003, 06:07:26 PM »
Hmm, sounds like a lot of work.

Is there a quick and easy way to configure e-smith/samba to join a domain?  I'm not too familiar with this.

Also, re-compiling isn't too big an issue...is it?  Recompiling squid I mean.  I shouldn't think that would be too hard.

What are your thoughts, people?

- Andy Gray