Weblog entry #17 for e5z8652

Squid NTLM proxy for WinXP + Win7 on Lenny
Posted by e5z8652 on Wed 30 Sep 2009 at 00:02
Somewhat by accident I fell on a Squid configuration that will seamlessly proxy Windows XP workstations and Windows 7 workstations (both RC and gold) using NTLM negotiation.

Previously I had tried different combinations of auth_param negotiate and auth_param ntlm. The NTLM negotiation would work for Windows XP, but not Windows 7 (unless you edited the registry in Win7, which I did not want to do in production.) Negotiation wouldn't work for anyone.

Then I failed to complete an edit and hit the magic combo that works. I think this is technically a broken configuration as far as Squid goes, but it gets the job done.

1) Update Samba to 3.3.6 from backports. We're still using winbind, so the Samba setup is the same as for proxying Windows XP with NTLM.
2) Set your auth_param lines in Squid to look like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param negotiate children 15
auth_param negotiate keep_alive on

It looks funny with the ntlm program line and negotiate children and keep alive lines, but it does work. Both Windows XP and unmodified Windows 7 happily authenticate with IE or Firefox.

After spending lots of time playing with stuff like Kerberos authentication and not having much success, this little broken config made for a happy day.

 

Comments on this Entry

Posted by gimili (99.241.xx.xx) on Fri 9 Apr 2010 at 20:21
Thank you! This worked for me.


Posted by e5z8652 (206.174.xx.xx) on Sat 10 Apr 2010 at 02:15
I'm glad it worked out!

The comment is dated though -- since then Samba on backports is 3.4.7, and Squid on backports is 2.7STABLE7.

This workaround stopped working for me (it is, after all, broken) and now I have the more correct:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on

Which works very well for XP and Win7 clients.

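The difference between the two configurations quoted above is which scheme each auth_param line belongs to. The following is an added example, not code from the post or from the Squid project: a small lint that groups auth_param lines by scheme and flags a scheme that has tuning lines but no program line, or a program line with no tuning lines. The function names and the wording of the findings are assumptions made for this example.

```python
# Added example: lint the auth_param lines of a squid.conf fragment.
from collections import defaultdict

# The two configurations quoted on this page.
ORIGINAL = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param negotiate children 15
auth_param negotiate keep_alive on
"""
CORRECTED = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
"""

def parse_auth_params(conf_text):
    """Return {scheme: {parameter: value}} for every auth_param line."""
    schemes = defaultdict(dict)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split(None, 3)
        if len(fields) < 3 or fields[0] != "auth_param":
            continue
        scheme, param = fields[1].lower(), fields[2].lower()
        schemes[scheme][param] = fields[3] if len(fields) > 3 else ""
    return dict(schemes)

def lint_auth_params(conf_text):
    """Flag schemes whose tuning lines and program line do not match up."""
    findings = []
    for scheme, params in sorted(parse_auth_params(conf_text).items()):
        tuning = sorted(p for p in params if p != "program")
        if "program" not in params:
            findings.append(f"{scheme}: {', '.join(tuning)} set but no program line")
        elif not tuning:
            findings.append(f"{scheme}: program set, children/keep_alive not set explicitly")
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, lint_auth_params(conf) or "consistent")
```
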