Single sign-on with Squid

I want to configure Squid for single sign-on and to authenticate only the users who are not on the Active Directory domain (Server 2003).
If the user is already logged in to the domain, then a domain name\password pop-up should not appear for accessing the internet, but for all non-domain users there must be a username\password pop-up to access the internet.

In my scenario I have:
SUSE Enterprise 11.2
Windows Server 2003 domain

I have configured Samba and krb5.conf, and in squid.conf I have made the following change:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds

But after this, all the users, domain or workgroup, are accessing the internet. There is no login prompt for non-domain users.
Please tell me where I am wrong.
kastro Abbasi (IT consultant) asked:

You would need to use two auth_param directives.
Then you will have two http_access rules.

The difficulty I see is a system on the domain will auto transmit the credentials of the user logged into the system.

The first part will allow NTLM authenticated users, the second will call a separate helper app.

Does your NTLM based authentication work?

What is the basis of your secondary login? Are these going to be users in MySQL/a flat file?
Chris Wong commented:
Squid Proxy integration with Active Directory – The quick and simple way
kastro Abbasi (IT consultant, author) commented:
The NTLM authentication works fine; I have checked it by executing the NTLM command individually in the terminal.
I want to configure only one login prompt for non-domain users only, so there should be only one reason for first and last login.
If there is any other logic except this that can be implemented, let me know how. I mean, if I put all the internet users in one group and allow this group to access without login and all others should log in, how could I implement this????

What is the basis on which the non domain users authenticate?
Do you have a separate credentials list?
You would have two
http_access require ntlm_auth
http_access require non-domain_users

You can use Perl to create a program to which Squid will pass the username/password the user provides and which decides whether to grant access.  Part of the logic is to set a time limit as well as renew/adjust the time limit with every request seen.
kastro Abbasi (IT consultant, author) commented:
I am not aware of Perl scripts, and what do you mean by http_access require non-domain_users?

I have created a group named "internet users" in the Active Directory domain, but I think using ntlm_auth I can't use group-based access.

Please guide me in more detail.
You have two criteria.
1) domain users using domain workstations
2) non-domain workstations, non-domain users.

How are you recording the group that fits the number 2 scenario?

Perl or other programs are configured in a similar way to ntlm_auth.
Squid passes the collected information to this program and then waits for the allow/deny response from the helper.

Searching for squid perl helper program will generate some results.
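As an added illustration of the helper protocol described above (example code written here, not from the thread or from Squid), this Python helper does what the suggested Perl program would do: Squid hands it the username and password typed at the prompt and it answers OK or ERR. It assumes the URL-encoded "username password" request format Squid uses for basic helpers, and the credential store and user names are constructed for the example.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper (added example, not code from the thread).
Squid writes "<username> <password>" (URL-encoded, assumed) one line per
login attempt and reads back "OK" or "ERR"; accepted passwords are then
cached for `credentialsttl`, so the helper is not hit on every request."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

def _entry(salt, password):
    # Store a salted SHA-256 digest rather than the clear-text password.
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed credential store for non-domain users (hypothetical names).
CREDENTIALS = {
    "guest1": _entry("s1", "Passw0rd"),
    "guest2": _entry("s2", "pass word"),  # Squid sends this as pass%20word
}

def parse_request(line):
    """Return (username, password) for one helper line, or None if malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])

def check_credentials(user, password, store=CREDENTIALS):
    """Constant-time digest comparison; an unknown user compares against an empty digest."""
    salt, digest = store.get(user, ("", ""))
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def handle_line(line, store=CREDENTIALS):
    """Map one request line to the reply Squid expects."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    return "OK" if check_credentials(*req, store=store) else "ERR"

def main():
    # Squid keeps the helper running; answer and flush after every line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Squid would start it through a second auth_param basic program line in place of ntlm_auth --helper-protocol=squid-2.5-basic; the store here stands in for whatever list of non-domain accounts the site keeps.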
kastro Abbasi (IT consultant, author) commented:
Non-domain workstations: I mean to say, if some non-domain user wants to access the internet, then he has to provide his domain account and password.
I think in single sign-on this is the basic requirement.
Oh, in this case, your smb.conf is the one that would dictate whether the user provides the

See whether the smb.conf is set to default to using AD, which means all the user has to provide is their username/password;
otherwise, depending on the separator selected there,

The difficulty you may face with non-domain systems is that the user will be reprompted for credentials every so often (not sure the 2hr window you specify will be the rule).
kastro Abbasi (IT consultant, author) commented:
This is the config for my smb.conf; what do I change in it?
[global]
        workgroup = XXXX
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = HOLDING.LOC
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        #usershare max shares = 100
        winbind refresh tickets = yes
        #winbind use default domain=yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
If you look at the squid log, tail /var/log/squid/access.log
Uncomment the line
#winbind use default domain=yes
to be
winbind use default domain=yes

Are users who use a non domain system configured to use the proxy having authentication issues?
The non-domain users, do you have an http_access deny as the last option?
post the squid.conf

grep -v '^#' /etc/squid/squid.conf

Does your firewall block outgoing port 80 requests?
kastro Abbasi (IT consultant, author) commented:
I don't have any http_access for non-domain users.

No, I have opened the port for 8080 traffic in my firewall.

Attached is the squid.conf.
You are not enforcing anything.
You do not have any acls that deal with ntlm or basic user authentication

You have  
http_access allow localnet

You need to replace it with
acl ntlm_users proxy_auth REQUIRED
http_access require ntlm_users #ntlm user authentication
http_access allow ntlm_users #this should cover both helper applications.  you may not need both.
http_access deny all
kastro Abbasi (IT consultant, author) commented:
Thanks for your reply.

But I have checked all the options you suggested; still there is no login prompt for non-domain users. All of the users are accessing the internet without any login prompt.

acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all
You need to comment out the http_access allow localnet entry if it appears above the lines you added.
kastro Abbasi (IT consultant, author) commented:
Thanks for your suggestion.

Now the userid/password prompt appears but does not accept the credentials, and after trying many times it gives no access, for both domain and non-domain users...
Now I am getting fed up with this .........
Comment out the basic auth_param.

You should only have one.
Please review the squid.conf file which includes the details and explanations.

I'll reupload a modified squid.conf that should work.
kastro Abbasi (IT consultant, author) commented:
Thanks Arnold.

I'll review it and wait for your squid.conf, and hope it'll work.
I am uncertain whether you can use the ntlm_auth with a group specification as you have done.
It might be in this type of setup you have to use an LDAP query with related helper applications.

you had the http_access allow AuthorizedUsers, but it was below the explicit deny http_access deny all which means the AuthorizedUsers was not being processed.
You also had the allow based on the IP localnet, which defeats the purpose.
kastro Abbasi (IT consultant, author) commented:
Thanks, and I really appreciate your efforts. I was near to giving up on this, but you kept me on track.
I have replaced the complete squid.conf file with yours, but the result is the same... I mean at least the domain users should not get the login prompt... this is the first step to troubleshoot,
then I'll check the authentication, why the users are not authenticated.
When the users on non-domain systems are prompted for a login, what do they enter?

In your smb.conf, you have an entry that is commented out
#winbind use default domain=yes
Uncomment it and see if it changes the login behavior.

You could try then uncommenting the auth_param basic to see whether that helps.
Do one thing at a time so if something changes for the worse, you'll know why and how to correct it.
kastro Abbasi (IT consultant, author) commented:

I have commented out ntlm_auth and uncommented ntlm_auth basic; then I found that userid and password is working with both domain users and non-domain users.

for non-domain users:  username\passwd
for domain users:   username\passwd

Now please do the last thing: for domain users, direct access to the internet without username\passwd.
I was trying to get you to only uncomment the ntlm_auth basic to see whether the two at the same time will work.
ntlm_auth ntlm is needed for transparent authentication of domain users on domain systems.
The ntlm_auth basic is the one used for plain-text authentication and prompting.

You likely followed this guide
Your placement of the http_access allow AuthorizedUsers was the issue.

I've attached the altered squid.conf (only change was uncommenting the auth_param basic)
kastro Abbasi (IT consultant, author) commented:

But when I use both auth_param ntlm and auth_param basic as you set them in your attached file,

then I can't even authenticate, with or without domain.
Ran into a similar thing as well, but non domain auth was not an issue that had to be.

One option is to set up two instances of Squid.
In the existing one, comment out the basic parameter.
Then copy /etc/squid to /etc/squid2 and
change this one to listen on a port other than 3128.
In this configuration only use the basic method.
You'll have to copy the start script and make a duplicate so that its data is stored in /var/log/squid2 and /var/run/ etc.

Non domain computers will then use the proxy as proxyserver:newport.

kastro Abbasi (IT consultant, author) commented:
It's not the exact solution to my question, but I really appreciate the efforts made by Arnold.