# Squid 2.6 passing NTLM username to Dansguardian

## Cheesegoduk

Hi folks.

I'm having a problem with squid 2.6 and dansguardian 2.9.

Currently I have Samba set up with winbind (NTLM), which allows squid to access the Windows username of the person requesting access on squid.

This is working fine, and squid is pulling the username correctly.

cache.log

```
2007/03/19 10:05:06| authenticateNTLMHandleReply: Successfully validated user via NTLM. Username 'KSCS/lee'
```

access.log

```
1173970593.747    282 10.112.189.14 TCP_MISS/200 4303 GET http://www.google.co.uk/ KSCS/lee FIRST_UP_PARENT/127.0.0.1 text/h$
```

However the problem comes when I set the cache_peer directive to pass the login credentials to dansguardian. This is rather annoying because this worked fine in Squid 2.5 but upgrading to squid 2.6 seems to result in this appearing:-

```
2007.3.19 10:03:25 - 127.0.0.1 http://www.google.com *SCANNED*  GET 221 0  1 302 -
```

It should say "KSCS\Lee 10.112.189.14" where it currently says "- 127.0.0.1".

I'm not sure what I'm missing because I don't see any massive changes in squid 2.6 from squid 2.5 about the cache_peer directive, so I'm at a loss what to do. As far as I know it's not dansguardian causing the problem.

Below is the cache peer/acl part of my squid.conf. It's a bit of a mess but this is currently a test server so I can iron out the bugs before I upgrade my squid 2.5 and dansguardian 2.8 machine.

Extra info...

Squid is on port 3128 that connects back to dansguardian on port 8080 that then connects out to our Internet provider's proxy on 8084.

```
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
cache_peer 127.0.0.1 parent 8080 7 no-query default no-digest no-netdb-exchange login=*:password connection-auth=on
visible_hostname banana.kscs.org.uk
unique_hostname banana.kscs.org.uk
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers
acl QUERY urlpath_regex cgi-bin \?
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl winupdate dstdomain .microsoft.com .windowsupdate.com
acl ftp proto FTP
no_cache deny winupdate
http_access allow all NTLMUsers
http_access allow winupdate
always_direct allow ftp
always_direct allow winupdate
no_cache deny QUERY
http_access allow all
http_reply_access allow all
icp_access deny all
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn on
```

----------

## Cheesegoduk

whoops.....

it was actually dansguardian causing the issue...

I didn't have an auth method specified in the dansguardian.conf so it was basically ignoring the login data.

Even when I had NTLM auth switched on in dansguardian it appears it ignores that as well.

So for future reference you need to have the "Auth_Basic" conf unhashed like so...

```
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
```

If I had read the dansguardian.conf a bit more I would have noticed this >.>

Tis always the way after writing out a bit long post hah.

Feel like a fool now ;p

----------
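A check for the symptom described in this thread, as an added example that is not code from the posts or from DansGuardian: it scans log lines laid out like the one quoted in the first post and reports entries that carry no username or a loopback client address. The sample lines are constructed, and the field order (date, time, user, client IP, URL) is an assumption taken from that quoted line.

```python
import ipaddress

# Constructed sample lines, laid out like the DansGuardian log line quoted in the thread.
SAMPLE_LOG = [
    "2007.3.19 10:03:25 - 127.0.0.1 http://www.google.com *SCANNED*  GET 221 0  1 302 -",
    "2007.3.19 10:04:02 - 127.0.0.1 http://www.example.org/ *SCANNED*  GET 512 0  1 200 -",
    r"2007.3.19 10:09:41 KSCS\Lee 10.112.189.14 http://www.google.co.uk/ *SCANNED*  GET 4303 0  1 200 -",
    "this line is not a log entry",
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the assumed layout."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    date, time, user, ip, url = parts[:5]
    try:
        client = ipaddress.ip_address(ip)
    except ValueError:
        return None  # fourth field is not an IP address, so this is not a log entry
    return {"when": f"{date} {time}", "user": user, "client": client, "url": url}


def audit(lines):
    """Return (parsed_count, findings); a finding is (line_no, url, reasons)."""
    parsed, findings = 0, []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        reasons = []
        if rec["user"] == "-":
            reasons.append("no username")
        if rec["client"].is_loopback:
            reasons.append("loopback client address")
        if reasons:
            findings.append((line_no, rec["url"], reasons))
    return parsed, findings


if __name__ == "__main__":
    parsed, findings = audit(SAMPLE_LOG)
    print(f"{len(findings)} of {parsed} entries cannot be attributed to a user")
    for line_no, url, reasons in findings:
        print(f"  line {line_no}: {url} ({', '.join(reasons)})")
```

Run against a real log, a high share of flagged entries after a proxy upgrade means the filter is no longer recording who made each request.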

