# squid ntlm authentication with dansguardian

## plut0

I'm trying to set up squid and dansguardian to authenticate to the Active Directory Domain Controller. To do this I believe I need to authenticate to squid first, forward the request to dansguardian, then forward it back to squid for caching.

What I have been able to do is set up squid alone, set up dansguardian and squid together without authentication and also set up squid to authenticate without dansguardian. I cannot put all this together, however. When I try, I get a login prompt box every time I try to load a page and it fails with:

```
"Sorry, you are not currently allowed to request: <website> from this cache until you have authenticated yourself."
```

In squid access.log (username and ip purposely renamed):

```
1115300165.478     47 192.168.x.x TCP_DENIED/407 1715 GET http://www.msn.com/ - NONE/- text/html
1115300166.258     26 192.168.x.x TCP_DENIED/407 1719 GET http://www.msn.com/ - NONE/- text/html
1115300166.272      3 127.0.0.1 TCP_DENIED/407 1715 GET http://www.msn.com/ - NONE/- text/html
1115300166.282     23 192.168.x.x TCP_MISS/407 1760 GET http://www.msn.com/ <username> FIRST_UP_PARENT/127.0.0.1 text/html
1115300168.086      3 127.0.0.1 TCP_DENIED/407 1748 GET http://www.msn.com/favicon.ico - NONE/- text/html
1115300168.096    517 192.168.x.x TCP_MISS/407 1793 GET http://www.msn.com/favicon.ico <username> FIRST_UP_PARENT/127.0.0.1 text/html
```

In dansguardian.conf:

```
filterip = 127.0.0.1
filterport = 3128
proxyip = 127.0.0.1
proxyport = 8081
```

In squid.conf:

```
http_port 192.168.x.x:8080
http_port 127.0.0.1:8081

cache_peer 127.0.0.1 parent 3128 0 proxy-only no-query
cache_peer_access 127.0.0.1 allow FRONT
cache_peer_access 127.0.0.1 deny all

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 10 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 20 minutes

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

acl FRONT myport 8080
acl BACK myport 8081

no_cache deny FRONT

http_access allow BACK
http_access allow FRONT
http_access allow localhost
```

Any idea what is wrong with my configs?

----------

## plut0

Well, after reading a bit, I noticed that dansguardian doesn't support NTLM yet, so I guess I have to change authentication to basic using smb_auth. If anyone knows of a better way of doing this, I'm interested in hearing it.

----------
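The access.log excerpt in the first post can be read mechanically. The following is an added example, not part of the original posts: it parses Squid native-format log lines and labels each 407 by the hop that produced it, so a challenge issued to the filter's own loopback request stands out from the normal first challenge to the browser. The sample lines, the address `192.168.0.10`, the user `jdoe` and the label names are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed sample in Squid's native access.log format, modelled on the
# lines in the post (client address and user name are placeholders).
SAMPLE_LOG = """\
1115300165.478     47 192.168.0.10 TCP_DENIED/407 1715 GET http://www.msn.com/ - NONE/- text/html
1115300166.272      3 127.0.0.1 TCP_DENIED/407 1715 GET http://www.msn.com/ - NONE/- text/html
1115300166.282     23 192.168.0.10 TCP_MISS/407 1760 GET http://www.msn.com/ jdoe FIRST_UP_PARENT/127.0.0.1 text/html
1115300170.101     90 192.168.0.10 TCP_MISS/200 5120 GET http://example.org/ jdoe FIRST_UP_PARENT/127.0.0.1 text/html
"""

Entry = namedtuple(
    "Entry", "ts elapsed client result status size method url user hier peer ctype")

# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\w+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\w+)/(\S+)\s+(\S+)$")

def parse(line):
    """Return an Entry for one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    return Entry(float(g[0]), int(g[1]), g[2], g[3], int(g[4]), int(g[5]), *g[6:])

def classify(e, loopback="127.0.0.1"):
    """Label an entry by where its 407 was generated (label names are hypothetical)."""
    if e.status != 407:
        return "ok"
    if e.result == "TCP_DENIED" and e.client == loopback:
        return "back-hop-challenge"   # the filter's own request was challenged
    if e.result == "TCP_DENIED":
        return "front-challenge"      # expected first step of proxy auth
    if e.user != "-" and e.peer == loopback:
        return "relayed-407"          # user known, 407 came back via the parent
    return "other-407"

def summarize(text):
    """Count labels over a block of log text, skipping unparseable lines."""
    counts = {}
    for entry in filter(None, map(parse, text.splitlines())):
        label = classify(entry)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A `back-hop-challenge` immediately followed by a `relayed-407` for the same URL means the front port accepted the user but the request was challenged again on the loopback hop, which matches the repeated login prompt described in the first post.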

