Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

Andrew Bartlett abartlet at
Wed Dec 31 06:47:37 GMT 2003

On Wed, Dec 31, 2003 at 11:08:30AM -0600, Ed Plese wrote:
> > We are using Squid in a transparent proxy fashion for logging. This
> > setup works great in every fashion except its transparency. (yuck!!)
> > 
> > Problem: Occasionally (like once every 4 hours), a Windows client user
> > will call help desk saying "Internet Explorer" is asking for my
> > username/password/domain to access a web page.
> I'll say right away that I've never tried transparent proxying with squid
> along with NTLM authentication.  The reason for this is that everything I've
> read sternly indicates that transparent proxying with squid does not work
> with proxy_auth.
> From the squid FAQ:
> (
> 17.15 Can I use proxy_auth with interception?
> No, you cannot. With interception proxying, the client thinks it is talking
> to an origin server and would never send the Proxy-authorization request
> header. 
> From squid.conf:
> # WARNING: proxy_auth can't be used in a transparent proxy. It
> # collides with any authentication done by origin servers. It may
> # seem like it works at first, but it doesn't.
> Unless somehow ntlm_auth doesn't count as proxy_auth then what you're trying
> to do is not possible with squid.  Someone please correct me if I'm wrong
> here because squid and samba work great together and I'd love to see this work
> transparently.

You are 100% correct.  I was thinking about 'transparent'
authentication, i.e. see no boxes stuff.  The only way to get close to
'transparent proxying' is to set up WPAD and automatic proxy
configuration scripts.  This allows users to select 'automatically
detect' proxy settings, which alongside a good firewall, or even a
redirection to an 'instructions' page should do the trick.

Andrew Bartlett
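
A proxy auto-config script of the kind the reply above suggests publishing through WPAD, as an added example that is not part of the original thread. The proxy host name, port 3128 and the internal DNS suffix are assumed placeholder values, and the helper functions are hypothetical names written in plain JavaScript rather than the browser's PAC built-ins.

```javascript
// Added example: proxy auto-config (PAC) script, served as wpad.dat for WPAD.
// Hypothetical values: proxy host/port and the internal DNS suffix.
var PROXY = "PROXY proxy.example.internal:3128"; // assumed Squid listener
var INTERNAL_SUFFIX = ".example.internal";       // assumed internal domain

// True for dotted-quad literals in loopback or RFC 1918 ranges.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host equals the internal domain or ends with its suffix.
function isInternalName(host) {
  return host === INTERNAL_SUFFIX.slice(1) ||
         host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, trailing dot
  // Intranet traffic stays off the proxy: unqualified names, the internal
  // domain, and private address literals.
  if (host.indexOf(".") === -1 || isInternalName(host) || isPrivateIPv4Literal(host)) {
    return "DIRECT";
  }
  // Everything else goes to the explicit proxy, which the client knows it is
  // talking to and can therefore answer with Proxy-Authorization.
  // No "; DIRECT" fallback: a proxy outage fails closed instead of
  // bypassing authentication and logging.
  return PROXY;
}
```

Because the script offers no direct fallback for external hosts, it relies on the firewall mentioned in the reply to stop clients that ignore the automatic settings.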

More information about the samba-technical mailing list