[squid-users] Antwort: [squid-users] NTLM username logging problem

In your acl-config the "authorizedusers" acl is maybe not evaluated since
the others (allowed_hosts, our_networks) match first (see below)?

http_access allow allowed_hosts
http_access allow our_networks
http_access allow all authorizedusers

What are you trying to achieve with thes acls? Do you want to enforce
authentication for user that are NOT from your network ?
Or do you want to restrict access to users that are on your network AND
have authenticated? In that case you ned to combine the acls in a single
line, i.e.
http_access allow our_networks authorizedusers

Regards

Horst

                                                                                                                  
                    lukas.fuchs@ri
                    eter.com An: squid-users@squid-cache.org
                                         Kopie:
                    11.05.2004 Thema: [squid-users] NTLM username logging problem
                    11:30
                                                                                                                  
                                                                                                                  

hi!
I've Squid 2.5 with NTLM, Samba 3 with Winbind, and Mandrake 9.2 running.
My problem is, that I want to log the usernames and their visited websites.
I want to do this with NTLM / Winbind. The user ID's are stored on a
WinNT-PDC.
And I don't want that the user must enter his key everytime, he connects to
the interet.
I think my Winbind works properly, so it must be something wrong with my
squid.conf...

squid.conf:
...
log_ip_on_direct off # off=hostname, on=ip ?
debug_options ALL,1
client_db on

auth_param ntlm program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-basic
auth_param basic realm basic-squid-cache
auth_param basic children 5
auth_param basic credentialsttl 2 hours

acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 82.29.1.0/24
acl localhost src 82.29.1.26/255.255.255.255
acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # https
acl safe_ports port 563 # https
acl safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl allowed_hosts src 82.29.1.0/255.255.255.0
http_access allow localhost
http_access deny !safe_ports
http_access deny CONNECT !safe_ports
http_access allow allowed_hosts
http_access allow our_networks
http_access allow all authorizedusers
http_access deny all
http_reply_access allow all

I think its probably something with the ACL's... Can you help me please?
Tanks!!!

Lukas

Disclaimer

Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen
enthalten. Wenn Sie nicht der beabsichtigte Empfänger sind oder diese E-Mail
irrtümlich erhalten haben, informieren Sie bitte sofort den Absender tele-
fonisch oder per E-Mail und löschen Sie diese E-Mail aus Ihrem System. Das
unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht
gestattet. Wir haften nicht für die Unversehrtheit von E-Mails, nachdem sie
unseren Einflussbereich verlassen haben.

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error) please
notify the sender immediately by call or e-mail and destroy this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. We are not responsible for the integrity of
e-mails after they have left our sphere of control.
Received on Tue May 11 2004 - 06:16:24 MDT