Re: [squid-users] Can't see usernames in logs after enabling NTLM

From: Oliver Hookins <ohookins@dont-contact.us>
Date: Mon, 21 Feb 2005 10:16:29 +1100

Chris Robertson wrote:
>>-----Original Message-----
>>From: Oliver Hookins [mailto:ohookins@gmail.com]
>>Sent: Thursday, February 10, 2005 1:15 PM
>>To: Henrik Nordstrom
>>Cc: squid-users@squid-cache.org; Chris Robertson
>>Subject: Re: [squid-users] Can't see usernames in logs after enabling NTLM
>>
>>
>>Henrik Nordstrom wrote:
>>
>>>>After that we have someone who IS in the LDAP group, is in the SURFING
>>>>IP range and is accessing a site that is also not in allowedsites. The
>>>>connection is denied and the username is not logged.
>>>
>>>
>>>Here the browser did not agree on logging in to the proxy and hence the
>>>request is denied as you require authentication (even if faked
>>>verification).
>>
>>This could be a problem. So any program that chooses not to
>>authenticate, or for some reason cannot authenticate (for example, it's
>>not built-in) will be denied access?
>>
>>If we reversed the rules like this:
>>
>>http_access allow SURFING
>>http_access allow allowedsites mynetwork
>>http_access allow AuthGroup mynetwork
>>http_access deny all
>>
>>that would force authentication for non-SURFING && non-allowedsites
>>requests, right? I'm just thinking of server programs that download
>>stuff but don't authenticate (in which case we would put them in the
>>SURFING acl).
>>
>>Regards,
>>Oliver
>
>
> That would allow unauthenticated surfing for computers in the SURFING IP
> range and for any computers on "mynetwork" accessing "allowedsites". Once
> someone not in the SURFING IP range (but in "mynetwork") tries to access a
> site that is not on the allowedsites list, authentication will be requested,
> and the AuthGroup will be checked. Dependent on the outcome of *that* test,
> either the request will be allowed or denied.
>
> In short, I think you've nailed it.

Sorry to drag this issue out so long, but it still isn't working 100%.
I've got some more access.log examples of what is happening now. I
understand that when a client is requested to authenticate, there are a
couple of TCP_DENIED entries in the logs and that this is normal.

However, we are getting a couple of TCP_DENIED messages without the user
credentials, then further TCP_DENIED messages with the user credentials.
I have double- and triple-checked, and this user is definitely in the
authorised group. If I do a manual check with squid_ldap_group on
the command line, I get an OK.

1108612447.271 459 192.168.0.61 TCP_REFRESH_HIT/200 905 GET http://www.microsoft.com/h/en-us/r/for_developers.gif - DIRECT/207.46.144.188 image/gif
1108612447.379 482 192.168.0.61 TCP_REFRESH_HIT/200 1036 GET http://www.microsoft.com/h/en-us/r/company_info.gif - DIRECT/207.46.144.188 image/gif
1108612447.622 478 192.168.0.61 TCP_MISS/200 628 GET http://c.microsoft.com/trans_pixel.asp? - DIRECT/207.46.197.85 image/gif
1108612447.711 490 192.168.0.61 TCP_MISS/200 438 GET http://c1.microsoft.com/c.gif? - DIRECT/207.68.177.126 image/gif
1108612510.253 0 192.168.0.61 TCP_DENIED/407 1684 GET http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.260 0 192.168.0.61 TCP_DENIED/407 1770 GET http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.356 95 192.168.0.61 TCP_DENIED/403 1379 GET http://www.ninemsn.com.au/ epa\aderooy NONE/- text/html
1108612527.261 4 192.168.0.61 TCP_IMS_HIT/304 221 GET http://www.acrlimited.com.au/ - NONE/- text/html
1108612527.306 23 192.168.0.61 TCP_IMS_HIT/304 225 GET http://www.acrlimited.com.au/images/header-top-pic.jpg - NONE/- image/jpeg
1108612527.332 25 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/header-top-r.gif - NONE/- image/gif
1108612527.351 18 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/header-bottom-slogan.gif - NONE/- image/gif
1108612527.418 67 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/header-bottom-r.gif - NONE/- image/gif
1108612527.458 17 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/home-on.gif - NONE/- image/gif
1108612527.477 0 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/rates-off.gif - NONE/- image/gif
1108612527.506 28 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/privacy-off.gif - NONE/- image/gif
1108612527.530 24 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/contact-off.gif - NONE/- image/gif
1108612527.548 17 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/blank.gif - NONE/- image/gif
1108612527.565 16 192.168.0.61 TCP_IMS_HIT/304 223 GET http://www.acrlimited.com.au/images/rates.jpg - NONE/- image/jpeg
1108612527.599 34 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/acr_bar-home.gif - NONE/- image/gif
1108612527.631 31 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/w.gif - NONE/- image/gif
1108612527.654 22 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/footer_home-top.gif - NONE/- image/gif
1108612527.683 28 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/footer-logo.gif - NONE/- image/gif
1108612527.697 13 192.168.0.61 TCP_IMS_HIT/304 222 GET http://www.acrlimited.com.au/images/footer_home-bottom.gif - NONE/- image/gif
1108612539.031 156 192.168.0.61 TCP_DENIED/403 1377 GET http://www.google.com.au/ epa\aderooy NONE/- text/html

www.acrlimited.com.au is in the allowedsites ACL as is microsoft.com.
192.168.0.61 is NOT in the SURFING ACL. How can I diagnose what is going
on between squid and squid_ldap_group? Obviously I am getting a username
here but somewhere in between something is getting mucked up.

I'd appreciate any help on the issue as it is getting rather urgent.

Regards,
Oliver
Received on Sun Feb 20 2005 - 16:16:36 MST
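The rule ordering discussed in the thread (allow SURFING first, then allowedsites for mynetwork, then AuthGroup for mynetwork, then deny all), modelled as an added example. This is not code from the post or from squid: it reproduces squid's first-match evaluation, with the ACLs on one http_access line ANDed left to right, and reports a 407 when an authentication-dependent ACL is reached before the browser has sent credentials. The ACL contents (the SURFING and mynetwork ranges, the allowedsites list, the group membership) are constructed placeholders, and `Request`, `http_access` and the `acl_*` helpers are names chosen here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-ins for the squid.conf ACLs named in the thread (hypothetical values).
SURFING = [ip_network("192.168.0.0/28")]        # range allowed to surf without authenticating
MYNETWORK = [ip_network("192.168.0.0/24")]
ALLOWEDSITES = {"www.acrlimited.com.au", "microsoft.com"}
AUTHGROUP_MEMBERS = {"epa\\aderooy"}            # users the group helper would answer OK for


@dataclass
class Request:
    client: str
    url: str
    user: Optional[str] = None   # None: the browser has not sent Proxy-Authorization yet


def acl_src(nets):
    """Model of a 'src' ACL: client address inside one of the listed networks."""
    return lambda r: any(ip_address(r.client) in n for n in nets)


def acl_dstdomain(domains):
    """Model of a 'dstdomain' ACL: exact host or a subdomain of a listed domain."""
    def check(r):
        host = urlsplit(r.url).hostname or ""
        return any(host == d or host.endswith("." + d) for d in domains)
    return check


def acl_authgroup(members):
    """Model of an external ACL keyed on the login name (squid_ldap_group style).
    With no credentials the lookup cannot run, so squid must challenge first;
    the model reports that as None."""
    def check(r):
        if r.user is None:
            return None
        return r.user in members
    return check


ACLS = {
    "SURFING": acl_src(SURFING),
    "mynetwork": acl_src(MYNETWORK),
    "allowedsites": acl_dstdomain(ALLOWEDSITES),
    "AuthGroup": acl_authgroup(AUTHGROUP_MEMBERS),
}

# The reversed rule set from the thread, in squid.conf order.
HTTP_ACCESS = [
    ("allow", ["SURFING"]),
    ("allow", ["allowedsites", "mynetwork"]),
    ("allow", ["AuthGroup", "mynetwork"]),
    ("deny", ["all"]),
]


def http_access(req):
    """First-match evaluation: ACLs on one line are ANDed left to right and
    lines are tried top to bottom. Returns 'allow', 'deny', or '407' when an
    authentication ACL is reached before credentials are available."""
    for action, names in HTTP_ACCESS:
        matched = True
        for name in names:
            if name == "all":
                continue
            result = ACLS[name](req)
            if result is None:
                return "407"          # squid challenges before it can finish this line
            if not result:
                matched = False       # this line cannot match; try the next line
                break
        if matched:
            return action
    return "deny"                     # not reached with a trailing 'deny all'


if __name__ == "__main__":
    for r in (Request("192.168.0.5", "http://www.google.com.au/"),
              Request("192.168.0.61", "http://www.acrlimited.com.au/"),
              Request("192.168.0.61", "http://www.ninemsn.com.au/"),
              Request("192.168.0.61", "http://www.ninemsn.com.au/", "epa\\aderooy"),
              Request("10.0.0.9", "http://www.ninemsn.com.au/")):
        print(r.client, r.url, r.user, "->", http_access(r))
```

One thing the model makes visible: a client outside mynetwork requesting a site that is not in allowedsites still gets a 407, because AuthGroup is the first ACL on its line and squid has to challenge before it can evaluate it. Listing the cheap src ACL first (`http_access allow mynetwork AuthGroup`) lets the line fail on the address without ever prompting for credentials. The model leaves out squid details that do not change this picture, such as the default action when no rule matches (the opposite of the last rule) and the way a deny line ending in an authentication ACL also produces a 407.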
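To separate the normal NTLM challenge traffic from the denials that actually need investigating, the access.log excerpt above can be triaged by grouping entries per client and URL and classifying how each request ended. This is an added example, not code from the post or from squid; the parser follows squid's native access.log layout (timestamp, elapsed ms, client, action/status, bytes, method, URL, login name, peer, content type), the sample lines are copied from the log in the post, and `parse` and `auth_sequences` are names chosen here.

```python
import re
from collections import defaultdict

# Native squid access.log: ts elapsed client action/status bytes method url user peer/host type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Lines taken from the access.log excerpt in the post (DOMAIN\user escaped for Python).
SAMPLE = """\
1108612510.253 0 192.168.0.61 TCP_DENIED/407 1684 GET http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.260 0 192.168.0.61 TCP_DENIED/407 1770 GET http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.356 95 192.168.0.61 TCP_DENIED/403 1379 GET http://www.ninemsn.com.au/ epa\\aderooy NONE/- text/html
1108612527.261 4 192.168.0.61 TCP_IMS_HIT/304 221 GET http://www.acrlimited.com.au/ - NONE/- text/html
1108612539.031 156 192.168.0.61 TCP_DENIED/403 1377 GET http://www.google.com.au/ epa\\aderooy NONE/- text/html
"""


def parse(line):
    """Parse one native-format line into a dict, or return None for a non-matching line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["status"] = int(e["status"])
    e["user"] = None if e["user"] == "-" else e["user"]   # '-' means no login name
    return e


def auth_sequences(text):
    """Group entries by (client, url) and classify how each request ended.
    outcome: 'allowed'               a non-4xx response was served
             'authenticated-denied'  a 403 that carries a login name: the browser
                                     did authenticate, the http_access rules rejected it
             'challenge-only'        nothing but 407s, credentials never arrived
             'denied'                a 403 without a login name
    'challenges' counts the 407s; NTLM normally produces two per connection."""
    groups = defaultdict(list)
    for line in text.splitlines():
        e = parse(line)
        if e:
            groups[(e["client"], e["url"])].append(e)
    summary = {}
    for key, entries in groups.items():
        entries.sort(key=lambda e: e["ts"])
        challenges = sum(1 for e in entries if e["status"] == 407)
        users = [e["user"] for e in entries if e["user"]]
        if any(e["status"] < 400 for e in entries):
            outcome = "allowed"
        elif any(e["status"] == 403 and e["user"] for e in entries):
            outcome = "authenticated-denied"
        elif all(e["status"] == 407 for e in entries):
            outcome = "challenge-only"
        else:
            outcome = "denied"
        summary[key] = {"challenges": challenges,
                        "user": users[0] if users else None,
                        "outcome": outcome}
    return summary


if __name__ == "__main__":
    for (client, url), info in auth_sequences(SAMPLE).items():
        print(f"{client} {url}: {info['outcome']} "
              f"(user={info['user']}, 407s={info['challenges']})")
```

The entries worth chasing are the 'authenticated-denied' ones: the login name is present, so the NTLM exchange completed and what failed is the ACL decision. Note that the name squid logs, and passes to the group helper, is the domain-qualified form `epa\aderooy`, so a command-line test of squid_ldap_group should use exactly that string rather than the bare account name; if the directory stores membership without the domain prefix, squid_ldap_group's -S option strips the NT domain component before the lookup.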