Re: [squid-users] NTLM

From: marcantonio <m.varie@dont-contact.us>
Date: Thu, 02 Jun 2005 16:32:17 +0200

Hi,

my squid.conf can be seen at http://www.magnarapa.com/squid/squid.conf
my cache.log can be seen at http://www.magnarapa.com/squid/cache.log

the strange bit is the following:

>>>

 2005/06/02 16:08:34| parseHttpRequest: Complete request received
 2005/06/02 16:08:34| conn->in.offset = 0
 2005/06/02 16:08:34| clientSetKeepaliveFlag: http_ver = 1.1
 2005/06/02 16:08:34| clientSetKeepaliveFlag: method = GET
 [2005/06/02 16:08:34, 1] utils/ntlm_auth.c:check_plaintext_auth(286)
  Reading winbind reply failed! (0x01)
 2005/06/02 16:08:34| The request GET http://officescan-p.activeupdate.trendmicro.com:80/activeupdate/server.ini is DENIED, because it matched 'Authenticated'
 2005/06/02 16:08:34| Access Denied: http://officescan-p.activeupdate.trendmicro.com:80/activeupdate/server.ini
 2005/06/02 16:08:34| AclMatchedName = Authenticated
 2005/06/02 16:08:34| Proxy Auth Message = <null>
<<<

First of all, I find strange that the request is "DENIED because it matched Authenticated".
Authenticated users, as per the squid.conf file, should be allowed, not denied.

But the strangest thing is the "Reading winbind reply failed". Wbinfo works:

 # wbinfo -p
 Ping to winbindd succeeded on fd 4

The squid user (squid:squid) has group access to the privileged pipe.
Besides, I temporarily assigned a bash shell to the squid user and, logging in as the squid user, I have tried to manually run ntlm_auth.
It works, it authenticates correctly with the Windows domain.
When I authenticate with kinit, I find my ticket with klist:

 # klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administrator@MYDOMAIN.LOCAL

 Valid starting     Expires            Service principal
 06/02/05 16:26:54  06/03/05 02:26:57  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 06/03/05 16:26:54, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached

I even joined the domain as follows:

 # net ads join -U administrator@MYDOMAIN.LOCAL
 administrator@MYDOMAIN.LOCAL's password:
 [2005/06/02 16:29:49, 0] libads/ldap.c:ads_add_machine_acct(1368)
 ads_add_machine_acct: Host account for scx1 already exists - modifying old account
 Using short domain name -- MYDOMAIN
 Joined 'SCX1' to realm 'MYDOMAIN.LOCAL'

In short, it looks like domain authentication is set up correctly, ntlm_auth works, everything works, BUT squid. I'm sure I am doing something wrong, but after much research and investigation, I am rather stuck.

What can I do?

Marcantonio

James Gray wrote:

>On Wed, 25 May 2005 04:10 am, marcantonio wrote:
>
>
>>Hi,
>>
>>How can I troubleshoot Squid with ntlm_auth?
>>
>>Using FC3 and latest samba+squid.
>>
>>Marcantonio
>>
>>
>
>What's in the squid logs? How have you configured your ACL's?
>
>Cheers,
>
>James
>
>
>
Received on Thu Jun 02 2005 - 08:32:23 MDT
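The manual helper test the post describes (running ntlm_auth as the squid user), as an added shell example that is not part of the original message and not code from Squid or Samba. The logged error comes from check_plaintext_auth, i.e. the basic (plaintext) helper path, so the script drives ntlm_auth in squid-2.5-basic mode the way Squid does: one "user password" request line on stdin, one reply line (OK, ERR or BH) on stdout. It also checks whether the squid user is in the group that owns winbindd's privileged pipe directory. Assumed names and paths, to be adjusted for the system: /usr/bin/ntlm_auth, the user "squid", and /var/lib/samba/winbindd_privileged; helper_status, priv_dir_access and run_basic_helper are this example's own functions.

```shell
#!/bin/sh
# Added example (not from the original post, Squid or Samba): exercise Samba's
# ntlm_auth in squid-2.5-basic helper mode as the squid user, and check access
# to winbindd's privileged pipe directory. Assumed defaults below; override via env.

NTLM_AUTH=${NTLM_AUTH:-/usr/bin/ntlm_auth}                         # assumed path
SQUID_USER=${SQUID_USER:-squid}                                    # assumed cache_effective_user
PRIV_DIR=${PRIV_DIR:-/var/lib/samba/winbindd_privileged}           # assumed; distro-specific

# Map one squid-2.5-basic helper reply line to a short status word.
# The helper answers each request with "OK", "ERR" or "BH <message>";
# "BH" (broken helper) means the helper itself failed, for example because it
# could not read winbindd's reply, rather than that the credentials were wrong.
helper_status() {
  case "$1" in
    OK*)  echo ok ;;
    ERR*) echo err ;;
    BH*)  echo broken ;;
    *)    echo unknown ;;
  esac
}

# Can the given user enter winbindd's privileged directory? It is normally
# owned by root and a dedicated group with mode 0750, so the user must be a
# member of that group. Prints yes, no, missing (no such directory) or unknown.
priv_dir_access() {  # $1 = directory, $2 = user name
  [ -d "$1" ] || { echo missing; return; }
  grp=$(stat -c %G "$1" 2>/dev/null) || { echo unknown; return; }
  if id -nG "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"; then
    echo yes
  else
    echo no
  fi
}

# Send one basic-auth request to the helper as the squid user, exactly as Squid
# would. The password is read from stdin, not taken from argv, so it does not
# show up in ps output. Only the helper's stdout reply is captured; its debug
# output on stderr (such as "Reading winbind reply failed") stays visible.
run_basic_helper() {  # $1 = domain user, e.g. 'MYDOMAIN\user'; password on stdin
  IFS= read -r pass
  printf '%s %s\n' "$1" "$pass" |
    su -s /bin/sh -c "$NTLM_AUTH --helper-protocol=squid-2.5-basic" "$SQUID_USER" |
    head -n 1
}

# Usage (as root):  printf '%s\n' "$PASSWORD" | sh check_helper.sh --check 'MYDOMAIN\user'
if [ "${1:-}" = "--check" ]; then
  echo "privileged dir $PRIV_DIR accessible to $SQUID_USER: $(priv_dir_access "$PRIV_DIR" "$SQUID_USER")"
  reply=$(run_basic_helper "$2")
  echo "helper reply: '$reply' -> $(helper_status "$reply")"
fi
```

A reply of BH, rather than OK or ERR, means the helper never got an answer from winbindd, which is the condition to compare against the "Reading winbind reply failed" line in cache.log; testing with a root shell instead of as the squid user hides exactly the permission problems this check is for, so keep the `su` step. If priv_dir_access prints "no", the squid user is not in the group owning the privileged directory.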
