[squid-users] squid logging ntlm_auth synchronisation

From: Andrew McGill <andrewm@dont-contact.us>
Date: Thu, 10 Aug 2006 18:22:43 +0200 (SAST)

Greetings squid users,

I have squid set up to authenticate against an NT domain. It
works just fine -- however the logging is very strange. The
following log snippet is (almost) typical of what is going on --
the user at 10.0.0.165 is making three requests, and this is
being logged as three different users:

1155218476.213 194 10.0.0.165 TCP_MISS/200 1996 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_travel_bg.gif TlRMTVNTUAACAAAADgAOADAAAAAFgomi5U3CdcWj1sQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAA DIRECT/196.14.52.227 image/gif

1155218476.254 150 10.0.0.165 TCP_MISS/200 1181 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_competition_bg.gif DOMAIN\sruiter DIRECT/196.14.52.227 image/gif

1155218476.396 240 10.0.0.165 TCP_MISS/200 1039 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_lotto_bg.gif DOMAIN\rothstein DIRECT/196.14.52.227 image/gif

The interesting one is TlRMTVNTUAACAAAADgAOADAAAAAFgomi5U3Cdc...
which is base64 encoded for "NTLMSSP0" followed by binary soup.
It suggests that some of the output of or input to ntlm-auth is
replacing the user name -- perhaps a flush() is missing in
reading or writing to the authenticator process...

The versions are:
     squid: squid-beta-3.0-260 (packaged with OpenSuSE 10.1)
     ntlm-auth: samba-winbind-3.0.23a-0.1.34 (from samba.org)

The configuration file says:
     auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\internetaccess
     auth_param ntlm children 60
     auth_param ntlm keep_alive on
     auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOMAIN\\internetaccess

Any suggestions on where to start debugging this -- e.g. debugging flags for
ntlm_auth or for squid?

&:-)

-- 
Linux - the finest selection of binary digits available
Received on Thu Aug 10 2006 - 10:26:24 MDT
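
Added example, not part of the original message: a Python check that scans Squid native-format access.log lines for the symptom described above, a user-name field that base64-decodes to an NTLMSSP message, and for one client address logged under different user names within a short interval. The log lines, addresses and user names are constructed, and the 5-second window is an assumed heuristic (shared hosts such as terminal servers can legitimately trip it).

```python
import base64
import binascii
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
MSG_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def ntlmssp_type(field):
    """Return the NTLMSSP message type if field is a base64 NTLMSSP blob, else None."""
    try:
        raw = base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, e.g. DOMAIN\user
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    # Message type is a little-endian uint32 right after the 8-byte signature.
    return struct.unpack_from("<I", raw, 8)[0]

def audit(lines, window=5.0):
    """Return (timestamp, client, kind, detail) tuples for suspect log entries."""
    findings, last = [], {}  # last: client -> (timestamp, user)
    for line in lines:
        f = line.split()
        if len(f) < 10:  # native format has 10 whitespace-separated fields
            continue
        ts, client, user = float(f[0]), f[2], f[7]
        mtype = ntlmssp_type(user)
        if mtype is not None:
            kind = MSG_TYPES.get(mtype, "unknown")
            findings.append((f[0], client, "ntlmssp-token", kind))
        elif user != "-":
            prev = last.get(client)
            if prev and prev[1] != user and ts - prev[0] <= window:
                detail = f"{prev[1]} -> {user}"
                findings.append((f[0], client, "user-changed", detail))
            last[client] = (ts, user)
    return findings

# Constructed sample data: a type 2 (challenge) header padded with zero bytes.
TOKEN = base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 2) + bytes(36)).decode()
SAMPLE = [
    f"1155218476.213 194 192.0.2.10 TCP_MISS/200 1996 GET http://example.com/a.gif {TOKEN} DIRECT/198.51.100.7 image/gif",
    r"1155218476.254 150 192.0.2.10 TCP_MISS/200 1181 GET http://example.com/b.gif EXAMPLE\alice DIRECT/198.51.100.7 image/gif",
    r"1155218476.396 240 192.0.2.10 TCP_MISS/200 1039 GET http://example.com/c.gif EXAMPLE\bob DIRECT/198.51.100.7 image/gif",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```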
