Re: [squid-users] User failing to authenticate over NTLM from Henrik Nordstrom on 2007-09-25 (squid-users)

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 25 Sep 2007 17:04:59 +0200

On tis, 2007-09-25 at 11:34 +0100, Paul Cocker wrote:

> I've checked the access log and see a lot of lines which look like
>
> 1190708486.534 0 191.9.222.107 TCP_DENIED/407 1840 GET
> http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
> 1190708486.565 0 191.9.222.107 TCP_DENIED/407 2086 GET
> http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
> 1190708486.752 187 191.9.222.107 TCP_DENIED/403 1510 GET
> http://www.microsoft.com/isapi/redir.dll? domain\user NONE/- text/html

Authentication successful, but user id not granted access. So it's most
likely a group membership problem of some kind.

Group membership details is cached both by Squid and by winbind, so you
may need to wait a bit before changes become active.

See the external_acl_type directive for the Squid side of the caching.
You can control both positive (is member) and negative (not member)
cache intervals. Default unless you have configured it differently is
one hour.

Not sure how the cache in Samba windbind works.

Regards
Henrik

application/pgp-signature attachment: This is a digitally signed message part

Received on Tue Sep 25 2007 - 09:05:06 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Oct 01 2007 - 12:00:03 MDT