[squid-users] NTLMSSP works with CONNECT but not with GET

From: Aleksander F. Honma <aleks@dont-contact.us>
Date: Thu, 01 May 2008 19:32:05 -0300

Hello List,

    I'm having a quite strange problem that I just can't figure out.
    Using NTLM_AUTH with the NTLMSSP helper, my browsers (IE and Firefox)
can't connect to HTTP sites but can connect to HTTPS sites.
    As an example, I can connect to "https://www.gmail.com" but cannot
connect to "http://www.gmail.com".

    Checking my logs and sniffing packets, it became clear that CONNECT
requests do full successful authentication, but GET commands don't.
    Could any good soul point me in a direction? I've tried pretty much
everything I could in the last 10 hours trying to isolate the problem, but
no matter what log level I use I just can't get a hint.

FACTS
# wbinfo -t

checking the trust secret via RPC calls succeeded

# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
challenge/response password authentication succeeded

MY SETUP
x86 box
Fedora 6 ( 2.6.18-1.2798.fc6)
Samba version 3.0.26a (RPM)
OPENLDAP as passdb backend
squid-2.6.STABLE20.tar.gz (compiled with ntlm,basic)

SQUID is running on a BDC, with slave LDAP all sitting in a different
subnet from the PDC.

PIECE OF LOG
2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:32| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomitLh/n3nYBEkAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:32| clientReadRequest: FD 17: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:36| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomi2eV4B/2CiVAAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:36| clientReadRequest: FD 17: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:37| authenticateAuthUserRequestSetIp: user 'aleks' has
been seen at a new IP address (192.168.1.235)
2008/05/01 19:28:37| The request CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is
ALLOWED, because it matched 'autenticados'
2008/05/01 19:28:41| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomib/Z8EcbV8moAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is
ALLOWED, because it matched 'autenticados'
2008/05/01 19:28:41| clientReadRequest: FD 21: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:44| The request CONNECT www.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:44| The reply for CONNECT www.google.com:443 is
ALLOWED, because it matched 'autenticados'

    Any piece of useful information is more than welcome.

Many thanks,
Aleksander França Honma
Received on Thu May 01 2008 - 22:32:08 MDT
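The "need to challenge client '...'" lines in the log above carry the base64-encoded NTLMSSP CHALLENGE (Type 2) message that the helper hands back to the browser. Decoding it is the quickest way to check, from cache.log alone, which domain and domain controller the helper is answering for and whether each request gets a fresh server nonce. The decoder below is an added example, not code from the post or from Squid or Samba; the field layout and the flag and AV_PAIR names follow MS-NLMP (CHALLENGE_MESSAGE and AV_PAIR), and the two sample log lines are the 19:28:32 GET and 19:28:36 CONNECT challenge lines from the post with the archive's line wrapping removed. Because the blob contains the domain name, the host names and the server challenge, cache.log at this debug level deserves the same access controls as any other authentication log.

```python
"""Decode NTLMSSP CHALLENGE (Type 2) blobs from Squid 'need to challenge client' log lines.

Added example; not part of the original post. Layout per MS-NLMP 2.2.1.2
(CHALLENGE_MESSAGE) and 2.2.2.1 (AV_PAIR); names are the MS-NLMP ones."""
import base64
import re
import struct

# Constructed sample: the two challenge lines quoted in the post (GET at 19:28:32,
# CONNECT at 19:28:36), each rejoined onto a single line as Squid writes them.
SAMPLE_LOG = (
    "2008/05/01 19:28:32| authenticateNTLMAuthenticateUser: need to challenge client "
    "'TlRMTVNTUAACAAAAFAAUADAAAAAFgomitLh/n3nYBEkAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJ"
    "AEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!\n"
    "2008/05/01 19:28:36| authenticateNTLMAuthenticateUser: need to challenge client "
    "'TlRMTVNTUAACAAAAFAAUADAAAAAFgomi2eV4B/2CiVAAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJ"
    "AEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!\n"
)

# NegotiateFlags bits (MS-NLMP 2.2.2.5); only the commonly seen ones are named here.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# AV_PAIR AvId values (MS-NLMP 2.2.2.1); ids 1..5 carry UTF-16LE strings.
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    7: "MsvAvTimestamp",
}
STRING_AV_IDS = {1, 2, 3, 4, 5}

CHALLENGE_LINE = re.compile(r"need to challenge client\s*'([A-Za-z0-9+/=]+)'")


def parse_challenge(b64):
    """Parse one base64 CHALLENGE_MESSAGE into its fields; raise ValueError if it is not one."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE (type 2), got type {msg_type}")
    # Field descriptors are (Len, MaxLen, Offset); offsets count from the message start.
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", raw, 12)
    (flags,) = struct.unpack_from("<I", raw, 20)
    server_challenge = raw[24:32]          # 8-byte nonce; bytes 32..40 are Reserved
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", raw, 40)
    if tn_off + tn_len > len(raw) or ti_off + ti_len > len(raw):
        raise ValueError("field offset points past end of message")

    av_pairs = {}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                  # walk the AV_PAIR list until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:
            break
        value = raw[pos:pos + av_len]
        pos += av_len
        if av_id in STRING_AV_IDS:
            value = value.decode("utf-16-le")
        av_pairs[AV_IDS.get(av_id, f"MsvAv{av_id}")] = value

    return {
        "target_name": raw[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "flags": flags,
        "flag_names": sorted(name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit),
        "server_challenge": server_challenge.hex(),
        "av_pairs": av_pairs,
    }


def challenges_from_log(text):
    """Return the parsed CHALLENGE messages found in a cache.log excerpt, in order."""
    return [parse_challenge(m.group(1)) for m in CHALLENGE_LINE.finditer(text)]


if __name__ == "__main__":
    for entry in challenges_from_log(SAMPLE_LOG):
        print(f"target {entry['target_name']!r} challenge {entry['server_challenge']} "
              f"flags 0x{entry['flags']:08x}")
        for name, value in entry["av_pairs"].items():
            print(f"  {name}: {value!r}")
```

Run against the two lines from the post, both challenges decode to the same target (NetBIOS domain, NetBIOS and DNS host names of the box running the helper) with extended session security and target info negotiated, and the 8-byte server challenge differs between the GET and the CONNECT. That confirms the helper produces a valid, fresh Type 2 for both request types; the point at which the GET exchange diverges from the CONNECT one therefore lies after the challenge, which is where packet captures of the browser's reply on the same connection are the next thing to compare.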
