Re: [squid-users] Strange Squid problem.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 May 2008 21:06:11 +1200

Henti Smith wrote:
> Hi all.
>
> I'm having a weirdness at a client.
>
> Squid auth using ntlm on samba that's connected to ADS.
>
> Setup was working until they replaced the ads server with a new one. I have
> updated configs with the new ADS and re-added samba. However, squid auth is
> still not working.
>
> wbinfo -g and -u works wbinfo -t succeeds.
> ntlm_auth run as proxy user succeeds.
>
> I've setup debug to 4 and the following is the output in cache.log
>
> 2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
> 2008/05/27 10:55:47| aclMatchAclList: checking my_auth
> 2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth
> REQUIRED'
> 2008/05/27 10:55:47| authenticateAuthenticate: no connection authentication
> type
> 2008/05/27 10:55:47| aclMatchAcl: returning 0 sending credentials to
> helper.
> 2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
> 2008/05/27 10:55:47| aclCheck: checking password via authenticator
> 2008/05/27 10:55:47| authenticateNTLMHelperServerAvailable: not starving -
> returning 1
> 2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
> 2008/05/27 10:55:47| aclMatchAclList: checking my_auth
> 2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth
> REQUIRED'
> 2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
> 2008/05/27 10:55:47| aclCheck: match found, returning 2
> 2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED,
> because it matched 'my_auth'
>
> The current config is at : http://paste.lisp.org/display/61303
>
> Any ideas ? comment ?

NTLM authentication works by sending the browser a "407 Authentication
Required" message back to the browser if it did not supply auth
credentials in its request.

That looks like a normal first-cycle NTLM authentication check to me.

You should see it followed up by an identical request to the same URL,
but which passes or fails the auth test without saying "sending
authentication challenge".

Amos

-- 
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Received on Fri May 30 2008 - 09:06:21 MDT
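
Added example, not part of the original thread and not Squid project code: a small cache.log reader that separates challenge-phase denials (the normal first cycle described in the reply) from final verdicts, and lists URLs whose challenge was never followed by a second request. The function names are hypothetical, and the sample's later lines (the ALLOWED verdict and the example.com request) are constructed.

```python
import re

# Constructed sample. Cycle 1 reuses lines from the post (still mail-wrapped);
# the later lines are assumed follow-ups and do not come from the thread.
SAMPLE_LOG = """\
2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth
REQUIRED'
2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication
challenge.
2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED,
because it matched 'my_auth'
2008/05/27 10:55:48| aclMatchAcl: checking 'acl my_auth proxy_auth REQUIRED'
2008/05/27 10:55:48| The request GET http://www.google.com/ is ALLOWED, because it matched 'my_auth'
2008/05/27 10:55:49| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:49| The request GET http://example.com/ is DENIED, because it matched 'my_auth'
"""

STAMP = re.compile(r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\|")
VERDICT = re.compile(r"The request (\S+) (\S+) is (ALLOWED|DENIED)")
CHALLENGE = "sending authentication challenge"

def unwrap(text):
    """Rejoin records split by mail wrapping; a record starts with a timestamp."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if STAMP.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def classify(text):
    """Return (method, url, verdict, phase) per request; phase is 'challenge'
    when a 407 challenge was sent during that request, otherwise 'final'."""
    results, challenged = [], False
    for rec in unwrap(text):
        challenged = challenged or CHALLENGE in rec
        m = VERDICT.search(rec)
        if m:
            results.append(m.groups() + ("challenge" if challenged else "final",))
            challenged = False
    return results

def unanswered_challenges(text):
    """URLs that were challenged but never re-requested with a final verdict."""
    res = classify(text)
    return [url for i, (_, url, _, phase) in enumerate(res) if phase == "challenge"
            and not any(r[1] == url and r[3] == "final" for r in res[i + 1:])]

if __name__ == "__main__":
    print(classify(SAMPLE_LOG), unanswered_challenges(SAMPLE_LOG))
```

A DENIED line in the challenge phase is expected; a URL reported by `unanswered_challenges` means the client never came back with credentials after the 407.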
