[squid-users] auth failed to downstream squid proxy

From: myocella <myocella_at_gmail.com>
Date: Fri, 9 Oct 2009 13:42:54 +1000

I've 2 proxy servers chained together. Both authenticate against different AD domains.
The downstream proxy is running on Windows (squid/2.5.STABLE1-CVS), supporting only basic auth (nt_auth.exe). This proxy server has a cache_peer basic auth setup to the upstream proxy:

cache_peer upstream.proxy 3128 0 no-query login=UPSTREAM_DOMAIN\dummyuser:password

The upstream is running on RHEL (squid/2.7.STABLE7) supporting NTLM and Basic with AD using this guide http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory, plus wb_info.pl for the group lookup.

The users in UPSTREAM_DOMAIN can browse Internet using upstream proxy.

However, the downstream proxy users can't browse the Internet. Their browser prompts for username and password twice - the first time it showed the downstream Realm, which makes sense, but the second prompt showed the upstream Realm!

In the access.log file on the downstream proxy, it showed the authentication succeeded with the username:

x.x.x.x - downstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:FIRST_UP_PARENT

But the access.log file on the upstream proxy showed 407 with the "UPSTREAM_DOMAIN\dummyuser", which is correct:

downstream.proxy - upstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 407 1685 TCP_DENIED:NONE

Below is the auth conf on the upstream proxy:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param ntlm keep_alive off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Internet Access
external_acl_type ads-group children=20 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl -d

acl downstream_user proxy_auth -i upstream_domain\dummyuser
http_access allow downstream_user
http_reply_access allow downstream_user

Does anyone have any idea how to resolve this problem?

Thank you

myocella
Received on Fri Oct 09 2009 - 03:43:01 MDT
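A small detection script, added here as an example and not part of the original post or of Squid itself: it parses the Squid common-format access.log lines quoted above from both proxies, correlates them by timestamp and URL, and reports every request the downstream forwarded to its parent (FIRST_UP_PARENT) that the upstream answered with 407, i.e. exactly the peer-login failures that make the upstream realm leak through to end users. The sample log lines are constructed and modelled on the two in the post; the IP, the favicon request and the `upstream_domain\dummyuser` upstream entry are assumptions.

```python
import re
from collections import defaultdict

# Squid "common" access.log format as quoted in the post, with the
# result:hierarchy code appended (e.g. TCP_MISS:FIRST_UP_PARENT).
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)\s*$'
)

def parse(line):
    """Parse one access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def peer_auth_failures(downstream_lines, upstream_lines):
    """Correlate the two logs by (timestamp, URL) and return one tuple
    (ts, url, downstream_user, upstream_user) for every request that the
    downstream sent to a parent (hierarchy code *_PARENT) and that the
    upstream rejected with 407. Assumes both clocks agree to the second."""
    by_key = defaultdict(list)
    for line in upstream_lines:
        e = parse(line)
        if e:
            by_key[(e["ts"], e["url"])].append(e)
    failures = []
    for line in downstream_lines:
        e = parse(line)
        if not e or not e["hier"].endswith("_PARENT"):
            continue  # served locally or unparseable: no peer login involved
        for up in by_key.get((e["ts"], e["url"]), []):
            if up["status"] == 407:
                failures.append((e["ts"], e["url"], e["user"], up["user"]))
    return failures

# Constructed sample lines modelled on the two quoted in the post.
DOWNSTREAM_LOG = [
    r'10.0.0.5 - downstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:FIRST_UP_PARENT',
    r'10.0.0.5 - downstream_domain\user [09/Oct/2009:12:59:03] "GET http://www.google.com/favicon.ico HTTP/1.0" 200 318 TCP_HIT:NONE',
]
UPSTREAM_LOG = [
    r'downstream.proxy - upstream_domain\dummyuser [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 407 1685 TCP_DENIED:NONE',
]
```

Run `peer_auth_failures(DOWNSTREAM_LOG, UPSTREAM_LOG)` against the real logs of both proxies; a non-empty result means the cache_peer `login=` credential is being refused by the upstream even though the downstream logged the user as authenticated.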
