[squid-users] cache_peer, squid parents and NTLM : NT_STATUS_INVALID_PARAMETER

Dear

I would like to use several parent proxy backend with a squid proxy that in
charge to balacne requests to backends
parents proxy are connected to the Active Directory and perform
authentication.
This in order to log accounts in access_log

BROWSER 10.32.0.21 => Squid client 10.32.0.25 => PEER 10.32.0.26/10.32.0.27
(connected to Active Directory) => ROUTER => INTERNET

I have set on the squid front-end these lines

cache_peer 10.32.0.26 parent proxy-only no-query no-digest default
login=PASS connection-auth on
cache_peer 10.32.0.27 parent proxy-only no-query no-digest default
login=PASS connection-auth on

But when connecting a browser to the squid frontend an authentication POPUP
is displayed because parents refuse the NTLM sent by the squid client.

On a parent with debug mode we can see that the NTLM is correclty sent from
the squid client:

2012/12/08 00:23:21.728 kid1| client_side.cc(2258) parseHttpRequest: repare
absolute URL from
2012/12/08 00:23:21.728 kid1| client_side.cc(2295) parseHttpRequest:
parseHttpRequest: Complete request received
2012/12/08 00:23:21.728 kid1| client_side.cc(2298) parseHttpRequest: HTTP
Client local=10.32.0.21:3128 remote=10.32.0.25:41984 FD 12 flags=1
2012/12/08 00:23:21.728 kid1| client_side.cc(2299) parseHttpRequest: HTTP
Client REQUEST:
---------
GET http://t.fr.msn.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;
Trident/6.0)
Accept-Encoding: gzip, deflate
Cookie: mh=MSFT; Sample=38; MUID=2E0332D24C216EAA086836F948216ED4
DNT: 1
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAJAAAABAAUABqAAAABIAEgBYAAAAEAAQAGoAAAAWABYAegAAAAAAAADoAQAABYKIogYC8CMAAAAPMzIoFOB6SjnpMImGzLG+AUEARgBFAE8ATgBMAEkATgBFAGQAdABvAHUAegBlAGEAdQAyADUAMgBEADgAMAAxAFQAQQBPAEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIGdwEQmCLnuc/uTnONcyTwEBAAAAAAAAapor2dHUzQFsjXCe+/oWYwAAAAACABIAQQBGAEUATwBOAEwASQBOAEUAAQAWADAAMAAwAFMATAAwADcAUABSAE8AWAAEABoAYQBmAGUAbwBuAGwAaQBuAGUALgBuAGUAdAADADIAMAAwADAAUwBMADAANwBQAFIATwBYAC4AYQBmAGUAbwBuAGwAaQBuAGUALgBuAGUAdAAIADAAMAAAAAAAAAAAAAAAACAAAK6dfzwK8q0yctw3nb8Es7vizb1e17w0TPPsIlbX/BvHCgAQAAAAAAAAAAAAAAAAAAAAAAAJADwASABUAFQAUAAvADAAMAAwAHMAbAAwADcAcAByAG8AeAAuAGEAZgBlAG8AbgBsAGkAbgBlAC4AbgBlAHQAAAAAAAAAAAA=
Host: t.fr.msn.com
Via: 1.1 000SL07PROX (squid/3.2.4-20121205-r11738)
X-Forwarded-For: 10.33.252.88
Cache-Control: max-age=259200
Connection: keep-alive

../...

2012/12/08 00:23:21.728 kid1| HttpHeader.cc(546) parse: parsing hdr:
(0x2fb5d48)
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;
Trident/6.0)
Accept-Encoding: gzip, deflate
Cookie: mh=MSFT; Sample=38; MUID=2E0332D24C216EAA086836F948216ED4
DNT: 1
Pragma: no-cache
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAJAAAABAAUABqAAAABIAEgBYAAAAEAAQAGoAAAAWABYAegAAAAAAAADoAQAABYKIogYC8CMAAAAPMzIoFOB6SjnpMImGzLG+AUEARgBFAE8ATgBMAEkATgBFAGQAdABvAHUAegBlAGEAdQAyADUAMgBEADgAMAAxAFQAQQBPAEwAAAAAAAAAAAAA

The Squid parent understand the authorization but the NTLM helper return
'NT_STATUS_INVALID_PARAMETER':

2012/12/08 00:23:21.731 kid1| helper.cc(969) helperStatefulHandleRead:
helperStatefulHandleRead: 31 bytes from ntlmauthenticator #1
2012/12/08 00:23:21.731 kid1| helper.cc(993) helperStatefulHandleRead:
helperStatefulHandleRead: end of reply found
2012/12/08 00:23:21.731 kid1| UserRequest.cc(116) releaseAuthServer:
releasing NTLM auth server '0x2c4c628'
2012/12/08 00:23:21.731 kid1| helper.cc(463) helperStatefulReleaseServer:
srv-0 flags.reserved = 1
2012/12/08 00:23:21.731 kid1| helper.cc(1202) StatefulGetFirstAvailable:
StatefulGetFirstAvailable: Running servers 4
2012/12/08 00:23:21.731 kid1| helper.cc(1222) StatefulGetFirstAvailable:
StatefulGetFirstAvailable: returning srv-0
2012/12/08 00:23:21.731 kid1| UserRequest.cc(322) HandleReply: Failed
validating user via NTLM. Error returned 'NT_STATUS_INVALID_PARAMETER'

I have set the external acl helper to debug in order to see if the squid
parent send username in order to retreive the group in the Active Directory:

2012/12/08 00:55:43.613 kid1| client_side_request.cc(760)
clientAccessCheckDone: The request GET http://t.fr.msn.com/ is 3, because it
matched 'Group1'

The rule "Group1" allow an active directory group to go to internet.
This means that the NTLM identification are correctly understood by the
parent and the phearent extracts the username from NTLM and sends it to the
helper

But for squid parents, users are not authenticated results are : deny
access.

Here its a part of my squid.conf in my Squid parent.

#NTLM authentication:
auth_param ntlm program
/usr/bin/ntlm_auth --domain=COMPANY.COM --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm COMPANY.COM
auth_param basic credentialsttl 2 hours
external_acl_type ads_group ttl=0 %LOGIN /etc/squid3/net_ads_group.pl

Squid Cache: Version 3.2.4-20121205-r11738

Is there any tips to let squid parent correctly accept the NTLM sent by the
Squid client ?
Received on Sat Dec 08 2012 - 00:26:58 MST