List:       squid-users
Subject:    Re: [squid-users] Strange Squid problem.
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2008-05-30 9:06:11
Message-ID: 483FC383.3040609 () treenet ! co ! nz

Henti Smith wrote:
> Hi all.
> 
> I'm having a weirdness at a client.
> 
> Squid auth using ntlm on samba that's connected to ADS.
> 
> Setup was working until they replaced the ads server with a new one. I have
> updated configs with the new ADS and re-added samba. However, squid auth is
> still not working.
> 
> wbinfo -g and -u work; wbinfo -t succeeds.
> ntlm_auth run as proxy user succeeds.
> 
> I've set up debug to 4 and the following is the output in cache.log
> 
> 2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
> 2008/05/27 10:55:47| aclMatchAclList: checking my_auth
> 2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth
> REQUIRED'
> 2008/05/27 10:55:47| authenticateAuthenticate: no connection authentication
> type
> 2008/05/27 10:55:47| aclMatchAcl: returning 0 sending credentials to
> helper.
> 2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
> 2008/05/27 10:55:47| aclCheck: checking password via authenticator
> 2008/05/27 10:55:47| authenticateNTLMHelperServerAvailable: not starving -
> returning 1
> 2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
> 2008/05/27 10:55:47| aclMatchAclList: checking my_auth
> 2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth
> REQUIRED'
> 2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
> 2008/05/27 10:55:47| aclCheck: match found, returning 2
> 2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED,
> because it matched 'my_auth'
> 
> The current config is at : http://paste.lisp.org/display/61303
> 
> Any ideas? Comments?

NTLM authentication works by sending the browser a "407 Authentication 
Required" message back to the browser if it did not supply auth 
credentials in its request.

That looks like a normal first-cycle NTLM authentication check to me.

You should see it followed up by an identical request to the same URL, 
but which passes or fails the auth test without saying "sending 
authentication challenge".

Amos
-- 
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
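
The check described in the reply above, as an added example that is not part of the original thread: it pairs each challenged DENIED line in cache.log with the follow-up request to the same URL. The sample log is constructed; the ALLOWED wording is assumed to mirror the DENIED line quoted above, and log lines are assumed unwrapped and from one client.

```python
import re

# Constructed sample in the cache.log format quoted above (unwrapped lines).
# The ALLOWED wording is assumed to mirror the DENIED line from the thread.
SAMPLE_LOG = """\
2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED, because it matched 'my_auth'
2008/05/27 10:55:48| The request GET http://www.google.com/ is ALLOWED, because it matched 'my_auth'
2008/05/27 10:55:50| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:50| The request GET http://example.test/ is DENIED, because it matched 'my_auth'
2008/05/27 10:55:52| The request GET http://intranet.test/ is DENIED, because it matched 'block_list'
"""

VERDICT = re.compile(r"\| The request (\S+) (\S+) is (ALLOWED|DENIED), because it matched '([^']+)'")
CHALLENGE = "sending authentication challenge"

def classify(log_text):
    """Return (url, status) pairs: 'authenticated', 'auth-failed',
    'challenge-unanswered' or 'denied-by-acl'."""
    results = []
    pending = {}        # url -> index in results of an open challenge
    challenged = False  # a challenge line was seen since the last verdict
    for line in log_text.splitlines():
        if CHALLENGE in line:
            challenged = True
            continue
        m = VERDICT.search(line)
        if not m:
            continue
        _method, url, verdict, _acl = m.groups()
        if verdict == "DENIED" and challenged:
            # Normal first cycle: the 407 went out, the retry decides.
            if url not in pending:
                pending[url] = len(results)
                results.append((url, "challenge-unanswered"))
        elif url in pending:
            # Follow-up to the same URL without a new challenge.
            status = "authenticated" if verdict == "ALLOWED" else "auth-failed"
            results[pending.pop(url)] = (url, status)
        elif verdict == "DENIED":
            results.append((url, "denied-by-acl"))
        challenged = False
    return results

if __name__ == "__main__":
    for url, status in classify(SAMPLE_LOG):
        print(f"{status:22} {url}")
```

A `challenge-unanswered` result means the log holds only the first cycle for that URL, which is the situation in the excerpt quoted in this thread.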