Problem with ACL
Cathy Hui




 
01-31-06 07:46 AM

I am trying to set up Squid with winbind (from samba) to get NTLM and
basic authentication.

It's confusing me, b/c I am not able to authenticate to the proxy.
According to the log file, it said both ALLOWED & DENIED matched the
'Authenticated' ACL.  Could someone please point out what was wrong with
the squid.conf?

HERE is my squid.conf:
================================================
cache_peer dev-bld-sol8.blahblah.com         parent   3128 3130 proxy-only
http_port 3128 80 443
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
pid_filename /usr/local/squid/var/logs/squid.pid
auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 64 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid.htpasswd
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 8080     # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # ssh scp
acl Safe_ports port 23          # telnet
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl Authenticated proxy_auth REQUIRED
no_cache deny QUERY
http_access allow manager localhost
http_access allow Authenticated
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow all
acl FTP proto FTP
always_direct allow FTP
cache_mgr chui@blahblah.com
cache_effective_user nobody
cache_effective_group nobody
memory_pools on
forwarded_for on
error_directory /usr/local/squid/share/errors/English
coredump_dir /usr/local/squid
debug_options ALL,1 33,2
visible_hostname dev-bld-sol8

===========================================================

Here is the cache.log:

=========================================================

2006/01/31 03:59:50| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_request(1609)
Got 'YR' from squid (length: 2).
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
2006/01/31 03:59:50| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(597)
NTLMSSP challenge
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_request(1609)
Got 'KK TlRMTVNTUAADAAAAGAAYAFQAAAAYABgAbAAAAAMAAwBAAAAABAAEAEMAAAANAA0ARwAAAAAAAACEAAAAAgIAAERFVldFSTFBWC1JUENCVUlMRDAxyIlwWS17Ek04LO7p9zVJNjUqBzy6k2JkaluB3lP6FHmutfOaLI3xEYzfj+dF278M' from squid (length: 179).
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(587)
got NTLMSSP packet:
[2006/01/31 03:59:50, 10] lib/util.c:dump_data(1977)
[2006/01/31 03:59:50, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[WEI1] domain=[DEV] workstation=[AX-IPCBUILD01] len1=24 len2=24
[2006/01/31 03:59:51, 10] libsmb/ntlmssp.c:ntlmssp_server_auth(705)
ntlmssp_server_auth: Using unmodified nt session key.
[2006/01/31 03:59:51, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/01/31 03:59:51, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x00000212
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
[2006/01/31 03:59:51, 5] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(397)
NTLMSSP Sign/Seal - using NT KEY
2006/01/31 03:59:50| The request GET http://www.apple.com/ is ALLOWED, because it matched 'Authenticated'
2006/01/31 03:59:51| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
2006/01/31 03:59:51| The reply for GET http://www.apple.com/ is ALLOWED, because it matched 'all'
[2006/01/31 03:59:51, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(608)
NTLMSSP OK!
2006/01/31 04:00:19| authenticateAuthenticate: Unexpected change of authentication scheme from 'ntlm' to 'Basic dXNlcjE6dXNlcjE=' (client 10.10.50.48)
2006/01/31 04:00:19| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
^C
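
Added example, not part of the original post: a short Python script that pulls the access-check verdicts and the authentication-scheme warning out of a cache.log like the one above, so the ALLOWED and DENIED decisions for one request can be read in order. The sample lines are copied from the post with wrapped lines rejoined; the function and pattern names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: Squid lines copied from the cache.log in the post,
# with wrapped lines rejoined. One ntlm_auth helper line is kept to show
# that helper output is skipped.
SAMPLE_LOG = """\
2006/01/31 03:59:50| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
[2006/01/31 03:59:50, 10] utils/ntlm_auth.c:manage_squid_request(1609)
2006/01/31 03:59:50| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
2006/01/31 03:59:50| The request GET http://www.apple.com/ is ALLOWED, because it matched 'Authenticated'
2006/01/31 03:59:51| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
2006/01/31 04:00:19| authenticateAuthenticate: Unexpected change of authentication scheme from 'ntlm' to 'Basic dXNlcjE6dXNlcjE=' (client 10.10.50.48)
2006/01/31 04:00:19| The request GET http://www.apple.com/ is DENIED, because it matched 'Authenticated'
"""

VERDICT = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| The request (?P<method>\S+) "
    r"(?P<url>\S+) is (?P<verdict>ALLOWED|DENIED), because it matched '(?P<acl>[^']+)'")
SCHEME_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+)\| authenticateAuthenticate: Unexpected change of "
    r"authentication scheme from '(?P<old>[^']+)' to '(?P<new>\w+)[^']*' "
    r"\(client (?P<client>[\d.]+)\)")

def summarize(log_text):
    """Return (verdict timeline per (method, url, acl), scheme-change events)."""
    timeline = defaultdict(list)
    changes = []
    for line in log_text.splitlines():
        m = VERDICT.match(line)
        if m:
            timeline[(m["method"], m["url"], m["acl"])].append((m["ts"], m["verdict"]))
            continue
        m = SCHEME_CHANGE.match(line)
        if m:
            # Keep only the scheme name; the credential blob after it is dropped.
            changes.append((m["ts"], m["client"], m["old"], m["new"]))
    return dict(timeline), changes

if __name__ == "__main__":
    timeline, changes = summarize(SAMPLE_LOG)
    for key, events in timeline.items():
        print(key, [verdict for _, verdict in events])
    for change in changes:
        print("scheme change:", change)
```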





