[squid-users] squid-farm and NTLM

From: Pophal, Michael <[email protected]>
Date: Wed, 3 Apr 2002 10:40:38 +0200

Hi all,

We've a problem!
What about squid cascades? We have the following squid arrangement:

client - squid 1 - squid 2 - internet
                     |
                     |___ PDC (de_erl_m9a/erlm540a)

squid 1 cascades to its parent squid 2. squid 2 does the client authentication via NTLM.

The configuration of squid 1 is just 'http_access allow all'.

The configuration of squid 2 is:
auth_param ntlm program /opt/squid/bin/ntlm_auth -d de_erl_m9a/erlm540a -d ww001/anakin
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl test proxy_auth REQUIRED
http_access allow test

Here are the excerpts of the logs:
squid 1 (access.log):
1017822454.485 0 146.254.168.202 TCP_MISS/407 1354 GET http://www.web.de/ - ROUNDROBIN_PARENT/146.254.166.116 text/html
1017822454.485 0 146.254.168.202 TCP_MISS/407 1423 GET http://www.web.de/ - ROUNDROBIN_PARENT/146.254.166.116 text/html
1017822454.485 0 146.254.168.202 TCP_MISS/407 1423 GET http://www.web.de/ - ROUNDROBIN_PARENT/146.254.166.116 text/html

squid 2 (cache.log):
ntlm-auth[14923](ntlm_auth.c:277): managing request
ntlm-auth[14923](ntlm_auth.c:283): ntlm authenticator. Got 'YR' from Squid
ntlm-auth[14923](ntlm_auth.c:231): obtain_challenge: selecting DE_ERL_M9A\ERLM540A (attempt #1)
ntlm-auth[14923](ntlm_auth.c:244): attempting challenge retrieval
ntlm-auth[14923](libntlmssp.c:119): Connecting to server ERLM540A domain DE_ERL_M9A
ntlm-auth[14923](ntlm_auth.c:246): make_challenge retuned 0x120025ad9
ntlm-auth[14923](ntlm_auth.c:248): Got it
ntlm-auth[14923](ntlm_auth.c:430): sending 'TT TlRMTVNTUAACAAAACgAKACgAAACCgkEACN38B2UFIE4AAAAAAAAAAERFX0VSTF9NOUE=' to squid

Why does the handshake interrupt? It seems the communication ends with TT.

Any ideas? Has anybody had experience with squid hierarchies?

Any suggestion is appreciated,

thanx

Mike
Received on Wed Apr 03 2002 - 01:40:54 MST
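
Added example, not part of the original post: a Python decoder for the 'TT' line in the squid 2 cache.log excerpt above. It shows that the token is an NTLMSSP Type 2 (challenge) message, so the helper has answered squid's 'YR' and the next step in the handshake is the client's Type 3 response. The function name and the flag table (a subset of the NTLMSSP negotiate flags) are choices made for this example.

```python
import base64
import struct

# Subset of the NTLMSSP negotiate-flag bits (names chosen for this example).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000200: "NEGOTIATE_NTLM",
    0x00010000: "TARGET_TYPE_DOMAIN",
}

# Helper output line copied from the cache.log excerpt in the post.
SAMPLE = ("ntlm-auth[14923](ntlm_auth.c:430): sending 'TT "
          "TlRMTVNTUAACAAAACgAKACgAAACCgkEACN38B2UFIE4AAAAAAAAAAERFX0VSTF9NOUE="
          "' to squid")


def parse_tt_line(line):
    """Extract and decode the NTLM Type 2 message carried by a 'TT' line."""
    start = line.index("TT ") + 3
    token = line[start:].split("'")[0].strip()
    msg = base64.b64decode(token, validate=True)
    # Fixed part of a Type 2 message: signature, type, target name
    # descriptor (len, maxlen, offset), flags, 8-byte server challenge.
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected Type 2 (challenge), got Type {msg_type}")
    name_len, _max_len, name_off, flags = struct.unpack_from("<HHII", msg, 12)
    if name_off + name_len > len(msg):
        raise ValueError("target name runs past end of message")
    raw = msg[name_off:name_off + name_len]
    # The target name is UTF-16LE only if the Unicode flag is set.
    target = raw.decode("utf-16-le" if flags & 0x1 else "latin-1")
    return {
        "type": msg_type,
        "target": target,
        "challenge": msg[24:32].hex(),
        "flags": sorted(name for bit, name in FLAGS.items() if flags & bit),
    }


if __name__ == "__main__":
    print(parse_tt_line(SAMPLE))
```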
