RE: [squid-users] NTLM issues *Pretty long*

From: David Robinet <[email protected]>
Date: Wed, 28 Jan 2004 07:31:09 -0500

Thanks, Henrik.

I've literally pulled an all-nighter trying to get Squid up and running
(I'd managed to figure that out - after several hours of looking at
documentation, "Squid" and "Samba" began to look the same and I was
reading "Squid" documentation).

I've got authentication working for the most part. What I'm now
experiencing is that it pops up the 3 box authentication prompt
frequently, but not always. In other words, loading up www.yahoo.com
might pop up the authentication box 4 times - it will load most graphics
and maybe the top part of the HTML, for example, but it will ask for
authentication over and over again.

I've tried increasing the helper children to 15 (I was at 5), but that
didn't seem to help.

The log file looks like this (partial, with comments):

# Here, I tail -f'ed the log, and entered www.dslreports.com into IE6 on my PC. #
1075291824.640 1 172.17.4.51 TCP_DENIED/407 2474 GET http://www.dslreports.com/ - NONE/- text/html
1075292003.908 1 172.17.4.51 TCP_DENIED/407 2281 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.123 1 172.17.4.51 TCP_DENIED/407 2387 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.592 0 172.17.4.51 TCP_DENIED/407 2436 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292004.615 0 172.17.4.51 TCP_DENIED/407 2538 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292025.097 2 172.17.4.51 TCP_DENIED/407 2524 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
# Asked me for my userid, which I entered manually in the challenge box #
1075292025.330 223 172.17.4.51 TCP_MISS/200 3429 GET http://www.dslreports.com/front/1-lite-20031204.css ECD\DROBINET DIRECT/209.123.109.175 text/css
1075292025.404 0 172.17.4.51 TCP_DENIED/407 2362 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.406 0 172.17.4.51 TCP_DENIED/407 2346 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.436 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.438 1 172.17.4.51 TCP_DENIED/407 2450 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.448 0 172.17.4.51 TCP_DENIED/407 2358 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
1075292025.472 1 172.17.4.51 TCP_DENIED/407 2446 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
# Here, it begins using my credentials after failing a few authentications, but not asking me to re-enter: #
1075292025.701 212 172.17.4.51 TCP_MISS/200 498 GET http://i.dslr.net/sk/bl/go1.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.773 323 172.17.4.51 TCP_MISS/200 1603 GET http://i.dslr.net/sk/bl/lgin.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
1075292025.777 55 172.17.4.51 TCP_MISS/200 696 GET http://i.dslr.net/xml.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.841 460 172.17.4.51 TCP_MISS/200 5255 GET http://i.dslr.net/sk/bl/logo.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.873 59 172.17.4.51 TCP_MISS/200 326 GET http://i.dslr.net/fp2.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
# ...about 30 more successful parts of the page load, then... #
1075292074.490 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292076.605 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
# (...and it's begun asking me for userid once again.) #

So, wherever it seems to fail, it logs the "- NONE/-" bit, and then
prompts me for my userid. When I enter it, it does authenticate me
correctly, but then it reverts to challenging me. The challenge box does
appear to be for NTLM authentication (3 boxes, including the domain
field), but even that I'm not 100% sure of.

The only other logging I'm aware of is the winbindd.log file, which
simply contains:

[2004/01/28 06:58:30, 1]
nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list
[2004/01/28 07:01:00, 1]
nsswitch/winbindd_group.c:winbindd_getgroups(960)
  user 'root' does not exist
[2004/01/28 07:03:30, 1]
nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list

(over and over again...), and the log.winbindd file, which just says
it's been started.

I'm having a fairly difficult time troubleshooting this, and I'd
definitely appreciate anyone's advice, here. There's some pretty
enormous pressure right now to get our Internet under control, and I'm
really trying to win "my" proposal of Squid, instead of the Windows
admin standard MS Proxy (the money for which would come directly from my
budget).

I'm running Samba 3.0.1 (--version flags confirmed that all daemons are
3.0.1) and Squid 3.0-PRE3.

Here's squid.conf in its entirety. I went through and removed all
commented lines to try and make debugging easier:

----
http_port 3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
auth_param ntlm program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_reply_access allow all
icp_access allow all
visible_hostname wvproxy1
coredump_dir /usr/local/squid/var/cache
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----
Anyone have any suggestions at all?
Dave
--
Dave Robinet  (dave.robinet@magnasteyr.com)
IT Manager - Magna Steyr Engineering Center Detroit
Ph: 248-293-0206        Fax: 248-299-5711
>-----Original Message-----
>From: Henrik Nordstrom [mailto:hno@squid-cache.org] 
>Sent: Tuesday, January 27, 2004 6:06 PM
>To: David Robinet
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] NTLM issues
>
>
>On Tue, 27 Jan 2004, David Robinet wrote:
>
>> One glitch is that it doesn't appear to be building the ntlm_auth 
>> module. My configure options are:
>
>ntlm_auth is part of the Samba distribution when using Samba 3. Also 
>remember to read the Samba 3 ntlm_auth manual.
>
>> ./configure --enable-auth="ntlm,basic" 
>> --enable-external-acl-helpers="wbinfo_group" --enable-ssl 
>> --enable-snmp
>
>Looks fine to me. Not sure if you really need --enable-ssl 
>however, but it is 
>not relevant to your question.
>
>The path to Samba 3 ntlm_auth is different than when using the 
>older Samba 2.2.X helper shipped with Squid. See your Samba 
>package installation.
>
>Regards
>Henrik
>
>
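Added example for this thread (not code from the thread, from Squid or from Samba): a small Python script that parses the native access.log format quoted in the message, groups each client's consecutive unauthenticated 407 responses per URL into runs, and flags the runs that do not look like a clean NTLM handshake. The sample input is the access.log excerpt from the message, rejoined onto one line per entry; the function names, the two-challenge limit and the five-second "someone is at a prompt" threshold are my own assumptions.

```python
"""Spot failing NTLM handshakes in a Squid native access.log.

Added example for this thread; not Squid or Samba code. Function names
and the two thresholds below are assumptions, not documented behaviour.
"""
import re

# Native Squid access.log fields:
# timestamp elapsed client code/status bytes method URL user peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: the entries quoted in the message above, one per line;
# the '#' lines are the poster's comments and are skipped by the parser.
SAMPLE_LOG = r"""
# Here, I tail -f'ed the log, and entered www.dslreports.com into IE6 on my PC. #
1075291824.640 1 172.17.4.51 TCP_DENIED/407 2474 GET http://www.dslreports.com/ - NONE/- text/html
1075292003.908 1 172.17.4.51 TCP_DENIED/407 2281 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.123 1 172.17.4.51 TCP_DENIED/407 2387 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.592 0 172.17.4.51 TCP_DENIED/407 2436 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292004.615 0 172.17.4.51 TCP_DENIED/407 2538 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292025.097 2 172.17.4.51 TCP_DENIED/407 2524 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292025.330 223 172.17.4.51 TCP_MISS/200 3429 GET http://www.dslreports.com/front/1-lite-20031204.css ECD\DROBINET DIRECT/209.123.109.175 text/css
1075292025.404 0 172.17.4.51 TCP_DENIED/407 2362 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.406 0 172.17.4.51 TCP_DENIED/407 2346 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.436 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.438 1 172.17.4.51 TCP_DENIED/407 2450 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.448 0 172.17.4.51 TCP_DENIED/407 2358 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
1075292025.472 1 172.17.4.51 TCP_DENIED/407 2446 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
1075292025.701 212 172.17.4.51 TCP_MISS/200 498 GET http://i.dslr.net/sk/bl/go1.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.773 323 172.17.4.51 TCP_MISS/200 1603 GET http://i.dslr.net/sk/bl/lgin.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
1075292025.777 55 172.17.4.51 TCP_MISS/200 696 GET http://i.dslr.net/xml.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.841 460 172.17.4.51 TCP_MISS/200 5255 GET http://i.dslr.net/sk/bl/logo.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.873 59 172.17.4.51 TCP_MISS/200 326 GET http://i.dslr.net/fp2.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
# ...about 30 more successful parts of the page load, then... #
1075292074.490 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292076.605 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
"""


def parse_line(line):
    """Return one access.log entry as a dict, or None for comments/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def handshake_runs(log_text):
    """Group consecutive unauthenticated 407s per (client, URL) into runs.

    A run starts at the first 407 with user '-' for a URL and ends at the
    first non-407 for the same client and URL. Runs still open when the
    log ends are returned with resolved=False.
    """
    open_runs = {}  # (client, url) -> run being built
    runs = []       # finished runs, in the order they resolved
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["url"])
        if rec["status"] == 407 and rec["user"] == "-":
            run = open_runs.setdefault(key, {
                "client": rec["client"], "url": rec["url"], "challenges": 0,
                "first": rec["ts"], "last": rec["ts"], "resolved": False, "user": None,
            })
            run["challenges"] += 1
            run["last"] = rec["ts"]
        elif key in open_runs:
            run = open_runs.pop(key)
            run["resolved"] = True
            run["user"] = rec["user"]
            runs.append(run)
    runs.extend(open_runs.values())
    for run in runs:
        run["span"] = round(run["last"] - run["first"], 3)
    return runs


def flag_suspect(runs, max_challenges=2, prompt_seconds=5.0):
    """Return (client, url, reason) for runs that are not a clean handshake.

    NTLM over HTTP needs at most two 407s per connection (one announcing
    the scheme, one carrying the challenge) before the authenticate
    message is accepted; more means the helper rejected it. A run spread
    over several seconds means the browser stopped for a human at a
    prompt, which is the symptom described in the message.
    """
    flagged = []
    for run in runs:
        reasons = []
        if run["challenges"] > max_challenges:
            reasons.append("%d challenges" % run["challenges"])
        if run["span"] > prompt_seconds:
            reasons.append("%.1fs between challenges" % run["span"])
        if reasons:
            flagged.append((run["client"], run["url"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for client, url, why in flag_suspect(handshake_runs(SAMPLE_LOG)):
        print(client, url, "->", why)
```

Run against the excerpt, it flags the front page and the stylesheet (three challenges each, spread over the seconds the poster spent at the prompt) while the two-challenge runs for the images pass as normal handshakes. Because the excerpt elides about 30 successful lines, the 1ptrans.gif run covers both of that image's challenge bursts and is flagged too; on a complete log it would split into separate runs at the intervening 200.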
Received on Wed Jan 28 2004 - 05:31:17 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:09 MST