[squid-users] Random auth popup, help needed

From: <[email protected]>
Date: Fri, 19 Mar 2004 10:18:58 -0500

Hi everybody,

I hope somebody can point me to the right direction. When browsing the web, my users are sometimes getting random basic authentication popups.

I'm using squid 2.5.STABLE5 on two Red Hat Linux 9 (one as parent the other a sibling). I'm also using NTLM auth with winbind (Samba 3.0.0) on a NT4 domain.

I search the web and FAQ for similar problems, but in the solutions I found, none of them works.

I found the "Random auth popups and account lockouts when using NTLM" patch on the squid website so I updated from squid STABLE4 to STABLE5, but I still got the popups.

I notice also that when a user got a popup in the log file I can see a line similar to that:
1079705199.972 56 10.10.2.15 TCP_SWAPFAIL_MISS/407 1886 GET http://212.158.38.131/provantis/images/instemsite0.gif DOMAIN\USERNAME DEFAULT_PARENT/squidout.ctbr.com text/html

I red about TCP_SWAPFAIL_MISS, and according to what I found, I shouldn't care about that. The 407 code mean Proxy auth required, so this is probably the problem, but why the NTLM doesn't answer?

Here is a part of my squid.conf:
---------------------------cut------------------------------------
# NTLM Auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 20
auth_param ntlm max_challenge_lifetime 20 minutes

# Basic Auth (in case the client doesn't support NTLM)
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server Basic Auth
auth_param basic credentialsttl 2 hours

# Full internet user access file
acl FULL proxy_auth "/etc/squid/users/users.full"

# User list that can download specific extentions (see acl EXTDENY for extention list)
acl EXTUSERS proxy_auth "/etc/squid/users/users.extentions"

# File extentions denied for normal user, accepted for ITS
acl EXTDENY1 urlpath_regex "/etc/squid/acl/extentions1.list"

# File extentions that are denied for everybody (even ITS)
acl EXTDENY2 urlpath_regex "/etc/squid/acl/extentions2.list"

# This is to accept ICP queries from squidout
acl ICPSQUIDOUT src 192.168.254.3/255.255.255.255

# List the MAC address of internet stations, to bypass the auth on those computers
acl INETSTATION arp "/etc/squid/users/inetmac.list"

# Exception list
acl EXCEPTIONS url_regex "/etc/squid/acl/exceptions.list"

# Exception for Pasteur2 to be able to download Sophos updates
acl PASTEUR2 arp 00:02:B3:8A:F8:DE
acl SOPHOS dstdomain .sophos.com

# Permit direct access to internal servers
acl LANSERV dstdomain "/etc/squid/acl/alwaysdirect.list"

# Allow Internet stations
http_access allow INETSTATION !EXTDENY1 !EXTDENY2

# Allow direct access to internal servers
always_direct allow LANSERV

# Allow Pasteur2 to download Sophos updates
http_access allow PASTEUR2 SOPHOS

# Exception list
http_access allow EXCEPTIONS FULL

# Allow Squidout to do ICP queries
http_access allow ICPSQUIDOUT

# Allow users that are in the extentions list to download some extentions
http_access allow EXTUSERS EXTDENY1

# Deny extentions in extentions2.list for everybody
http_access deny EXTDENY2

# Deny other extentions
http_access deny EXTDENY1

# Send them to this page
deny_info http://squidin/accessdenied.php?reason=ext EXTDENY1
deny_info http://squidin/accessdenied.php?reason=ext EXTDENY2

# Allow access to FULL
http_access allow FULL all

# Deny the rest
http_access deny all

---------------------------------cut-----------------------------

If you need more information ask me.

Thanks in advance,

Jean-Philippe Houde
Received on Fri Mar 19 2004 - 08:19:13 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST