[squid-users] Squid Ident/NTLM ident_not_aware_hosts

From: Janno de Wit <[email protected]>
Date: Wed, 06 Oct 2004 21:52:53 +0200

Hi Folks,
 
We've a little ACL problem here. Let me explain the situation:
There are 2 networks, one for Admin, one for Educative. On the Admin
LAN, we want to use ident. On the Edu LAN, we want to use ident, except
for 3 Citrix servers, which should use NTLM.
Implemented in Squid, this becomes:

auth_param ntlm program /usr/lib/squid/ntlm_auth DO_EDU/PDC_EDU
auth_param ntlm children 50
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 60 minutes
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

acl all src 0.0.0.0/0.0.0.0

acl citrix_servers src 192.168.15.149 192.168.15.4 192.168.15.6
ident_lookup_access deny citrix_servers
ident_lookup_access allow all

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED # doesn't make any sense in problem
acl l_url_5 regex_domain "/etc/squid/ACL/l_url_5"
acl l_url_4 regex_domain "/etc/squid/ACL/l_url_4"

acl g_src_128 src "/etc/squid/ACL/g_IP_128"
acl g_user_128 ident -i "/etc/squid/ACL/g_USER_128"
acl g_ntlm_128 proxy_auth -i "/etc/squid/ACL/g_USER_128_ntlm"

acl g_src_126 src "/etc/squid/ACL/g_IP_126"
acl g_user_126 ident -i "/etc/squid/ACL/g_USER_126"
acl g_ntlm_126 proxy_auth -i "/etc/squid/ACL/g_USER_126_ntlm"
[snip other acl defs]
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow l_always_kliksafe
# ident / ip based auth for 128
http_access allow g_src_128 l_url_4
http_access allow g_user_128 l_url_4
http_access allow g_src_128
http_access allow g_user_128

http_access allow g_src_126 l_url_4
http_access allow g_user_126 l_url_4
http_access allow g_src_126
http_access allow g_user_126

[snip other acl defs, in this style]
# ntlm fallback auth
http_access allow g_ntlm_128 l_url_4
http_access allow g_ntlm_128

http_access allow g_ntlm_126 l_url_4
http_access allow g_ntlm_126

[eof]

This should force Squid not to do ident lookups to the Citrix servers.
But what happens...! Squid happily goes to get the ident request, and
finds 1 Citrix user, not the one which should be used by NTLM auth.
Because on one Citrix server 100 users can be logged in...

Of course, I can disable ident on the Citrix servers, but in this
situation that is not what I want because of other software. Squid should
not do any ident lookups for Citrix, so why is Squid doing this?
When I disable the ident server on Citrix, Squid is authorizing
with NTLM, as it should... Strange is that this setup has worked with
older Squids (as far as I know, I didn't get any complaints about wrong
rights given to individual Citrix users)...

Keep in mind: acl password proxy_auth REQUIRED # doesn't make any sense
in problem

Using Squid-2.5-STABLE6.

Is this a bug or a feature ;-).

Thanks a lot!

Regards, Janno.

Janno de Wit
DNA services B.V.
Received on Wed Oct 06 2004 - 13:53:15 MDT
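As an added illustration, not part of the post and not Squid's own code: a toy first-match evaluator in Python over the rule order quoted above. The contents of the /etc/squid/ACL/* files, the client addresses and the user names are constructed, since the post does not show them. The model takes the ident answer as an input rather than deciding whether a lookup happens, so it shows only what the rule order does once Squid has an ident result: the ident-based group lines sit before the NTLM fallback lines, so any ident answer that names a group member settles the request, and on a multi-user Citrix host that answer is one session's user standing in for everyone on the box. It also evaluates the post's ident_lookup_access list on its own, which for the Citrix addresses reads as "no lookup".

```python
"""Toy first-match evaluator for the http_access / ident ordering in the post.

Added example, not Squid code. Only three ACL types (src, ident, proxy_auth)
and the post's rule order are modelled.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed contents for the /etc/squid/ACL/* files (not shown in the post).
ACL_FILES = {
    "g_IP_128": {"192.168.15.20"},
    "g_USER_128": {"alice", "bob"},
    "g_USER_128_ntlm": {"do_edu\\alice", "do_edu\\bob"},
    "g_IP_126": {"192.168.15.30"},
    "g_USER_126": {"carol"},
    "g_USER_126_ntlm": {"do_edu\\carol"},
}

# Citrix server addresses exactly as listed in the post's acl line.
CITRIX_SERVERS = {"192.168.15.149", "192.168.15.4", "192.168.15.6"}

# ACL definitions from the post: name -> (acl type, match set); None means "any".
ACLS = {
    "all": ("src", None),
    "citrix_servers": ("src", CITRIX_SERVERS),
    "g_src_128": ("src", ACL_FILES["g_IP_128"]),
    "g_user_128": ("ident", ACL_FILES["g_USER_128"]),
    "g_ntlm_128": ("proxy_auth", ACL_FILES["g_USER_128_ntlm"]),
    "g_src_126": ("src", ACL_FILES["g_IP_126"]),
    "g_user_126": ("ident", ACL_FILES["g_USER_126"]),
    "g_ntlm_126": ("proxy_auth", ACL_FILES["g_USER_126_ntlm"]),
}

# ident_lookup_access lines from the post, in order.
IDENT_LOOKUP_ACCESS = [("deny", "citrix_servers"), ("allow", "all")]

# Group-level http_access lines from the post, in order. The "l_url_4"
# variants are omitted: they only narrow the same decision to some domains.
HTTP_ACCESS = [
    ("allow", "g_src_128"), ("allow", "g_user_128"),
    ("allow", "g_src_126"), ("allow", "g_user_126"),
    ("allow", "g_ntlm_128"), ("allow", "g_ntlm_126"),
]


@dataclass
class Request:
    src: str
    ident_user: Optional[str]  # answer from the client's ident server, None if it has none
    ntlm_user: Optional[str]   # account NTLM would authenticate, None if no credentials


def _match(acl_name: str, req: Request) -> bool:
    """Match one ACL against a request; `-i` in the post means case-insensitive."""
    acl_type, values = ACLS[acl_name]
    if acl_type == "src":
        return values is None or req.src in values
    if acl_type == "ident":
        return req.ident_user is not None and req.ident_user.lower() in values
    if acl_type == "proxy_auth":
        return req.ntlm_user is not None and req.ntlm_user.lower() in values
    raise ValueError(acl_type)


def ident_lookup_allowed(src: str) -> bool:
    """Evaluate ident_lookup_access: first match wins; no match gives the
    opposite of the last line's action (the usual Squid access-list rule)."""
    probe = Request(src, None, None)
    for action, acl_name in IDENT_LOOKUP_ACCESS:
        if _match(acl_name, probe):
            return action == "allow"
    return IDENT_LOOKUP_ACCESS[-1][0] != "allow"


def http_access(req: Request):
    """First matching http_access line decides.
    Returns (allowed, matched acl name, principal the decision rested on)."""
    for action, acl_name in HTTP_ACCESS:
        if _match(acl_name, req):
            acl_type = ACLS[acl_name][0]
            principal = {"src": req.src, "ident": req.ident_user,
                         "proxy_auth": req.ntlm_user}[acl_type]
            return action == "allow", acl_name, principal
    return HTTP_ACCESS[-1][0] != "allow", None, None


def citrix_scenarios():
    """One Citrix client, two ident situations, as described in the post."""
    # Ident answering: the server reports whichever session owns the socket,
    # here a constructed user that is not the NTLM account of the requester.
    with_ident = Request("192.168.15.149", ident_user="Alice", ntlm_user="DO_EDU\\bob")
    # Ident server disabled on the Citrix host: the ident lines cannot match.
    without_ident = Request("192.168.15.149", ident_user=None, ntlm_user="DO_EDU\\bob")
    return http_access(with_ident), http_access(without_ident)


if __name__ == "__main__":
    print("ident_lookup_access for 192.168.15.149:", ident_lookup_allowed("192.168.15.149"))
    for label, result in zip(("ident answering", "ident disabled"), citrix_scenarios()):
        print(f"{label}: allowed={result[0]} via {result[1]} as {result[2]!r}")
```

The two scenarios reproduce the behaviour the post reports: with an ident answer available, the request is granted on the `g_user_128` line as the ident-reported user, and the NTLM lines are never reached; with ident disabled on the Citrix host, the ident lines fail and the `g_ntlm_128` line grants the request as the NTLM-authenticated account.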
