[squid-users] cache_peer_access and NTLM groups.

From: Christopher Weimann <cweimann@dont-contact.us>
Date: Mon, 24 Mar 2003 15:09:45 -0500

I am running 2.5.STABLE2 with squid-2.5.STABLE2-concurrent_external_acl.patch
This did not work without the concurrent_external_acl.patch either.

I am having trouble using cache_peer_access with groups and
NTLM. This works perfectly with Mozilla and Basic auth but
not with NTLM (IE6 or IE5.5). Sometimes the page comes up
with broken images and sometimes I get "Unable to forward
this request at this time."

It seems that it is failing to pick a cache_peer. I turned on
some debug_options and it appears that the auth info is lost
at some point when using NTLM.

It works ...

2003/03/24 13:56:04| aclCheckFast: list: 0x821a6d0
2003/03/24 13:56:04| aclMatchAclList: checking Staff
2003/03/24 13:56:04| aclMatchAcl: checking 'acl Staff external nt_group Staff'
2003/03/24 13:56:04| aclMatchExternal: acl="nt_group"
2003/03/24 13:56:04| authenticateAuthenticate: header NTLM TlRMTVNTUAADAAAAGAAYAF....[snip]....
2003/03/24 13:56:04| authenticateAuthenticate: This is a new checklist test on FD:-1
2003/03/24 13:56:04| authenticateAuthUserRequestLock auth_user request '0x87087a0'.
2003/03/24 13:56:04| authenticateAuthUserRequestLock auth_user request '0x87087a0' now at '3'.
2003/03/24 13:56:04| authenticateValidateUser: Validating Auth_user request '0x87087a0'.
2003/03/24 13:56:04| authenticateValidateUser: Validated Auth_user request '0x87087a0'.
2003/03/24 13:56:04| authenticateAuthUserRequestUnlock auth_user request '0x87087a0'.
2003/03/24 13:56:04| authenticateAuthUserRequestUnlock auth_user_request '0x87087a0' now at '2'.
2003/03/24 13:56:04| aclMatchExternal: nt_group = 1
2003/03/24 13:56:04| aclMatchAclList: returning 1

and then moments later it doesn't ...

2003/03/24 13:56:04| aclCheckFast: list: 0x821a6d0
2003/03/24 13:56:04| aclMatchAclList: checking Staff
2003/03/24 13:56:04| aclMatchAcl: checking 'acl Staff external nt_group Staff'
2003/03/24 13:56:04| aclMatchExternal: acl="nt_group"
2003/03/24 13:56:04| authenticateValidateUser: Validating Auth_user request '0x0'.
2003/03/24 13:56:04| authenticateValidateUser: Auth_user_request was NULL!
2003/03/24 13:56:04| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2003/03/24 13:56:04| aclMatchAcl: returning 0 sending authentication challenge.
2003/03/24 13:56:04| aclMatchExternal: nt_group user not authenticated (0)
2003/03/24 13:56:04| aclMatchAclList: returning 0

Here are the important bits of my squid.conf

debug_options ALL,1 28,9 29,9 44,9 3,9 54,9 82,9 84,9 72,9

auth_param ntlm program /usr/local/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type nt_group %LOGIN /usr/local/libexec/wb_group.sh

acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED

miss_access allow all
never_direct allow all

acl Proxy1 external nt_group Proxy1
acl Staff external nt_group Staff

http_access deny !password

http_access allow Staff
http_access allow Proxy1

http_access deny all

cache_peer 127.0.0.1 parent 8081 0 proxy-only no-query
cache_peer_access 127.0.0.1 allow Proxy1
cache_peer_access 127.0.0.1 deny !Proxy1

cache_peer 127.0.0.2 parent 8082 0 proxy-only no-query
cache_peer_access 127.0.0.2 allow Staff
cache_peer_access 127.0.0.2 deny !Staff

Thanks in advance.
Received on Mon Mar 24 2003 - 13:09:50 MST
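
Added example, not part of the original post: a small parser for the kind of debug output shown above (sections 28 and 29 at level 9) that groups lines by aclCheckFast call and flags the calls evaluated with a NULL auth_user_request. The function names and the SAMPLE text are assumptions made for this example; SAMPLE is constructed by abbreviating the two log excerpts in the post.

```python
import re

# Constructed sample: abbreviated from the two debug excerpts in the post.
SAMPLE = """\
2003/03/24 13:56:04| aclCheckFast: list: 0x821a6d0
2003/03/24 13:56:04| aclMatchAclList: checking Staff
2003/03/24 13:56:04| aclMatchExternal: acl="nt_group"
2003/03/24 13:56:04| authenticateValidateUser: Validating Auth_user request '0x87087a0'.
2003/03/24 13:56:04| aclMatchExternal: nt_group = 1
2003/03/24 13:56:04| aclMatchAclList: returning 1
2003/03/24 13:56:04| aclCheckFast: list: 0x821a6d0
2003/03/24 13:56:04| aclMatchAclList: checking Staff
2003/03/24 13:56:04| authenticateValidateUser: Validating Auth_user request '0x0'.
2003/03/24 13:56:04| authenticateValidateUser: Auth_user_request was NULL!
2003/03/24 13:56:04| aclMatchExternal: nt_group user not authenticated (0)
2003/03/24 13:56:04| aclMatchAclList: returning 0
"""

# "<date> <time>| <function>: <message>"
LINE = re.compile(r"^(\S+ \S+)\| (\w+): (.*)$")

def fast_checks(log_text):
    """Return one record per aclCheckFast call found in the debug log."""
    checks, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "aclCheckFast":
            # A new fast check starts; later lines belong to it.
            cur = {"time": ts, "acl": None, "auth_request": None, "result": None}
            checks.append(cur)
        elif cur is None:
            continue  # lines before the first aclCheckFast are ignored
        elif func == "aclMatchAclList" and msg.startswith("checking "):
            cur["acl"] = msg.split()[1]
        elif func == "authenticateValidateUser" and "Validating" in msg:
            cur["auth_request"] = msg.split("'")[1]  # pointer between quotes
        elif func == "aclMatchAclList" and msg.startswith("returning "):
            cur["result"] = int(msg.split()[1])
    return checks

def lost_auth(checks):
    """Fast checks that ran with no auth_user_request attached (pointer 0x0)."""
    return [c for c in checks if c["auth_request"] == "0x0"]

if __name__ == "__main__":
    for c in lost_auth(fast_checks(SAMPLE)):
        print(c["time"], "acl", c["acl"], "evaluated without auth, result", c["result"])
```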
