[squid-users] Squid and NTLM issue...

From: Kaan Saldiraner <kaan.saldiraner@dont-contact.us>
Date: Fri, 14 Nov 2003 14:39:58 -0500

I am running squid-2.5.STABLE4 and Samba, using winbind NTLM authentication...
When I try to access a site, I see in the logs that it is in fact sending the
domain and username... But when I try to access a site with NTLM
authentication, I get TCP_MISS/401... What am I doing wrong? And why does
squid need to send the domain and user info for every site... Any help would
be nice.. :-)

Thanks in advance

--
Kaan
Here is the setup
Squid configure: ./configure  --prefix=/usr/local/squid-ntlm --disable-wccp 
--enable-snmp --disable-ident-lookups --enable-underscores 
'--enable-auth=basic ntlm' '--enable-basic-auth-helpers=SMB MSNT' 
--enable-ntlm-auth-helpers=winbind
Samba configure: ./configure  --with-winbind --with-winbind-auth-challenge
Wbinfo works perfectly...
Here is my Squid Conf:
--snip
# squid conf file 
# Forward-proxy configuration: NTLM proxy authentication plus
# source-address ACLs. Lines marked NOTE(review) flag settings to
# confirm; no directive has been changed.
# ------------------------------- 
# Network options 
# ------------------------------- 
# Non-default listening ports for HTTP proxy traffic and ICP queries.
http_port 4040 
icp_port 4141 
# Do not cache URLs containing "cgi-bin" or a query string.
acl QUERY urlpath_regex cgi-bin \? 
no_cache deny QUERY 
# ------------------------------- 
# Cache Neighbour options 
# ------------------------------- 
# No parent or sibling cache is active (the only cache_peer is commented out).
#cache_peer machinename.domain.com parent 4040 3130  
# ------------------------------- 
# Cache size options 
# ------------------------------- 
maximum_object_size 4096 KB 
minimum_object_size 0 KB 
maximum_object_size_in_memory 512 KB 
# ------------------------------- 
# Cache dir & logging options 
# ------------------------------- 
cache_dir ufs /cache 8192 16 256 
pid_filename /var/lock/squid-cache.pid 
# NOTE(review): Squid documents this value as section,level with no space
# (e.g. ALL,1) - confirm how "all, 5" is parsed. High debug levels write
# verbose request detail to cache.log; return to a low level once the
# authentication problem is diagnosed and restrict read access to the log.
debug_options all, 5 
#-------------------------------- 
# NTLM OPTIONS 
# NOTE(review): the build shown in this message enabled only the winbind
# NTLM helper, and the wb_ntlmauth line below is commented out - confirm
# that ntlm_auth at this path is the helper you intend to run and that it
# is given the arguments it expects.
auth_param ntlm program /usr/local/squid-ntlm/libexec/ntlm_auth 
#authenticate_program_ntlm 
#authenticate_children_ntlm 5 
#auth_param ntlm program /usr/local/squid-ntlm/libexec/wb_ntlmauth          
# Ten helper processes handle NTLM handshakes.
auth_param ntlm children 10 
# A helper challenge is never reused and expires after two minutes;
# not reusing challenges is the conservative setting against replay.
auth_param ntlm max_challenge_reuses 0 
auth_param ntlm max_challenge_lifetime 2 minutes 
# ------------------------------- 
# options for external support programs 
# ------------------------------- 
# Address sent as the password for anonymous FTP logins.
ftp_user squid@machinename.domain.com 
ftp_list_width 64 
ftp_passive on 
# ------------------------------- 
# Cache tuning options 
# ------------------------------- 
#  REM - MRV - all these numbers are done on the basis of a T1 line having  
#  25 users on it, giving a viable request bandwidth of 5.5kb/sec 
quick_abort_min 22 Kb 
quick_abort_max 100 Kb 
quick_abort_pct 75 
# ------------------------------- 
# Cache admin options 
# ------------------------------- 
cache_mgr sysadmins@domain.com 
# Squid drops to this unprivileged user and group when started as root.
cache_effective_user squid 
cache_effective_group squid 
visible_hostname machinename.domain.com
# ------------------------------- 
# Cache misc options 
# ------------------------------- 
append_domain .domainname 
#chroot enable 
# NOTE(review): later Squid documentation warns that request pipelining
# interferes with connection-oriented authentication such as NTLM -
# worth testing with this turned off while debugging the 401s.
pipeline_prefetch on 
# ------------------------------- 
# Cache ACL options 
# ------------------------------- 
# "all" matches every source address.
acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object 
# NOTE(review): "IPAdress" looks like a placeholder substituted for the
# real addresses before posting. Squid treats a double-quoted ACL value as
# the name of a file to read (as on the urldenied line below), so the real
# file must list literal addresses rather than be written in quotes.
acl localhost src "IPAdress" 
# Matches any client that presents valid proxy credentials.
acl AuthorizedUsers proxy_auth REQUIRED 
acl AnotherPlace src "IPAdress"
acl Place src "IPAdress"
acl Place-no-nat src "IPAdress" 
acl urldenied url_regex "/usr/local/squid-ntlm/etc/urldenied" 
acl SSL_ports port 443 563 
acl Safe_ports port 80          # http 
acl Safe_ports port 21          # ftp 
acl Safe_ports port 443 563     # https, snews 
acl Safe_ports port 70          # gopher 
acl Safe_ports port 210         # wais 
acl Safe_ports port 1025-65535  # unregistered ports 
acl Safe_ports port 280         # http-mgmt 
acl Safe_ports port 488         # gss-http 
acl Safe_ports port 591         # filemaker 
acl Safe_ports port 777         # multiling http 
acl CONNECT method CONNECT 
# http_access rules are checked top to bottom and the first match decides.
# NOTE(review): the four "allow" rules for AuthorizedUsers and the source
# ACLs sit above "deny manager", "deny !Safe_ports" and
# "deny CONNECT !SSL_ports", so any request they match is allowed before
# those restrictions are consulted. The stock squid.conf places the
# manager/Safe_ports/CONNECT denies first; move them above the allows so
# authenticated or listed clients cannot reach the cache manager, low
# ports, or CONNECT tunnels to non-SSL ports.
http_access allow manager localhost 
http_access deny urldenied 
http_access allow all AuthorizedUsers 
# NOTE(review): because the proxy_auth rule comes first, clients without
# credentials are presumably challenged before these source-address rules
# are reached - confirm whether these networks were meant to bypass
# authentication, and order the rules accordingly.
http_access allow AnotherPlace 
http_access allow Place 
http_access allow Place-no-nat 
http_access deny manager 
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 
http_access deny all 
# NOTE(review): answers ICP queries from any source, which lets outsiders
# probe what the cache holds. With no cache_peer active, restrict this to
# known neighbours or disable ICP (icp_port 0).
icp_access allow all 
# ------------------------------- [eof] 
Received on Fri Nov 14 2003 - 12:42:42 MST
