Thanks, Henrik.
I've literally pulled an all-nighter trying to get Squid up and running
(I'd managed to figure that out - after several hours of looking at
documentation, "Squid" and "Samba" began to look the same and I was
reading "Squid" documentation).
I've got authentication working for the most part. What I'm now
experiencing is that it pops up the 3 box authentication prompt
frequently, but not always. In other words, loading up www.yahoo.com
might pop up the authentication box 4 times - it will load most graphics
and maybe the top part of the HTML, for example, but it will ask for
authentication over and over again.
I've tried increasing the helper children to 15 (I was at 5), but that
didn't seem to help.
The log file looks like this (partial, with comments):
# Here, I tail -f'ed the log, and entered www.dslreports.com into IE6 on
my PC. #
1075291824.640 1 172.17.4.51 TCP_DENIED/407 2474 GET
http://www.dslreports.com/ - NONE/- text/html
1075292003.908 1 172.17.4.51 TCP_DENIED/407 2281 GET
http://www.dslreports.com/ - NONE/- text/html
1075292004.123 1 172.17.4.51 TCP_DENIED/407 2387 GET
http://www.dslreports.com/ - NONE/- text/html
1075292004.592 0 172.17.4.51 TCP_DENIED/407 2436 GET
http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292004.615 0 172.17.4.51 TCP_DENIED/407 2538 GET
http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292025.097 2 172.17.4.51 TCP_DENIED/407 2524 GET
http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
# Asked me for my userid, which I entered manually in the challenge box
#
1075292025.330 223 172.17.4.51 TCP_MISS/200 3429 GET
http://www.dslreports.com/front/1-lite-20031204.css ECD\DROBINET
DIRECT/209.123.109.175 text/css
1075292025.404 0 172.17.4.51 TCP_DENIED/407 2362 GET
http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.406 0 172.17.4.51 TCP_DENIED/407 2346 GET
http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.436 0 172.17.4.51 TCP_DENIED/407 2430 GET
http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.438 1 172.17.4.51 TCP_DENIED/407 2450 GET
http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.448 0 172.17.4.51 TCP_DENIED/407 2358 GET
http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
1075292025.472 1 172.17.4.51 TCP_DENIED/407 2446 GET
http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
#Here, it begins using my credentials after failing a few
authentications, but not asking me to re-enter: #
1075292025.701 212 172.17.4.51 TCP_MISS/200 498 GET
http://i.dslr.net/sk/bl/go1.gif ECD\DROBINET DIRECT/209.123.205.211
image/gif
1075292025.773 323 172.17.4.51 TCP_MISS/200 1603 GET
http://i.dslr.net/sk/bl/lgin.gif ECD\DROBINET DIRECT/209.123.205.210
image/gif
1075292025.777 55 172.17.4.51 TCP_MISS/200 696 GET
http://i.dslr.net/xml.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.841 460 172.17.4.51 TCP_MISS/200 5255 GET
http://i.dslr.net/sk/bl/logo.gif ECD\DROBINET DIRECT/209.123.205.211
image/gif
1075292025.873 59 172.17.4.51 TCP_MISS/200 326 GET
http://i.dslr.net/fp2.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
# ...about 30 more successful parts of the page load, then... #
1075292074.490 0 172.17.4.51 TCP_DENIED/407 2430 GET
http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292076.605 0 172.17.4.51 TCP_DENIED/407 2430 GET
http://i.dslr.net/1ptrans.gif - NONE/- text/html
# (...and it's begun asking me for userid once again. #
So, wherever it seems to fail, it logs the "- NONE/-" bit, and then
prompts me for my userid. When I enter it, it does authenticate me
correctly, but then it reverts to challenging me. The challenge box does
appear to be for NTLM authentication (3 boxes, including the domain
field), but even that I'm not 100% sure of.
The only other logging I'm aware of is the winbindd.log file, which
simply contains:
[2004/01/28 06:58:30, 1]
nsswitch/winbindd_util.c:add_trusted_domains(207)
scanning trusted domain list
[2004/01/28 07:01:00, 1]
nsswitch/winbindd_group.c:winbindd_getgroups(960)
user 'root' does not exist
[2004/01/28 07:03:30, 1]
nsswitch/winbindd_util.c:add_trusted_domains(207)
scanning trusted domain list
(over and over again...), and the log.winbindd file, which just says
it's been started.
I'm having a fairly difficult time troubleshooting this, and I'd
definitely appreciate anyone's advice, here. There's some pretty
enormous pressure right now to get our Internet under control, and I'm
really trying to win "my" proposal of Squid, instead of the Windows
admin standard MS Proxy (the money for which would come directly from my
budget).
I'm running Samba 3.0.1 (--version flags confirmed that all daemons are
3.0.1) and Squid 3.0-PRE3.
Here's squid.conf in its entirety. I went through and removed all
commented lines to try and make debugging easier:
---- http_port 3128 icp_port 3130 hierarchy_stoplist cgi-bin ? auth_param ntlm program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 15 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 15 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_reply_access allow all icp_access allow all visible_hostname wvproxy1 coredump_dir /usr/local/squid/var/cache acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers ---- Anyone have any suggestions at all? Dave -- Dave Robinet (dave.robinet@magnasteyr.com) IT Manager - Magna Steyr Engineering Center Detroit Ph: 248-293-0206 Fax: 248-299-5711 >-----Original Message----- >From: Henrik Nordstrom [mailto:hno@squid-cache.org] >Sent: Tuesday, January 27, 2004 6:06 PM >To: David Robinet >Cc: squid-users@squid-cache.org >Subject: Re: [squid-users] NTLM issues > > >On Tue, 27 Jan 2004, David Robinet wrote: > >> One glitch is that it doesn't appear to be building the ntlm_auth >> module. My configure options are: > >ntlm_auth is part of the Samba distribution when using Samba 3. Also >remember to read the Samba 3 ntlm_auth manual. > >> ./configure --enable-auth="ntlm,basic" >> --enable-external-acl-helpers="wbinfo_group" --enable-ssl >> --enable-snmp > >Looks fine to me. Nor sure if you really need --enable-ssl >however, but is >not relevant to your question. > >The path to Samba 3 ntlm_auth is different than when using the >older Samba 2.2.X helper shipped with Squid. See your Samba >package installation. > >Regards >Henrik > >Received on Wed Jan 28 2004 - 05:31:17 MST
This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:09 MST