Re: [squid-users] NTLM username logging problem

From: <lukas.fuchs@dont-contact.us>
Date: Tue, 11 May 2004 18:16:15 +0200

Here... have a look on this: -> username must be specified! what does this
mean???
It is from the /etc/squid/cache.log

2004/05/11 15:52:57| Done reading /etc/squid/cache swaplog (3385 entries)
2004/05/11 15:52:57| Finished rebuilding storage from disk.
2004/05/11 15:52:57| 3385 Entries scanned
2004/05/11 15:52:57| 0 Invalid entries.
2004/05/11 15:52:57| 0 With invalid flags.
2004/05/11 15:52:57| 3385 Objects loaded.
2004/05/11 15:52:57| 0 Objects expired.
2004/05/11 15:52:57| 0 Objects cancelled.
2004/05/11 15:52:57| 0 Duplicate URLs purged.
2004/05/11 15:52:57| 0 Swapfile clashes avoided.
2004/05/11 15:52:57| Took 0.2 seconds (19186.9 objects/sec).
2004/05/11 15:52:57| Beginning Validation Procedure
2004/05/11 15:52:57| Completed Validation Procedure
2004/05/11 15:52:57| Validated 3385 Entries
2004/05/11 15:52:57| store_swap_size = 30104k
username must be specified!

Usage: [OPTION...]
  --helper-protocol=helper protocol to use operate as a stdio-based
helper
  --username=STRING username
  --domain=STRING domain name
  --workstation=STRING workstation
  --challenge=STRING challenge (HEX encoded)
  --lm-response=STRING LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING User's plaintext password
  --request-lm-key Retreive LM session key
  --request-nt-key Retreive NT session key
  --diagnostics Perform diagnostics on the
                                               authentictaion chain

Help options:
  -?, --help Show this help message
  --usage Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL Set debug level
  -s, --configfile=CONFIGFILE Use alternative
configuration
                                               file
  -l, --log-basename=LOGFILEBASE Basename for log/debug files
  -V, --version Print version
username must be specified!

Usage: [OPTION...]
  --helper-protocol=helper protocol to use operate as a stdio-based
helper
  --username=STRING username
  --domain=STRING domain name
  --workstation=STRING workstation
  --challenge=STRING challenge (HEX encoded)
  --lm-response=STRING LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING User's plaintext password
  --request-lm-key Retreive LM session key
  --request-nt-key Retreive NT session key
  --diagnostics Perform diagnostics on the
                                               authentictaion chain

Help options:
  -?, --help Show this help message
  --usage Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL Set debug level
  -s, --configfile=CONFIGFILE Use alternative
configuration
                                               file
  -l, --log-basename=LOGFILEBASE Basename for log/debug files
  -V, --version Print version
2004/05/11 15:52:58| storeLateRelease: released 0 objects

                                                                           
             sdavy@bics.fr
                                                                           
             11.05.2004 18:45 To
                                                                           
                                       lukas.fuchs@rieter.com
                                                                        cc
                                       squid-users@squid-cache.org
                                                                           
                                                                           
                                                                           
                                                                           
                                                                   Subject
                                       [squid-users] NTLM username logging
                                       problem
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           

This means that your authentication doesn't work properly

What do you have in cache.log? in winnbind.log?

---
Stéphane Davy - Consultant Alcôve
                      lukas.fuchs@rieter.com
                                                Pour :   sdavy@bics.fr
                      11/05/2004 16:42          cc :
squid-users@squid-cache.org
                                                Objet :  Re: [squid-users]
NTLM username logging problem
hm no it' doesnt work... in the access.log is written: Denied!
so
acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 82.29.1.0/24
http_access allow all authorizedusers
http_access allow our_networks
http_access deny allw
works and
acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow all authorizedusers
http_access deny all
works not...
but if the fing that was told me bevor is right, I've a failure in the
working one...
and it jups over this faiure, probably it works because of this jump.
(remember: the sting: http_access allow our_networks is not used because
this schould stay in the upper allow line ....)
strange...
Lukas
             sdavy@bics.fr
             11.05.2004 16:55                                           To
                                       lukas.fuchs@rieter.com
                                                                        cc
                                       squid-users@squid-cache.org
                                                                   Subject
                                       [squid-users] NTLM username logging
                                       problem
and with that:
acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow all authorizedusers
http_access deny all
what happens?
---
Stéphane Davy - Consultant Alcôve
                      lukas.fuchs@rieter.com
                                                Pour :
squid-users@squid-cache.org
                      11/05/2004 14:18          cc :
                                                Objet :  [squid-users] Re:
Réf. : [squid-users] NTLM username logging problem
      Hm ok. Sorry my fault... In other words: My problem is not the
security with ACL's...
   I just want to log the usernames with NTLM into a file ( access.log).
   Maybe I should try it without ACL's... Ok on a minimum reduced it looks
like this:
squid.conf:
...
debug_options ALL,1
auth_param ntlm program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-basic
acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 82.29.1.0/24
http_access allow all authorizedusers
http_access allow our_networks
http_access deny all
=====================================================
Now, if somebody tries to connect to the internet, he has to be authorized,
I think???
Ok if he's really authorized, I want do write (it should write!) the
username in a file (perhaps access.log),
that I can read out, who has which website on which time visited...
@ the moment, it works, but the access.log still looks like:
1084264501.855   3416 82.29.1.18 TCP_MISS/200 3980 GET
http://www.google.ch/ - DIRECT/www.google.ch text/html
   there is an ip, but no username... I don't know what to do to become
this username! It's confusing...
   But I think the acl authorizedusers proxy_auth REQUIRED is the key to
this problem...
   Thanks for your help!
   Lukas
             sdavy@bics.fr
             11.05.2004 15:10                                           To
                                       lukas.fuchs@rieter.com
                                                                        cc
                                       squid-users@squid-cache.org
                                                                   Subject
                                       Réf. : [squid-users] NTLM username
                                       logging problem
I think i have it:
you define a acl called our_network based on a src IP, and you allow it
http_access. i think you probably want to allow access to servers inside
your network, and then use a "dst" acl definition instead of a "src" one.
Is it what you want to do?
---
Stéphane Davy - Consultant Alcôve
                      lukas.fuchs@rieter.com
                                                Pour :
squid-users@squid-cache.org
                      11/05/2004 10:30          cc :
                                                Objet :  [squid-users] NTLM
username logging problem
hi!
I've Squid 2.5 with NTLM, Samba 3 with Winbind, and Mandrake 9.2 running.
My problem is, that I want to log the usernames and their visited websites.
I want to do this with NTLM / Winbind. The user ID's are stored on a
WinNT-PDC.
And I don't want that the user must enter his key everytime, he connects to
the interet.
I think my Winbind works properly, so it must be something wrong with my
squid.conf...
squid.conf:
...
log_ip_on_direct off # off=hostname, on=ip ?
debug_options ALL,1
client_db on
auth_param ntlm program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth3 \
--helper-protocol=squid-2.5-basic
auth_param basic realm basic-squid-cache
auth_param basic children 5
auth_param basic credentialsttl 2 hours
acl authorizedusers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 82.29.1.0/24
acl localhost src 82.29.1.26/255.255.255.255
acl safe_ports port 80              # http
acl safe_ports port 21              # ftp
acl safe_ports port 443             # https
acl safe_ports port 563             # https
acl safe_ports port 1025-65535      # unregistered ports
acl CONNECT method CONNECT
acl allowed_hosts src 82.29.1.0/255.255.255.0
http_access allow localhost
http_access deny !safe_ports
http_access deny CONNECT !safe_ports
http_access allow allowed_hosts
http_access allow our_networks
http_access allow all authorizedusers
http_access deny all
http_reply_access allow all
I think its probably something with the ACL's... Can you help me please?
Thanks!!!
Lukas
Received on Tue May 11 2004 - 10:16:23 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Jun 01 2004 - 12:00:01 MDT