Re: [squid-users] Wrong domain in some NTLM authentication requests

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 30 Mar 2010 23:05:58 +0000

On Tue, 30 Mar 2010 14:16:54 -0300, Diego Lima <lists_at_diegolima.org>
wrote:
> Hi All,
>
> I'm currently running some squid proxies that serve a lot (3k+) of
> users. Until recently they were using the NTLM authenticator that is
> shipped with squid (/usr/lib64/squid/ntlm_auth), but due to countless
> problems recently I've finally set them to use the helper provided by
> Samba (Version 3.0.28-0.el5.8). It seems to work fine under most
> circumstances but about 10 users cannot authenticate as their
> computers seem not to be sending the correct domain to the proxy. The
> log goes like this:
>
> Got user=[USERNAME] domain=[PROXY1] workstation=[WRKSTATION] len1=24
> len2=24
> Login for user [PROXY1]\[USERNAME]@[WRKSTATION] failed due to [No such
> user]
>
> This happens when we set their proxy address to proxy1.ourdomain.com.
> If we manually set the proxy IP address on their proxy settings it
> seems to authenticate just fine:
>
> Got user=[USERNAME] domain=[INTRA] workstation=[WRKSTATION] len1=24
> len2=24
>
> Our domain name is INTRA. On the same machine I'm able to log in with
> my domain user and use the proxy normally. We have tried re-creating
> the user's profile to no avail.
>
> The authentication settings are as follows:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 256
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 64
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> auth_param basic realm "Access Control "
>
> And our external acl is:
>
> external_acl_type nt_group ttl=10 concurrency=5 children=20 %LOGIN
> /usr/lib64/squid/wbinfo_group.pl
>
> Does anyone have any idea as to what could be going on, or where to
> start looking for a fix?

With the browser software. Your initial statements clearly indicate that
the problem is what the browser is sending.

To get Squid accepting any garbage credentials passed to it, turn off
authentication. Somehow I don't think this is a good solution.

Amos
Received on Tue Mar 30 2010 - 23:06:03 MDT
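
Added example (not part of the original thread, and not Squid or Samba code): a small triage script that reads helper log lines in the `Got user=[...] domain=[...] workstation=[...]` format quoted above and lists the workstations sending a domain other than the expected one. The expected domain `INTRA` is taken from the post; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the helper log line format quoted in the post:
#   Got user=[U] domain=[D] workstation=[W] len1=24 len2=24
GOT_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\]\s+domain=\[(?P<domain>[^\]]*)\]\s+"
    r"workstation=\[(?P<ws>[^\]]*)\]"
)

def parse_events(text):
    """Return (user, domain, workstation) tuples from helper log text.

    Whitespace, including line wraps like those in the quoted e-mail,
    is collapsed first so a record split across lines still matches.
    """
    flat = " ".join(text.split())
    return [(m["user"], m["domain"], m["ws"]) for m in GOT_RE.finditer(flat)]

def wrong_domain_clients(text, expected="INTRA"):
    """Map workstation -> set of (user, domain) where domain != expected.

    Domain names are compared case-insensitively; an empty domain
    field is reported as a mismatch as well.
    """
    bad = defaultdict(set)
    for user, domain, ws in parse_events(text):
        if domain.casefold() != expected.casefold():
            bad[ws].add((user, domain))
    return dict(bad)

# Constructed sample log (user and workstation names are invented).
SAMPLE_LOG = """\
Got user=[alice] domain=[PROXY1] workstation=[WS-017] len1=24
len2=24
Login for user [PROXY1]\\[alice]@[WS-017] failed due to [No such
user]
Got user=[bob] domain=[intra] workstation=[WS-020] len1=24 len2=24
Got user=[alice] domain=[INTRA] workstation=[WS-017] len1=24 len2=24
Got user=[carol] domain=[] workstation=[WS-031] len1=24 len2=24
"""

if __name__ == "__main__":
    for ws, entries in sorted(wrong_domain_clients(SAMPLE_LOG).items()):
        for user, domain in sorted(entries):
            print(f"{ws}: user={user} sent domain={domain or '<empty>'}")
```

Grouping by workstation makes it easier to see whether the mismatch follows particular machines or particular accounts.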
