On Thu, 2005-01-27 at 21:26 +0200, Dave Raven wrote: > Hi all, > I've been testing the behavior of Challenge/Response today with > cache peers. the versions etc are not relevant as I have Challenge/Response > and BASIC working fine if I point directly to the unit. Below is a makeshift > diagram of how I've set this up now: > > --------- > | squid | > | NTLM | ----> Windows 2003 > --------- > | > / \ > peer1 -- peer2 > \ / > \ / > main cache > > I point to "main cache", which has two parents which are the only routes > (never_direct + always_direct) - login=PASS is on my peer lines. On those > two I have setup each of them as siblings with login=PASS, and a parent of > the squid NTLM authenticating unit (which works fine if I point direct), > also with login=PASS. > > The behavior I see is that if I'm using the auth box, I have to login (with > basic) with DOMAIN\user (and challenge response works). If I go through the > peers I have to login with only the user - if I add the domain it doesn't > work at _all_. When I try challenge response it naturally doesn't work as > the username gets passed with no domain... Could you paste the relevant lines in the three boxes' squid.conf? > Is the fix for this as simple as it seems? Or is the problem more > complicated. I'd really like to get this working... Do you want the two peers to be directly accessed? If the purpose is for them to only cache, you might want to distinguish roles: main cache does auth + logging + request routing, the others do caching (you might want use CARP to balance the parents to maximize efficiency). If so, it would be enough for you to use a 'src' type acl on the parents locked on the main cache ip and log usernames only on the main cache log. Kinkie
