Hello, the "main cache" unit forwards requests to the two peers, which are set as parents with icp enabled. There is no logging or authentication until the "squid NTLM" unit at which stage the user is authenticated against the Windows 2003 machine. I have it working perfectly if I point directly to "squid NTLM", but if I point to "main cache" it fails. If I look in the log when its successful I get DOMAIN\user - when it fails all I see is user... I hope this has explained it more... The main goal is to do single signon through multiple cache's with login=PASS set on the peers -----Original Message----- From: Kinkie [mailto:kinkie-squid@xxxxxxxxx] Sent: 29 January 2005 11:34 AM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: [squid-users] Challenge/Response with Cache Peers (NTLM) On Thu, 2005-01-27 at 21:26 +0200, Dave Raven wrote: > Hi all, > I've been testing the behavior of Challenge/Response today with > cache peers. the versions etc are not relevant as I have Challenge/Response > and BASIC working fine if I point directly to the unit. Below is a makeshift > diagram of how I've set this up now: > > --------- > | squid | > | NTLM | ----> Windows 2003 > --------- > | > / \ > peer1 -- peer2 > \ / > \ / > main cache > > I point to "main cache", which has two parents which are the only routes > (never_direct + always_direct) - login=PASS is on my peer lines. On those > two I have setup each of them as siblings with login=PASS, and a parent of > the squid NTLM authenticating unit (which works fine if I point direct), > also with login=PASS. > > The behavior I see is that if I'm using the auth box, I have to login (with > basic) with DOMAIN\user (and challenge response works). If I go through the > peers I have to login with only the user - if I add the domain it doesn't > work at _all_. When I try challenge response it naturally doesn't work as > the username gets passed with no domain... Could you paste the relevant lines in the three boxes' squid.conf? > Is the fix for this as simple as it seems? Or is the problem more > complicated. I'd really like to get this working... Do you want the two peers to be directly accessed? If the purpose is for them to only cache, you might want to distinguish roles: main cache does auth + logging + request routing, the others do caching (you might want use CARP to balance the parents to maximize efficiency). If so, it would be enough for you to use a 'src' type acl on the parents locked on the main cache ip and log usernames only on the main cache log. Kinkie
