Hi,
My squid.conf can be seen at http://www.magnarapa.com/squid/squid.conf
My cache.log can be seen at http://www.magnarapa.com/squid/cache.log
The strange bit is the following:
>>>
2005/06/02 16:08:34| parseHttpRequest: Complete request received
2005/06/02 16:08:34| conn->in.offset = 0
2005/06/02 16:08:34| clientSetKeepaliveFlag: http_ver = 1.1
2005/06/02 16:08:34| clientSetKeepaliveFlag: method = GET
[2005/06/02 16:08:34, 1] utils/ntlm_auth.c:check_plaintext_auth(286)
Reading winbind reply failed! (0x01)
2005/06/02 16:08:34| The request GET http://officescan-p.activeupdate.trendmicro.com:80/activeupdate/server.ini is DENIED, because it matched 'Authenticated'
2005/06/02 16:08:34| Access Denied: http://officescan-p.activeupdate.trendmicro.com:80/activeupdate/server.ini
2005/06/02 16:08:34| AclMatchedName = Authenticated
2005/06/02 16:08:34| Proxy Auth Message = <null>
<<<
First of all, I find it strange that the request is "DENIED because it matched Authenticated".
Authenticated users, as per the squid.conf file, should be allowed, not denied.
But the strangest thing is the "Reading winbind reply failed". Wbinfo works:
# wbinfo -p
Ping to winbindd succeeded on fd 4
The squid user (squid:squid) has group access to the privileged pipe.
Besides, I temporarily assigned a bash shell to the squid user and, logging in as the squid user, I have tried to manually run ntlm_auth.
It works, it authenticates correctly with the Windows domain.
When I authenticate with kinit, I find my ticket with klist:
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@xxxxxxxxxxxxxx
Valid starting     Expires            Service principal
06/02/05 16:26:54  06/03/05 02:26:57  krbtgt/MYDOMAIN.LOCAL@xxxxxxxxxxxxxx
        renew until 06/03/05 16:26:54, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I even joined the domain as follows:
# net ads join -U administrator@xxxxxxxxxxxxxx
administrator@xxxxxxxxxxxxxx's password:
[2005/06/02 16:29:49, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for scx1 already exists - modifying old account
Using short domain name -- MYDOMAIN
Joined 'SCX1' to realm 'MYDOMAIN.LOCAL'
In short, it looks like domain authentication is set up correctly, ntlm_auth works, everything works, BUT squid. I'm sure I am doing something wrong, but after much research and investigation, I am rather stuck.
What can I do?
Marcantonio
James Gray wrote:
> On Wed, 25 May 2005 04:10 am, marcantonio wrote:
>> Hi,
>> How can I troubleshoot Squid with ntlm_auth?
>> Using FC3 and latest samba+squid.
>> Marcantonio
>
> What's in the squid logs? How have you configured your ACL's?
> Cheers,
> James