squid logging ntlm_auth synchronisation


Greetings squid users,

I have squid set up to authenticate against an NT domain. It works just fine -- however the logging is very strange. The following log snippet is (almost) typical of what is going on -- the user at 10.0.0.165 is making three requests, and this is being logged as three different users:

1155218476.213    194 10.0.0.165 TCP_MISS/200 1996 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_travel_bg.gif TlRMTVNTUAACAAAADgAOADAAAAAFgomi5U3CdcWj1sQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAA DIRECT/196.14.52.227 image/gif

1155218476.254    150 10.0.0.165 TCP_MISS/200 1181 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_competition_bg.gif DOMAIN\sruiter DIRECT/196.14.52.227 image/gif

1155218476.396    240 10.0.0.165 TCP_MISS/200 1039 GET http://www.news24.com/Images/News24v2/Newsletter/Central/Images/subicon_lotto_bg.gif DOMAIN\rothstein DIRECT/196.14.52.227 image/gif

The interesting one is TlRMTVNTUAACAAAADgAOADAAAAAFgomi5U3Cdc... which is base64 encoded for "NTLMSSP0" followed by binary soup. It suggests that some of the output of or input to ntlm-auth is replacing the user name -- perhaps a flush() is missing in reading or writing to the authenticator process...

The versions are:
    squid: squid-beta-3.0-260 (packaged with OpenSuSE 10.1)
    ntlm-auth: samba-winbind-3.0.23a-0.1.34 (from samba.org)

The configuration file says:
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\internetaccess
    auth_param ntlm children 60
    auth_param ntlm keep_alive on
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=DOMAIN\\internetaccess

Any suggestions on where to start debugging this -- e.g. debugging flags for ntlm_auth or for squid?

&:-)



--
Linux - the finest selection of binary digits available
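
An audit script for the symptom described in this post, added here as an example and not part of the original message or of squid or Samba: it flags access.log entries whose user field is a base64 NTLMSSP token (reporting the message type from the token header) and client IPs logged under different user names within a few seconds. The sample lines, the function names `ntlm_message_type` and `audit`, and the 5-second window are assumptions made for the illustration.

```python
import base64
import binascii
import struct
from collections import defaultdict

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample (squid native access.log layout); token is the prefix quoted in the post.
SAMPLE_LOG = """\
1155218476.213 194 10.0.0.165 TCP_MISS/200 1996 GET http://example.test/a.gif TlRMTVNTUAACAAAADgAOADAAAAAFgomi5U3C DIRECT/192.0.2.10 image/gif
1155218476.254 150 10.0.0.165 TCP_MISS/200 1181 GET http://example.test/b.gif DOMAIN\\sruiter DIRECT/192.0.2.10 image/gif
1155218476.396 240 10.0.0.165 TCP_MISS/200 1039 GET http://example.test/c.gif DOMAIN\\rothstein DIRECT/192.0.2.10 image/gif
1155218480.100 90 10.0.0.170 TCP_MISS/200 512 GET http://example.test/d.gif DOMAIN\\alice DIRECT/192.0.2.10 image/gif
"""

def ntlm_message_type(user_field):
    """Return the NTLMSSP message type name if the field is a base64 NTLM token, else None."""
    try:
        # 16 base64 characters cover the 8-byte signature and the 4-byte type.
        head = base64.b64decode(user_field[:16], validate=True)
    except binascii.Error:
        return None
    if len(head) < 12 or head[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack("<I", head[8:12])  # little-endian uint32
    return NTLM_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)

def audit(log_text, window=5.0):
    """Return (token_hits, shared): token-as-user entries, and IPs with mixed user names."""
    token_hits, seen = [], defaultdict(list)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        ts, client, user = float(f[0]), f[2], f[7]
        kind = ntlm_message_type(user)
        if kind:
            token_hits.append((f[0], client, kind))
        elif user != "-":
            seen[client].append((ts, user))
    shared = {}
    for client, events in seen.items():
        events.sort()
        users = set()
        for (t1, u1), (t2, u2) in zip(events, events[1:]):
            if u1 != u2 and t2 - t1 <= window:
                users.update((u1, u2))
        if users:
            shared[client] = sorted(users)
    return token_hits, shared
```
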
