
No apparent errors on NTLM but still cache_access_denied


Hello squid users,

I can't seem to get the ntlm to work on the following setup:

Debian 4.0 etch
Squid Cache: Version 2.6.STABLE5
Microsoft Windows Server 2003 SP2
Kerberos environment OK: wbinfo -t, -u and -g work fine
Using ntlm_auth from Samba Winbind 3.0.24-6etch9

squid.conf looks like this:

http_port localhost:3128
icp_port 0
htcp_port 0
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
quick_abort_min -1 KB
maximum_object_size 1 GB
acl youtube dstdomain .youtube.com
cache allow youtube
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,9
hosts_file /etc/hosts
auth_param ntlm program /usr/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 30
auth_param ntlm keep_alive on
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
[...]
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl InternetInterdit external nt_group internet_interdit
acl FTPUsers external nt_group ftp_users_ext
acl AuthenticatedUsers proxy_auth REQUIRED
acl FTP proto FTP
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny FTP !FTPUsers
http_access deny InternetInterdit
http_access allow all AuthenticatedUsers
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid

The authentication works fine with the --helper-protocol=squid-2.5-basic but with the ntlm protocol the following appears in the log files. Can someone shed some light on this? I don't know what to investigate further as there is no explicit error message. It seems as if the NTLM protocol starts fine but then stops because one of the parties does not send what it's supposed to. I've tried using the ntlmauth bundled with Squid but that doesn't solve the problem.

[2008/03/07 10:56:35, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAABAAAAB7...RzEzNzBJTlRSQS1UUEc=' from squid (length: 79).
[2008/03/07 10:56:35, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
 got NTLMSSP packet:
[2008/03/07 10:56:35, 10] lib/util.c:dump_data(2222)
 [000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 07 B2 08 A2  NTLMSSP. ........
 [010] 09 00 09 00 2F 00 00 00  07 00 07 00 28 00 00 00  ..../... ....(...
 [020] 05 01 28 0A 00 00 00 0F  54 50 XX XX XX XX XX XX  ..(..... XXXXXXXX
 [030] XX XX XX XX XX XX XX XX                           XXXXXXX
[2008/03/07 10:56:35, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
 Got NTLMSSP neg_flags=0xa208b207
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_NEGOTIATE_OEM
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
   NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_56
[2008/03/07 10:56:35, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
 NTLMSSP challenge

Isn't the NTLM negotiation supposed to be longer?
I think this is the same problem as in http://www.squid-cache.org/mail-archive/squid-dev/200708/0167.html but the answer to that question does not give a solution. Has someone solved this?

Thanks,

Jerome Steunenberg
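
The following is an added example, not part of the original message or of Squid/Samba code: a small decoder for the helper-protocol line seen in the log, showing that the `YR` blob is only the first NTLMSSP leg (type 1, negotiate), which the helper answers with a challenge; a completed login would continue with a `KK` line carrying the type 3 (authenticate) message. The sample is constructed from the 40 header bytes in the hex dump, with every redacted `XX` byte replaced by a literal `X`; the function and field names are assumptions made for this illustration.

```python
import base64
import struct

# Bit names follow the Samba log above; 0x02000000 is NEGOTIATE_VERSION in
# MS-NLMP, which the Samba release on this page does not print.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "NEGOTIATE_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00080000: "NEGOTIATE_NTLM2",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
LEGS = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Constructed sample: header bytes from the hex dump, redacted payload as "X".
HEADER = bytes.fromhex("4e544c4d5353500001000000" "07b208a2" "090009002f000000"
                       "0700070028000000" "0501280a0000000f")
SAMPLE = "YR " + base64.b64encode(HEADER + b"TPXXXXX" + b"XXXXXXXXX").decode()

def field(msg, length, offset):
    """Return the OEM string a security buffer points at, bounds-checked."""
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length].decode("latin-1")

def parse_helper_line(line):
    """Decode one '<verb> <base64 NTLMSSP>' line of the squid helper protocol."""
    verb, _, blob = line.strip().partition(" ")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"verb": verb, "type": mtype, "leg": LEGS.get(mtype, "unknown")}
    if mtype == 1 and len(msg) >= 32:
        # flags, then domain and workstation buffers: (len, maxlen, offset)
        flags, dlen, _, doff, wlen, _, woff = struct.unpack_from("<IHHIHHI", msg, 12)
        out["flags"] = flags
        out["flag_names"] = [n for bit, n in FLAGS.items() if flags & bit]
        out["domain"] = field(msg, dlen, doff)
        out["workstation"] = field(msg, wlen, woff)
        if flags & 0x02000000 and len(msg) >= 40:
            # client OS major, minor, build
            out["version"] = struct.unpack_from("<BBH", msg, 32)
    return out

if __name__ == "__main__":
    for key, value in parse_helper_line(SAMPLE).items():
        print(key, value)
```

Running the same function over the lines that follow in a full `-d 10` helper log shows whether a type 3 message ever arrives from the client.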

