Hello List,
I'm having a quite strange problem that I just can't figure it out.
Using NTLM_AUTH with NTLMSSP helper, my browser (IE and Firefox)
can't connect to HTTP but it can connect to HTTPS site.
As an example, I can connect to "https://www.gmail.com"; but cannot
connect to "http://www.gmail.com";.
Checking my logs and sniffing packets, it became clear that CONNECT
requests do full successful authentication, but GET commands won't.
Could any good soul point me a direction? I've tried pretty much
everything I could in last 10 hours trying to isolate the problem, but
no matter what log level I use I just can't get a hint.
FACTS
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
challenge/response password authentication succeeded
MY SETUP
x86 box
Fedora 6 ( 2.6.18-1.2798.fc6)
Samba version 3.0.26a (RPM)
OPENLDAP as passdb backend
squid-2.6.STABLE20.tar.gz (compiled with ntlm,basic)
SQUID is running on a BDC, with slave LDAP all sitting in a different
subnet from the PDC.
PIECE OF LOG
2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:32| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomitLh/n3nYBEkAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:32| The request GET http://www.gmail.com/ is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:32| The reply for GET http://www.gmail.com/ is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:32| clientReadRequest: FD 17: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:36| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomi2eV4B/2CiVAAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:36| The request CONNECT www.gmail.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:36| The reply for CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:36| clientReadRequest: FD 17: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:37| authenticateAuthUserRequestSetIp: user 'aleks' has
been seen at a new IP address (192.168.1.235)
2008/05/01 19:28:37| The request CONNECT www.gmail.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is
ALLOWED, because it matched 'autenticados'
2008/05/01 19:28:41| authenticateNTLMAuthenticateUser: need to challenge
client
'TlRMTVNTUAACAAAAFAAUADAAAAAFgomib/Z8EcbV8moAAAAAAAAAAEAAQABEAAAAQQBTAFMASQBNAEUARABJAEMAQQACABQAQQBTAFMASQBNAEUARABJAEMAQQABAAwATgBFAFQAQgBEAEMABAAAAAMADABuAGUAdABiAGQAYwAAAAAA'!
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:41| The reply for CONNECT mail.google.com:443 is
ALLOWED, because it matched 'autenticados'
2008/05/01 19:28:41| clientReadRequest: FD 21: no data to process ((11)
Resource temporarily unavailable)
2008/05/01 19:28:41| The request CONNECT mail.google.com:443 is ALLOWED,
because it matched 'autenticados'
2008/05/01 19:28:44| The request CONNECT www.google.com:443 is DENIED,
because it matched 'autenticados'
2008/05/01 19:28:44| The reply for CONNECT www.google.com:443 is
ALLOWED, because it matched 'autenticados'
Any piece of useful information is more than welcome.
Many thanks,
Aleksander França Honma
