RE: Authentication Issue with Squid and mixed BASIC/NTLM auth


Hmmm, strange. I tested 2.7STABLE4, but it doesn't seem to be stripping
the DOMAIN, it will still accept only DOMAIN\USERNAME. Perhaps I'm
missing something?

I also tested squid-3.1-20081016, built with a spec file adopted from a
squid3.0STABLE7 Redhat package:

configure \
   --exec_prefix=/usr \
   --bindir=%{_sbindir} \
   --libexecdir=%{_libdir}/squid \
   --localstatedir=/var \
   --datadir=%{_datadir} \
   --sysconfdir=/etc/squid \
   --disable-dependency-tracking \
   --enable-arp-acl \
   --enable-auth="basic,digest,ntlm,negotiate" \
   --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \
   --enable-cache-digests \
   --enable-cachemgr-hostname=localhost \
   --enable-delay-pools \
   --enable-digest-auth-helpers="password" \
   --enable-epoll \
   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \
   --enable-icap-client \
   --enable-ident-lookups \
   --enable-linux-netfilter \
   --enable-ntlm-auth-helpers="SMB,fakeauth" \
   --enable-referer-log \
   --enable-removal-policies="heap,lru" \
   --enable-snmp \
   --enable-ssl \
   --enable-storeio="aufs,coss,diskd,,ufs" \
   --enable-useragent-log \
   --enable-wccpv2 \
   --with-default-user="squid" \
   --with-filedescriptors=16384 \
   --with-dl \
   --with-openssl=/usr/kerberos \
   --with-pthreads

And it looks like NTLM could be broken (I don't want to make
assumptions). I was unable to pass credentials in either the
DOMAIN\USERNAME or USERNAME format to OWA through squid. It also forced
an NTLM prompt for Firefox that I had to escape out of before I could
authenticate with BASIC auth.

I wasn't able to test spell-check as I couldn't authenticate to the OWA
server. 

Thanks!
-Chris
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Thursday, October 16, 2008 5:37 AM
To: Chris Natter
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication Issue with Squid and mixed BASIC/NTLM auth

Chris Natter wrote:
> We were having issues with spell-check in 3.0, I haven't tried any of
> the development builds to see if it was resolved though in a later
> release. 
>
> OWA spell-check just seems to hang when you attempt to spell-check an
> email, or gives the "try again later" prompt. I saw some previous
> postings on the archive of the mailing list, but most of them are very
> outdated.
> 
> I'll have to build an RPM of squid 2.7 and check to see if that solves
> both issues.

Ah, now that you mention it I vaguely recall the topic as it flew past a
while back.

Yes, 2.7 is likely the most dependable to have both combos of fixes you 
need.

Without knowing the cause the spellcheck issue _may_ have been resolved
in 3.1. Both of the MS workarounds and 'unknown method' support are now
present. If you have a spare moment and are inclined to test it please
let us know the result. If you still hit bad news for 3.1, it's
definitely a bug that needs looking into at some point.

Amos

> 
> Thanks for the help.
> 
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
> Sent: Wednesday, October 15, 2008 6:46 PM
> To: Chris Natter
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Authentication Issue with Squid and mixed BASIC/NTLM auth
> 
>> Hey all,
>>
>>
>>
>> I've got a tough situation I'm hoping someone can help me with.
>>
>>
>>
>> We 'downgraded' from an old 3.0PRE build that a predecessor had set up on a
>> reverse proxy, to squid 2.6.STABLE20. The proxy runs your standard OWA
>> over Reverse Proxy setup, with login=PASS to an OWA backend running with
>> BASIC/NTLM auth. We have to have the NTLM for phones that sync with
>> ActiveSync.
>>
>>
>>
>> It seems like something fundamental has changed in the way squid handles
>> auth from 3.0 to squid 2.6. Using firefox on 2.6, I can auth with just
>> 'USERNAME', with IE on 2.6 we have to type "DOMAIN\USERNAME" or
>> "USER@DOMAIN" now. Previously, with squid 3.0, just 'USERNAME' would work
>> for auth.
>>
>>
>>
>> While this seems trivial, anything harder than just 'USERNAME' boggles a
>> lot of users. I'm assuming this has something to do with 'attempting NTLM'
>> negotiation? Is there a way around it in squid 2.6?
>>
> 
> The cleaner @DOMAIN handling was only added to Squid 2.7+ and 3.0+. You
> will need an upgrade again to one of those versions at least.
>
> What caused you to downgrade though? Perhaps it's been fixed now in 3.1?
> 
> Amos


-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9

