Re: Authentication Issue with Squid and mixed BASIC/NTLM auth

Um, something weird is going on. I'm a little scared by the double sets of bad news. Can you confirm that your in-use systems are okay? I haven't led you to a point where anything serious is broken? (i.e. this is all isolated on a test machine where it's okay to break?)


Chris Natter wrote:
Hmmm, strange. I tested 2.7STABLE4, but it doesn't seem to be stripping
the DOMAIN, it will still accept only DOMAIN\USERNAME. Perhaps I'm
missing something?

I've looked at it closer. And the patches which I saw earlier were for a slightly different helper (mapping NTLM front-end auth to LDAP backend)

Henrik informs me that NTLM always needs the domain. Which makes me wonder why you didn't in 3.0.


I also tested squid-3.1-20081016, built with a spec file adapted from a
squid3.0STABLE7 Redhat package:

configure \
   --exec_prefix=/usr \
   --bindir=%{_sbindir} \
   --libexecdir=%{_libdir}/squid \
   --localstatedir=/var \
   --datadir=%{_datadir} \
   --sysconfdir=/etc/squid \
   --disable-dependency-tracking \
   --enable-arp-acl \
   --enable-auth="basic,digest,ntlm,negotiate" \
   --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \
   --enable-cache-digests \
   --enable-cachemgr-hostname=localhost \
   --enable-delay-pools \
   --enable-digest-auth-helpers="password" \
   --enable-epoll \
   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \
   --enable-icap-client \
   --enable-ident-lookups \
   --enable-linux-netfilter \
   --enable-ntlm-auth-helpers="SMB,fakeauth" \
   --enable-referer-log \
   --enable-removal-policies="heap,lru" \
   --enable-snmp \
   --enable-ssl \
   --enable-storeio="aufs,coss,diskd,ufs" \
   --enable-useragent-log \
   --enable-wccpv2 \
   --with-default-user="squid" \
   --with-filedescriptors=16384 \
   --with-dl \
   --with-openssl=/usr/kerberos \
   --with-pthreads

And it looks like NTLM could be broken (I don't want to make
assumptions). I was unable to pass credentials in either the
DOMAIN\USERNAME or USERNAME format to OWA through squid. It also forced
an NTLM prompt for Firefox that I had to escape out of before I could
authenticate with BASIC auth.

I wasn't able to test spell-check as I couldn't authenticate to the OWA
server.

That is a worry for us. Thanks for testing and finding the issue.
This is the first bug report on connection pinning.
For our info: did you have "login=PASS" on the cache_peer line? And would you mind sharing the config?

Amos



Thanks!
-Chris
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Thursday, October 16, 2008 5:37 AM
To: Chris Natter
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication Issue with Squid and mixed BASIC/NTLM auth

Chris Natter wrote:
We were having issues with spell-check in 3.0, I haven't tried any of
the development builds to see if it was resolved though in a later
release.
OWA spell-check just seems to hang when you attempt to spell-check an
email, or gives the "try again later" prompt. I saw some previous
postings on the archive of the mailing list, but most of them are very
outdated.

I'll have to build an RPM of squid 2.7 and check to see if that solves
both issues.

Ah, now that you mention it I vaguely recall the topic as it flew past a while back.

Yes, 2.7 is likely the most dependable to have both combos of fixes you need.

Without knowing the cause the spellcheck issue _may_ have been resolved in 3.1. Both of the MS workarounds and 'unknown method' support are now present. If you have a spare moment and are inclined to test it please let us know the result. If you still hit bad news for 3.1, it's definitely a bug that needs looking into at some point.

Amos

Thanks for the help.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Wednesday, October 15, 2008 6:46 PM
To: Chris Natter
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Authentication Issue with Squid and mixed BASIC/NTLM auth

Hey all,

I've got a tough situation I'm hoping someone can help me with.

We 'downgraded' from an old 3.0PRE build that a predecessor had set up on a reverse proxy, to squid 2.6.STABLE20. The proxy runs your standard OWA over Reverse Proxy setup, with login=PASS to an OWA backend running with BASIC/NTLM auth. We have to have the NTLM for phones that sync with ActiveSync.

It seems like something fundamental has changed in the way squid handles auth from 3.0 to squid 2.6. Using firefox on 2.6, I can auth with just 'USERNAME', with IE on 2.6 we have to type "DOMAIN\USERNAME" or "USER@DOMAIN" now. Previously, with squid 3.0, just 'USERNAME' would work for auth.

While this seems trivial, anything harder than just 'USERNAME' boggles a lot of users. I'm assuming this has something to do with 'attempting NTLM' negotiation? Is there a way around it in squid 2.6?

The cleaner @DOMAIN handling was only added to Squid 2.7+ and 3.0+. You will need an upgrade again to one of those versions at least.

What caused you to downgrade though? Perhaps it's been fixed now in 3.1?

Amos




--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
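As an added illustration of the setup discussed in this thread (not configuration posted by either participant), here is a minimal squid.conf reverse-proxy fragment for OWA with login=PASS on the cache_peer line, which is what Amos is asking about; the host names, certificate paths, CA file and the OWA/ActiveSync path list are placeholder assumptions.

```conf
# Added example, not from the thread. Host names, certificate paths and
# the origin address are placeholders; adjust to the real deployment.

# Public side: HTTPS accelerator (reverse proxy) for the published OWA name.
https_port 443 accel defaultsite=owa.example.com vhost cert=/etc/squid/owa.example.com.pem key=/etc/squid/owa.example.com.key

# Origin server (Exchange front end). login=PASS forwards the client's own
# Authorization header (Basic or NTLM) instead of a fixed credential, so the
# origin server, not the proxy, authenticates each user. NTLM authenticates
# the TCP connection rather than each request, which is why Squid pins the
# client connection to one origin connection while the NTLM exchange runs.
# The origin certificate is verified against the internal CA rather than
# disabling verification with sslflags=DONT_VERIFY_PEER.
cache_peer exchange.internal.example parent 443 0 no-query originserver ssl sslcafile=/etc/squid/internal-ca.pem login=PASS name=owa

# Only the OWA / ActiveSync paths on the published host name reach the
# origin; everything else is refused at the proxy (assumed path list).
acl owa_host dstdomain owa.example.com
acl owa_paths urlpath_regex -i ^/(owa|exchange|exchweb|public|Microsoft-Server-ActiveSync)(/|$)
http_access allow owa_host owa_paths
http_access deny all

# Route the allowed requests to the origin peer and never go direct.
cache_peer_access owa allow owa_host owa_paths
cache_peer_access owa deny all
never_direct allow all
```

With this in place the proxy itself needs no auth_param helpers for OWA; if a browser still receives an NTLM challenge it cannot complete, the thing to check first is whether the origin is offering NTLM before Basic and whether the client connection is being pinned end to end.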
