Re: squid_kerb_auth and access.log issue

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Sorry I don't know what could be wrong.  Can you see in the cache.log file 
the squid_kerb_auth debug information about successful auth ? Your examples 
below are all denies and you won't have a username if it gets denied because 
of an invalid Kerberos token.

Markus


----- Original Message ----- 
From: "Wojciech Dudys" <wdudys@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Thursday, August 27, 2009 8:16 PM
Subject: Re:  Re: squid_kerb_auth and access.log issue


> My configuration is very simple. I just added those lines to the
> default squid.conf file
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> acl kerb_auth proxy_auth REQUIRED
> acl multi_ip max_user_ip 2
>
> http_access deny multi_ip
> http_access allow kerb_auth
> http_access deny all
>
> The only rule that apply to CONNECT is
> http_access deny CONNECT !SSL_ports
>
> Regards,
> Wojtek
>
> 2009/8/27 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> > Is it possible that you allow CONNECT without authentication ? A
> > configuration error ?
> >
> > Markus
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message 
news:h76j5e$d6b$1@xxxxxxxxxxxxxxxx
> Is it possible that you allow CONNECT without authentication ? A 
> configuration error ?
>
> Markus
>
> ----- Original Message ----- 
> From: "Wojciech Dudys" <wdudys@xxxxxxxxx>
> To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
> Sent: Thursday, August 27, 2009 8:47 AM
> Subject: Re:  Re: squid_kerb_auth and access.log issue
>
>
> > Auth is ok. I can get to https sites with no problem. There just is no
> > information about my login in the access.log
> > With http everything is ok.
> >
> > Wojtek
> >
> >
> > "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message 
> > news:h746v9$s72$1@xxxxxxxxxxxxxxxx
> > I am not sure, but squid_auth_kerb is a normal helper and doesn't do 
> > anything with logging. If auth fails which means squid_kerb_auth can not 
> > get the usename then squid evidently can not log it.
> >
> > Markus
> >
> >
> > "Wojciech Dudys" <wdudys@xxxxxxxxx> wrote in message 
> > news:98f978a70908260801p33627ecdj30509566ad00d469@xxxxxxxxxxxxxxxxx
> > Hi,
> >
> > I have squid 3.0.18 configured to use squid_kerb_auth helper.
> >
> > When I make a proper HTTP request I see in the access.log:
> >
> > 1251290049.789 209 X.X.X.X TCP_MISS/200 486 POST
> > http://mail.google.com/mail/channel/bind? USER@REALM
> > DIRECT/74.125.39.17 text/plain
> >
> > Ident field is filled with USER@REALM. And this is great.
> >
> > but when I make HTTPS request I see:
> >
> > 1251289923.734 0 X.X.X.X TCP_DENIED/407 2233 CONNECT
> > www.google.com:443 - NONE/- text/html
> >
> > and there is NONE in the Ident field.
> >
> > The same situation is when I get TCP_DENIED
> >
> > 1251289928.638 0 X.X.X.X TCP_DENIED/407 3353 GET
> > http://mail.google.com/mail/? - NONE/- text/html
> >
> >
> > Is this a bug?
> >
> > Regards