myocella wrote:
> I've 2 proxy servers chained together. Both authenticate against
> different AD domains.
>
> The downstream proxy is running on Windows (squid/2.5.STABLE1-CVS)
> supporting only basic auth (nt_auth.exe). This proxy server has a
> cache_peer basic auth setup to the upstream proxy:
>
> cache_peer upstream.proxy 3128 0 no-query login=UPSTREAM_DOMAIN\dummyuser:password
>
> The upstream is running on RHEL (squid/2.7.STABLE7) supporting
> NTLM,Basic with AD using this guide
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory,
> plus wb_info.pl for the group lookup.
>
> The users in UPSTREAM_DOMAIN can browse Internet using upstream proxy.
> However, the downstream proxy users can't browse the Internet. Their
> browsers prompt for username and password twice - the first time it
> showed the downstream Realm which makes sense, but the second prompt
> showed the upstream Realm!
>
> In the access.log file on downstream, it showed the authentication
> successfully with username.
>
> x.x.x.x - downstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:FIRST_UP_PARENT
>
> But the access.log file on the upstream proxy showed 407 with the
> "UPSTREAM_DOMAIN\dummyuser", which is correct.

No, this is NOT correct.
It means the auth credentials UPSTREAM_DOMAIN\dummyuser:password sent to
upstream were checked and failed.
>
> Does anyone have any idea how to resolve this problem?
>
* Send the correct login to upstream.
* Fix whatever in upstream is causing the login to be denied.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14
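
Added example, not part of the original thread: a small Python check that reads upstream access.log lines in the layout quoted above and separates a plain 407 challenge (no user logged) from a 407 logged against a named account, which is the case the reply describes as credentials checked and failed. The sample lines, client addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the access.log line quoted in the post (assumed for the upstream too):
# client ident user [timestamp] "request" status bytes SQUID_RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) (?P<result>\S+)$'
)

def classify(line):
    """Return (user, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, status = m.group("user"), int(m.group("status"))
    if status == 407 and user == "-":
        return user, "challenge"   # no credentials presented yet
    if status == 407:
        return user, "rejected"    # credentials presented, request still denied
    return user, "other"           # anything that is not a proxy-auth failure

def rejected_accounts(lines):
    """Count 407 responses per named account; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1] == "rejected":
            counts[parsed[0]] += 1
    return counts

# Constructed sample of upstream log lines (documentation-range addresses).
SAMPLE = [
    r'192.0.2.10 - - [09/Oct/2009:12:58:58] "GET http://www.google.com/ HTTP/1.0" 407 1690 TCP_DENIED:NONE',
    r'192.0.2.20 - UPSTREAM_DOMAIN\dummyuser [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 407 1690 TCP_DENIED:NONE',
    r'192.0.2.20 - UPSTREAM_DOMAIN\dummyuser [09/Oct/2009:12:59:03] "GET http://www.google.com/ HTTP/1.0" 407 1690 TCP_DENIED:NONE',
    r'192.0.2.30 - UPSTREAM_DOMAIN\alice [09/Oct/2009:12:59:05] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for account, hits in rejected_accounts(SAMPLE).items():
        print(f"{account}: {hits} request(s) denied with 407 after presenting credentials")
```

A non-zero count for the account configured in the downstream's cache_peer login= points at the upstream side: either the password or the upstream's own access rules for that account.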