Search squid archive

cache_peer, squid parents and NTLM : NT_STATUS_INVALID_PARAMETER

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear

I would like to use several parent proxy backend with a squid proxy that in charge to balacne requests to backends parents proxy are connected to the Active Directory and perform authentication.
This in order to log accounts in access_log

BROWSER 10.32.0.21 => Squid client 10.32.0.25 => PEER 10.32.0.26/10.32.0.27 (connected to Active Directory) => ROUTER => INTERNET

I have set on the squid front-end these lines

cache_peer 10.32.0.26 parent proxy-only no-query no-digest default login=PASS connection-auth on cache_peer 10.32.0.27 parent proxy-only no-query no-digest default login=PASS connection-auth on

But when connecting a browser to the squid frontend an authentication POPUP is displayed because parents refuse the NTLM sent by the squid client.

On a parent with debug mode we can see that the NTLM is correclty sent from the squid client:

2012/12/08 00:23:21.728 kid1| client_side.cc(2258) parseHttpRequest: repare absolute URL from 2012/12/08 00:23:21.728 kid1| client_side.cc(2295) parseHttpRequest: parseHttpRequest: Complete request received 2012/12/08 00:23:21.728 kid1| client_side.cc(2298) parseHttpRequest: HTTP Client local=10.32.0.21:3128 remote=10.32.0.25:41984 FD 12 flags=1 2012/12/08 00:23:21.728 kid1| client_side.cc(2299) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://t.fr.msn.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Cookie: mh=MSFT; Sample=38; MUID=2E0332D24C216EAA086836F948216ED4
DNT: 1
Pragma: no-cache
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJAAAABAAUABqAAAABIAEgBYAAAAEAAQAGoAAAAWABYAegAAAAAAAADoAQAABYKIogYC8CMAAAAPMzIoFOB6SjnpMImGzLG+AUEARgBFAE8ATgBMAEkATgBFAGQAdABvAHUAegBlAGEAdQAyADUAMgBEADgAMAAxAFQAQQBPAEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIGdwEQmCLnuc/uTnONcyTwEBAAAAAAAAapor2dHUzQFsjXCe+/oWYwAAAAACABIAQQBGAEUATwBOAEwASQBOAEUAAQAWADAAMAAwAFMATAAwADcAUABSAE8AWAAEABoAYQBmAGUAbwBuAGwAaQBuAGUALgBuAGUAdAADADIAMAAwADAAUwBMADAANwBQAFIATwBYAC4AYQBmAGUAbwBuAGwAaQBuAGUALgBuAGUAdAAIADAAMAAAAAAAAAAAAAAAACAAAK6dfzwK8q0yctw3nb8Es7vizb1e17w0TPPsIlbX/BvHCgAQAAAAAAAAAAAAAAAAAAAAAAAJADwASABUAFQAUAAvADAAMAAwAHMAbAAwADcAcAByAG8AeAAuAGEAZgBlAG8AbgBsAGkAbgBlAC4AbgBlAHQAAAAAAAAAAAA=
Host: t.fr.msn.com
Via: 1.1 000SL07PROX (squid/3.2.4-20121205-r11738)
X-Forwarded-For: 10.33.252.88
Cache-Control: max-age=259200
Connection: keep-alive

../...

2012/12/08 00:23:21.728 kid1| HttpHeader.cc(546) parse: parsing hdr: (0x2fb5d48)
Accept: text/html, application/xhtml+xml, */*
Accept-Language: fr-FR
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Cookie: mh=MSFT; Sample=38; MUID=2E0332D24C216EAA086836F948216ED4
DNT: 1
Pragma: no-cache
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJAAAABAAUABqAAAABIAEgBYAAAAEAAQAGoAAAAWABYAegAAAAAAAADoAQAABYKIogYC8CMAAAAPMzIoFOB6SjnpMImGzLG+AUEARgBFAE8ATgBMAEkATgBFAGQAdABvAHUAegBlAGEAdQAyADUAMgBEADgAMAAxAFQAQQBPAEwAAAAAAAAAAAAA

The Squid parent understand the authorization but the NTLM helper return 'NT_STATUS_INVALID_PARAMETER':

2012/12/08 00:23:21.731 kid1| helper.cc(969) helperStatefulHandleRead: helperStatefulHandleRead: 31 bytes from ntlmauthenticator #1 2012/12/08 00:23:21.731 kid1| helper.cc(993) helperStatefulHandleRead: helperStatefulHandleRead: end of reply found 2012/12/08 00:23:21.731 kid1| UserRequest.cc(116) releaseAuthServer: releasing NTLM auth server '0x2c4c628' 2012/12/08 00:23:21.731 kid1| helper.cc(463) helperStatefulReleaseServer: srv-0 flags.reserved = 1 2012/12/08 00:23:21.731 kid1| helper.cc(1202) StatefulGetFirstAvailable: StatefulGetFirstAvailable: Running servers 4 2012/12/08 00:23:21.731 kid1| helper.cc(1222) StatefulGetFirstAvailable: StatefulGetFirstAvailable: returning srv-0 2012/12/08 00:23:21.731 kid1| UserRequest.cc(322) HandleReply: Failed validating user via NTLM. Error returned 'NT_STATUS_INVALID_PARAMETER'

I have set the external acl helper to debug in order to see if the squid parent send username in order to retreive the group in the Active Directory:

2012/12/08 00:55:43.613 kid1| client_side_request.cc(760) clientAccessCheckDone: The request GET http://t.fr.msn.com/ is 3, because it matched 'Group1'

The rule "Group1" allow an active directory group to go to internet.
This means that the NTLM identification are correctly understood by the parent and the phearent extracts the username from NTLM and sends it to the helper

But for squid parents, users are not authenticated results are : deny access.


Here its a part of my squid.conf in my Squid parent.

#NTLM authentication:
auth_param ntlm program /usr/bin/ntlm_auth --domain=COMPANY.COM --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic realm COMPANY.COM
auth_param basic credentialsttl 2 hours
external_acl_type ads_group ttl=0 %LOGIN /etc/squid3/net_ads_group.pl

Squid Cache: Version 3.2.4-20121205-r11738


Is there any tips to let squid parent correctly accept the NTLM sent by the Squid client ?





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux