On 24/03/2016 10:08 p.m., L.P.H. van Belle wrote:
> Hello Amos,
>
> I was missing this in my setup also; now I know where that problem was coming from. Can you help me a bit with explaining the difference between these, based on the example below? Because if I post somewhere, I want to be sure the setup is correct. And it was not, :-(, so I'm thinking about what I missed here in my understanding.
>
> --helper-protocol=gss-spnego
> --helper-protocol=gss-spnego-client
> --helper-protocol=squid-2.5-ntlmssp
>

Squid used to have different helper protocols for each interface.

--helper-protocol=squid-2.5-ntlmssp makes it communicate with Squid using the old "auth_param ntlm" helper interface protocol.

--helper-protocol=gss-spnego makes it communicate with Squid using the old "auth_param negotiate" helper interface protocol. When an NTLM handshake is happening, the helper auto-converts between the NTLM and Negotiate interface protocols by prefixing the username with "* ".

The wrapper helper also will attempt to auto-convert old protocol syntax into the current (Squid-3.4+) protocol syntax. BUT, it can only do so properly if the expected old syntax was being sent for the relevant helper (--ntlm vs --kerberos arguments to the wrapper).

The result is that the ntlm_auth helper auto-converts the result by prefixing it with "* ". Then the wrapper helper also auto-converts that result by prefixing _that_ with "= ". Ending with the strange "AF = * username" output.

--helper-protocol=gss-spnego-client is for something unrelated to Squid.

> I was in belief the following.
>
> With use of auth_param negotiate, I wanted to have full Kerberos auth.
> --helper-protocol=gss-spnego is needed, but I don't know if this is correct.

That is correct for the Samba ntlm_auth helper operating *by itself* on the "auth_param negotiate" interface of Squid.

--> Not when using the wrapper helper's --ntlm interface.

NP: when using the wrapper helper's --kerberos interface it *is* correct.

> And I had also * as username.
> --helper-protocol=squid-2.5-ntlmssp works fine also and I now see the username.
>
> And one more question.
>
> The log now shows for:
> Kerberos authenticated users : username@REALM
> NTLM authenticated users : username
>
> Is there a way to log users with only the username, for both authentications?
>

That depends on whether the Kerberos helper you are using can strip the realm name. Squid is simply logging the label it gets told by the helper.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
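As an added diagnostic that is not part of the thread or of Squid/Samba: a small check over legacy "auth_param negotiate" helper replies ("AF <token> <username>", as in the "AF = * username" output above) that distinguishes the single "* " conversion done by ntlm_auth from the double "= * " conversion produced when the wrapper re-converts it. The reply lines used below are constructed samples; the "double conversion" wording is this check's own, not Squid's.

```python
import re
from typing import Optional

# Legacy negotiate-interface success reply, as discussed in the thread:
#   AF <token> <username>
# Assumption (not from the thread): the token is a single whitespace-free
# field and everything after it is the username label Squid will log.
_AF_LINE = re.compile(r"^AF\s+(\S+)\s+(.*)$")


def diagnose_af_line(line: str) -> Optional[str]:
    """Return a diagnosis for a legacy AF reply, or None if it looks sane.

    Constructed examples:
      "AF = * alice"   -> double conversion (wrapper --ntlm + gss-spnego)
      "AF <blob> * alice" -> single conversion by ntlm_auth, expected
      "AF <blob> alice"   -> plain username, nothing to report
    """
    m = _AF_LINE.match(line.strip())
    if not m:
        return None  # not an AF reply; this check only covers AF
    token, user = m.groups()
    if token == "=" and user.startswith("* "):
        # ntlm_auth already prefixed "* " for the Negotiate interface, then the
        # wrapper prefixed "= " again: --helper-protocol does not match the
        # wrapper interface (--ntlm vs --kerberos) it is behind.
        return ("double conversion: '= * ' prefix; check that --helper-protocol "
                "matches the wrapper interface (--ntlm vs --kerberos)")
    if user.startswith("* "):
        # Single conversion: expected when ntlm_auth handles an NTLM handshake
        # on the Negotiate interface by itself.
        return "single conversion: '* ' prefix added by ntlm_auth (expected)"
    return None


def logged_username(line: str) -> Optional[str]:
    """Username label as Squid would log it, with any conversion prefixes removed."""
    m = _AF_LINE.match(line.strip())
    if not m:
        return None
    user = m.group(2)
    for prefix in ("= ", "* "):
        if user.startswith(prefix):
            user = user[len(prefix):]
    return user
```

Feed the function the reply lines from a helper debug trace; any "double conversion" result points at the --ntlm/--kerberos versus --helper-protocol mismatch explained in the reply.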