On 1/09/2016 12:37 a.m., akn ab wrote:
> Dear all,
> I'm facing a strange problem using squid 3.5.20 with NTLM transparent
> authentication.
> I cannot use Kerberos auth because I need to pass DOMAIN\user to my parent proxy
> with the x-authenticated-user header, and the form USERNAME@DOMAIN is not supported.
> Users can surf the web without problems but, sometimes, they receive a
> credentials request popup from the browser (Explorer, Edge, Mozilla and Chrome, it does not
> matter).
>
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 300 startup=200 idle=10 concurrency=0
> auth_param ntlm keep_alive on
> auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 25 startup=15 idle=5 concurrency=0
> auth_param basic realm PROXY AUTHORIZATION REQUIRED
> auth_param basic credentialsttl 30 minutes
> authenticate_cache_garbage_interval 1 hours
> authenticate_ttl 30 minutes
> authenticate_ip_ttl 30 minutes
>
> I migrated from squid 2.6.x and, with a similar configuration, the required
> credentials popup was displayed only when the password had expired.
> In this situation, users must click the abort button many times to restore a
> good situation, but I cannot understand why the request popup appears suddenly.
> Is this a credentials cache timeout problem (authenticate_ttl 30 minutes)?

Maybe. If so it's not an NTLM problem, since NTLM credentials are "cached" by
being tied to the TCP connection state, not stored in a regular cache like
Basic auth credentials.

I suggest trying:

  auth_param ntlm keep_alive off

Squid-3 is now HTTP/1.1, which behaves a bit differently with persistent
connections than HTTP/1.0 did. Which affects the pile of nasty hacks needed
to make NTLM work over HTTP.

> Is this a problem in the browser?

Yes, at least partially. The popup only occurs when the browser thinks none of
its credentials are valid to send to the proxy.

Why it thinks that might be a browser bug or a Squid bug. Or just the way NTLM
behaves in some HTTP message circumstances.

> Is this a communication problem with squid and Active Directory?

Unlikely. It's more probably between Squid and browser. Squid only interacts
with AD at the start of a new TCP connection, or when NTLM is started on an
existing connection.

It could be the browser sending unacceptable credentials (eg. the user's
machine account instead of the user's own account) then deciding NTLM is
unusable.

It could be the browser failing to send the right NTLM token for Squid to check
against the existing known credentials tied to the connection.

> I would like to understand why, so I need advice to start debugging and find a
> solution.

<http://wiki.squid-cache.org/KnowledgeBase/DebugSections>

Section 29 is the various authenticators. You will also need the ACL
processing section and results.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users