On 16/05/19 5:45 am, Rafael Silva Daniel wrote:
> Hello! I'm in need of serious help. In my company we need the access logs by
> user name; that is the only reason the proxy is set to authenticate. But it
> just doesn't show it. The relevant parts of the .conf look like this:
>
> (...)
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX(domain name)
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
>
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
> acl users external NT_global_group "/etc/squid/fapgrp"
> (...)
>
> (...)
> http_access deny !users
> http_access allow users
> http_access deny !auth
> (...)
>

There is no natural reason why those CONNECT should be exempt from
authenticating.

I usually find situations like what you describe happen where someone has
misunderstood the default security rules and "customized" them a bit. They
are finely tuned rules, so vast changes to proxy behaviour (like complete
bypass of auth) can result if updates to them are not done correctly.

Can you please show more of your http_access rules? All of them would be
best. At minimum all of the ones above that "http_access deny !auth" line,
and the definition lines for any ACLs used in those rules (include that
"auth" ACL definition too please).

> ***("/etc/squid/fapgrp" is a text file with the text "Usuários do dóminio";
> it's "Domain Users" in Portuguese)
>
> When I test the helper:
>
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=XXXXX
> user password
> BH SPNEGO request invalid prefix
>
> I read somewhere that ntlmssp can be tested like this, because we are
> sending the credentials as plain text, so I tested with basic and the result
> is this:
>
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
> --domain=XXXXX
> user password
> OK
> user password
> ERR
>
> So, I'm assuming that the way Squid is processing the challenges is fine, is
> that right?

That is a test that the helper is talking to the AD service okay. It cannot
tell you whether the client and Squid are communicating the NTLM credentials.

The NTLM protocol does not deliver passwords across the network. NTLM uses
(weak) encrypted tokens instead. All Squid does is pass the token as-is to
the helper. The helper then informs Squid what username to log for that token
(if any).

So to test that part you need to locate a valid token and pass that to the
helper instead of username/password.

However, before you go to any trouble over that: I do not think the helper or
auth are the problem here. Something is clearly letting the CONNECT happen
without even going near the auth process.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
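As an added illustration of the rule-ordering mistake Amos describes (this is not Rafael's configuration, which the thread never shows in full, and not Squid project code): squid.conf http_access rules are evaluated top to bottom and the first match wins, so an allow rule that sits above "deny !auth" lets every matching request, CONNECT included, through without Squid ever issuing a 407 challenge. The ACL names localnet and auth, the 10.0.0.0/8 network and the port lists are assumptions chosen to mirror the stock squid.conf; the users ACL is the one from Rafael's excerpt.

```conf
# --- Broken ordering (hypothetical) ---------------------------------------
# "allow localnet" is left where the stock squid.conf puts it, above the
# auth rules.  Any request from 10.0.0.0/8, including CONNECT for HTTPS,
# matches it first; "deny !auth" is never evaluated, no 407 is sent, and
# the username field in access.log stays "-".  This is exactly the symptom
# in the thread: CONNECT goes through without going near the auth process.
acl localnet  src 10.0.0.0/8           # assumption: the office LAN
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT   method CONNECT
acl auth      proxy_auth REQUIRED      # assumed definition of "auth"

http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow localnet             # <- matches first, bypasses auth
http_access deny  !auth
http_access allow users
http_access deny  all

# --- Corrected ordering ---------------------------------------------------
# The auth rule comes before any allow.  "deny !auth" has a proxy_auth ACL
# as its last ACL, so a request without credentials gets a 407 challenge
# rather than a 403; the client retries with an NTLM token, the helper
# maps it to a username, and only then can an allow rule match.  Putting
# localnet and users on one line ANDs them, so being on the LAN alone is
# never sufficient.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access deny  !auth
http_access allow localnet users
http_access deny  all
```

A quick way to confirm which ordering is in effect is to send a CONNECT through the proxy from a client with no credentials configured: the corrected rules answer with 407 Proxy Authentication Required and a Proxy-Authenticate: NTLM header, while the broken rules establish the tunnel and log the request with "-" in the user column.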