Amos,
I understood: helper.cc does not parse the KK request and does not know about the username. It can only get the username information from the reply of the external helper. But since the external helper returns only an error without a username, this information is missing from the logs.
Is there any other possibility to log the username and source IP address for such failed NTLM authentication attempts?
Kind regards,
Ankor.
Tue, 31 Jan 2023 at 07:56, Andrey K <ankor2023@xxxxxxxxx>:

Hello Amos,

Thank you for the information.

I turned on squid debug_options 84,9 and see in the cache.log that in the first NTLM_NEGOTIATE request (YR) there is no username:

TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
00000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 06 82 08 00 |NTLMSSP.........|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

so SQUID responded with the NTLMSSP_CHALLENGE (TT). But in the second NTLMSSP_AUTH request (KK) the client sends the username (sa0000bcmon) as well as the hostname (0001bcreport02):

TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=
00000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 |NTLMSSP.........|
00000010 40 00 00 00 18 00 18 00 58 00 00 00 00 00 00 00 |@.......X.......|
00000020 70 00 00 00 0b 00 0b 00 70 00 00 00 0e 00 0e 00 |p.......p.......|
00000030 7b 00 00 00 00 00 00 00 00 00 00 00 06 82 89 02 |{...............|
00000040 6e 38 40 e9 72 17 60 f9 00 00 00 00 00 00 00 00 |n8@.r.`.........|
00000050 00 00 00 00 00 00 00 00 92 a1 ee 47 2a 46 a5 55 |...........G*F.U|
00000060 35 28 2a 70 fb ef 71 dc c7 f1 1b d7 56 90 04 e2 |5(*p..q.....V...|
00000070 73 61 30 30 30 30 62 63 6d 6f 6e 30 30 30 31 62 |sa0000bcmon0001b|
00000080 63 72 65 70 6f 72 74 30 32 |creport02|

The client uses a wrong password to calculate the NTLM response, so the helper returns NT_STATUS_LOGON_FAILURE:

2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0', buf[188]=KK TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=
2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25
2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead: accumulated[27]=NA NT_STATUS_LOGON_FAILURE

In the access.log there are two records, but there is no username in either:

2023-01-31 07:21:18| 2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT google.com:443 - HIER_NONE/- text/html -
2023-01-31 07:21:18| 19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT google.com:443 - HIER_NONE/- text/html -

Tue, 31 Jan 2023 at 07:09, Amos Jeffries <squid3@xxxxxxxxxxxxx>:

On 31/01/2023 4:55 pm, Andrey K wrote:
> Hello,
>
> I need to log failed Proxy-authentication attempts. The log
> information should contain timestamp, username and client IP address.
> 407-records in the access.log file do not contain username if
> NTLM-authentication is used.
> I was wondering if it is possible to set up such a configuration?
Squid log entries record username for all authentication types as soon
as a username exists.
I expect you are being confused by log records for the part of the NTLM
handshake before the username is sent to Squid.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
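The thread shows where the username actually is during a failed NTLM exchange: not in the helper's NA reply or the access.log 407 line, but inside the base64 AUTHENTICATE (KK) token that helper.cc writes to cache.log at debug_options 84,9. The following Python is an added example, not part of this thread and not Squid's own code. It parses that MS-NLMP AUTHENTICATE_MESSAGE (domain, user and workstation fields, honouring the UNICODE flag, which the page's OEM-encoded token does not set), then walks cache.log lines pairing each KK submission with the next helper reply on the same kid and reports the NA ones with the username. The two regexes are assumptions derived from the lines quoted above, not a documented log format; "one KK in flight per kid" is an assumption that breaks when several helpers are busy at once; latin-1 for OEM strings is an assumption (the token does not name the client's OEM code page); and the YR submit line and the second, AF, exchange in the sample log are constructed.

```python
"""Recover the NTLM user name behind a 407 from Squid's cache.log.

Added example, not Squid code. With debug_options 84,9 helper.cc logs the
base64 AUTHENTICATE (KK) token it hands to the NTLM helper and the helper's
reply (NA ...). The token is an MS-NLMP AUTHENTICATE_MESSAGE whose user,
domain and workstation strings can be parsed directly.
"""
import base64
import re
import struct

# MS-NLMP message types
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set, OEM otherwise


def _field(buf, off):
    """Read the (Len, MaxLen, BufferOffset) descriptor at `off` and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("NTLM field at offset %d runs past end of message" % off)
    return buf[offset:offset + length]


def parse_ntlm_token(token_b64):
    """Parse a base64 NTLMSSP token.

    NEGOTIATE (YR) and CHALLENGE (TT) carry no user name, so only the type is
    returned for them; AUTHENTICATE (KK) yields domain, user and workstation.
    """
    buf = base64.b64decode(token_b64, validate=True)
    if len(buf) < 12 or buf[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type != AUTHENTICATE:
        return {"type": msg_type}
    if len(buf) < 64:                    # fixed part up to and including NegotiateFlags
        raise ValueError("AUTHENTICATE message truncated")
    flags = struct.unpack_from("<I", buf, 60)[0]
    # OEM strings use the client's OEM code page, which the token does not name;
    # latin-1 is a lossless stand-in (assumption) and ASCII names decode identically.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "type": AUTHENTICATE,
        "domain": _field(buf, 28).decode(enc, "replace"),
        "user": _field(buf, 36).decode(enc, "replace"),
        "workstation": _field(buf, 44).decode(enc, "replace"),
        "flags": flags,
    }


# Line shapes taken from the debug output quoted in this thread; the regexes are
# assumptions about that output, not a documented stable log format.
SUBMIT_RE = re.compile(r"^(\S+ \S+) (kid\d+)\| .*submit: .*buf\[\d+\]=KK (\S+)")
REPLY_RE = re.compile(r"^(\S+ \S+) (kid\d+)\| .*accumulated\[\d+\]=(\w\w)(?: (.*))?$")


def failed_logons(cache_log_lines):
    """Pair each KK submission with the next helper reply on the same kid and
    return one record per NA reply.

    Assumption: one outstanding KK per kid at a time. With several NTLM helpers
    busy on one kid the pairing is ambiguous, so treat the result as best effort.
    """
    pending = {}     # kid -> (submit timestamp, parsed AUTHENTICATE fields)
    failures = []
    for line in cache_log_lines:
        m = SUBMIT_RE.match(line)
        if m:
            ts, kid, token = m.groups()
            try:
                pending[kid] = (ts, parse_ntlm_token(token))
            except ValueError:
                pending.pop(kid, None)   # malformed token: nothing to attribute
            continue
        m = REPLY_RE.match(line)
        if m and m.group(2) in pending:
            _ts, kid, code, detail = m.groups()
            submit_ts, auth = pending.pop(kid)
            if code == "NA":
                failures.append({
                    "time": submit_ts,
                    "user": auth["user"],
                    "domain": auth["domain"],
                    "workstation": auth["workstation"],
                    "status": (detail or "").strip(),
                })
    return failures


# Constructed sample: the YR/KK tokens and the NA reply are the ones quoted in the
# thread; the YR submit line and the second (AF) exchange are made up to show the other paths.
KK_TOKEN = ("TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAA"
            "BoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJj"
            "bW9uMDAwMWJjcmVwb3J0MDI=")
SAMPLE_CACHE_LOG = [
    "2023/01/31 07:21:18.880 kid2| 84,9| helper.cc(666) submit: placeholder: '0', "
    "buf[48]=YR TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=",
    "2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0', "
    "buf[188]=KK " + KK_TOKEN,
    "2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: "
    "helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25",
    "2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead: "
    "accumulated[27]=NA NT_STATUS_LOGON_FAILURE",
    "2023/01/31 07:21:40.101 kid2| 84,9| helper.cc(666) submit: placeholder: '0', "
    "buf[188]=KK " + KK_TOKEN,
    "2023/01/31 07:21:40.120 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead: "
    "accumulated[15]=AF sa0000bcmon",
]

if __name__ == "__main__":
    for rec in failed_logons(SAMPLE_CACHE_LOG):
        print("%(time)s user=%(user)r domain=%(domain)r workstation=%(workstation)r %(status)s" % rec)
```

Two caveats for anyone using this in practice. The client IP is not in these helper.cc lines, so it still has to be correlated with the access.log 407 entries by timestamp, which is approximate when several clients fail in the same second. And section 84 at level 9 is a debugging setting that writes every helper exchange, including the full tokens, to cache.log; it is a way to confirm where the username lives during the handshake, not a replacement for an audit log.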