Hello Amos,
Thank you for your recommendations.
I modified negotiate_wrapper_auth to parse NTLM tokens and to set the user attribute in AV-pairs,
so now I can configure the desired logging using acl note-type.
But I also have BASIC authentication type users.
Usernames of those users are known to the squid even if they type wrong passwords, but the user-attribute is not set in the note-list in such transactions.
Should I write a new wrapper script for the BASIC-authentication to set the user-attribute, or can I check if the username is known without using a wrapper?
The general idea is to log wrong authentication attempts to find the sources if user accounts are blocked in AD.
> But I recommend
> just upgrading your systems to Kerberos which will avoid a lot of
> these complications entirely.
We have many linux-users whose software can't perform Kerberos proxy authentication; they can only do NTLM, or even BASIC (or they can't work through an http-proxy at all, but we configure them to use cntlm or proxifier). So we cannot refuse NTLM and BASIC proxy-authentications.
Kind regards,
Ankor.
Fri, 17 Feb 2023 at 23:20, Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 18/02/2023 7:29 am, Amos Jeffries wrote:
> On 17/02/2023 7:29 pm, Andrey K wrote:
>> Hello,
>>
>> I would like to disable logging of 407-errors, except when the
>> username is known.
>> Is it possible to configure?
>
> Assuming that you have the wrapper script from your previous request
> about always logging usernames you should be able to use a note type
> ACL like so:
>
> acl knownUser note user
> access_log ... on-error=drop http-407 !knownUser
>
>
>>
>> I have now the log configured:
>> acl http-407 http_status 407
>> access_log daemon:/var/log/squid/access.log logformat=extended-squid
>> on-error=drop !http-407
>>
>> But I would also like to see authentication errors when a user types
>> the wrong password (the username is known in these cases).
>>
>
> With most HTTP authentication you could rely on all 407 meaning bad or
> unknown credentials. But NTLM (ab)uses that code for its handshake
> type-2 response, so you one distinguish a failed from an incomplete
> authentication.
That was meant to say "so one cannot distinguish a failed from an
incomplete authentication."
>
> At this point you are already wrapping and re-writing most of the
> NTLM->Squid helper traffic. You could adjust the challenge to also use
> the current helper syntax with a custom note to log. But I recommend
> just upgrading your systems to Kerberos which will avoid a lot of
> these complications entirely.
>
> Cheers
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
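As an added illustration of the wrapper approach discussed in this thread (example code written for this page; it is not the code of negotiate_wrapper_auth, of Squid, or of either poster): a parser that pulls the domain and username out of an NTLM type-3 (AUTHENTICATE) token, which is what a wrapper needs in order to attach a "user" note to a failed attempt, and which yields no user for a type-1 or type-2 message, so a 407 that is only the NTLM handshake stays distinguishable from a 407 caused by a wrong password. It goes slightly beyond the thread in that it also locates the NTLMSSP block inside a SPNEGO-wrapped token, as a Negotiate helper would receive it. The function names, the constructed sample tokens, and the DOMAIN\user note format are this example's own assumptions; the Squid helper protocol lines around the token are not shown.

```python
"""Parse NTLM tokens the way an auth wrapper for Squid would, to recover the
username from a type-3 (AUTHENTICATE) message.

Added example for this thread; not the code of Squid, negotiate_wrapper_auth,
or either poster.  Names are this example's own.  The message layout follows
MS-NLMP section 2.2.1.3 (AUTHENTICATE_MESSAGE).
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Message types as they appear in the 4-byte field after the signature.
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def _field(buf, offset):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    return buf[start:start + length]


def parse_ntlm_token(b64token):
    """Return a dict {type, user, domain} for the NTLM message in a token.

    The NTLMSSP signature is searched for rather than expected at offset 0,
    so a token wrapped in SPNEGO also parses: the NTLM message is carried as
    one contiguous byte string inside the outer ASN.1 structure.
    Returns None when no NTLM message is present (e.g. a Kerberos token).
    """
    raw = base64.b64decode(b64token)
    start = raw.find(NTLMSSP_SIGNATURE)
    if start < 0:
        return None
    msg = raw[start:]
    if len(msg) < 12:
        return None
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    info = {"type": msg_type, "user": None, "domain": None}
    if msg_type != AUTHENTICATE or len(msg) < 64:
        # Types 1 and 2 carry no username: a 407 answering a type-1 message
        # is the handshake, not a failed login.
        return info
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    # Descriptors: LM response @12, NT response @20, domain @28, user @36,
    # workstation @44, session key @52; negotiate flags @60.
    info["domain"] = _field(msg, 28).decode(enc, "replace")
    info["user"] = _field(msg, 36).decode(enc, "replace")
    return info


def user_note(b64token):
    """Value a wrapper could hand to Squid as the 'user' note for a type-3
    token (assumed format DOMAIN\\user), or None when no user is present."""
    info = parse_ntlm_token(b64token)
    if not info or not info["user"]:
        return None
    if info["domain"]:
        return "%s\\%s" % (info["domain"], info["user"])
    return info["user"]


def build_authenticate(domain, user, workstation="", unicode=True):
    """Construct a minimal type-3 message as test data (not a real login).

    LM/NT responses and the session key are left empty; only the fields the
    parser reads are populated, which is enough to exercise the layout.
    """
    enc = "utf-16-le" if unicode else "latin-1"
    flags = NTLMSSP_NEGOTIATE_UNICODE if unicode else 0
    payload_start = 64  # 8 sig + 4 type + 6 descriptors * 8 + 4 flags
    payload = b""
    descriptors = []
    for value in (b"", b"", domain.encode(enc), user.encode(enc),
                  workstation.encode(enc), b""):
        descriptors.append(struct.pack("<HHI", len(value), len(value),
                                       payload_start + len(payload)))
        payload += value
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    msg += b"".join(descriptors) + struct.pack("<I", flags)
    return base64.b64encode(msg + payload).decode("ascii")


# Constructed sample tokens, not captured traffic.
TYPE1_TOKEN = base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<I", NEGOTIATE) + struct.pack("<I", 0x201)
).decode("ascii")
TYPE3_TOKEN = build_authenticate("CORP", "j.doe", "WS01")
# Two arbitrary leading bytes stand in for a SPNEGO header; not a real
# SPNEGO encoding, only enough to show the signature search.
WRAPPED_TOKEN = base64.b64encode(
    b"\xa1\x00" + base64.b64decode(TYPE3_TOKEN)).decode("ascii")

if __name__ == "__main__":
    for token in (TYPE1_TOKEN, TYPE3_TOKEN, WRAPPED_TOKEN):
        info = parse_ntlm_token(token)
        print("type %d -> user note: %r" % (info["type"], user_note(token)))
```

A wrapper would run parse_ntlm_token over each token the client sends and, once a type-3 message with a user is seen, emit the note regardless of whether the backend later accepts or rejects the credentials; a type-1 message produces no note, which is exactly the distinction a 407-based log filter needs.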