Hi Guido,
this seems to be a known behaviour of NTLM auth in Squid. Please see

  http://readlist.com/lists/squid-cache.org/squid-users/0/2783.html

for more information. Probably the bug is in the Samba code rather than in Squid's.

I'll open a new upstream bug in the next few days and forward this bug.

Regards,

L


On 20 Aug 07, at 23:40, Guido Lorenzutti wrote:

Yes, this is the error that appears in the cache_log when a pop up
appears asking for the password and username:

[2007/08/20 06:27:57, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1

If this error appears, the ntlm stops working. The browser asks for the
username and password (and it should not ask for it), if you enter it
several times you can continue... sometimes you have to close the
session and start over.

This is the squid.conf:

#debug_options ALL,1 33,2
log_fqdn on
cache_store_log none
useragent_log none
cache_log /var/log/squid/cache_log.log
access_log /var/log/squid/access.log
error_directory /usr/share/squid/errors/Spanish
offline_mode on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=jusbaires
auth_param ntlm children 25

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=jusbaires
auth_param basic children 25
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type ldap_group ttl=0 children=25 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=Group,dc=jusbaires,dc=gov,dc=ar" -f "(&(cn=%a)(memberuid=%v)(objectClass=posixgroup))" -h tacuari-fs.jusbaires.gov.ar -v3 -S

refresh_pattern windowsupdate.com/.*\.(cab|exe)  4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe)  4320 100% 43200 reload-into-ims
refresh_pattern ^http://.*\.cnn\.com 360 50% 4320 override-lastmod
refresh_pattern ^http://news\.bbc\.co\.uk 360 50% 4320 override-lastmod
refresh_pattern microsoft 1080 150% 10080 override-lastmod
refresh_pattern msn\.com 4320 150% 10080 override-lastmod
refresh_pattern ^http://.*\.doubleclick\.net 10080 300% 40320 override-lastmod
refresh_pattern ^http://.*FIDO 360 1000% 480
refresh_pattern \.r[0-9][0-0]$ 10080 150% 40320
refresh_pattern ^http://.*\.gif$ 1440 50% 20160
refresh_pattern ^http://.*\.asis$ 1440 50% 20160
refresh_pattern -i \.pdf$ 10080 90% 43200
refresh_pattern -i \.art$ 10080 150% 43200
refresh_pattern -i \.avi$ 10080 150% 40320
refresh_pattern -i \.mov$ 10080 150% 40320
refresh_pattern -i \.wav$ 10080 150% 40320
refresh_pattern -i \.mp3$ 10080 150% 40320
refresh_pattern -i \.qtm$ 10080 150% 40320
refresh_pattern -i \.mid$ 10080 150% 40320
refresh_pattern -i \.viv$ 10080 150% 40320
refresh_pattern -i \.mpg$ 10080 150% 40320
refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.rar$ 10080 150% 40320
refresh_pattern -i \.ram$ 10080 150% 40320
refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
refresh_pattern -i \.zip$ 2880 200% 40320
refresh_pattern -i \.arj$ 2880 200% 40320
refresh_pattern -i \.exe$ 2880 200% 40320
refresh_pattern -i \.doc$ 2880 200% 40320
refresh_pattern -i \.pdf$ 2880 200% 40320
refresh_pattern -i \.xls$ 2880 200% 40320
refresh_pattern -i \.tgz$ 10080 200% 40320
refresh_pattern -i \.gz$ 10080 200% 40320
refresh_pattern -i \.tgz$ 10080 200% 40320
refresh_pattern -i \.tar$ 10080 200% 40320
refresh_pattern -i \.Z$ 10080 200% 40320
refresh_pattern ^ftp:// 1440 50% 10080
refresh_pattern ^gopher:// 1440 10% 1440
refresh_pattern . 0 20% 4320

negative_ttl 1 minutes
positive_dns_ttl 5 minutes
negative_dns_ttl 1 minutes
half_closed_clients off
connect_timeout 3 seconds
cache_dir aufs /var/spool/squid 9800 16 256
cache_swap_low 85
cache_swap_high 95
maximum_object_size 81920 KB
maximum_object_size_in_memory 300 KB
cache_mem 100 MB
fqdncache_size 6144
cache_replacement_policy lfuda
pipeline_prefetch off
client_persistent_connections on
server_persistent_connections on
visible_hostname proxy.sarasa.com

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0

acl lan_10_7 src 10.7.0.0/255.255.0.0

acl msnenoutlook url_regex http://services.msn.com/svcs/hotmail/ httpmail.asp
acl nomsnurl dstdomain "/etc/squid/nomsn"

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 1863 6667 4430
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # multiling http
acl Safe_ports port 631         # CUPS

acl auth proxy_auth REQUIRED
acl noinet external ldap_group noinet
acl fullinet external ldap_group fullinet
acl nomsn external ldap_group nomsn

acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access deny noinet
http_reply_access deny noinet

http_access deny nomsn nomsnurl
http_reply_access deny nomsn nomsnurl

http_access allow fullinet
http_reply_access allow fullinet

http_access allow lan_10_7 auth

http_access deny all
icp_access deny all

http_port 3128


There are a few parameters that change from one version to another, but
basically the same config file works in the sarge version of squid and
the NTLM works OK without any problem.

The winbind config is this, but it is the same for etch or sarge:

[global]
   workgroup = JUSBAIRES
   netbios name = TACUARI-PROXY
   wins support = no
   wins server = 10.7.0.1
   password server = 10.7.0.1
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 0
   security = domain
   domain master = no
   encrypt passwords = true
   passdb backend = tdbsam
   printing = none
   restrict anonymous = 1
   winbind enum users = yes
   winbind use default domain = yes
   winbind separator = \\
   load printers = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000


I tried just installing the squid, squid-common and squidclient from etch
on a sarge and the same thing happens. The squid version from etch
broke the ntlm authentication.

I tried the squid from testing and the log disappears, but the problem
persists. For me it isn't resolved in the 2.6.stable8 like the squid bug
says. The only way I solved this is staying in the sarge version of squid :(

Tell me if you need anything else.

--
Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
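
Added example, not part of the original messages: a small Python scan of cache_log for the ntlmssp_update error quoted above, naming the NTLMSSP message types (1 = Negotiate, 3 = Authenticate) so that out-of-sequence handshakes can be counted per minute. The function names and every sample line except the first entry are constructed for illustration.

```python
import re
from collections import Counter

# NTLMSSP message types as defined by the protocol.
NTLMSSP_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}):\d{2},\s*\d+\]\s+(\S+)")
MISMATCH = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")

def find_mismatches(lines):
    """Return (date, HH:MM, got, expected) for each out-of-sequence message."""
    events, stamp = [], None
    for line in lines:
        h = HEADER.match(line)
        if h:
            # Keep the timestamp only for headers logged by ntlmssp_update.
            stamp = (h.group(1), h.group(2)) if "ntlmssp_update" in h.group(3) else None
            continue
        m = MISMATCH.search(line)
        if m and stamp:
            events.append((*stamp, int(m.group(1)), int(m.group(2))))
        stamp = None  # a body line consumes the pending header
    return events

def summarize(events):
    """Count mismatches per minute, keyed by a readable description."""
    counts = Counter()
    for date, minute, got, exp in events:
        desc = f"got {NTLMSSP_TYPES.get(got, got)}, expected {NTLMSSP_TYPES.get(exp, exp)}"
        counts[(f"{date} {minute}", desc)] += 1
    return counts

# Constructed sample: the first entry is the one quoted in the report,
# the remaining lines are made up for the demonstration.
SAMPLE = """\
[2007/08/20 06:27:57, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2007/08/20 06:27:58, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2007/08/20 06:31:02, 3] some/other.c:other_function(10)
  unrelated helper message
""".splitlines()

if __name__ == "__main__":
    for (minute, desc), n in sorted(summarize(find_mismatches(SAMPLE)).items()):
        print(f"{minute}  {n}x  {desc}")
```

A burst of "got AUTHENTICATE, expected NEGOTIATE" entries means a helper received the final message of a handshake while its state machine was waiting for the first one.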



