Re: [squid-users] AOL's webmail and logging in
On 12/12/06, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> No ideas at the moment, save for getting packet level traffic captures
> of both sessions and staring at them to see if anything obvious sticks
> out..

I ran a few tcpdump sessions and did not find anything out of the ordinary. Squid appears to be getting answers back from registration.aol.com, although I am unsure if these are the responses required in order for everything to function normally.

> Btw, is this a transparent interception setup, or is the browser
> configured to use the proxy? If transparent interception try
> configuring the browser to use the proxy.

Does, maybe, ISA rewrite something that possibly Squid does not, which would cause this to work? I know Microsoft is good for cleaning up areas that it really should stay out of and wonder if that might be happening in this instance?

Has anyone else experienced any similar issues or is anyone able to duplicate this? Just wondering if it is only me. :-)

Regards,
Scott
Re: [squid-users] AOL's webmail and logging in
On 12/10/06, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> Have you perhaps enabled any of the anonymization features, possibly
> stripping cookies? See if you have any header_access directives in
> your squid.conf. Default is none, applying no anonymization.

I have not enabled any of the anonymization features and make no use of any header_access directives.

Do you have any other ideas as to why this might be happening or areas that you can point me towards?

Regards,
-- Scott Jarkoff
Re: [squid-users] AOL's webmail and logging in
On 12/12/06, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> No ideas at the moment, save for getting packet level traffic captures
> of both sessions and staring at them to see if anything obvious sticks
> out..

Thanks Henrik. I'll run a few tcpdump sessions and see what I can come up with.

> Btw, is this a transparent interception setup, or is the browser
> configured to use the proxy? If transparent interception try
> configuring the browser to use the proxy.

The browsers are configured to explicitly use the proxy. We do not do transparent proxying since it does not play nicely with integrated AD authentication schemes.

Regards,
-- Scott Jarkoff
Re: [squid-users] Random authentication popups
I would truly love to say otherwise, however I have been unable to reconcile this problem once and for all. While the popups do not appear to be as frequent as they used to be, after a minor modification to my smb.conf file, they are still present. Because of this I am unable to get Squid deployed throughout our enterprise.

scott

On 6/16/06, Ngo, Toan [EMAIL PROTECTED] wrote:
> Are there any more suggestions on the random auth prompts?
>
> Thanks.
>
> -----Original Message-----
> From: Ngo, Toan
> Sent: Monday, June 05, 2006 9:09 AM
> To: Guido Serassio; Visolve squid; Scott Jarkoff
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Random authentication popups
>
> SMB.CONF
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> netbios name = PROXY-01
> server string = Proxy Server
> log file = /var/log/samba/%m.log
> security = ads
> password server = dc1.domain.com dc2.domain.com dc3.domain.com
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> winbind separator= \\
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> # winbind use default domain = yes
> template shell = /sbin/nologin
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> wins server = x.x.x.x
> dns proxy = no
>
> SQUID.CONF
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 3 minutes
>
> -----Original Message-----
> From: Guido Serassio [mailto:[EMAIL PROTECTED]
> Sent: Saturday, June 03, 2006 2:05 AM
> To: Ngo, Toan; Visolve squid; Scott Jarkoff
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Random authentication popups
>
> Hi,
>
> At 01.34 03/06/2006, Ngo, Toan wrote:
> > I get these messages in cache.log.
> >
> > [2006/06/02 16:22:51, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
> >   got NTLMSSP command 3, expected 1
> > [2006/06/02 16:24:30, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
> >   got NTLMSSP command 3, expected 1
> > [2006/06/02 16:25:39, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
> >   got NTLMSSP command 1, expected 3
> > [2006/06/02 16:26:04, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
> >   got NTLMSSP command 3, expected 1
> >
> > Any ideas? Are others seeing the same log messages when the random
> > login prompts?
>
> This is the trace of some out of order NTLM packets, the messages come
> from Samba's ntlm_auth helper.
>
> From your previous message, I can read that you are using Samba
> 3.0.14a, 3.0.22 would be better, can you please post your smb.conf and
> the auth_param section of your squid.conf.
>
> Regards
>
> Guido
>
> -
> Guido Serassio
> Acme Consulting S.r.l. - Microsoft Certified Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: [EMAIL PROTECTED]
> WWW: http://www.acmeconsulting.it/

-- Scott Jarkoff
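The out-of-order NTLMSSP entries quoted in the message above can be tallied by kind and by hour so they can be lined up against reports of prompts. This is an added example, not code from the thread, Samba or Squid; the type names (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE) and the state descriptions come from the NTLM handshake in general, not from the posts.

```python
import re
from collections import Counter
from datetime import datetime

# NTLMSSP message type numbers, from the NTLM protocol in general.
NTLMSSP_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# \s+ lets the header and message sit on separate lines (Samba) or one line.
EVENT_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+"
    r"libsmb/ntlmssp\.c:ntlmssp_update\(\d+\)\s+"
    r"got NTLMSSP command (?P<got>\d+), expected (?P<exp>\d+)")

def parse_events(text):
    """Return (timestamp, got, expected) for each out-of-order message."""
    return [(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
             int(m["got"]), int(m["exp"]))
            for m in EVENT_RE.finditer(text)]

def describe(got, expected):
    """Say what the mismatch means for the helper's handshake state."""
    if (got, expected) == (3, 1):
        return "AUTHENTICATE reached a helper with no handshake in progress"
    if (got, expected) == (1, 3):
        return "NEGOTIATE restarted a handshake the helper had not finished"
    names = [NTLMSSP_TYPES.get(n, f"type {n}") for n in (got, expected)]
    return f"got {names[0]}, helper expected {names[1]}"

def summarize(text):
    """Count mismatches per (got, expected) pair and per clock hour."""
    events = parse_events(text)
    by_kind = Counter((got, exp) for _, got, exp in events)
    by_hour = Counter(ts.strftime("%Y-%m-%d %H:00") for ts, _, _ in events)
    return by_kind, by_hour

# The four entries quoted in the message above (two re-wrapped Samba-style).
SAMPLE = """\
[2006/06/02 16:22:51, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
  got NTLMSSP command 3, expected 1
[2006/06/02 16:24:30, 1] libsmb/ntlmssp.c:ntlmssp_update(252)
  got NTLMSSP command 3, expected 1
[2006/06/02 16:25:39, 1] libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 1, expected 3
[2006/06/02 16:26:04, 1] libsmb/ntlmssp.c:ntlmssp_update(252) got NTLMSSP command 3, expected 1
"""

if __name__ == "__main__":
    kinds, hours = summarize(SAMPLE)
    for (got, exp), n in kinds.most_common():
        print(f"{n}x got {got}, expected {exp}: {describe(got, exp)}")
    print(dict(hours))
```
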
Re: [squid-users] Authentication Pop-up after Domain Controller restart
On 6/6/06, Rodrigo Barros [EMAIL PROTECTED] wrote:
> I have a Squid 2.5.STABLE14 and a samba-3.0.22 running in my company
> with NTLM authentication, I have almost 1000 users on it today and
> It's running very smoothly. We're very satisfied but there's one
> situation I could find a solution yet and I'd like your advice on it.
> Once in a while our Domain Controller has to be restarted and every
> time this happens I have to Rejoin samba to the domain and restart
> samba. Is there any way to avoid this from happening? I know this is
> probably a samba question, but I thought you guys could have some
> experience on this.

I was wondering if you would mind sharing your samba configuration for your domain? I ask because while I have Squid running with NTLM authentication, I am experiencing random authentication popups.

http://www.mail-archive.com/squid-users@squid-cache.org/msg38420.html explains the problems I am running into. Looking for a solution but have not found one yet, so any help would be greatly appreciated.

Thanks in advance!

Regards,
-- Scott Jarkoff
Re: [squid-users] Random authentication popups
On 6/3/06, Guido Serassio [EMAIL PROTECTED] wrote:
> - Look into Samba logs and in Security logs of ALL your Domain
> Controllers

I found the following in the Samba logs when the random authentication dialogs pop up:

[2006/06/05 11:09:59, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
  [0]: request interface version
[2006/06/05 11:09:59, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
  [0]: request location of privileged pipe
[2006/06/05 11:09:59, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(464)
  [0]: request domain name
[2006/06/05 11:09:59, 3] nsswitch/winbindd_misc.c:winbindd_netbios_name(475)
  [0]: request netbios name
[2006/06/05 11:09:59, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
  [0]: pam auth crap domain: [USFJ] user: domainUSER
[2006/06/05 11:09:59, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
  [0]: pam auth crap domain: [USFJ] user: domainUSER
[2006/06/05 11:09:59, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
  [0]: pam auth crap domain: [USFJ] user: domainUSER

Those first 4 entries seem to accompany every occurrence of the authentication dialogs. Any ideas what this means?

-- Scott Jarkoff
Re: [squid-users] Random authentication popups
On 6/2/06, Guido Serassio [EMAIL PROTECTED] wrote:
> Usually disabling it, NTLM problems are increased :-(

That is pretty much what I saw when turning off negotiation.

> This could be more useful, but a look into cache.log to see if there
> are any error like
>
> WARNING: All ntlmauthenticator processes are busy
>
> before change anything.

I am not seeing any weird errors regarding NTLM in the cache.log, which is why I am really confused.

Regards,
-- Scott Jarkoff
Re: [squid-users] Random authentication popups
On 6/2/06, Serassio Guido [EMAIL PROTECTED] wrote:
> Try upgrading Samba to 3.0.22, there was a lot of NTLM/NTLMv2
> improvements after 3.14.

I am running Squid 2.5.STABLE13 and Samba 3.0.22 and encounter the aforementioned issues.

-- Scott Jarkoff
Re: [squid-users] Random authentication popups
On 6/2/06, Guido Serassio [EMAIL PROTECTED] wrote:
> Are you using NTLM Negotiate?
>
> auth_param ntlm use_ntlm_negotiate on

Indeed, I am running with NTLM negotiate turned on.

-- Scott Jarkoff
[squid-users] Random authentication popups
I have set up Squid to perform authentication via NTLM and everything is working fine with the exception of 1 odd error. At random times throughout the day, and for no apparent reason, an authentication popup will be presented to the user. Merely clicking cancel will allow the user to view the site.

The proxy server has not yet been deployed throughout the organization and therefore only has a very minimal load on it at the moment, yet it does this random authentication thing.

Does anyone have any ideas as to what might be causing this to happen?

-- Scott Jarkoff
Re: [squid-users] Best Caching Engine
On 5/27/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Does anyone know which is the best (commercial or freeware) caching
> engine for Large ISP? Is there any comparison sheet between different
> cache engine?

I have heard really good things about BlueCoat and their array of caching products.

-- Scott Jarkoff
[squid-users] Authentication issue
I have Squid set up so that it performs NTLM authentication from a Windows 2003 Active Directory domain controller. It currently works without issue, allowing only properly authenticated users web browsing access and denying others.

What I would like to do is block certain accounts from web browsing. When I implement such a block the users are presented with an authentication dialog box, and then ultimately receive the proper deny message in the browser. The problem is that I do not want them to be prompted for valid credentials; they should be immediately denied access.

Here are the appropriate areas of my configuration:

acl authenticated_users proxy_auth REQUIRED
acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
acl denied_users proxy_auth_regex -i /etc/squid/denied_users

http_access deny denied_users
http_access deny denied_admin
deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
http_access allow authenticated_users
http_access allow localhost
http_access allow local_network
http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops up and just have the deny message issued immediately?

-- Scott Jarkoff
Re: [squid-users] Authentication problem
On 5/24/06, Chris Robertson [EMAIL PROTECTED] wrote:
> See
> http://www.squid-cache.org/mail-archive/squid-users/200603/0845.html
> and
> http://www.squid-cache.org/mail-archive/squid-users/200603/0851.html

Thanks very much Chris. Those links were exactly what I was looking for. Much appreciated!

-- Scott Jarkoff
[squid-users] Authentication problem
I have Squid set up so that it performs NTLM authentication from a Windows 2003 Active Directory domain controller. It currently works without issue, allowing only properly authenticated users web browsing access and denying others.

What I would like to do is block certain accounts from web browsing. When I implement such a block the users are presented with an authentication dialog box, and then ultimately receive the proper deny message in the browser. The problem is that I do not want them to be prompted for valid credentials; they should be immediately denied access.

Here are the appropriate areas of my configuration:

acl authenticated_users proxy_auth REQUIRED
acl denied_admin proxy_auth_regex -i /etc/squid/denied_admin
acl denied_users proxy_auth_regex -i /etc/squid/denied_users

http_access deny denied_users
http_access deny denied_admin
deny_info ERR_ACCESS_DENIED_ADMIN denied_admin
http_access allow authenticated_users
http_access allow localhost
http_access allow local_network
http_access deny all

Any ideas how I can get rid of the authentication dialog box that pops up and just have the deny message issued immediately?

-- Scott Jarkoff