Hi Folks,

We've got a little ACL problem here. Let me explain the situation: there are 2 networks, one for Admin, one for Educative. On the Admin LAN we want to use ident. On the Edu LAN we want to use ident, except for 3 Citrix servers, which should use NTLM. Implemented in squid this becomes:

# NTLM authenticator against the Edu domain controller
auth_param ntlm program /usr/lib/squid/ntlm_auth DO_EDU/PDC_EDU
auth_param ntlm children 50
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 60 minutes
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour

acl all src 0.0.0.0/0.0.0.0
# the three Citrix servers, for which no ident lookup should be done
acl citrix_servers src 192.168.15.149 192.168.15.4 192.168.15.6
ident_lookup_access deny citrix_servers
ident_lookup_access allow all

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED # doesn't make any sense in problem

# per-group ACLs: URL lists, source IP lists, ident user lists, NTLM user lists
acl l_url_5 regex_domain "/etc/squid/ACL/l_url_5"
acl l_url_4 regex_domain "/etc/squid/ACL/l_url_4"
acl g_src_128 src "/etc/squid/ACL/g_IP_128"
acl g_user_128 ident -i "/etc/squid/ACL/g_USER_128"
acl g_ntlm_128 proxy_auth -i "/etc/squid/ACL/g_USER_128_ntlm"
acl g_src_126 src "/etc/squid/ACL/g_IP_126"
acl g_user_126 ident -i "/etc/squid/ACL/g_USER_126"
acl g_ntlm_126 proxy_auth -i "/etc/squid/ACL/g_USER_126_ntlm"
[snip other acl defs]

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow l_always_kliksafe
# ident / ip based auth for 128
http_access allow g_src_128 l_url_4
http_access allow g_user_128 l_url_4
http_access allow g_src_128
http_access allow g_user_128
http_access allow g_src_126 l_url_4
http_access allow g_user_126 l_url_4
http_access allow g_src_126
http_access allow g_user_126
[snip other acl defs, in this style]
# ntlm fallback auth
http_access allow g_ntlm_128 l_url_4
http_access allow g_ntlm_128
http_access allow g_ntlm_126 l_url_4
http_access allow g_ntlm_126
[eof]

This should force squid not to do ident lookups to the Citrix servers. But what happens...! Squid happily goes and does the ident request, and finds 1 Citrix user, not the one which should be used by NTLM auth. Because on one Citrix server 100 users can be logged in...

Of course, I can disable ident on the Citrix servers, but in this situation that is not what I want because of other software. Squid should not do any ident lookups for Citrix, so why is squid doing this? When I disable the ident server on Citrix, squid authorizes with NTLM, as it should...

Strange is that this setup has worked with older Squids (as far as I know; I didn't get any complaints about wrong rights given to individual Citrix users)...

Keep in mind: acl password proxy_auth REQUIRED # doesn't make any sense in problem

Using Squid-2.5-STABLE6. Is this a bug or a feature ;-)

Thanks a lot!

Regards,
Janno.

Janno de Wit
DNA services B.V.
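Added example (not from Janno's post and not Squid project code): a reordering of the http_access lines above that keeps Squid from ever evaluating an ident ACL for a request coming from one of the Citrix servers. It rests on two assumptions about Squid's ACL handling, taken from Squid's documented behaviour rather than from anything in the post: first, that ident_lookup_access only governs the lookups Squid starts on its own (for logging), while an ident-type ACL that is reached during http_access evaluation triggers a lookup of its own when the request has no ident result yet; second, that the ACLs on a single http_access line are tested left to right and the line is abandoned at the first ACL that does not match. The ACL names and the three Citrix addresses are the post's; the contents of the list files are not shown and are not assumed.

```conf
# --- as posted: for a Citrix client g_src_128 does not match, so Squid
#     moves to the next line and evaluates g_user_128 (an ident ACL).
#     Assumption: evaluating an ident ACL starts the lookup, and the
#     ident_lookup_access lines do nothing to stop that.
#
# ident_lookup_access deny citrix_servers
# ident_lookup_access allow all
# http_access allow g_src_128 l_url_4
# http_access allow g_user_128 l_url_4
# http_access allow g_src_128
# http_access allow g_user_128

# --- reordered: a cheap src test goes first on every line that carries
#     an ident ACL, so for a Citrix client the line fails on
#     !citrix_servers and the ident ACL to its right is never evaluated.
acl citrix_servers src 192.168.15.149 192.168.15.4 192.168.15.6

# ident / ip based auth for 128 (ip lines unchanged)
http_access allow g_src_128 l_url_4
http_access allow !citrix_servers g_user_128 l_url_4
http_access allow g_src_128
http_access allow !citrix_servers g_user_128

# same pattern for 126
http_access allow g_src_126 l_url_4
http_access allow !citrix_servers g_user_126 l_url_4
http_access allow g_src_126
http_access allow !citrix_servers g_user_126

# NTLM: restrict the proxy_auth lines to the Citrix hosts so that a
# non-Citrix client whose ident name is unknown is not challenged for
# NTLM as a side effect (drop the citrix_servers term if that fallback
# is actually wanted for everyone, as the original comment suggests)
http_access allow citrix_servers g_ntlm_128 l_url_4
http_access allow citrix_servers g_ntlm_128
http_access allow citrix_servers g_ntlm_126 l_url_4
http_access allow citrix_servers g_ntlm_126
http_access deny all
```

The same left-to-right rule is why Squid's own guidance is to put fast ACLs (src, port, method) before slow ones (ident, proxy_auth, external) on a line: the slow ACL is only consulted for requests that have already passed the cheap checks. Whether the reorder removes the unwanted lookups can be confirmed by watching the Citrix server's ident daemon (or the proxy's outbound connections to TCP port 113) while a Citrix user browses through the proxy.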