i've asked to be removed countless times. here's another message that i didn't want. it's really not that hard to remove somebody is it...
This is a forwarded message
From: David Robinet <[EMAIL PROTECTED]>
To: "Henrik Nordstrom" <[EMAIL PROTECTED]>
Date: Wednesday, January 28, 2004, 7:31:09 AM
Subject: [squid-users] NTLM issues *Pretty long*

===8<==============Original message text===============
Thanks, Henrik. I've literally pulled an all-nighter trying to get Squid up and running (I'd managed to figure that out - after several hours of looking at documentation, "Squid" and "Samba" began to look the same and I was reading "Squid" documentation).

I've got authentication working for the most part. What I'm now experiencing is that it pops up the 3 box authentication prompt frequently, but not always. In other words, loading up www.yahoo.com might pop up the authentication box 4 times - it will load most graphics and maybe the top part of the HTML, for example, but it will ask for authentication over and over again.

I've tried increasing the helper children to 15 (I was at 5), but that didn't seem to help.

The log file looks like this (partial, with comments):

# Here, I tail -f'ed the log, and entered www.dslreports.com into IE6 on my PC.
#
1075291824.640 1 172.17.4.51 TCP_DENIED/407 2474 GET http://www.dslreports.com/ - NONE/- text/html
1075292003.908 1 172.17.4.51 TCP_DENIED/407 2281 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.123 1 172.17.4.51 TCP_DENIED/407 2387 GET http://www.dslreports.com/ - NONE/- text/html
1075292004.592 0 172.17.4.51 TCP_DENIED/407 2436 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292004.615 0 172.17.4.51 TCP_DENIED/407 2538 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
1075292025.097 2 172.17.4.51 TCP_DENIED/407 2524 GET http://www.dslreports.com/front/1-lite-20031204.css - NONE/- text/html
# Asked me for my userid, which I entered manually in the challenge box
#
1075292025.330 223 172.17.4.51 TCP_MISS/200 3429 GET http://www.dslreports.com/front/1-lite-20031204.css ECD\DROBINET DIRECT/209.123.109.175 text/css
1075292025.404 0 172.17.4.51 TCP_DENIED/407 2362 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.406 0 172.17.4.51 TCP_DENIED/407 2346 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.436 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292025.438 1 172.17.4.51 TCP_DENIED/407 2450 GET http://i.dslr.net/sk/bl/lgin.gif - NONE/- text/html
1075292025.448 0 172.17.4.51 TCP_DENIED/407 2358 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
1075292025.472 1 172.17.4.51 TCP_DENIED/407 2446 GET http://i.dslr.net/sk/bl/go1.gif - NONE/- text/html
#Here, it begins using my credentials after failing a few authentications, but not asking me to re-enter:
#
1075292025.701 212 172.17.4.51 TCP_MISS/200 498 GET http://i.dslr.net/sk/bl/go1.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.773 323 172.17.4.51 TCP_MISS/200 1603 GET http://i.dslr.net/sk/bl/lgin.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
1075292025.777 55 172.17.4.51 TCP_MISS/200 696 GET http://i.dslr.net/xml.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.841 460 172.17.4.51 TCP_MISS/200 5255 GET http://i.dslr.net/sk/bl/logo.gif ECD\DROBINET DIRECT/209.123.205.211 image/gif
1075292025.873 59 172.17.4.51 TCP_MISS/200 326 GET http://i.dslr.net/fp2.gif ECD\DROBINET DIRECT/209.123.205.210 image/gif
# ...about 30 more successful parts of the page load, then...
#
1075292074.490 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
1075292076.605 0 172.17.4.51 TCP_DENIED/407 2430 GET http://i.dslr.net/1ptrans.gif - NONE/- text/html
# (...and it's begun asking me for userid once again.
#

So, wherever it seems to fail, it logs the "- NONE/-" bit, and then prompts me for my userid. When I enter it, it does authenticate me correctly, but then it reverts to challenging me. The challenge box does appear to be for NTLM authentication (3 boxes, including the domain field), but even that I'm not 100% sure of.

The only other logging I'm aware of is the winbindd.log file, which simply contains:

[2004/01/28 06:58:30, 1] nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list
[2004/01/28 07:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(960)
  user 'root' does not exist
[2004/01/28 07:03:30, 1] nsswitch/winbindd_util.c:add_trusted_domains(207)
  scanning trusted domain list

(over and over again...), and the log.winbindd file, which just says it's been started.

I'm having a fairly difficult time troubleshooting this, and I'd definitely appreciate anyone's advice, here. There's some pretty enormous pressure right now to get our Internet under control, and I'm really trying to win "my" proposal of Squid, instead of the Windows admin standard MS Proxy (the money for which would come directly from my budget).

I'm running Samba 3.0.1 (--version flags confirmed that all daemons are 3.0.1) and Squid 3.0-PRE3.

Here's squid.conf in its entirety.
I went through and removed all commented lines to try and make debugging easier:

----
http_port 3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
auth_param ntlm program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_reply_access allow all
icp_access allow all
visible_hostname wvproxy1
coredump_dir /usr/local/squid/var/cache
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----

Anyone have any suggestions at all?

Dave

--
Dave Robinet ([EMAIL PROTECTED])
IT Manager - Magna Steyr Engineering Center Detroit
Ph: 248-293-0206
Fax: 248-299-5711

>-----Original Message-----
>From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, January 27, 2004 6:06 PM
>To: David Robinet
>Cc: [EMAIL PROTECTED]
>Subject: Re: [squid-users] NTLM issues
>
>
>On Tue, 27 Jan 2004, David Robinet wrote:
>
>> One glitch is that it doesn't appear to be building the ntlm_auth
>> module. My configure options are:
>
>ntlm_auth is part of the Samba distribution when using Samba 3. Also
>remember to read the Samba 3 ntlm_auth manual.
>
>> ./configure --enable-auth="ntlm,basic"
>> --enable-external-acl-helpers="wbinfo_group" --enable-ssl
>> --enable-snmp
>
>Looks fine to me. Not sure if you really need --enable-ssl however, but is
>not relevant to your question.
>
>The path to Samba 3 ntlm_auth is different than when using the
>older Samba 2.2.X helper shipped with Squid. See your Samba
>package installation.
>
>Regards
>Henrik
>
>
===8<===========End of original message text===========

--
Best regards,
 mortbox mailto:[EMAIL PROTECTED]
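
Added example, not part of the original message or of Squid: an NTLM handshake through a proxy normally costs two 407 replies before the request succeeds, so this sketch counts 407s per client and URL in Squid's native access.log layout to separate routine handshakes from repeated challenges. The log lines are constructed (hosts, addresses and the user DOM\alice are placeholders) and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (placeholder hosts and user).
SAMPLE_LOG = r"""
1075292004.592 0 10.0.0.5 TCP_DENIED/407 2436 GET http://www.example.com/site.css - NONE/- text/html
1075292004.615 0 10.0.0.5 TCP_DENIED/407 2538 GET http://www.example.com/site.css - NONE/- text/html
1075292025.097 2 10.0.0.5 TCP_DENIED/407 2524 GET http://www.example.com/site.css - NONE/- text/html
1075292025.330 223 10.0.0.5 TCP_MISS/200 3429 GET http://www.example.com/site.css DOM\alice DIRECT/192.0.2.10 text/css
1075292025.448 0 10.0.0.5 TCP_DENIED/407 2358 GET http://img.example.com/go1.gif - NONE/- text/html
1075292025.472 1 10.0.0.5 TCP_DENIED/407 2446 GET http://img.example.com/go1.gif - NONE/- text/html
1075292025.701 212 10.0.0.5 TCP_MISS/200 498 GET http://img.example.com/go1.gif DOM\alice DIRECT/192.0.2.11 image/gif
1075292074.490 0 10.0.0.5 TCP_DENIED/407 2430 GET http://img.example.com/1ptrans.gif - NONE/- text/html
"""

# Fields: time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/(?P<status>\d{3})\s+\d+\s+"
    r"\S+\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

def challenge_runs(log_text):
    """Return (url, number_of_407s, user) per request; user is None if it never got past 407.

    access.log carries no connection id, so 407s are grouped by (client, URL) as an approximation.
    """
    pending = defaultdict(int)
    runs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        key = (m["client"], m["url"])
        if m["status"] == "407":
            pending[key] += 1
        else:
            runs.append((m["url"], pending.pop(key, 0), m["user"]))
    # Requests still waiting on credentials when the log ends.
    runs.extend((url, n, None) for (_, url), n in pending.items())
    return runs

def excessive(runs, handshake_407s=2):
    """Runs with more 407s than a single NTLM handshake accounts for."""
    return [r for r in runs if r[1] > handshake_407s]

if __name__ == "__main__":
    for url, n, user in challenge_runs(SAMPLE_LOG):
        print(f"{n} x 407  user={user}  {url}")
```
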