Hi everybody, I hope somebody can point me to the right direction. When browsing the web, my users are sometimes getting random basic authentication popups.
I'm using squid 2.5.STABLE5 on two Red Hat Linux 9 (one as parent the other a sibling). I'm also using NTLM auth with winbind (Samba 3.0.0) on a NT4 domain. I search the web and FAQ for similar problems, but in the solutions I found, none of them works. I found the "Random auth popups and account lockouts when using NTLM" patch on the squid website so I updated from squid STABLE4 to STABLE5, but I still got the popups. I notice also that when a user got a popup in the log file I can see a line similar to that: 1079705199.972 56 10.10.2.15 TCP_SWAPFAIL_MISS/407 1886 GET http://212.158.38.131/provantis/images/instemsite0.gif DOMAIN\USERNAME DEFAULT_PARENT/squidout.ctbr.com text/html I red about TCP_SWAPFAIL_MISS, and according to what I found, I shouldn't care about that. The 407 code mean Proxy auth required, so this is probably the problem, but why the NTLM doesn't answer? Here is a part of my squid.conf: ---------------------------cut------------------------------------ # NTLM Auth auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 40 auth_param ntlm max_challenge_reuses 20 auth_param ntlm max_challenge_lifetime 20 minutes # Basic Auth (in case the client doesn't support NTLM) auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server Basic Auth auth_param basic credentialsttl 2 hours # Full internet user access file acl FULL proxy_auth "/etc/squid/users/users.full" # User list that can download specific extentions (see acl EXTDENY for extention list) acl EXTUSERS proxy_auth "/etc/squid/users/users.extentions" # File extentions denied for normal user, accepted for ITS acl EXTDENY1 urlpath_regex "/etc/squid/acl/extentions1.list" # File extentions that are denied for everybody (even ITS) acl EXTDENY2 urlpath_regex "/etc/squid/acl/extentions2.list" # This is to accept ICP queries from squidout acl ICPSQUIDOUT src 192.168.254.3/255.255.255.255 # List the MAC address of internet stations, to bypass the auth on those computers acl INETSTATION arp "/etc/squid/users/inetmac.list" # Exception list acl EXCEPTIONS url_regex "/etc/squid/acl/exceptions.list" # Exception for Pasteur2 to be able to download Sophos updates acl PASTEUR2 arp 00:02:B3:8A:F8:DE acl SOPHOS dstdomain .sophos.com # Permit direct access to internal servers acl LANSERV dstdomain "/etc/squid/acl/alwaysdirect.list" # Allow Internet stations http_access allow INETSTATION !EXTDENY1 !EXTDENY2 # Allow direct access to internal servers always_direct allow LANSERV # Allow Pasteur2 to download Sophos updates http_access allow PASTEUR2 SOPHOS # Exception list http_access allow EXCEPTIONS FULL # Allow Squidout to do ICP queries http_access allow ICPSQUIDOUT # Allow users that are in the extentions list to download some extentions http_access allow EXTUSERS EXTDENY1 # Deny extentions in extentions2.list for everybody http_access deny EXTDENY2 # Deny other extentions http_access deny EXTDENY1 # Send them to this page deny_info http://squidin/accessdenied.php?reason=ext EXTDENY1 deny_info http://squidin/accessdenied.php?reason=ext EXTDENY2 # Allow access to FULL http_access allow FULL all # Deny the rest http_access deny all ---------------------------------cut----------------------------- If you need more information ask me. Thanks in advance, Jean-Philippe Houde
