Re: [squid-users] Can't see usernames in logs after enabling NTLM

Sun, 20 Feb 2005 15:17:04 -0800

Chris Robertson wrote: 
-----Original Message-----
From: Oliver Hookins [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 10, 2005 1:15 PM
To: Henrik Nordstrom
Cc: squid-users@squid-cache.org; Chris Robertson
Subject: Re: [squid-users] Can't see usernames in logs after enabling
NTLM


Henrik Nordstrom wrote:

After that we have someone who IS in the LDAP group, is in the SURFING IP range and is access a site that is also not in allowedsites. The connection is denied and the username is not logged.


Here the browser did not agree on logging in to the proxy and hence the request is denied as you require authentication (even if faked verification).

This could be a problem. So any program that chooses not to authenticate, or for some reason cannot authenticate (for example, it's not built-in) will be denied access?

If we reversed the rules like this:

http_access allow SURFING
http_access allow allowedsites mynetwork
http_access allow AuthGroup mynetwork
http_access deny all

that would force authentication for non-SURFING && non-allowedsites requests, right? I'm just thinking of server programs that download stuff but don't authenticate (in which case we would put them in the SURFING acl).

Regards,
Oliver



That would allow unauthenticated surfing for computers in the SURFING IP
range and for any computers on "mynetwork" accessing "allowedsites".  Once
someone not in the SURFING IP range (but in "mynetwork") tries to access a
site that is not on the allowedsites list, authentication will be requested,
and the AuthGroup will be checked.  Dependant on the outcome of *that* test,
either the request will be allowed or denied.

In short, I think you've nailed it.

Sorry to drag this issue out so long but it still isn't working 100%. I've got some more access.log examples of what is happening now. I understand that when a client is requested authentication, there are a couple of TCP_DENIED entries in the logs and that it is normal.

However we are getting a couple of TCP_DENIED messages without the user credentials, then further TCP_DENIED messages with the user credentials. I have double- and triple-checked and this user is definitely in the authorised group. If I do a manual check with the squid_ldap_group on the command line, I get an OK.

1108612447.271    459 192.168.0.61 TCP_REFRESH_HIT/200 905 GET
http://www.microsoft.com/h/en-us/r/for_developers.gif -
DIRECT/207.46.144.188 image/gif
1108612447.379    482 192.168.0.61 TCP_REFRESH_HIT/200 1036 GET
http://www.microsoft.com/h/en-us/r/company_info.gif - DIRECT/207.46.144.188
image/gif
1108612447.622    478 192.168.0.61 TCP_MISS/200 628 GET
http://c.microsoft.com/trans_pixel.asp? - DIRECT/207.46.197.85 image/gif
1108612447.711    490 192.168.0.61 TCP_MISS/200 438 GET
http://c1.microsoft.com/c.gif? - DIRECT/207.68.177.126 image/gif
1108612510.253      0 192.168.0.61 TCP_DENIED/407 1684 GET
http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.260      0 192.168.0.61 TCP_DENIED/407 1770 GET
http://www.ninemsn.com.au/ - NONE/- text/html
1108612510.356     95 192.168.0.61 TCP_DENIED/403 1379 GET
http://www.ninemsn.com.au/ epa\aderooy NONE/- text/html
1108612527.261      4 192.168.0.61 TCP_IMS_HIT/304 221 GET
http://www.acrlimited.com.au/ - NONE/- text/html
1108612527.306     23 192.168.0.61 TCP_IMS_HIT/304 225 GET
http://www.acrlimited.com.au/images/header-top-pic.jpg - NONE/- image/jpeg
1108612527.332     25 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/header-top-r.gif - NONE/- image/gif
1108612527.351     18 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/header-bottom-slogan.gif - NONE/-
image/gif
1108612527.418     67 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/header-bottom-r.gif - NONE/- image/gif
1108612527.458     17 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/home-on.gif - NONE/- image/gif
1108612527.477      0 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/rates-off.gif - NONE/- image/gif
1108612527.506     28 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/privacy-off.gif - NONE/- image/gif
1108612527.530     24 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/contact-off.gif - NONE/- image/gif
1108612527.548     17 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/blank.gif - NONE/- image/gif
1108612527.565     16 192.168.0.61 TCP_IMS_HIT/304 223 GET
http://www.acrlimited.com.au/images/rates.jpg - NONE/- image/jpeg
1108612527.599     34 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/acr_bar-home.gif - NONE/- image/gif
1108612527.631     31 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/w.gif - NONE/- image/gif
1108612527.654     22 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/footer_home-top.gif - NONE/- image/gif
1108612527.683     28 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/footer-logo.gif - NONE/- image/gif
1108612527.697     13 192.168.0.61 TCP_IMS_HIT/304 222 GET
http://www.acrlimited.com.au/images/footer_home-bottom.gif - NONE/-
image/gif
1108612539.031    156 192.168.0.61 TCP_DENIED/403 1377 GET
http://www.google.com.au/ epa\aderooy NONE/- text/html

www.acrlimited.com.au is in the allowedsites ACL as is microsoft.com. 192.168.0.61 is NOT in the SURFING ACL. How can I diagnose what is going on between squid and squid_ldap_group? Obviously I am getting a username here but somewhere in between something is getting mucked up.

I'd appreciate any help on the issue as it is getting rather urgent.

Regards,
Oliver

Reply via email to