Henti Smith wrote:
Hi all.

I'm having a weirdness at a client.

Squid auth using ntlm on samba that's connected to ADS.

Setup was working until they replaced the ads server with new one. I have
updated configs with the new ADS and re-added samba. However, squid auth is
still not working.

wbinfo -g and -u work, wbinfo -t succeeds.
ntlm_auth run as proxy user succeeds.

I've set up debug to 4 and the following is the output in cache.log

2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
2008/05/27 10:55:47| aclMatchAclList: checking my_auth
2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth REQUIRED'
2008/05/27 10:55:47| authenticateAuthenticate: no connection authentication type
2008/05/27 10:55:47| aclMatchAcl: returning 0 sending credentials to helper.
2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
2008/05/27 10:55:47| aclCheck: checking password via authenticator
2008/05/27 10:55:47| authenticateNTLMHelperServerAvailable: not starving - returning 1
2008/05/27 10:55:47| aclCheck: checking ' http_access allow my_auth'
2008/05/27 10:55:47| aclMatchAclList: checking my_auth
2008/05/27 10:55:47| aclMatchAcl: checking 'acl my_auth proxy_auth REQUIRED'
2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:47| aclMatchAclList: no match, returning 0
2008/05/27 10:55:47| aclCheck: match found, returning 2
2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED, because it matched 'my_auth'

The current config is at : http://paste.lisp.org/display/61303

Any ideas? Comment?

NTLM authentication works by sending the browser a "407 Authentication Required" message back to the browser if it did not supply auth credentials in its request.

That looks like a normal first-cycle NTLM authentication check to me.

You should see it followed up by an identical request to the same URL, but which passes or fails the auth test without saying "sending authentication challenge".

Amos
--
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
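
Added example (not part of the original thread and not Squid project code): a small cache.log scanner that separates a first-cycle challenge denial, as in the excerpt above, from a request whose follow-up actually passed or failed. It assumes one log entry per line as Squid writes them; the sample log, the example.test URL and the ALLOWED follow-up line are constructed for illustration.

```python
import re

# Constructed sample: the first two lines mirror the excerpt in the thread;
# the example.test entries are an assumed follow-up cycle for illustration.
SAMPLE_LOG = """\
2008/05/27 10:55:47| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:47| The request GET http://www.google.com/ is DENIED, because it matched 'my_auth'
2008/05/27 10:55:48| aclMatchAcl: returning 0 sending authentication challenge.
2008/05/27 10:55:48| The request GET http://example.test/ is DENIED, because it matched 'my_auth'
2008/05/27 10:55:48| The request GET http://example.test/ is ALLOWED, because it matched 'my_auth'
"""

DECISION = re.compile(
    r"\| The request (\S+) (\S+) is (ALLOWED|DENIED), because it matched '([^']*)'"
)
CHALLENGE = "sending authentication challenge"


def classify_requests(log_text):
    """Map (method, url) to 'challenge-only', 'allowed-after-challenge'
    or 'denied-after-challenge'. Denials never preceded by a challenge
    are ordinary ACL denials and are left out."""
    challenged = False  # a challenge was logged since the last decision line
    result = {}
    for line in log_text.splitlines():
        if CHALLENGE in line:
            challenged = True
            continue
        match = DECISION.search(line)
        if not match:
            continue
        method, url, verdict, _acl = match.groups()
        key = (method, url)
        if challenged and verdict == "DENIED":
            # This denial is the 407 challenge itself, not a failed login.
            result[key] = "challenge-only"
        elif result.get(key) == "challenge-only":
            # Follow-up request for the same URL decided without a challenge.
            result[key] = ("allowed-after-challenge" if verdict == "ALLOWED"
                           else "denied-after-challenge")
        challenged = False
    return result


if __name__ == "__main__":
    for request, status in classify_requests(SAMPLE_LOG).items():
        print(request, status)
```

A request left at "challenge-only" means the log never shows the follow-up request for that URL.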
