[squid-users] authentication issues using winbind and ntlm

From: Jim Crippen <jcrippen@dont-contact.us>
Date: Tue, 2 Dec 2003 11:17:38 -0600

Hi all,

I don't know if this has already been answered but I was unable to find
anything about it. I've set up squid-2.5.STABLE4 with Samba 3.0.0 using
winbind for authentication. Everything works fine, except, every page
accessed first enters 2 TCP_DENIED entries in the access log. I wanted to
know if there is a way around this as when I add back in the following acl
"acl test url_regex "/etc/blacklist" " and deny access to it, I cannot get
the username recorded in the access log. Below is an entry from the
access.log from opening yahoo.com.

1070384877.123 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.152 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.456 303 192.168.12.50 TCP_MISS/200 13360 GET http://www.yahoo.com/ ELITEHOU\JIMC DIRECT/66.218.71.93 text/html
1070384878.276 7 192.168.12.50 TCP_DENIED/407 2094 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
1070384878.288 8 192.168.12.50 TCP_DENIED/407 2098 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 - NONE/- text/html
1070384878.312 187 192.168.12.50 TCP_MISS/304 391 GET http://switch.atdmt.com/action/PTCYahooFront ELITEHOU\JIMC DIRECT/216.39.69.71 -
1070384878.446 154 192.168.12.50 TCP_MISS/200 261 GET http://srd.yahoo.com/M=264255.3922691.5448124.3540639/D=yahoo_top/S=2716149:JAM/A=1886591/N=1226/id=load_cap_lan/fv=6/0.35301091527173617/*1 ELITEHOU\JIMC DIRECT/66.218.71.101 image/gif
1070384879.032 587 192.168.12.50 TCP_MISS/200 515 GET http://kd.barcfg.myway.com/speedbar/mySpeedbarCfg2.jsp? ELITEHOU\JIMC DIRECT/63.236.66.5 text/html

Here is the relevant section of the squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10 -l
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

I appreciate any help anyone can give me.

Thanks.

Jim Crippen
Sr LAN Administrator
Elite Transportation
jcrippen@eliteint.com
Received on Tue Dec 02 2003 - 10:18:44 MST
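
Added example, not part of the original post: NTLM proxy authentication is a multi-step handshake, so 407 entries with no user name precede the authenticated request on each new connection. The Python below pairs every such 407 with the authenticated request that follows it from the same client for the same URL, leaving only the 407s that were never completed. The 2-second window, the function names and the sample lines (modelled on the log above) are assumptions.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts client result method url user")

def parse(line):
    """Parse one line of Squid's native access.log format."""
    f = line.split()
    # time elapsed client code/status bytes method URL user hierarchy/peer type
    return Entry(float(f[0]), f[2], f[3], f[5], f[6], f[7])

def pair_challenges(lines, window=2.0):
    """Split 407 entries into handshake round-trips and unresolved denials.
    A 407 with no user counts as a handshake step when the same client
    fetches the same URL with a user name within `window` seconds after it.
    Returns (handshakes, unresolved); each handshake is (entry, user).
    """
    entries = [parse(ln) for ln in lines if ln.strip()]
    handshakes, unresolved = [], []
    for i, e in enumerate(entries):
        if e.result != "TCP_DENIED/407" or e.user != "-":
            continue
        user = next((n.user for n in entries[i + 1:]
                     if n.client == e.client and n.url == e.url
                     and n.method == e.method and n.user != "-"
                     and 0 <= n.ts - e.ts <= window), None)
        if user:
            handshakes.append((e, user))
        else:
            unresolved.append(e)
    return handshakes, unresolved

# Constructed sample modelled on the log in the post (URLs shortened);
# the last line is a constructed 407 that is never followed by a login.
SAMPLE = """\
1070384877.123 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.152 9 192.168.12.50 TCP_DENIED/407 1741 GET http://www.yahoo.com/ - NONE/- text/html
1070384877.456 303 192.168.12.50 TCP_MISS/200 13360 GET http://www.yahoo.com/ ELITEHOU\\JIMC DIRECT/66.218.71.93 text/html
1070384878.276 7 192.168.12.50 TCP_DENIED/407 2094 GET http://srd.yahoo.com/x - NONE/- text/html
1070384878.288 8 192.168.12.50 TCP_DENIED/407 2098 GET http://srd.yahoo.com/x - NONE/- text/html
1070384878.446 154 192.168.12.50 TCP_MISS/200 261 GET http://srd.yahoo.com/x ELITEHOU\\JIMC DIRECT/66.218.71.101 image/gif
1070384900.000 5 192.168.12.77 TCP_DENIED/407 1741 GET http://blocked.example/ - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    hs, un = pair_challenges(SAMPLE)
    for e, user in hs:
        print(f"{e.ts:.3f} handshake 407 for {user}: {e.url}")
    for e in un:
        print(f"{e.ts:.3f} unresolved 407 from {e.client}: {e.url}")
```

Entries left in the unresolved list are the ones worth reviewing, since no authenticated request from that client followed them inside the window.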