In Sarge, if I upgrade ONLY the squid package to etch, this starts to
happen.
In Etch, with everything on Etch, it happens.

I will try to test the "use http 1.1 through proxy connections"
suggestion, but if the only thing that I change is the squid package...
and in the testing version of squid, this doesn't happen... I assume
that it is the etch version of squid.


Luigi Gangitano wrote:
> Hi Guido,
> this seems to be a known behaviour of NTLM auth in Squid. Please see
>
>   http://readlist.com/lists/squid-cache.org/squid-users/0/2783.html
>
> for more information. Probably the bug is in the Samba code rather
> than in Squid's.
>
> I'll open a new upstream bug in the next few days and forward this bug.
>
> Regards,
>
> L
>
>
> On 20 Aug 07, at 23:40, Guido Lorenzutti wrote:
>
>> Yes, this is the error that appears in the cache_log when a pop up
>> appears asking for the password and username:
>>
>> [2007/08/20 06:27:57, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
>>   got NTLMSSP command 3, expected 1
>>
>> If this error appears, the ntlm stops working. The browser asks for the
>> username and password (and it should not ask for it); if you enter it
>> several times you can continue... sometimes you have to close the
>> session and start over.
>>
>> This is the squid.conf:
>>
>> #debug_options ALL,1 33,2
>> log_fqdn on
>> cache_store_log none
>> useragent_log none
>> cache_log /var/log/squid/cache_log.log
>> access_log /var/log/squid/access.log
>> error_directory /usr/share/squid/errors/Spanish
>> offline_mode on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=jusbaires
>> auth_param ntlm children 25
>>
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=jusbaires
>> auth_param basic children 25
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> external_acl_type ldap_group ttl=0 children=25 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=Group,dc=jusbaires,dc=gov,dc=ar" -f "(&(cn=%a)(memberuid=%v)(objectClass=posixgroup))" -h tacuari-fs.jusbaires.gov.ar -v3 -S
>>
>> refresh_pattern windowsupdate.com/.*\.(cab|exe)  4320 100% 43200 reload-into-ims
>> refresh_pattern download.microsoft.com/.*\.(cab|exe)  4320 100% 43200 reload-into-ims
>> refresh_pattern ^http://.*\.cnn\.com 360 50% 4320 override-lastmod
>> refresh_pattern ^http://news\.bbc\.co\.uk 360 50% 4320 override-lastmod
>> refresh_pattern microsoft 1080 150% 10080 override-lastmod
>> refresh_pattern msn\.com 4320 150% 10080 override-lastmod
>> refresh_pattern ^http://.*\.doubleclick\.net 10080 300% 40320 override-lastmod
>> refresh_pattern ^http://.*FIDO 360 1000% 480
>> refresh_pattern \.r[0-9][0-0]$ 10080 150% 40320
>> refresh_pattern ^http://.*\.gif$ 1440 50% 20160
>> refresh_pattern ^http://.*\.asis$ 1440 50% 20160
>> refresh_pattern -i \.pdf$ 10080 90% 43200
>> refresh_pattern -i \.art$ 10080 150% 43200
>> refresh_pattern -i \.avi$ 10080 150% 40320
>> refresh_pattern -i \.mov$ 10080 150% 40320
>> refresh_pattern -i \.wav$ 10080 150% 40320
>> refresh_pattern -i \.mp3$ 10080 150% 40320
>> refresh_pattern -i \.qtm$ 10080 150% 40320
>> refresh_pattern -i \.mid$ 10080 150% 40320
>> refresh_pattern -i \.viv$ 10080 150% 40320
>> refresh_pattern -i \.mpg$ 10080 150% 40320
>> refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
>> refresh_pattern -i \.rar$ 10080 150% 40320
>> refresh_pattern -i \.ram$ 10080 150% 40320
>> refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
>> refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
>> refresh_pattern -i \.zip$ 2880 200% 40320
>> refresh_pattern -i \.arj$ 2880 200% 40320
>> refresh_pattern -i \.exe$ 2880 200% 40320
>> refresh_pattern -i \.doc$ 2880 200% 40320
>> refresh_pattern -i \.pdf$ 2880 200% 40320
>> refresh_pattern -i \.xls$ 2880 200% 40320
>> refresh_pattern -i \.tgz$ 10080 200% 40320
>> refresh_pattern -i \.gz$ 10080 200% 40320
>> refresh_pattern -i \.tgz$ 10080 200% 40320
>> refresh_pattern -i \.tar$ 10080 200% 40320
>> refresh_pattern -i \.Z$ 10080 200% 40320
>> refresh_pattern ^ftp:// 1440 50% 10080
>> refresh_pattern ^gopher:// 1440 10% 1440
>> refresh_pattern . 0 20% 4320
>>
>> negative_ttl 1 minutes
>> positive_dns_ttl 5 minutes
>> negative_dns_ttl 1 minutes
>> half_closed_clients off
>> connect_timeout 3 seconds
>> cache_dir aufs /var/spool/squid 9800 16 256
>> cache_swap_low 85
>> cache_swap_high 95
>> maximum_object_size 81920 KB
>> maximum_object_size_in_memory 300 KB
>> cache_mem 100 MB
>> fqdncache_size 6144
>> cache_replacement_policy lfuda
>> pipeline_prefetch off
>> client_persistent_connections on
>> server_persistent_connections on
>> visible_hostname proxy.sarasa.com
>>
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>>
>> acl all src 0.0.0.0/0.0.0.0
>>
>> acl lan_10_7 src 10.7.0.0/255.255.0.0
>>
>> acl msnenoutlook url_regex http://services.msn.com/svcs/hotmail/httpmail.asp
>> acl nomsnurl dstdomain "/etc/squid/nomsn"
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl SSL_ports port 443 563 1863 6667 4430
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443 563     # https, snews
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl Safe_ports port 901         # multiling http
>> acl Safe_ports port 631         # CUPS
>>
>> acl auth proxy_auth REQUIRED
>> acl noinet external ldap_group noinet
>> acl fullinet external ldap_group fullinet
>> acl nomsn external ldap_group nomsn
>>
>> acl CONNECT method CONNECT
>> acl PURGE method PURGE
>> http_access allow PURGE localhost
>> http_access deny PURGE
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>>
>> http_access deny noinet
>> http_reply_access deny noinet
>>
>> http_access deny nomsn nomsnurl
>> http_reply_access deny nomsn nomsnurl
>>
>> http_access allow fullinet
>> http_reply_access allow fullinet
>>
>> http_access allow lan_10_7 auth
>>
>> http_access deny all
>> icp_access deny all
>>
>> http_port 3128
>>
>>
>> There are a few parameters that change from one version to another, but
>> basically the same config file works in the sarge version of squid and
>> the NTLM works OK without any problem.
>>
>> The winbind config is this, but it is the same for etch or sarge:
>>
>> [global]
>>    workgroup = JUSBAIRES
>>    netbios name = TACUARI-PROXY
>>    wins support = no
>>    wins server = 10.7.0.1
>>    password server = 10.7.0.1
>>    dns proxy = no
>>    log file = /var/log/samba/log.%m
>>    max log size = 1000
>>    syslog only = no
>>    syslog = 0
>>    security = domain
>>    domain master = no
>>    encrypt passwords = true
>>    passdb backend = tdbsam
>>    printing = none
>>    restrict anonymous = 1
>>    winbind enum users = yes
>>    winbind use default domain = yes
>>    winbind separator = \\
>>    load printers = no
>>    winbind uid = 10000-20000
>>    winbind gid = 10000-20000
>>
>>
>> I tried just installing the squid, squid-common and squidclient from etch
>> on a sarge and the same thing happens. The squid version from etch
>> broke the ntlm authentication.
>>
>> I tried the squid from testing and the log disappears, but the problem
>> persists. For me it isn't resolved in the 2.6.stable8 like the squid bug
>> says. The only way I solved this is staying in the sarge version of
>> squid :(
>>
>> Tell me if you need anything else.
>
> -- 
> Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
> GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
>
>
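
Added example, not part of the original messages: a small Python parser that pulls the `got NTLMSSP command X, expected Y` entries quoted above out of a cache_log and counts them per minute, so the prompts users report can be lined up with helper errors. The function names and every sample line except the entry quoted in the report are constructed; the type names follow the NTLM message numbering (1 negotiate, 2 challenge, 3 authenticate).

```python
import re
from collections import Counter

# NTLM message types by number (protocol numbering, not taken from the thread).
NTLMSSP_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Samba-style debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+(?P<where>\S+)"
)
MISMATCH_RE = re.compile(r"got NTLMSSP command (\d+), expected (\d+)")


def find_ntlmssp_mismatches(lines):
    """Pair each mismatch message with the header line that precedes it."""
    events, header = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        mm = MISMATCH_RE.search(line)
        if mm and header is not None:
            got, expected = int(mm.group(1)), int(mm.group(2))
            events.append({
                "ts": header["ts"],
                "where": header["where"],
                "got": NTLMSSP_TYPES.get(got, str(got)),
                "expected": NTLMSSP_TYPES.get(expected, str(expected)),
            })
        # Message bodies are indented; any other line ends the current entry.
        if line[:1] not in (" ", "\t"):
            header = None
    return events


def per_minute(events):
    """Count mismatches per minute ("YYYY/MM/DD HH:MM")."""
    return Counter(e["ts"][:16] for e in events)


# Constructed sample; only the first NTLMSSP entry is the one quoted in the report.
SAMPLE = """\
2007/08/20 06:27:50| constructed unrelated proxy line
[2007/08/20 06:27:57, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2007/08/20 06:28:03, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2007/08/20 06:28:09, 3] constructed/other.c:func(10)
  constructed unrelated helper message
"""

if __name__ == "__main__":
    for ev in find_ntlmssp_mismatches(SAMPLE.splitlines()):
        print(ev["ts"], "got", ev["got"], "expected", ev["expected"])
```
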

