Hi!

I've configured squid 3.1.10-1 (the latest available for CentOS 6.2) with NTLM 
authentication, but squid keeps asking for a username and password, and sometimes 
more than once...


Users are authenticated in the domain, using IE6/7/9, but squid keeps asking 
for username/password.


For those with other browsers and Linux it's normal, but on Windows it isn't. I don't 
know if Firefox on Windows is supposed to ask for a password or not, but it asks.


I have everything working with samba and winbind.


Samba recognizes the user and winbind too.


Wbinfo authentication:



wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded


Squid's ntlm_auth is also working OK:



/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK


I also notice in the logs that there are lots of TCP_DENIED before 
TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:



111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg



Here is my samba config:
-------------------------------------------------------------


[global]

workgroup = <workgroup>
server string = Squid Server Version %v

netbios name = Dakota

hosts allow = 127. <list_of_ips_allowed>

log file = /var/log/samba/log.%m
max log size = 50

security = domain
realm = HAL.MIN-SAUDE.PT


password server = dc.domain.com dc1.domain.com
acl compatibility = win2k
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes


-------------------------------------------------------------


And here is my squid config:



-------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1


acl HomeNetworks src "/etc/squid/Networks.squid"


acl OtherNetworks src "/etc/squid/OtherNetworks.squid"




auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on


auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours


acl ntlmAuth proxy_auth REQUIRED




acl SSL_ports port 443
acl SSL_ports port 631




acl CONNECT method CONNECT
acl POST method POST


acl AutorizedSites dstdomain "/etc/squid/AutorizedSitesGlobal.squid"


acl Nonet src "/etc/squid/Nonet.squid"


acl Bypass src "/etc/squid/Bypass.squid"


acl Deny dstdom_regex "/etc/squid/Deny.squid"


acl DenyUsers proxy_auth -i src "/etc/squid/DenyUsers.squid"


http_access allow manager localhost
http_access deny manager


http_access deny !Safe_ports


http_access deny CONNECT !SSL_ports




http_access deny !HomeNetworks
http_access allow localhost


http_access deny Nonet


http_access allow AutorizedSites


http_access allow Bypass


http_access deny DenyUsers


http_access allow OtherNetworks


http_access allow ntlmAuth


http_access deny all




http_port 127.0.0.1:3128


hierarchy_stoplist cgi-bin ?


follow_x_forwarded_for allow localhost


cache_dir aufs /cache 96000 16 256


cache_mem 1276 MB


maximum_object_size 4096 KB


coredump_dir /var/spool/squid


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


maximum_object_size 4096 KB


access_log /var/log/squid/access.log squid


cache_mgr [email protected]


mail_from [email protected]


cache_effective_user squid


visible_hostname proxy.domain.com


error_directory /usr/share/squid/errors/pt-pt


dns_nameservers dnsip1 dnsip2


-------------------------------------------------------------




And my krb5.conf:


-------------------------------------------------------------

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


[libdefaults]
default_realm = DOMAIN.COM
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des-cbc-md5; or des-cbc-crc
default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = yes
#ticket_lifetime = 24h
ticket_lifetime = 24000
clock_skew = 300
renew_lifetime = 7d
forwardable = true


[realms]
DOMAIN.COM = {
kdc = dc1.domain.com:88
admin_server = dc1.domain.com:88
default_domain = domain.com
kdc = dc1
kdc = dc2
}


[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.kerberos.server = DOMAIN.COM


DOMAIN.COM = {
}


[kdc]
profile = /etc/krb5kdc/kdc.conf


-------------------------------------------------------------


Any clue why it's happening?


squid is also a member of the group wbpriv:



id squid
uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)




I also have dansguardian listening on port 8080.


Thank you all!

--




        Use Open Source Software
Human knowledge belongs to the world
        Bruno Santos
[email protected]
http://www.twitter.com/feiticeir0
Tel: +351 962 753 053
        Divisão de Informática
[email protected]
Tel: +351 272 000 155
Fax: +351 272 000 257
        Unidade Local de Saúde de Castelo Branco, E.P.E.
[email protected]
Tel: +351 272 000 272
Fax: +351 272 000 257

Linux registered user #349448

LPIC-1 Certification

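In the access.log excerpt above, every TCP_DENIED/407 for a URL is followed within a few hundred milliseconds by a TCP_MISS/200 for the same URL logged under the user "teste"; that pair is what a completed NTLM challenge/response looks like in Squid's native log format, and only 407s that are never followed by an authenticated reply correspond to a prompt the user actually sees. The script below is an added example, not code from the poster or the Squid project: it parses a constructed sample in that native format (the field layout is assumed from the `access_log ... squid` directive in the config) and separates URLs whose handshake completed from those that only ever saw 407s.

```python
import re

# Squid "native" access.log layout, the one `access_log ... squid` selects:
#   timestamp elapsed client action/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample modelled on the excerpt in the post, not the real log
# (the "?" of the ad URL is kept attached so every field is whitespace-free).
SAMPLE_LOG = """\
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads? - NONE/- text/html
"""

def parse_log(text):
    """Parse native-format lines into dicts, oldest first; junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"], e["status"] = float(e["ts"]), int(e["status"])
            entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def summarize_handshakes(entries):
    """Per (client, URL): 407 challenges seen, and the user it was finally served as."""
    summary = {}
    for e in entries:
        rec = summary.setdefault((e["client"], e["url"]), {"challenges": 0, "user": None})
        if e["status"] == 407:
            rec["challenges"] += 1        # proxy challenged (NTLM type 1/2 round trips)
        elif e["user"] != "-":
            rec["user"] = e["user"]       # served under a username: handshake done
    return summary

def classify(summary):
    """completed = a 407 later answered under a username (normal NTLM handshake);
    unresolved = only 407s, i.e. the client never got past the challenge."""
    done = sum(1 for r in summary.values() if r["challenges"] and r["user"])
    open_ = sum(1 for r in summary.values() if r["challenges"] and not r["user"])
    return {"completed": done, "unresolved": open_}
```

Run it against a real access.log by passing the file contents to `parse_log`; a large "unresolved" count for one client is the set of requests behind the prompts the users report.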