<div>Dear all,</div>
<div> </div>
<div>i have a strange problem with my squid 3.5.19 and authentication NTLM.</div>
<div>On my configuration i have 2 auth method:</div>
<div> </div>
<div>NTLM negotiated with ntlm_auth from samba 3</div>
<div> </div>
<div>auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp<br />auth_param ntlm children 200 startup=100 idle=10 concurrency=0<br />auth_param ntlm keep_alive on<br /><br /></div>
<div>and as a fallback basic ntlm</div>
<div> </div>
<div>auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br />auth_param basic children 25 startup=15 idle=5 concurrency=0<br />auth_param basic realm PROXY AUTHORIZATION REQUIRED<br />auth_param basic credentialsttl 30 minutes</div>
<div> </div>
<div>TTL</div>
<div><br />authenticate_cache_garbage_interval 1 hours<br />authenticate_ttl 30 minutes<br />authenticate_ip_ttl 30 minutes<br /><br /></div>
<div>Groups identification with LDAPS</div>
<div> </div>
<div>external_acl_type NAV children-max=200 children-startup=100 children-idle=10 ttl=1800 %LOGIN<br />/usr/local/squid/libexec/ext_ldap_group_acl -s sub -b "dc=domain,dc=xxx" -D "cn=squid,cn=Users,dc<br />=domain,dc=xxx" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(membero<br />f=cn=%a,ou=INTERNET,ou=AAA,dc=domain,dc=xxx))" -S -K -H ldaps://domain.xxx:3269</div>
<div> </div>
<div>... and all work very well.</div>
<div>Sometimes and randomly, my users reported to me that squid cannot do ntlm transparent authentication and request for user/password pair (falling back to ntlm basic).</div>
<div>Entering right credential does not work and to proceed further users need to click on "abort" button many times.</div>
<div> </div>
<div>On my cache.log i see:</div>
<div> </div>
<div>Login for user [DOMAIN][userx]@[PC_XXX] failed due to [Access denied]<br />NTLMSSP BH: NT_STATUS_ACCESS_DENIED<br />2016/06/27 22:59:06 kid1| ERROR: NTLM Authentication validating user. Result: {result=BH, notes={mes<br />sage: NT_STATUS_ACCESS_DENIED; }}<br />2016/06/27 23:00:02| Set Current Directory to /squid/log<br />2016/06/27 23:10:01| Set Current Directory to /squid/log<br />2016/06/27 23:20:01| Set Current Directory to /squid/log<br />2016/06/27 23:21:09 kid1| Logfile: opening log stdio:/var/log/squid/netdb.state<br />2016/06/27 23:21:09 kid1| Logfile: closing log stdio:/var/log/squid/netdb.state</div>
<div> </div>
<div>every times a user receive credential request.</div>
<div>After aborting each requests squid do, users can surf the internet without problems and i cannot replicate the issue.</div>
<div>Trying to close the browser, clear cache, and going to the same site does not produce same error.</div>
<div>Stopping squid, remove cache, starting squid does not produce same error.</div>
<div>It's totally random and i'm going mad to understand why.</div>
<div>Can someone help me to debug and understand the problem?</div>
<div>Any help will be appreciated.</div>
<div> </div>
<div>Many thanks.</div>
<div>Giulius.</div><br><div><font face=Verdana,Arial size=2>----<br>
ZE-Light e ZE-Pro: servizi zimbra per caselle con dominio email.it, per tutti i dettagli <a href="http://posta.email.it/caselle-di-posta-z-email-it/?utm_campaign=email_Zimbra_102014=main_footer" target="_blank">clicca qui</a><br> <br>
Sponsor:<br>
Registra i domini che desideri ed inizia a creare il tuo sito web<br>
<a href="http://adv.email.it/cgi-bin/foclick.cgi?mid=13323&d=20160628" target="_blank" >Clicca qui</a> </font><br>