<div dir="ltr">Amos, <br><div><br></div><div>I understood: the helper.cc does not parse the KK-request and does not know about the username. He can only get the username information from the reply of the external helper. But since the external helper returns only an error without a username, this information is missing from the logs.<br></div><div><br></div><div>Is there any other possibility to log username and source IP address in such NTLM-failed authentication attempts?<br></div><div><br></div><div>Kind regards,</div><div> Ankor.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">вт, 31 янв. 2023 г. в 07:56, Andrey K <<a href="mailto:ankor2023@gmail.com">ankor2023@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello Amos,<div><br></div><div>Thank you for the information.</div><div><br></div><div>I turned on squid debug_options 84,9 and see in the cashe.log that in the first NTLM_NEGOTIATE request (YR) there is no username: </div><div>TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=</div><div>00000000 4e 54 4c 4d 53 53 50 00 01 00 00 00 06 82 08 00 |NTLMSSP.........|<br>00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br></div><div><br></div><div>so SQUID responded with the <span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">NTLMSSP_CHALLENGE (</span>TT<span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">).</span></div><div><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><br></span></div><div><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">But in the second </span><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">NTLMSSP_AUTH request </span><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">(KK)</span><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"> client sends username (</span>sa0000bcmon<span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">) as well as hostname (</span>0001bcreport02<span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px">):</span></div><div>TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=<br></div><div><br></div><div>00000000 4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 |NTLMSSP.........|<br>00000010 40 00 00 00 18 00 18 00 58 00 00 00 00 00 00 00 |@.......X.......|<br>00000020 70 00 00 00 0b 00 0b 00 70 00 00 00 0e 00 0e 00 |p.......p.......|<br>00000030 7b 00 00 00 00 00 00 00 00 00 00 00 06 82 89 02 |{...............|<br>00000040 6e 38 40 e9 72 17 60 f9 00 00 00 00 00 00 00 00 |n8@.r.`.........|<br>00000050 00 00 00 00 00 00 00 00 92 a1 ee 47 2a 46 a5 55 |...........G*F.U|<br>00000060 35 28 2a 70 fb ef 71 dc c7 f1 1b d7 56 90 04 e2 |5(*p..q.....V...|<br>00000070 73 61 30 30 30 30 62 63 6d 6f 6e 30 30 30 31 62 |sa0000bcmon0001b|<br>00000080 63 72 65 70 6f 72 74 30 32 |creport02|<br></div><div><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><br></span></div><div><font color="#172b4d" face="-apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen, Ubuntu, Fira Sans, Droid Sans, Helvetica Neue, sans-serif"><span style="font-size:14px">Client uses wrong password to calculate NTLM response so helper returns </span></font>NT_STATUS_LOGON_FAILURE:</div><div>2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0', buf[188]=KK TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=<br><br>2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25<br>2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead: accumulated[27]=NA NT_STATUS_LOGON_FAILURE<br></div><div><br></div><div><br></div><div><span style="color:rgb(23,43,77);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><br></span></div><div>In the acess.log there are two records, but there is no username in both:</div><div>2023-01-31 07:21:18| 2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT <a href="http://google.com:443" target="_blank">google.com:443</a> - HIER_NONE/- text/html -<br>2023-01-31 07:21:18| 19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT <a href="http://google.com:443" target="_blank">google.com:443</a> - HIER_NONE/- text/html -<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">вт, 31 янв. 2023 г. в 07:09, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 31/01/2023 4:55 pm, Andrey K wrote:<br>
> Hello,<br>
><br>
> I need to log failed Proxy-authentication attempts. The log <br>
> information should contain timestamp, username and client IP address.<br>
> 407-records in the access.log file do not contain username if <br>
> NTLM-authentication is used.<br>
> I was wondering if it is possible to set up such a configuration?<br>
<br>
Squid log entries record username for all authentication types as soon <br>
as a username exists.<br>
I expect you are being confused by log records for the part of NTLM <br>
handshake before the username is sent to Squid.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div>