<div dir="ltr">Hello Amos,<div><br></div><div>Thank you for your recommendations.</div><div>I modified negotiate_wrapper_auth to parse NTLM tokens and to set the user attribute in AV-pairs, </div><div>so now I can configure the desired logging using the acl note type. </div><div><br></div><div>But I also have BASIC authentication type users.</div><div>Usernames of those users are known to the squid even if they type wrong passwords, but the user attribute is not set in the note list in such transactions.</div><div>Should I write a new wrapper script for the BASIC authentication to set the user attribute, or can I check whether the username is known without using a wrapper?</div><div><br></div><div>The general idea is to log wrong authentication attempts to find the sources if user accounts are blocked in AD.</div><div><br></div><div><span style="color:rgb(80,0,80)">> But I recommend</span><br style="color:rgb(80,0,80)"><span style="color:rgb(80,0,80)">> just upgrading your systems to Kerberos which will avoid a lot of</span><br style="color:rgb(80,0,80)"><span style="color:rgb(80,0,80)">> these complications entirely.</span><br></div><div>We have many Linux users whose software can't perform Kerberos proxy authentication; they can do only NTLM, or even BASIC (or they can't work through an HTTP proxy at all, but we configure them to use cntlm or proxifier). So we cannot refuse NTLM and BASIC proxy authentication.</div><div><br></div><div>Kind regards,</div><div> Ankor.</div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Fri, 17 Feb 2023 at 23:20, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 18/02/2023 7:29 am, Amos Jeffries wrote:<br>
> On 17/02/2023 7:29 pm, Andrey K wrote:<br>
>> Hello,<br>
>><br>
>> I would like to disable logging of 407-errors, except when the <br>
>> username is known.<br>
>> Is it possible to configure?<br>
><br>
> Assuming that you have the wrapper script from your previous request <br>
> about always logging usernames you should be able to use a note type <br>
> ACL like so:<br>
><br>
> acl knownUser note user<br>
> access_log ... on-error=drop http-407 !knownUser<br>
><br>
><br>
>><br>
>> I have now the log configured:<br>
>> acl http-407 http_status 407<br>
>> access_log daemon:/var/log/squid/access.log logformat=extended-squid <br>
>> on-error=drop !http-407<br>
>><br>
>> But I would also like to see authentication errors when a user types <br>
>> the wrong password (the username is known in these cases).<br>
>><br>
><br>
> With most HTTP authentication you could rely on all 407 meaning bad or <br>
> unknown credentials. But NTLM (ab)uses that code for its handshake <br>
> type-2 response, so you one distinguish a failed from an incomplete <br>
> authentication.<br>
<br>
That was meant to say "so one cannot distinguish a failed from an <br>
incomplete authentication."<br>
<br>
<br>
><br>
> At this point you are already wrapping and re-writing most of the <br>
> NTLM->Squid helper traffic. You could adjust the challenge to also use <br>
> the current helper syntax with a custom note to log. But I recommend <br>
> just upgrading your systems to Kerberos which will avoid a lot of <br>
> these complications entirely.<br>
><br>
> Cheers<br>
> Amos<br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote></div>
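Putting Amos's note-ACL suggestion together with Andrey's existing access_log line, here is an added squid.conf example that is not from the thread. It assumes the wrapper helper returns a <code>user=</code> annotation for every transaction whose username it learned, and it uses Squid's <code>access_log none</code> form, which stops log processing for matching requests, so that 407s without a known username never reach the real log.

```conf
# Added example (not from the thread): log every transaction, including
# 407 replies, except 407s for which no username was learned.

# 407 Proxy Authentication Required replies. This includes NTLM type-2
# handshake responses, which carry no username yet.
acl http-407 http_status 407

# Matches when the auth helper (the wrapper) annotated the transaction
# with a "user" note. No value is given, so any username matches.
acl knownUser note user

# "none" stops log processing for matching requests, so 407s with no
# known username are dropped before any access_log line below is tried.
# This line must come before the real log line.
access_log none http-407 !knownUser

# Everything else is logged, including 407s that carry a known username
# (wrong-password attempts). on-error=drop discards entries instead of
# shutting Squid down if the log daemon fails.
access_log daemon:/var/log/squid/access.log logformat=extended-squid on-error=drop
```

Validate with <code>squid -k parse</code> after editing. A helper that answers only OK/ERR without a <code>user=</code> annotation (as Andrey reports for failed Basic logins) leaves knownUser false, so those 407s are still dropped by the <code>none</code> line.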