[squid-users] Squid/NTLM Auth
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 23 03:32:29 UTC 2015
On 23/10/2015 8:33 a.m., Keith White wrote:
> Added the debug options and grabbed the following after the 407 message was returned to the client. Is there anything specific I should be looking for?
>
> Thanks,
>
> Keith
>
>
> 2015/10/22 12:24:50.573 kid1| Starting new ntlmauthenticator helpers...
> 2015/10/22 12:24:50.574 kid1| 28,4| Acl.cc(70) AuthenticateAcl: returning 2 sending credentials to helper.
> 2015/10/22 12:24:50.574 kid1| 28,3| Acl.cc(158) matches: checked: AuthorizedUsers = -1 async
> 2015/10/22 12:24:50.574 kid1| 28,3| Acl.cc(158) matches: checked: http_access#3 = -1 async
> 2015/10/22 12:24:50.574 kid1| 28,3| Acl.cc(158) matches: checked: http_access = -1 async
> 2015/10/22 12:24:50.618 kid1| 29,4| UserRequest.cc(303) HandleReply: Need to challenge the client with a server token: 'TlRMTVNTUAAC
> AAAACAAIADgAAAAFgomiDULzTzz40XwAAAAAAAAAAIoAigBAAAAABgEAAAAAAA9EAE4ATgBBAAIACABEAE4ATgBBAAEAFABVAFMAUwBFADEAWAAwADAAMQA0AAQAIgBuAGEA
> LgBtAGUAcgBjAGsAZwByAG8AdQBwAC4AYwBvAG0AAwA4AHUAcwBzAGUAMQB4ADAAMAAxADQALgBuAGEALgBtAGUAcgBjAGsAZwByAG8AdQBwAC4AYwBvAG0AAAAAAA=='
> 2015/10/22 12:24:50.618 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0xfb5870'.
> 2015/10/22 12:24:50.618 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access at 2
> 2015/10/22 12:24:50.618 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned
> 2015/10/22 12:24:50.618 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#3 at 0
> 2015/10/22 12:24:50.618 kid1| 28,5| Acl.cc(138) matches: checking AuthorizedUsers
> 2015/10/22 12:24:50.618 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0xfb5870'.
> 2015/10/22 12:24:50.618 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0xfb5870'.
> 2015/10/22 12:24:50.618 kid1| 29,2| UserRequest.cc(194) authenticate: need to challenge client 'TlRMTVNTUAACAAAACAAIADgAAAAFgomiDULz
> Tzz40XwAAAAAAAAAAIoAigBAAAAABgEAAAAAAA9EAE4ATgBBAAIACABEAE4ATgBBAAEAFABVAFMAUwBFADEAWAAwADAAMQA0AAQAIgBuAGEALgBtAGUAcgBjAGsAZwByAG8A
> dQBwAC4AYwBvAG0AAwA4AHUAcwBzAGUAMQB4ADAAMAAxADQALgBuAGEALgBtAGUAcgBjAGsAZwByAG8AdQBwAC4AYwBvAG0AAAAAAA=='!
> 2015/10/22 12:24:50.618 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0xfb5870'.
> 2015/10/22 12:24:50.618 kid1| 28,4| Acl.cc(76) AuthenticateAcl: returning 3 sending authentication challenge.
> 2015/10/22 12:24:50.618 kid1| 28,3| Checklist.cc(63) markFinished: 0x13d56f8 answer AUTH_REQUIRED for AuthenticateAcl exception
> 2015/10/22 12:24:50.618 kid1| 28,3| Acl.cc(158) matches: checked: AuthorizedUsers = -1
> 2015/10/22 12:24:50.618 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#3 = -1
> 2015/10/22 12:24:50.618 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = -1
> 2015/10/22 12:24:50.618 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x13d56f8 answer=AUTH_REQUIRED
> 2015/10/22 12:24:50.618 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc19f8a3d0
> 2015/10/22 12:24:50.618 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc19f8a3d0
> 2015/10/22 12:24:50.618 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc19f8a3d0
> 2015/10/22 12:24:50.618 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc19f8a3d0
> 2015/10/22 12:24:50.619 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0xfb5870'.
> 2015/10/22 12:24:50.619 kid1| 11,2| client_side.cc(1391) sendStartOfMessage: HTTP Client local=10.31.78.10:3128 remote=10.1.4.1:5917
> 6 FD 11 flags=1
> 2015/10/22 12:24:50.619 kid1| 11,2| client_side.cc(1392) sendStartOfMessage: HTTP Client REPLY:
>
That is the type-2 tokens happening. There should be an initial client
request and 407, then repeat client request with type-1 tokens leading
up to this.
The details of that reply message you elided at the end should match the
challenge token, and contain Connection:keep-alive.
Then there is the followup client re-request with type-3 tokens. And the
servers final reply should accept that type-3 token. Ideally it should
also use Connection:keep-alive.
If either of those two latter transactions contains Connection:close
from either endpoint NTLM breaks.
You can drop the tokens into
<http://treenet.co.nz/projects/squid/ntlm_token.php> to see what type
they are.
Amos
More information about the squid-users
mailing list