[squid-users] Negotiate wrappter returns AF = on Debian Jessie
James Zuelow
James.Zuelow at juneau.org
Thu Mar 17 18:29:19 UTC 2016
Hello -
I have Squid 3.4.8 installed on Debian Jessie.
I'm using the negotiate wrapper configured like this:
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.domain.local at DOMAIN.LOCAL \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL
The proxy works as intended - authentication happens, and usernames are logged for users that authenticate via Kerberos.
However my logs don't show user names for anyone that authenticates via NTLM. The user name is replaced with an asterisk.
I am testing by configuring my browser to use the FQDN of the proxy (which results in Kerberos authentication) or by using the IP address (which results in NTLM).
Anyway, cache log does show the username but it is apparently in the wrong location to be parsed into the access log:
2016/03/16 16:38:29| negotiate_wrapper: Return 'AF = * james_zuelow
'
This is a problem for me, as my organization wants the username in the log.
Researching the issue I found this:
http://squid-web-proxy-cache.1019090.n4.nabble.com/negotiate-wrapper-Return-AF-username-td4674765.html
In which Amos says this was fixed "a long while back." My google-fu is not strong enough to discover an upstream fix for this issue though.
I want to submit a bug report to Debian that says "please apply this fix to Jessie, and the fix can be found at X."
Can you help me find X?
Specific versions of Squid and Samba are: Squid3 3.4.8-6+deb8u1 and Samba/Winbind 4.1.17+dsfg-2+deb8u2.
Thanks!
James Zuelow
Systems Operations Manager
City and Borough of Juneau - MIS
(907) 586-0236
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160317/ef4f2350/attachment-0001.html>
More information about the squid-users
mailing list