[squid-users] auth username logging

Amos Jeffries squid3 at treenet.co.nz
Sun Sep 30 07:57:36 UTC 2018


On 29/09/18 10:23 PM, Marko Cupać wrote:
> On Sat, 29 Sep 2018 11:17:49 +1200
> Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
>> On 29/09/18 3:56 AM, Marko Cupać wrote:
>>> Hi,
>>>
>>> I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
>>> setup to 4.1. I noticed there are no usernames in access.log, just
>>> "*" for served pages, "-" for 407s.
>>>
>>> How can I get usernames in my access.log again?  
>>
>> What is your auth_param config?
>>
>> It sounds to me like you are using a "Negotiate/NTLM" auth helper for
>> "NTLM" authentication.
> 
> Hi,
> 
> Here's relevant part of squid.conf:
> 
> # AUTHENTICATION HELPERS
> auth_param negotiate program \
>   /usr/local/libexec/squid/negotiate_wrapper_auth \
>     --ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \


--helper-protocol=gss-spnego is telling the Samba helper to use the
Negotiate protocol, but the wrapper is expecting the NTLM protocol and
mapping them.

Please try --helper-protocol=squid-2.5-ntlmssp



>       --domain=MIMAR \
>     --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
>       -d -r -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive on
> 
> I am not sure what exactly authenticates, kerberos or NTLM.
> 
> Thank you in advance for any pointers,
> 


Amos
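
An added example, not part of the original message and not Squid project code: a small Python check that reads a squid.conf fragment and reports a negotiate_wrapper_auth line whose --ntlm helper is started with a --helper-protocol other than the squid-2.5-ntlmssp value suggested above. The function names are hypothetical, and the sample input is the configuration quoted in this thread.

```python
import re
import shlex

# The configuration quoted in the thread, reassembled as one squid.conf fragment.
SAMPLE_CONF = r"""
# AUTHENTICATION HELPERS
auth_param negotiate program \
  /usr/local/libexec/squid/negotiate_wrapper_auth \
    --ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
      --domain=MIMAR \
    --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
      -d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on
"""
EXPECTED = "squid-2.5-ntlmssp"  # value suggested in the reply

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def ntlm_helper_protocol(tokens):
    """Return the --helper-protocol value given in the wrapper's --ntlm section, or None."""
    if "--ntlm" not in tokens:
        return None
    section = tokens[tokens.index("--ntlm") + 1:]
    if "--kerberos" in section:  # the NTLM section ends where the Kerberos one starts
        section = section[:section.index("--kerberos")]
    for tok in section:
        if tok.startswith("--helper-protocol="):
            return tok.split("=", 1)[1]
    return None

def check_conf(text):
    """List (wrapper_path, protocol) for wrapper lines whose NTLM helper protocol is not EXPECTED."""
    findings = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[:3] != ["auth_param", "negotiate", "program"]:
            continue
        if not tokens[3].endswith("negotiate_wrapper_auth"):
            continue
        proto = ntlm_helper_protocol(tokens)
        if proto is not None and proto != EXPECTED:  # helpers without the option are skipped
            findings.append((tokens[3], proto))
    return findings
```
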

