Hi everyone!

I have configured Dansguardian 2.10.0.3 with Squid 3.0.STABLE8 on Debian Lenny, with NTLM authentication against a Windows domain whose PDC is Samba running on the same machine. Everything works and users are recognized correctly, but occasionally (and always on one site in particular, especially when I try to access PHP pages with GET variables), after about twenty seconds of latency the browser asks me for a username and password (the proxy 192.168.33.1:3131 is requesting a username and password. The site says: ""). Even if I enter "DOMAIN\user" and the corresponding password, after another latency of about twenty seconds the password prompt reappears.

In particular, I have noticed that the error appears 99% of the time when viewing one particular page with a GET call index.php?pagina=articoli inside a restricted area of a site. On other pages, also reached through different GET calls (for example index.php?pagina=altrapagina), the problem never appears. Moreover, the problem appears 99% of the time from one particular computer, with both Firefox and Internet Explorer (both at the latest version). If I cancel, I get Squid's 403 error "Cache Access Denied". At that moment I have this error in /var/log/squid3/cache.log:

[2009/09/25 10:37:21, 1] libsmb/ntlmssp.c:ntlmssp_update(333) got NTLMSSP command 3, expected 1

Searching for it on Google, however, does not give me much useful information (but I can see that it is a known problem). I tried setting "auth_param ntlm children" and "auth_param basic children" to 100 in squid.conf, without getting any positive result.
This is the excerpt of squid.conf covering NTLM authentication and the ACLs:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.33.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access allow manager localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all

Setting Squid's log level to 3 instead of 1, I get a long run of messages in cache.log, of which I report only the lines around the error I pasted above:

2009/09/25 10:37:21.301| AbortChecker::monitor: monitoring half closed FD 213 for aborts
2009/09/25 10:37:21.301| fd_open FD 219 HTTP Request
2009/09/25 10:37:21.302| commSetTimeout: FD 219 timeout 300
2009/09/25 10:37:21.302| ACLChecklist::preCheck: 0x7fff1adb6610 checking 'ident_lookup_access deny all'
2009/09/25 10:37:21.302| ACLList::matches: checking all
2009/09/25 10:37:21.302| ACL::checklistMatches: checking 'all'
2009/09/25 10:37:21.302| aclMatchIp: '127.0.0.1' found
2009/09/25 10:37:21.302| ACL::ChecklistMatches: result for 'all' is 1
2009/09/25 10:37:21.302| aclmatchAclList: 0x7fff1adb6610 returning true (AND list satisfied)
2009/09/25 10:37:21.302| ACLChecklist::markFinished: 0x7fff1adb6610 checklist processing finished
2009/09/25 10:37:21.302| comm_read_try: FD 219, size 4095, retval 830, errno 0
2009/09/25 10:37:21.302| commio_complete_callback: called for 219 (0, 0)
2009/09/25 10:37:21.302| commio_call_callback: called for 219
2009/09/25 10:37:21.302| parseHttpRequest: req_hdr = {Host: admin.miosito.it
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: identity,gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://admin.miosito.it/index.php
Cookie: PHPSESSID=581a911a60915f54228fd9c8eeb58342
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAQABABIAAAAHAAcAEwAAAASABIAaAAAAAAAAACqAAAABYKIogUBKAoAAAAPRQBHAG0AYQB0AHQAaQBhAGYAcgBpAHoAegBlAHIAYQBSAEEAUwBTAEUARwBOAEEAMQB50K+EGQampgAAAAAAAAAAAAAAAAAAAADr8xNYrKETsfRjuMfzej8OiGDbG7lM/ZM=
}
2009/09/25 10:37:21.302| parseHttpRequest: end = {
}
2009/09/25 10:37:21.302| parseHttpRequest: prefix_sz = 830, req_line_sz = 66
2009/09/25 10:37:21.302| clientStreamInsertHead: Inserted node 0xbcadd8 with data 0x2b0c94182120 after head
2009/09/25 10:37:21.302| commSetTimeout: FD 219 timeout 86400
2009/09/25 10:37:21.302| clientSetKeepaliveFlag: http_ver = 1.0
2009/09/25 10:37:21.302| clientSetKeepaliveFlag: method = GET
2009/09/25 10:37:21.302| client_side_request.cc(124) 0xbd3148 ClientRequestContext constructed
2009/09/25 10:37:21.302| client_side_request.cc(1004) Doing calloutContext->clientAccessCheck()
2009/09/25 10:37:21.302| ACLChecklist::preCheck: 0xbd73f0 checking 'http_access allow AuthorizedUsers'
2009/09/25 10:37:21.302| ACLList::matches: checking AuthorizedUsers
2009/09/25 10:37:21.302| ACL::checklistMatches: checking 'AuthorizedUsers'
2009/09/25 10:37:21.302| ACL::ChecklistMatches: result for 'AuthorizedUsers' is 0
2009/09/25 10:37:21.302| aclmatchAclList: 0xbd73f0 returning false (AND list entry failed to match)
2009/09/25 10:37:21.302| ACLChecklist::asyncInProgress: 0xbd73f0 async set to 1
2009/09/25 10:37:21.302| ACLChecklist::checkForAsync: checking password via authenticator
2009/09/25 10:37:21.302| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=1 lastACLResult() = 0 finished() = 0
2009/09/25 10:37:21.302| commio_complete_callback: called for 8 (0, 0)
2009/09/25 10:37:21.302| commio_call_callback: called for 8
[2009/09/25 10:37:21, 1] libsmb/ntlmssp.c:ntlmssp_update(333) got NTLMSSP command 3, expected 1
2009/09/25 10:37:21.303| comm_read_try: FD 8, size 8191, retval 31, errno 0
2009/09/25 10:37:21.303| commio_complete_callback: called for 8 (0, 0)
2009/09/25 10:37:21.303| commio_call_callback: called for 8
2009/09/25 10:37:21.303| helperStatefulHandleRead: end of reply found
2009/09/25 10:37:21.303| helper.cc(488) srv-0 flags.reserved = 0
2009/09/25 10:37:21.303| ACLChecklist::asyncInProgress: 0xbd73f0 async set to 0
2009/09/25 10:37:21.303| ACLChecklist::preCheck: 0xbd73f0 checking 'http_access allow AuthorizedUsers'
2009/09/25 10:37:21.303| ACLList::matches: checking AuthorizedUsers
2009/09/25 10:37:21.303| ACL::checklistMatches: checking 'AuthorizedUsers'
2009/09/25 10:37:21.303| ACL::ChecklistMatches: result for 'AuthorizedUsers' is 0
2009/09/25 10:37:21.303| aclmatchAclList: 0xbd73f0 returning false (AND list entry failed to match)
2009/09/25 10:37:21.303| ACLChecklist::markFinished: 0xbd73f0 checklist processing finished
2009/09/25 10:37:21.303| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 1
2009/09/25 10:37:21.303| ACLChecklist::check: 0xbd73f0 match found, calling back with 2
2009/09/25 10:37:21.303| ACLChecklist::checkCallback: 0xbd73f0 answer=2
2009/09/25 10:37:21.303| The request GET http://admin.miosito.it/index.php?pagina=articoli is DENIED, because it matched 'AuthorizedUsers'
2009/09/25 10:37:21.303| storeCreateEntry: 'http://admin.miosito.it/index.php?pagina=articoli'
2009/09/25 10:37:21.303| store.cc(366) new StoreEntry 0x2b0c9417b190
2009/09/25 10:37:21.303| MemObject.cc(76) new MemObject 0xb84078
2009/09/25 10:37:21.303| storeKeyPrivate: GET http://admin.miosito.it/index.php?pagina=articoli
2009/09/25 10:37:21.303| StoreEntry::hashInsert: Inserting Entry 0x2b0c9417b190 key '31EBDD1897080864556E3AA6DA763EB3'
2009/09/25 10:37:21.303| StoreEntry::setReleaseFlag: '31EBDD1897080864556E3AA6DA763EB3'

Do you have any ideas for solving the problem? Thanks a lot for the help!

Bye,
Mattia.
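
Added example, not part of the original post: Python that decodes the Proxy-Authorization token from the cache.log excerpt above, to show which NTLMSSP message type the request carried when ntlm_auth logged "got NTLMSSP command 3, expected 1". The field positions follow the NTLMSSP Type 3 (AUTHENTICATE) layout; the function names and the cp437 fallback for non-Unicode strings are assumptions of this example.

```python
import base64
import re
import struct

# NTLMSSP message types; Samba's log line calls the type a "command".
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001

# Header copied from the cache.log excerpt in the post (split for line length).
HEADER_FROM_POST = "Proxy-Authorization: NTLM " + (
    "TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAQABABIAAAAHAAcAEwAAAASABIA"
    "aAAAAAAAAACqAAAABYKIogUBKAoAAAAPRQBHAG0AYQB0AHQAaQBhAGYAcgBpAHoA"
    "egBlAHIAYQBSAEEAUwBTAEUARwBOAEEAMQB50K+EGQampgAAAAAAAAAAAAAAAAAA"
    "AADr8xNYrKETsfRjuMfzej8OiGDbG7lM/ZM="
)


def parse_ntlm_header(header_line):
    """Decode the NTLMSSP token in an HTTP (Proxy-)Authorization header."""
    match = re.search(r"Authorization:\s*NTLM\s+([A-Za-z0-9+/=]+)", header_line)
    if not match:
        raise ValueError("no NTLM token in header")
    raw = base64.b64decode(match.group(1), validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"type": msg_type, "name": MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type != 3 or len(raw) < 64:
        return info  # only Type 3 carries the identity fields read below
    (flags,) = struct.unpack_from("<I", raw, 60)
    # Assumption: non-Unicode (OEM) strings are decoded as cp437.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    # Each field is described by (length, max length, offset) at a fixed position.
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        length, _max_len, offset = struct.unpack_from("<HHI", raw, pos)
        if offset + length > len(raw):
            raise ValueError(name + " field points outside the message")
        info[name] = raw[offset:offset + length].decode(encoding, "replace")
    return info


def helper_complaint(info, expected_type=1):
    """Return the mismatch as ntlm_auth logs it, or None if the type is expected."""
    if info["type"] == expected_type:
        return None
    return "got NTLMSSP command %d, expected %d" % (info["type"], expected_type)


if __name__ == "__main__":
    token = parse_ntlm_header(HEADER_FROM_POST)
    print(token)
    print(helper_complaint(token))
```

The token decodes as a Type 3 message, the final step of the NTLM handshake, while the helper that received it was still in its initial state waiting for a Type 1.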