[Linuxtrent] Problem with Squid NTLM

  • From: <liste@xxxxxxxxxxxxxxxxxxxx>
  • To: <linuxtrent@xxxxxxxxxxxxx>
  • Date: Fri, 25 Sep 2009 11:08:55 +0200

Hi everyone!

I have configured Dansguardian 2.10.0.3 with Squid 3.0.STABLE8 on Debian Lenny
with NTLM authentication against a Windows domain whose PDC is a Samba server
running on the same machine.
Everything works and users are recognised correctly, but occasionally (and
always on one site in particular, especially when I try to access PHP pages
with variables in GET) after about twenty seconds of latency the browser asks
me for a username and password (the proxy 192.168.33.1:3131 requires a
username and password. The site says: ""). Even if I enter "DOMAIN\user" and
the corresponding password, after another latency of about twenty seconds the
password prompt reappears.

In particular, I noticed that the error appears 99% of the time when viewing
one particular page through a GET call index.php?pagina=articoli inside a
reserved area of a site. On other pages, also reached through different GET
calls (for example index.php?pagina=altrapagina), the problem never appears.
Moreover, the problem appears 99% of the time from one particular computer,
with both Firefox and Internet Explorer (both at the latest version).

If I cancel, I get Squid's 403 error "Cache Access Denied".

At that moment, in /var/log/squid3/cache.log I have this error:

[2009/09/25 10:37:21,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
got NTLMSSP command 3, expected 1

but searching Google for it does not give me much useful information (although
I notice it is a known problem).

I tried setting "auth_param ntlm children" and "auth_param basic children" to
100 in squid.conf without any positive result.

This is the excerpt of squid.conf relating to NTLM authentication and the
ACLs:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.33.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access allow manager localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all

Setting Squid's log level to 3 instead of 1, I get a flood of messages in
cache.log, of which I report only the lines around the error I pasted
above:

2009/09/25 10:37:21.301| AbortChecker::monitor: monitoring half closed FD
213 for aborts
2009/09/25 10:37:21.301| fd_open FD 219 HTTP Request
2009/09/25 10:37:21.302| commSetTimeout: FD 219 timeout 300
2009/09/25 10:37:21.302| ACLChecklist::preCheck: 0x7fff1adb6610 checking
'ident_lookup_access deny all'
2009/09/25 10:37:21.302| ACLList::matches: checking all
2009/09/25 10:37:21.302| ACL::checklistMatches: checking 'all'
2009/09/25 10:37:21.302| aclMatchIp: '127.0.0.1' found
2009/09/25 10:37:21.302| ACL::ChecklistMatches: result for 'all' is 1
2009/09/25 10:37:21.302| aclmatchAclList: 0x7fff1adb6610 returning true
(AND list satisfied)
2009/09/25 10:37:21.302| ACLChecklist::markFinished: 0x7fff1adb6610
checklist processing finished
2009/09/25 10:37:21.302| comm_read_try: FD 219, size 4095, retval 830,
errno 0
2009/09/25 10:37:21.302| commio_complete_callback: called for 219 (0, 0)
2009/09/25 10:37:21.302| commio_call_callback: called for 219
2009/09/25 10:37:21.302| parseHttpRequest: req_hdr = {Host:
admin.miosito.it
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.1.3)
Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: identity,gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://admin.miosito.it/index.php
Cookie: PHPSESSID=581a911a60915f54228fd9c8eeb58342
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAQABABIAAAAHAAcAEwAAAASABIAaAAAAAAAAACqAAAABYKIogUBKAoAAAAPRQBHAG0AYQB0AHQAaQBhAGYAcgBpAHoAegBlAHIAYQBSAEEAUwBTAEUARwBOAEEAMQB50K+EGQampgAAAAAAAAAAAAAAAAAAAADr8xNYrKETsfRjuMfzej8OiGDbG7lM/ZM=

}
2009/09/25 10:37:21.302| parseHttpRequest: end = {
}
2009/09/25 10:37:21.302| parseHttpRequest: prefix_sz = 830, req_line_sz =
66
2009/09/25 10:37:21.302| clientStreamInsertHead: Inserted node 0xbcadd8
with data 0x2b0c94182120 after head
2009/09/25 10:37:21.302| commSetTimeout: FD 219 timeout 86400
2009/09/25 10:37:21.302| clientSetKeepaliveFlag: http_ver = 1.0
2009/09/25 10:37:21.302| clientSetKeepaliveFlag: method = GET
2009/09/25 10:37:21.302| client_side_request.cc(124) 0xbd3148
ClientRequestContext constructed
2009/09/25 10:37:21.302| client_side_request.cc(1004) Doing
calloutContext->clientAccessCheck()
2009/09/25 10:37:21.302| ACLChecklist::preCheck: 0xbd73f0 checking
'http_access allow AuthorizedUsers'
2009/09/25 10:37:21.302| ACLList::matches: checking AuthorizedUsers
2009/09/25 10:37:21.302| ACL::checklistMatches: checking 'AuthorizedUsers'
2009/09/25 10:37:21.302| ACL::ChecklistMatches: result for
'AuthorizedUsers' is 0
2009/09/25 10:37:21.302| aclmatchAclList: 0xbd73f0 returning false (AND
list entry failed to match)
2009/09/25 10:37:21.302| ACLChecklist::asyncInProgress: 0xbd73f0 async set
to 1
2009/09/25 10:37:21.302| ACLChecklist::checkForAsync: checking password via
authenticator
2009/09/25 10:37:21.302| aclmatchAclList: async=1 nodeMatched=0
async_in_progress=1 lastACLResult() = 0 finished() = 0
2009/09/25 10:37:21.302| commio_complete_callback: called for 8 (0, 0)
2009/09/25 10:37:21.302| commio_call_callback: called for 8
[2009/09/25 10:37:21,  1] libsmb/ntlmssp.c:ntlmssp_update(333)
got NTLMSSP command 3, expected 1
2009/09/25 10:37:21.303| comm_read_try: FD 8, size 8191, retval 31, errno 0
2009/09/25 10:37:21.303| commio_complete_callback: called for 8 (0, 0)
2009/09/25 10:37:21.303| commio_call_callback: called for 8
2009/09/25 10:37:21.303| helperStatefulHandleRead: end of reply found
2009/09/25 10:37:21.303| helper.cc(488) srv-0 flags.reserved = 0
2009/09/25 10:37:21.303| ACLChecklist::asyncInProgress: 0xbd73f0 async set
to 0
2009/09/25 10:37:21.303| ACLChecklist::preCheck: 0xbd73f0 checking
'http_access allow AuthorizedUsers'
2009/09/25 10:37:21.303| ACLList::matches: checking AuthorizedUsers
2009/09/25 10:37:21.303| ACL::checklistMatches: checking 'AuthorizedUsers'
2009/09/25 10:37:21.303| ACL::ChecklistMatches: result for
'AuthorizedUsers' is 0
2009/09/25 10:37:21.303| aclmatchAclList: 0xbd73f0 returning false (AND
list entry failed to match)
2009/09/25 10:37:21.303| ACLChecklist::markFinished: 0xbd73f0 checklist
processing finished
2009/09/25 10:37:21.303| aclmatchAclList: async=1 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 1
2009/09/25 10:37:21.303| ACLChecklist::check: 0xbd73f0 match found, calling
back with 2
2009/09/25 10:37:21.303| ACLChecklist::checkCallback: 0xbd73f0 answer=2
2009/09/25 10:37:21.303| The request GET
http://admin.miosito.it/index.php?pagina=articoli is DENIED, because it
matched 'AuthorizedUsers'
2009/09/25 10:37:21.303| storeCreateEntry:
'http://admin.miosito.it/index.php?pagina=articoli'
2009/09/25 10:37:21.303| store.cc(366) new StoreEntry 0x2b0c9417b190
2009/09/25 10:37:21.303| MemObject.cc(76) new MemObject 0xb84078
2009/09/25 10:37:21.303| storeKeyPrivate: GET
http://admin.miosito.it/index.php?pagina=articoli
2009/09/25 10:37:21.303| StoreEntry::hashInsert: Inserting Entry
0x2b0c9417b190 key '31EBDD1897080864556E3AA6DA763EB3'
2009/09/25 10:37:21.303| StoreEntry::setReleaseFlag:
'31EBDD1897080864556E3AA6DA763EB3'

Do you have any ideas for solving the problem?

Thanks a lot for your help!
Bye,
Mattia.
-- 
To subscribe (or unsubscribe), just send a message with SUBJECT
"subscribe" (or "unsubscribe") to mailto:linuxtrent-request@xxxxxxxxxxxxx
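As a diagnostic aid added here (not part of the original post, nor code from Squid or Samba), this Python snippet decodes the NTLMSSP message type from a Proxy-Authorization header (the token in the log above starts with TlRMTVNTUAAD, which decodes to the NTLMSSP signature followed by type 3, AUTHENTICATE) and replays the per-connection message order the ntlm_auth helper expects, so the "got NTLMSSP command 3, expected 1" line can be reproduced from the observed sequence. The make_token helper builds constructed sample tokens, and the YR/KK labels are the commands of the squid-2.5-ntlmssp helper protocol.

```python
import base64
import struct

# NTLMSSP message types (MS-NLMP): 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SIGNATURE = b"NTLMSSP\x00"


def ntlm_message_type(proxy_authorization: str) -> int:
    """Return the NTLMSSP message type carried in a 'Proxy-Authorization: NTLM <b64>' value."""
    scheme, _, token = proxy_authorization.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Proxy-Authorization header")
    raw = base64.b64decode(token)
    # Signature occupies bytes 0-7, the little-endian message type bytes 8-11.
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    return struct.unpack_from("<I", raw, 8)[0]


def helper_command(msg_type: int) -> str:
    """Command Squid sends to the helper for a client message: YR for type 1, KK for type 3."""
    return {1: "YR", 3: "KK"}[msg_type]


def check_handshake(types):
    """Replay the state a stateful ntlm_auth helper keeps for one client connection.

    The helper expects NEGOTIATE (1), answers with CHALLENGE (2), then expects
    AUTHENTICATE (3).  A type 3 arriving while it still expects type 1 produces
    exactly the cache.log line from the post; the list of such problems is returned.
    """
    problems = []
    expected = 1
    for t in types:
        if t == 1:
            expected = 3  # helper replied TT (type 2); client must now send type 3
        elif t == 3:
            if expected != 3:
                problems.append(f"got NTLMSSP command {t}, expected {expected}")
            expected = 1  # AF/NA: handshake finished, connection back to the start
        else:
            problems.append(f"unexpected client message type {t}")
    return problems


def make_token(msg_type: int) -> str:
    """Constructed sample token: signature, type and a zeroed body (no real credentials)."""
    body = SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24
    return "NTLM " + base64.b64encode(body).decode()
```

Running ntlm_message_type over the Proxy-Authorization values of the requests that hit the error, grouped by client connection, shows whether the browser is sending AUTHENTICATE on a connection the helper considers fresh.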
