Package: squid3
Version: 3.4.8-6+deb8u1
Severity: normal

Dear Maintainer,

I have Squid 3.4.8 installed on Debian Jessie. I’m using the negotiate wrapper configured like this:

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.domain.local@DOMAIN.LOCAL \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=DOMAIN.LOCAL

The proxy works as intended – authentication happens, and usernames are logged for users that authenticate via Kerberos. However, my logs don’t show user names for anyone that authenticates via NTLM. The user name is replaced with an asterisk.

I am testing by configuring my browser to use the FQDN of the proxy (which results in Kerberos authentication) or by using the IP address (which results in NTLM).

Anyway, the cache log does show the username, but it is apparently in the wrong location to be parsed into the access log:

2016/03/16 16:38:29| negotiate_wrapper: Return 'AF = * james_zuelow ‘

The correct format for this entry should be:

2000/01/01 12:00:00 negotiate_wrapper: Return 'AF * james_zuelow'

This is a problem for me, as my organization wants the username in the log.

Researching the issue I found this:

http://squid-web-proxy-cache.1019090.n4.nabble.com/negotiate-wrapper-Return-AF-username-td4674765.html

In which Amos says this was fixed “a long while back.” My Google-fu is not strong enough to discover an upstream fix for this issue, though.

The NTLM auth binary is part of Winbind, which wasn't picked up by reportbug (I see it says "none" below looking for winbindd vs. winbind).
My Samba/Winbind versions are:

ii  python-samba          2:4.1.17+dfsg-2+deb8u2  amd64  Python bindings for Samba
ii  samba                 2:4.1.17+dfsg-2+deb8u2  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common          2:4.1.17+dfsg-2+deb8u2  all    common files used by both the Samba server and client
ii  samba-common-bin      2:4.1.17+dfsg-2+deb8u2  amd64  Samba common files used by both the server and the client
ii  samba-doc             2:4.1.17+dfsg-2+deb8u2  all    Samba documentation
ii  samba-dsdb-modules    2:4.1.17+dfsg-2+deb8u2  amd64  Samba Directory Services Database
ii  samba-libs:amd64      2:4.1.17+dfsg-2+deb8u2  amd64  Samba core libraries
ii  samba-vfs-modules     2:4.1.17+dfsg-2+deb8u2  amd64  Samba Virtual FileSystem plugins
ii  libnss-winbind:amd64  2:4.1.17+dfsg-2+deb8u2  amd64  Samba nameservice integration plugins
ii  libwbclient0:amd64    2:4.1.17+dfsg-2+deb8u2  amd64  Samba winbind client library
ii  winbind               2:4.1.17+dfsg-2+deb8u2  amd64  service to resolve user and group information from Windows NT servers

-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.7-ckt9 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squid3 depends on:
ii  adduser                  3.113+nmu3
ii  libc6                    2.19-18+deb8u3
ii  libcap2                  1:2.24-8
ii  libcomerr2               1.42.12-1.1
ii  libdb5.3                 5.3.28-9
ii  libecap2                 0.2.0-3
ii  libexpat1                2.1.0-6+deb8u1
ii  libgcc1                  1:4.9.2-10
ii  libgssapi-krb5-2         1.12.1+dfsg-19+deb8u2
ii  libk5crypto3             1.12.1+dfsg-19+deb8u2
ii  libkrb5-3                1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  libltdl7                 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4               2.7.1-5
ii  libpam0g                 1.1.8-3.1+deb8u1
ii  libsasl2-2               2.1.26.dfsg1-13+deb8u1
ii  libstdc++6               4.9.2-10
ii  libxml2                  2.9.1+dfsg1-5+deb8u1
ii  logrotate                3.8.7-1+b1
ii  lsb-base                 4.1+Debian13+nmu1
ii  netbase                  5.3
ii  squid3-common            3.4.8-6+deb8u1

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.1.17+dfsg-2+deb8u2
ii  squid-cgi    3.4.8-6+deb8u1
pn  squid-purge  <none>
ii  squidclient  3.4.8-6+deb8u1
pn  ufw          <none>
pn  winbindd     <none>

-- Configuration Files:
/etc/init.d/squid3 changed:
NAME=squid3
DESC="Squid HTTP Proxy 3.x"
DAEMON=/usr/sbin/squid3
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid3/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid3 ] || . /etc/default/squid3
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin
[ -x $DAEMON ] || exit 0
ulimit -n 65535
find_cache_dir () {
	w=" 	" # space tab
	res=`$DAEMON -k parse -f $CONFIG 2>&1 |
		grep "Processing:" |
		sed s/.*Processing:\ // |
		sed -ne '
			s/^['"$w"']*'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
			t end;
			d;
			:end q'`
	[ -n "$res" ] || res=$2
	echo "$res"
}
grepconf () {
	w=" 	" # space tab
	res=`$DAEMON -k parse -f $CONFIG 2>&1 |
		grep "Processing:" |
		sed s/.*Processing:\ // |
		sed -ne '
			s/^['"$w"']*'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
			t end;
			d;
			:end q'`
	[ -n "$res" ] || res=$2
	echo "$res"
}
create_run_dir () {
	run_dir=/var/run/squid3
	usr=`grepconf cache_effective_user proxy`
	grp=`grepconf cache_effective_group proxy`
	if [ "$(dpkg-statoverride --list $run_dir)" = "" ] &&
	   [ ! -e $run_dir ] ; then
		mkdir -p $run_dir
		chown $usr:$grp $run_dir
	fi
}
start () {
	cache_dir=`find_cache_dir cache_dir`
	cache_type=`grepconf cache_dir`
	KRB5_KTNAME=/etc/squid3/proxy-keytab
	export KRB5_KTNAME
	kinit -k -t proxy-keytab HTTP/proxy.domain.local@DOMAIN.LOCAL
	#
	# Create run dir (needed for several workers on SMP)
	#
	create_run_dir
	#
	# Create spool dirs if they don't exist.
	#
	if test -d "$cache_dir" -a ! -d "$cache_dir/00"
	then
		log_warning_msg "Creating $DESC cache structure"
		$DAEMON -z -f $CONFIG
	fi
	umask 027
	ulimit -n 65535
	cd $cache_dir
	start-stop-daemon --quiet --start \
		--pidfile $PIDFILE \
		--exec $DAEMON -- $SQUID_ARGS < /dev/null
	return $?
}
stop () {
	PID=`cat $PIDFILE 2>/dev/null`
	start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
	#
	# Now we have to wait until squid has _really_ stopped.
	#
	sleep 2
	if test -n "$PID" && kill -0 $PID 2>/dev/null
	then
		log_action_begin_msg " Waiting"
		cnt=0
		while kill -0 $PID 2>/dev/null
		do
			cnt=`expr $cnt + 1`
			if [ $cnt -gt 24 ]
			then
				log_action_end_msg 1
				return 1
			fi
			sleep 5
			log_action_cont_msg ""
		done
		log_action_end_msg 0
		return 0
	else
		return 0
	fi
}
case "$1" in
    start)
	res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
	if test -n "$res";
	then
		log_failure_msg "$res"
		exit 3
	else
		log_daemon_msg "Starting $DESC" "$NAME"
		if start ; then
			log_end_msg $?
		else
			log_end_msg $?
		fi
	fi
	;;
    stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	if stop ; then
		log_end_msg $?
	else
		log_end_msg $?
	fi
	;;
    reload|force-reload)
	res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
	if test -n "$res";
	then
		log_failure_msg "$res"
		exit 3
	else
		log_action_msg "Reloading $DESC configuration files"
		start-stop-daemon --stop --signal 1 \
			--pidfile $PIDFILE --quiet --exec $DAEMON
		log_action_end_msg 0
	fi
	;;
    restart)
	res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
	if test -n "$res";
	then
		log_failure_msg "$res"
		exit 3
	else
		log_daemon_msg "Restarting $DESC" "$NAME"
		stop
		if start ; then
			log_end_msg $?
		else
			log_end_msg $?
		fi
	fi
	;;
    status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
	;;
    *)
	echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
	exit 3
	;;
esac
exit 0

/etc/squid3/squid.conf [Errno 13] Permission denied: u'/etc/squid3/squid.conf'

-- no debconf information
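
Added example, not part of the original report and not Squid's or the wrapper's own code: a small audit of cache.log that flags negotiate_wrapper "AF" replies whose field layout differs from the two-argument form the report gives as correct, and shows which field ends up in the username position. The function names and sample lines are constructed here, and treating the second argument after AF as the logged username is an assumption based on the asterisk the report sees.

```python
import re

# Matches the wrapper debug lines quoted in the report, with or without the "|".
RETURN_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\|?\s+negotiate_wrapper: Return '(.*)$"
)

# Constructed sample input modelled on the two log lines quoted in the report.
SAMPLE_LOG = """\
2016/03/16 16:38:29| negotiate_wrapper: Return 'AF = * james_zuelow '
2016/03/16 16:38:30| unrelated constructed line
2000/01/01 12:00:00 negotiate_wrapper: Return 'AF * james_zuelow'
"""


def parse_return(line):
    """Return (timestamp, fields) for a wrapper 'Return' line, else None."""
    m = RETURN_RE.match(line)
    if not m:
        return None
    # Drop the closing quote (straight or curly) and surrounding whitespace.
    body = m.group(2).rstrip().rstrip("'\u2018\u2019").strip()
    return m.group(1), body.split()


def audit(lines):
    """List every AF reply with the field that would be taken as the username."""
    findings = []
    for line in lines:
        parsed = parse_return(line)
        if parsed is None or not parsed[1] or parsed[1][0] != "AF":
            continue
        ts, fields = parsed
        args = fields[1:]
        # Assumption: the second argument after AF is read as the username,
        # which matches the "*" the report sees in the access log.
        logged_as = args[1] if len(args) > 1 else None
        findings.append({
            "time": ts,
            "args": args,
            "logged_as": logged_as,
            "intended_user": args[-1] if args else None,
            # Well-formed per the report: exactly two arguments, real username.
            "ok": len(args) == 2 and logged_as != "*",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        state = "ok" if f["ok"] else "MISPARSED"
        print(f["time"], state, "logged as:", f["logged_as"],
              "intended:", f["intended_user"])
```

Run against a real cache.log, any entry marked MISPARSED is an authenticated request whose access.log line will not carry the user's name, so those requests have to be attributed from cache.log instead.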