Hi Amos,

Thank you for your prompt reply.

As you said, the first request is hitting the proxy with the "user" field
empty, but there is no second request. And I was wrong about the "timer".
Please find below the config

auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA --kerberos /usr/local/squid/libexec/ext_kerberos_sid_group_acl -d -s GSS_C_NO_NAME
auth_param negotiate children 60
auth_param negotiate keep_alive off

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA
auth_param ntlm children 60
auth_param ntlm keep_alive off

auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic credentialsttl 4 hours

auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=KATANA,dc=LOCAL" -D katanauser@KATANA.LOCAL -W /usr/local/squid/etc/pass.txt -f sAMAccountName=%s -h 192.168.111.40
auth_param basic children 60
auth_param basic realm Katana Local
auth_param basic credentialsttl 1 minute

acl auth proxy_auth REQUIRED

tcp_outgoing_address 0.0.0.0 all
dns_v4_first on

acl mimeblock rep_mime_type ^application/x-shockwave-flash$
http_reply_access deny mimeblock
acl deny_rep_mime_flashvideo rep_mime_type video/flv
http_reply_access deny deny_rep_mime_flashvideo

acl local0 dst 172.16.0.0/12
acl local1 dst 192.168.0.0/16
http_access allow local0 all
http_access allow local1 all
cache deny local1
cache deny local0
redirector_access deny local0
redirector_access deny local1

http_access deny !auth
http_access allow auth
#http_access deny all
http_port 8080

debug_options 29,9
cache_swap_low 94
cache_swap_high 95
logfile_rotate 150

cache_dir aufs /media/STORAGE/cache 7000 16 256
cache_log /media/STORAGE/ACCESS/cache.log
access_log /media/STORAGE/ACCESS/access.log

refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3129 1025-65535
acl sslports port 443 563

acl purge method PURGE
acl connect method CONNECT

acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/16
http_access allow allowed_subnets
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

http_access deny allsrc

acl max_user_ip_conn max_user_ip -s 1
http_access deny max_user_ip_conn
deny_info https://192.168.111.111/index3.html max_user_ip_conn

acl Java browser Java/1.4 Java/1.5 Java/1.6 Java/1.7 Java/1.8
http_access allow Java

url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 64 startup=16 idle=4 concurrency=0
debug_options 28,9
url_rewrite_children 10

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
adaptation_access service_resp allow all



Thank you




>
>
> Message: 1
> Date: Fri, 19 Jul 2019 02:59:13 +1200
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] squid time out
> Message-ID: <9b813ff3-23b3-c35a-8b40-403ee6705...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 19/07/19 1:57 am, ANDRINANTENAINA Avo wrote:
> >
> > I have a huge range in terms of network, but awkwardly, the
> > authentication/ACL and everything works well in one given subnet but not
> > on the others. The users in the other subnets are not able to surf the
> > internet, and this without any specific logs from the proxy side (the
> > most significant part of the config could be seen below). Any request
> > from these users just times out.
> >
> ...
>
> >
> > I can't really understand the issue, from the affected networks:
> >
> > - The user is able to ping the proxy and access its port
> > 8080 (through telnet / netcat)
> >
> > - The request is able to reach the proxy but in the
> > access_log the "user" is missing
> >
> > 1563455060.396      1 192.168.230.195 TCP_DENIED/407 4714 GET
> > http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
> >
> > - TCP_DENIED/407, requesting the user to go through the
> > authentication phase is presented by the proxy to the user's browser but
> > nothing happens. I thought that if the timer set to Kerberos, NTLM
> > expires, a pop up should appear but nothing (from wireshark)
> >
> >
>
> Er. Not sure what you mean by a timer.
>
> The log entry is a reasonable first-request from any client. No sane
> client will broadcast user credentials until it knows the receiving
> agent needs them - and in what form they are needed.
>  That is why your log entry has no username, and the purpose of the 407
> status.
>
> Once that 407 is delivered to the Browser that HTTP transaction is over.
> If nothing happens afterwards that is a Browser or network layer
> problem, nothing to do with Squid. (There are exceptions, but I see no
> sign of those being relevant in your config).
>
> Browser popup is what happens if the Browser is _unable_ to find
> appropriate user credentials to send the proxy or web server needing
> login. If it is able to find any Kerberos, NTLM or Basic auth
> credentials to use (in that order of priority) - it will start a new
> HTTP transaction using those. Which will be logged as a separate HTTP
> transaction.
>  But, if those credentials are not able to validate there may not be any
> resulting username to log. Your wireshark trace shows no
> Proxy-Authorization header in the request, so of course there will be no
> username on that transactions log entry.
>
>
> Setting the timeouts on credentials usability between the DC and the
> Browsers will only cause credential tokens to become invalid before they
> arrive at the proxy. That can lead to loops of transactions with 407 and
> no username logged, especially with NTLM credentials.
>
> Setting any of the auth related TTL or timeouts in squid.conf to short
> values will only cause extra work for the auth validation process.
> Slowing everything down. It has no effect on whether credentials are
> valid, nor what the Browser does.
>
> Despite the PR and marketing MS have done about single-sign-on being a
> NTLM thing, it is actually a regular part of all HTTP authentication.
> Seeing the popup is a *bad* sign, something is going wrong with the
> Browsers auth setup if it has to be bothering the user for details.
>  On Windows particularly the Browser should have access to the users
> machine login or Kerberos keytab and so use one of those to access the
> proxy without bothering or even being noticed by the user at all.
>
> >
> > - On cache.log there is nothing that could mean something, just
> > a bunch of ARP errors. Tried to debug section 29 for authentication ...
> > but nothing. Checked the IE internet options, just in case the windows
> > authentication profile is not ticked ... but it is there.
> >
>
> ARP errors may be nothing, or it could be a sign that your routing needs
> something fixed.
>  A routing problem might be affecting background connectivity for NTLM
> and Kerberos processes the Browser has to do to allocate auth tokens
> with the DC.
>  It might also affect the proxy verifying those tokens, but that would
> have a different, more obvious error logged.
>
>
> If the above does not help your troubleshooting, please consider posting
> your whole squid.conf.  (Without the #comment lines, and obfuscate
> anything like cachemgr_passwd which should not be made public - but in a
> way which ensures we can still tell eg that two IPs are different numbers).
>
> Amos
>
>
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
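The exchange Amos describes (first request without credentials, 407 with one Proxy-Authenticate header per scheme, browser picks Kerberos/Negotiate over NTLM over Basic and opens a second transaction, or pops up a dialog when it has nothing to send) and the access_log diagnostic that follows from it, as an added example that is not part of the thread and not Squid's own code. The 407 response and all log lines except the one quoted from the original post are constructed here: the three schemes offered mirror the negotiate, ntlm and basic auth_param directives in the posted squid.conf, the client IPs 192.168.10.20 and 192.168.50.7 and the username alice are made up, and the Basic realm text is taken from the config. The log classifier tells the three cases apart by what the proxy actually sees: a client whose only entry is a single 407 with user "-" (the poster's symptom, browser or network never answered the challenge), a client cycling through repeated 407s with no username (the invalid-token loop Amos mentions), and a client that went on to an authenticated transaction.

```python
"""Model of the HTTP proxy-auth handshake and an access_log triage helper.

Added example, not code from the thread or from Squid. Everything runs
offline on constructed data that imitates what the posted squid.conf
(negotiate, ntlm and basic auth_param) would produce.
"""
import base64
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Browser preference order described in the reply: Kerberos (Negotiate), NTLM, Basic.
SCHEME_PRIORITY = ("Negotiate", "NTLM", "Basic")

# Constructed 407 as a Squid with the posted auth_param lines would send it.
# Real Squid output may differ in header order and body; only the scheme list matters here.
SAMPLE_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"Katana Local\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>407 Proxy Authentication Required</body></html>"
)

# Native-format access_log sample. First line is the one quoted in the thread;
# the rest are constructed (IPs, timestamps and the user 'alice' are invented).
SAMPLE_LOG = """\
1563455060.396      1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
1563455061.102      1 192.168.10.20 TCP_DENIED/407 4714 GET http://example.com/ - HIER_NONE/- text/html
1563455061.140    212 192.168.10.20 TCP_MISS/200 15320 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1563455062.001      1 192.168.50.7 TCP_DENIED/407 4714 GET http://example.com/ - HIER_NONE/- text/html
1563455062.050      1 192.168.50.7 TCP_DENIED/407 4714 GET http://example.com/ - HIER_NONE/- text/html
1563455062.099      1 192.168.50.7 TCP_DENIED/407 4714 GET http://example.com/ - HIER_NONE/- text/html
"""


def parse_challenges(raw_response: str) -> List[str]:
    """Return the scheme names offered by a 407's Proxy-Authenticate headers, in header order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    if " 407 " not in status_line:
        return []  # not a proxy-auth challenge; nothing for the client to answer
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])  # scheme token precedes any params
    return schemes


def choose_scheme(offered: List[str], available: Set[str]) -> Optional[str]:
    """Pick the strongest offered scheme the client holds credentials for.

    None means the browser has nothing it can send silently: that is the
    situation in which it bothers the user with a login popup.
    """
    for scheme in SCHEME_PRIORITY:
        if scheme in offered and scheme in available:
            return scheme
    return None


def basic_proxy_authorization(user: str, password: str) -> str:
    """Header the client puts on its second transaction when it falls back to Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def classify_clients(log_lines: List[str]) -> Dict[str, str]:
    """Group native access_log entries by client IP and classify the auth outcome.

    Field layout of the native format: time elapsed client code/status bytes
    method URL user hierarchy/peer type.
    """
    per_client = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 9:
            continue  # blank or truncated line
        client, status, user = fields[2], fields[3], fields[7]
        per_client[client].append((status, user))
    verdicts = {}
    for client, entries in per_client.items():
        if any(user != "-" for _, user in entries):
            verdicts[client] = "authenticated"  # a second transaction carried credentials
        elif all(status.endswith("/407") for status, _ in entries):
            # Only challenges, never an answer: one means the browser went silent,
            # several mean it keeps retrying with tokens the proxy cannot validate.
            verdicts[client] = "challenge_loop" if len(entries) > 1 else "no_reply_to_challenge"
        else:
            verdicts[client] = "unauthenticated_other"
    return verdicts


if __name__ == "__main__":
    offered = parse_challenges(SAMPLE_407)
    print("proxy offers:", offered)
    print("domain-joined client picks:", choose_scheme(offered, {"Negotiate", "NTLM", "Basic"}))
    print("client with no tokens picks:", choose_scheme(offered, set()), "(popup)")
    print(basic_proxy_authorization("alice", "secret"))
    for ip, verdict in classify_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {verdict}")
```

To reproduce the first transaction against the real proxy rather than the constructed response, `curl -v -x http://proxy:8080 http://example.com/` (proxy address assumed) prints the 407 and its Proxy-Authenticate headers; `curl -v --proxy-negotiate -U : -x http://proxy:8080 http://example.com/` from a host with a Kerberos ticket performs the second transaction and shows whether the proxy accepts the token, which is the step the affected browsers never reach.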
