Hello Amos,
Thank you for the idea to write a wrapper script.
As NTLM-helper returns "NA NT_STATUS_LOGON_FAILURE" during authentication
failed, I think it is also required to patch the squid sources to copy the
value of the user attribute, returned by the wrapper,
to auth_user_request->user()->username().
As I see, I need to modify the following functions:
Helper::Reply::finalize() - add parsing of additional attributes in the
case when returned value is "NA " ,
Auth::Ntlm/Negotiate::UserRequest::HandleReply() - add finding the "user"
attribute and copping it to the username:
auth_user_request->user()->username(userLabel) in the case of returned
Helper::Error;
By the way, what are these acronyms for (YR, KK, TT, AF, BH, NA, LD)?
Kind regards,
Ankor.
вт, 31 янв. 2023 г. в 08:54, Amos Jeffries <squ...@treenet.co.nz>:
> On 31/01/2023 6:13 pm, Andrey K wrote:
> > Amos,
> >
> > I understood: the helper.cc does not parse the KK-request and does not
> > know about the username. He can only get the username information from
> > the reply of the external helper. But since the external helper
> > returns only an error without a username, this information is missing
> > from the logs.
> >
> > Is there any other possibility to log username and source IP address
> > in such NTLM-failed authentication attempts?
>
> You could make a wrapper script that decodes the KK request and returns
> user=name along with the real helpers result.
> The problem is tat the credentials are known to be invalid at that
> point, so it may just be garbage instead of a username.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
