Discussion:
[squid-users] auth username logging
Marko Cupać
2018-09-28 15:56:18 UTC
Hi,

I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
setup to 4.1. I noticed there are no usernames in access.log, just "*"
for served pages, "-" for 407s.

How can I get usernames in my access.log again?

Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Amos Jeffries
2018-09-28 23:17:49 UTC
Post by Marko Cupać
Hi,
I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
setup to 4.1. I noticed there are no usernames in access.log, just "*"
for served pages, "-" for 407s.
How can I get usernames in my access.log again?
What is your auth_param config?

It sounds to me like you are using a "Negotiate/NTLM" auth helper for
"NTLM" authentication.

Amos
Marko Cupać
2018-09-29 10:23:07 UTC
On Sat, 29 Sep 2018 11:17:49 +1200
Post by Amos Jeffries
Post by Marko Cupać
Hi,
I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
setup to 4.1. I noticed there are no usernames in access.log, just
"*" for served pages, "-" for 407s.
How can I get usernames in my access.log again?
What is your auth_param config?
It sounds to me like you are using a "Negotiate/NTLM" auth helper for
"NTLM" authentication.
Hi,

Here's the relevant part of squid.conf:

# AUTHENTICATION HELPERS
auth_param negotiate program \
/usr/local/libexec/squid/negotiate_wrapper_auth \
--ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
--domain=MIMAR \
--kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
-d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

I am not sure what exactly authenticates, kerberos or NTLM.

Thank you in advance for any pointers,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Amos Jeffries
2018-09-30 07:57:36 UTC
Post by Marko Cupać
On Sat, 29 Sep 2018 11:17:49 +1200
Post by Amos Jeffries
Post by Marko Cupać
Hi,
I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
setup to 4.1. I noticed there are no usernames in access.log, just
"*" for served pages, "-" for 407s.
How can I get usernames in my access.log again?
What is your auth_param config?
It sounds to me like you are using a "Negotiate/NTLM" auth helper for
"NTLM" authentication.
Hi,
# AUTHENTICATION HELPERS
auth_param negotiate program \
/usr/local/libexec/squid/negotiate_wrapper_auth \
--ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
--helper-protocol=gss-spnego is telling the samba helper to use
Negotiate protocol, but the wrapper is expecting NTLM protocol and
mapping them.

Please try --helper-protocol=squid-2.5-ntlmssp
Post by Marko Cupać
--domain=MIMAR \
--kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
-d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on
I am not sure what exactly authenticates, kerberos or NTLM.
Thank you in advance for any pointers,
Amos
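
The mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the thread and not Squid code: `logical_lines` and `check_negotiate_wrapper` are hypothetical helper names, the sample config is constructed from the excerpt posted above, and the expected protocol value is the one suggested in the reply.

```python
# Value suggested in the reply above for the helper given to the wrapper's --ntlm option.
EXPECTED = "squid-2.5-ntlmssp"

def logical_lines(conf_text):
    """Join backslash-continued squid.conf lines; skip comments and blanks."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") and not buf:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def check_negotiate_wrapper(conf_text):
    """Flag negotiate_wrapper_auth lines whose --ntlm helper speaks another protocol."""
    findings = []
    for line in logical_lines(conf_text):
        args = line.split()
        if args[:3] != ["auth_param", "negotiate", "program"]:
            continue
        if len(args) < 4 or not args[3].endswith("negotiate_wrapper_auth"):
            continue
        if "--ntlm" not in args:
            continue
        # Arguments between --ntlm and --kerberos belong to the NTLM helper.
        start = args.index("--ntlm") + 1
        end = args.index("--kerberos", start) if "--kerberos" in args[start:] else len(args)
        for arg in args[start:end]:
            if arg.startswith("--helper-protocol=") and arg.split("=", 1)[1] != EXPECTED:
                findings.append(f"--ntlm helper uses {arg}; expected {EXPECTED}")
    return findings

# Constructed sample: the squid.conf excerpt posted in the thread.
POSTED = r"""
# AUTHENTICATION HELPERS
auth_param negotiate program \
/usr/local/libexec/squid/negotiate_wrapper_auth \
--ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
--domain=MIMAR \
--kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
-d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
"""
FIXED = POSTED.replace("gss-spnego", EXPECTED)
```

`check_negotiate_wrapper(POSTED)` returns one finding for the posted configuration, and `check_negotiate_wrapper(FIXED)` returns an empty list.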
