auth username logging

auth username logging

Marko Cupać
Hi,

I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
setup to 4.1. I noticed there are no usernames in access.log, just "*"
for served pages, "-" for 407s.

How can I get usernames in my access.log again?

Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: auth username logging

Amos Jeffries
Administrator
On 29/09/18 3:56 AM, Marko Cupać wrote:
> Hi,
>
> I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
> setup to 4.1. I noticed there are no usernames in access.log, just "*"
> for served pages, "-" for 407s.
>
> How can I get usernames in my access.log again?

What is your auth_param config?

It sounds to me like you are using a "Negotiate/NTLM" auth helper for
"NTLM" authentication.

Amos

Re: auth username logging

Marko Cupać
On Sat, 29 Sep 2018 11:17:49 +1200
Amos Jeffries <[hidden email]> wrote:

> On 29/09/18 3:56 AM, Marko Cupać wrote:
> > Hi,
> >
> > I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
> > setup to 4.1. I noticed there are no usernames in access.log, just
> > "*" for served pages, "-" for 407s.
> >
> > How can I get usernames in my access.log again?  
>
> What is your auth_param config?
>
> It sounds to me like you are using a "Negotiate/NTLM" auth helper for
> "NTLM" authentication.

Hi,

Here's the relevant part of squid.conf:

# AUTHENTICATION HELPERS
auth_param negotiate program \
  /usr/local/libexec/squid/negotiate_wrapper_auth \
    --ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
      --domain=MIMAR \
    --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
      -d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

I am not sure what exactly authenticates, kerberos or NTLM.

Thank you in advance for any pointers,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: auth username logging

Amos Jeffries
Administrator
On 29/09/18 10:23 PM, Marko Cupać wrote:

> On Sat, 29 Sep 2018 11:17:49 +1200
> Amos Jeffries <[hidden email]> wrote:
>
>> On 29/09/18 3:56 AM, Marko Cupać wrote:
>>> Hi,
>>>
>>> I am testing migration of my AD-authenticated (kerberos + ntlm) 3.5
>>> setup to 4.1. I noticed there are no usernames in access.log, just
>>> "*" for served pages, "-" for 407s.
>>>
>>> How can I get usernames in my access.log again?  
>>
>> What is your auth_param config?
>>
>> It sounds to me like you are using a "Negotiate/NTLM" auth helper for
>> "NTLM" authentication.
>
> Hi,
>
> Here's the relevant part of squid.conf:
>
> # AUTHENTICATION HELPERS
> auth_param negotiate program \
>   /usr/local/libexec/squid/negotiate_wrapper_auth \
>     --ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \


--helper-protocol=gss-spnego is telling the samba helper to use
Negotiate protocol, but the wrapper is expecting NTLM protocol and
mapping them.

Please try --helper-protocol=squid-2.5-ntlmssp



>       --domain=MIMAR \
>     --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
>       -d -r -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive on
>
> I am not sure what exactly authenticates, kerberos or NTLM.
>
> Thank you in advance for any pointers,
>


Amos
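
Added example, not part of the thread and not Squid or Samba code: a small squid.conf check for the mismatch described in the last reply, where the helper given to negotiate_wrapper_auth via --ntlm is started with a --helper-protocol other than squid-2.5-ntlmssp. The function names are hypothetical, and the sample input is constructed from the auth_param block posted in the thread.

```python
import re

# Per the last reply in the thread: negotiate_wrapper_auth expects its --ntlm
# helper to speak the NTLM helper protocol, not Negotiate (gss-spnego).
EXPECTED = "squid-2.5-ntlmssp"

# Constructed sample: the auth_param block as posted in the thread.
POSTED = r"""# AUTHENTICATION HELPERS
auth_param negotiate program \
  /usr/local/libexec/squid/negotiate_wrapper_auth \
    --ntlm /usr/local/bin/ntlm_auth --helper-protocol=gss-spnego \
      --domain=MIMAR \
    --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth \
      -d -r -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
"""
# Same block with the change suggested in the reply applied.
SUGGESTED = POSTED.replace("gss-spnego", EXPECTED)


def logical_lines(conf_text):
    """Yield directives with backslash continuations joined, comments dropped."""
    for line in re.sub(r"\\\r?\n", " ", conf_text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def check_wrapper_ntlm_protocol(conf_text):
    """Return one finding per wrapper line whose --ntlm helper protocol is off."""
    findings = []
    for line in logical_lines(conf_text):
        words = line.split()
        if words[:3] != ["auth_param", "negotiate", "program"] or len(words) < 4:
            continue
        if not words[3].endswith("negotiate_wrapper_auth") or "--ntlm" not in words:
            continue
        # Arguments of the NTLM helper run from --ntlm up to --kerberos (or the end).
        args = words[words.index("--ntlm") + 1:]
        if "--kerberos" in args:
            args = args[:args.index("--kerberos")]
        protos = [a.split("=", 1)[1] for a in args if a.startswith("--helper-protocol=")]
        if not protos:
            findings.append("ntlm helper: no --helper-protocol given")
        elif protos[-1] != EXPECTED:
            findings.append(f"ntlm helper: --helper-protocol={protos[-1]}, expected {EXPECTED}")
    return findings


if __name__ == "__main__":
    print(check_wrapper_ntlm_protocol(POSTED))
    print(check_wrapper_ntlm_protocol(SUGGESTED))
```

Run against a migrated squid.conf before switching versions, a non-empty result points at the helper line to review when usernames stop appearing in access.log.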