Re: [squid-users] Challenge/Response with Cache Peers (NTLM)

From: Kinkie <kinkie-squid@dont-contact.us>
Date: Sat, 29 Jan 2005 10:33:41 +0100

On Thu, 2005-01-27 at 21:26 +0200, Dave Raven wrote:
> Hi all,
> I've been testing the behavior of Challenge/Response today with
> cache peers. the versions etc are not relevant as I have Challenge/Response
> and BASIC working fine if I point directly to the unit. Below is a makeshift
> diagram of how I've set this up now:
>
> ---------
> | squid |
> | NTLM | ----> Windows 2003
> ---------
> |
> / \
> peer1 -- peer2
> \ /
> \ /
> main cache
>
> I point to "main cache", which has two parents which are the only routes
> (never_direct + always_direct) - login=PASS is on my peer lines. On those
> two I have setup each of them as siblings with login=PASS, and a parent of
> the squid NTLM authenticating unit (which works fine if I point direct),
> also with login=PASS.
>
> The behavior I see is that if I'm using the auth box, I have to login (with
> basic) with DOMAIN\user (and challenge response works). If I go through the
> peers I have to login with only the user - if I add the domain it doesn't
> work at _all_. When I try challenge response it naturally doesn't work as
> the username gets passed with no domain...

Could you paste the relevant lines in the three boxes' squid.conf?

> Is the fix for this as simple as it seems? Or is the problem more
> complicated. I'd really like to get this working...

Do you want the two peers to be directly accessed? If the purpose is for
them to only cache, you might want to distinguish roles: main cache does
auth + logging + request routing, the others do caching (you might want
use CARP to balance the parents to maximize efficiency). If so, it would
be enough for you to use a 'src' type acl on the parents locked on the
main cache ip and log usernames only on the main cache log.

        Kinkie
Received on Sat Jan 29 2005 - 02:29:00 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:36 MST