myocella wrote:
> I've 2 proxy servers chained together. Both authenticate against
> different AD domains.
> The downstream proxy is running on Windows (squid/2.5.STABLE1-CVS)
> supporting only basic auth (nt_auth.exe). This proxy server has a
> cache_peer basic auth setup to the upstream proxy:
>
> cache_peer upstream.proxy 3128 0 no-query login=UPSTREAM_DOMAIN\dummyuser:password
>
> The upstream is running on RHEL (squid/2.7.STABLE7) supporting
> NTLM, Basic with AD using this guide
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory,
> plus wb_info.pl for the group lookup.
>
> The users in UPSTREAM_DOMAIN can browse Internet using upstream proxy.
>
> However, the downstream proxy users can't browse the Internet. Their
> browsers prompt for username and password twice - the first time it
> showed the downstream Realm, which makes sense, but the second prompt
> showed the upstream Realm!
>
> In the access.log file on downstream, it showed the authentication
> successfully with username.
> x.x.x.x - downstream_domain\user [09/Oct/2009:12:58:59] "GET http://www.google.com/ HTTP/1.0" 200 240 TCP_MISS:FIRST_UP_PARENT
>
> But the access.log file on the upstream proxy showed 407 with the
> "UPSTREAM_DOMAIN\dummyuser", which is correct.

No, this is NOT correct.
It means the auth credentials UPSTREAM_DOMAIN\dummyuser:password sent to
upstream were checked and failed.

>
> Does anyone have any idea how to resolve this problem?
>

* Send the correct login to upstream.
* Fix whatever in upstream is causing the login to be denied.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Received on Fri Oct 09 2009 - 07:08:28 MDT
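
Added example, not part of the original thread: a Python script that builds the Basic Proxy-Authorization value a `cache_peer ... login=user:password` option sends and reads the upstream's reply to it, which isolates the upstream leg the reply above points at. The function names, the raw HTTP/1.0 request and the constructed 407 reply are assumptions of this example.

```python
import base64
import socket

# Constructed sample: a rejection from an upstream that offers NTLM and Basic.
SAMPLE_407 = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\n"
              b'Proxy-Authenticate: Basic realm="upstream"\r\n\r\n')

def proxy_basic_header(login):
    """Proxy-Authorization value for a login=user:password pair (HTTP Basic)."""
    return "Basic " + base64.b64encode(login.encode("latin-1")).decode("ascii")

def parse_reply(raw):
    """Return (status_code, [auth schemes offered]) from a raw proxy reply."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("no HTTP status line in reply")
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0])
    return int(parts[1]), schemes

def verdict(status):
    """Say which leg of the proxy chain the status points at."""
    if status == 407:
        return "upstream rejected the peer login: fix login= or upstream auth"
    return "upstream accepted the peer login (or asked for none)"

def probe_upstream(host, port, login, url="http://www.google.com/", timeout=10):
    """Send one GET carrying the peer credentials and parse the reply."""
    request = (f"GET {url} HTTP/1.0\r\n"
               f"Proxy-Authorization: {proxy_basic_header(login)}\r\n\r\n")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("latin-1"))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_reply(raw)

if __name__ == "__main__":
    # Offline run on the constructed reply; use probe_upstream() for a live check.
    status, schemes = parse_reply(SAMPLE_407)
    print(status, schemes, "->", verdict(status))
```

Running `probe_upstream("upstream.proxy", 3128, r"UPSTREAM_DOMAIN\dummyuser:password")` from the downstream host takes the browser and the downstream proxy's own authentication out of the picture, so a 407 here confirms the failure is in the credentials or in the upstream's Basic helper.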