xor wrote:
Hello,
I have installed squid3 with authorisation in the windows2003 domain, with libraries kerberos5 and samba + winbind. OS Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from official repositories (http://ftp.ru.debian.org/debian/).
The proxy clients working under WinXP with browser IE6 or IE7 pass authorisation normally, without superfluous requests of a login/password.
But those who uses Mozilla Firefox browser, at visiting of the sites especially containing JavaScript scenaries, often receive request of a login, password and domain for authorisation in proxy. If this request to reject (with pressed "cancel"), the client receives standard page of cache access denied. But if after that to press to "refresh", the page is loaded without login/password request, and all works normally before occurrence of the next of authorisation request.
This effect observed on the firefox browsers only.
Incr. or decr. of auth_param ntlm children parameters don't helped.
Please define what you mean by "containing JavaScript scenaries"? how is
this relevant to the HTTP requests?
Check that firefox has not saved previous passwords for the user or
another. This can cause issues as the known passwords are used first
every time.
With "debug_options ALL,1 29,6 28,6" cache.log gets a trace of the auth
and ACL actions. Check that to see what is going on.
You can expect to see some holdup while auth details are requested
from the browser whether or not the popup appears. You can see for those
checks whether is right to be needed or not though.
Some unrelated notes inline to the config...
Configs:
###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src "/etc/squid3/acl/bad_pat_servers_ip"
I find it rather confusing that you call this a "servers_ip" and indeed
a pattern list yet use src which tests _client_ IP.
The name of the ACL sounds like you mean it to be a destination check of
some sort.
acl microsoft_activation dstdomain "/etc/squid3/acl/microsoft_activation"
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com liveupdate.symantecliveupdate.com
acl good_sites dstdomain "/etc/squid3/acl/good_sites"
acl bad_pattern url_regex "/etc/squid3/acl/bad_pattern"
acl bad_sites dstdomain "/etc/squid3/acl/bad_sites"
acl odvk url_regex "/etc/squid3/acl/odvk"
acl odnokl_sites dstdomain "/etc/squid3/acl/odnokl_sites"
acl odnokl_users proxy_auth "/etc/squid3/acl/odnokl_users"
acl ip_users src "/etc/squid3/acl/ip_users"
acl AuthUsers proxy_auth "/etc/squid3/acl/users"
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_access deny all
icp_port 3130
Combined with the "icp_access deny all" I find this really weird.
The default action in Squid-3 is not to listen for ICP at all and to
deny all as well. I think you want to remove the icp_* configuration
entirely.
Same for the htcp_access line further up.
forwarded_for off
coredump_dir /var/spool/squid3
###smb.conf
[global]
workgroup = PATERSON
realm = PATERSON.RU
password server = SRV-MSK11 SRV-MSK12
server string = %h server
wins support = yes
wins server = 192.168.2.11
dns proxy = no
interfaces = 192.168.60.60 eth0
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind use default domain = No
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
Best regards, Ehenov Roman.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
