Re: Squid + Kerberos + Active Directory


Can you send me the following:

fqdn
hostname
klist -kt squid.keytab (if you use MIT Kerberos)


Does your startup script set the KRB5_KTNAME environment variable?

Can you do a successful kinit -k squid.keytab HTTP/hostname?

Can you add a -d to squid_kerb_auth and send me the output?

Did you use the fqdn in IE to point to squid?

Regards
Markus

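The keytab check behind the fqdn/hostname and klist -kt questions above, as an added example that is not part of the thread: it parses MIT `klist -kt` output (a constructed sample, not the poster's keytab) and reports whether the HTTP/<fqdn>@REALM principal the browser will ask the KDC for is actually present, or whether only a short-hostname or differently-cased entry exists. The keytab path, host and realm are placeholders.

```python
import re

# Constructed sample of `klist -kt squid.keytab` (MIT format); the path,
# host and realm are placeholders, not the poster's values.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/02/09 10:00:00 HTTP/proxy@EXAMPLE.COM
   3 06/02/09 10:00:00 HTTP/Proxy.example.com@EXAMPLE.COM
"""

# One entry line: KVNO, two-token timestamp, principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(output):
    """Return (kvno, principal) tuples from `klist -kt` text, skipping headers."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def check_http_principal(output, fqdn, realm):
    """Does the keytab hold the key Squid needs for Negotiate?

    A browser pointed at the proxy by FQDN asks the KDC for a ticket to
    HTTP/<fqdn>@REALM, and MIT Kerberos compares keytab principals
    case-sensitively, so that exact string must be present.  The result
    also lists near misses: entries that differ only in case and entries
    built from the short hostname, which is what a wrong SPN looks like.
    """
    wanted = "HTTP/%s@%s" % (fqdn, realm)
    entries = parse_klist(output)
    exact = sorted({kvno for kvno, p in entries if p == wanted})
    case_only = sorted({p for _, p in entries
                        if p.lower() == wanted.lower() and p != wanted})
    short_host = sorted({p for _, p in entries
                         if p.startswith("HTTP/") and "." not in p.split("@")[0]})
    return {
        "wanted": wanted,
        "found": bool(exact),
        "kvnos": exact,
        "case_mismatch": case_only,
        "short_host_entries": short_host,
    }
```

Feed it the real `klist -kt` output and the FQDN the browsers are configured with; an empty `kvnos` with a populated `case_mismatch` or `short_host_entries` is the usual reason kinit -k and the helper fail.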

"Truth Seeker" <truth_seeker_3535@xxxxxxxxx> wrote in message news:177962.48305.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Thanks Amos. I followed that link and did the steps completely. But it is not working for me. Please look into the following details and kindly guide me to achieve the goal.

The following information is herewith:
1. squid.conf
2. debugged info from cache.log

Contents of my squid.conf:

grep -v ^# /etc/squid/squid.conf | grep -v "^$"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
### For Active Directory Integration
auth_param negotiate program  /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2 28,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid



Contents of cache.log while accessing from a Windows client that is a member of our domain:

2009/06/02 21:38:06.486| aclCheckFast: list: 0x8a8ff60
2009/06/02 21:38:06.486| ACLChecklist::preCheck: 0xbfb8ae94 checking 'ident_lookup_access deny all'
2009/06/02 21:38:06.486| ACLList::matches: checking all
2009/06/02 21:38:06.486| ACL::checklistMatches: checking 'all'
2009/06/02 21:38:06.486| aclMatchIp: '192.168.4.139' found
2009/06/02 21:38:06.486| ACL::ChecklistMatches: result for 'all' is 1
2009/06/02 21:38:06.486| ACLList::matches: result is true
2009/06/02 21:38:06.486| aclmatchAclList: 0xbfb8ae94 returning true (AND list satisfied)
2009/06/02 21:38:06.486| ACLChecklist::markFinished: 0xbfb8ae94 checklist processing finished
2009/06/02 21:38:06.486| ACLChecklist::~ACLChecklist: destroyed 0xbfb8ae94
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access allow manager localhost'
2009/06/02 21:38:06.487| ACLList::matches: checking manager
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.487| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.487| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny manager'
2009/06/02 21:38:06.487| ACLList::matches: checking manager
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.487| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.487| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !Safe_ports'
2009/06/02 21:38:06.487| ACLList::matches: checking !Safe_ports
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'Safe_ports'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.488| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.488| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny CONNECT !SSL_ports'
2009/06/02 21:38:06.488| ACLList::matches: checking CONNECT
2009/06/02 21:38:06.488| ACL::checklistMatches: checking 'CONNECT'
2009/06/02 21:38:06.488| ACL::ChecklistMatches: result for 'CONNECT' is 0
2009/06/02 21:38:06.488| ACLList::matches: result is false
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.488| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.488| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.488| ACLList::matches: checking !auth
2009/06/02 21:38:06.488| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.488| aclMatchAcl: returning 0 sending authentication challenge.
2009/06/02 21:38:06.488| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.488| ACLList::matches: result is true
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.488| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2009/06/02 21:38:06.488| ACLChecklist::markFinished: 0x8d9c188 checklist processing finished
2009/06/02 21:38:06.488| aclmatchAclList: async=1 nodeMatched=1 async_in_progress=0 lastACLResult() = 1 finished() = 1
2009/06/02 21:38:06.488| ACLChecklist::check: 0x8d9c188 match found, calling back with 2
2009/06/02 21:38:06.488| ACLChecklist::checkCallback: 0x8d9c188 answer=2
2009/06/02 21:38:06.488| aclGetDenyInfoPage: got called for auth
2009/06/02 21:38:06.488| aclGetDenyInfoPage: no match
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.523| aclCheckFast: list: 0x8a8ff60
2009/06/02 21:38:06.523| ACLChecklist::preCheck: 0xbfb8ae94 checking 'ident_lookup_access deny all'
2009/06/02 21:38:06.523| ACLList::matches: checking all
2009/06/02 21:38:06.523| ACL::checklistMatches: checking 'all'
2009/06/02 21:38:06.523| aclMatchIp: '192.168.4.139' found
2009/06/02 21:38:06.523| ACL::ChecklistMatches: result for 'all' is 1
2009/06/02 21:38:06.523| ACLList::matches: result is true
2009/06/02 21:38:06.523| aclmatchAclList: 0xbfb8ae94 returning true (AND list satisfied)
2009/06/02 21:38:06.523| ACLChecklist::markFinished: 0xbfb8ae94 checklist processing finished
2009/06/02 21:38:06.523| ACLChecklist::~ACLChecklist: destroyed 0xbfb8ae94
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access allow manager localhost'
2009/06/02 21:38:06.525| ACLList::matches: checking manager
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny manager'
2009/06/02 21:38:06.525| ACLList::matches: checking manager
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !Safe_ports'
2009/06/02 21:38:06.525| ACLList::matches: checking !Safe_ports
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'Safe_ports'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny CONNECT !SSL_ports'
2009/06/02 21:38:06.525| ACLList::matches: checking CONNECT
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'CONNECT'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'CONNECT' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.525| ACLList::matches: checking !auth
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.525| aclMatchAcl: returning 0 sending credentials to helper.
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is true
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.525| ACLChecklist::asyncInProgress: 0x8d9c188 async set to 1
2009/06/02 21:38:06.525| ACLChecklist::checkForAsync: checking password via authenticator
2009/06/02 21:38:06.525| aclmatchAclList: async=1 nodeMatched=1 async_in_progress=1 lastACLResult() = 1 finished() = 0
2009/06/02 21:38:06.526| ACLChecklist::asyncInProgress: 0x8d9c188 async set to 0
2009/06/02 21:38:06.526| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.526| ACLList::matches: checking !auth
2009/06/02 21:38:06.526| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.526| aclMatchAcl: returning 0 sending authentication challenge.
2009/06/02 21:38:06.526| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.526| ACLList::matches: result is true
2009/06/02 21:38:06.526| aclmatchAclList: 0x8d9c188 returning false (AND list entry failed to match)
2009/06/02 21:38:06.526| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2009/06/02 21:38:06.526| ACLChecklist::markFinished: 0x8d9c188 checklist processing finished
2009/06/02 21:38:06.526| aclmatchAclList: async=1 nodeMatched=1 async_in_progress=0 lastACLResult() = 1 finished() = 1
2009/06/02 21:38:06.526| ACLChecklist::check: 0x8d9c188 match found, calling back with 2
2009/06/02 21:38:06.526| ACLChecklist::checkCallback: 0x8d9c188 answer=2
2009/06/02 21:38:06.526| aclGetDenyInfoPage: got called for auth
2009/06/02 21:38:06.526| aclGetDenyInfoPage: no match
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| aclCheckFast: list: 0
2009/06/02 21:38:06.527| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| aclCheckFast: list: 0
2009/06/02 21:38:06.527| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188



-
--
---
Always try to find truth!!!


--- On Tue, 6/2/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Subject: Re:  Squid + Kerberos + Active Directory
To: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
Date: Tuesday, June 2, 2009, 2:53 PM
Truth Seeker wrote:
> Dear Pro's
>
> I am trying to configure a squid proxy in a Windows 2003 Active
> Directory Environment. I need to make the migration from MS ISA Proxy
> to Squid 3.0 Stable13 on CentOS 5.2
>
> My primary goal is: 1. authenticate users without asking
> username/password (I mean like how a normal Windows client will
> behave when he connects to the internet through MS ISA Proxy in an
> Active Directory environment - which will not prompt username/password
> because of the Kerberos) by using the Kerberos to communicate with
> the Win 2k3 Domain Controller.
>
> 2. Without any downtime.
>
>
> Am I dreaming about this... ??? Is this a workable target??? Is there
> any issue in this environment???
>
> Awaiting your quick feedbacks ...
>

Possible.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Maybe even easy if you know what you are doing regarding Kerberos.

Amos
-- Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
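A triage of the auth-related lines in the cache.log posted in this thread, as an added example that is not from any of the participants: it extracts the aclMatchAcl messages for the proxy_auth ACL and classifies what the proxy saw. The sample is a constructed excerpt in the same format; on the poster's log the sequence is challenge, credentials to helper, challenge again, so the client did send a Negotiate token and the helper's reply led to another 407 rather than an accepted user, which is exactly the case where the keytab, KRB5_KTNAME and squid_kerb_auth -d checks asked for above apply.

```python
import re

# Constructed excerpt in the cache.log format the thread quotes (not the
# poster's own lines): only the aclMatchAcl messages for the proxy_auth
# ACL carry the information, the rest of the ACL trace is noise here.
SAMPLE_CACHE_LOG = """\
2009/06/02 21:38:06.488| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.488| aclMatchAcl: returning 0 sending authentication challenge.
2009/06/02 21:38:06.488| aclGetDenyInfoPage: got called for auth
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.525| aclMatchAcl: returning 0 sending credentials to helper.
2009/06/02 21:38:06.526| ACLChecklist::preCheck: 0x8d9c188 checking 'http_access deny !auth'
2009/06/02 21:38:06.526| aclMatchAcl: returning 0 sending authentication challenge.
"""

# "<date> <time>| aclMatchAcl: returning 0 sending <what>."
AUTH_RE = re.compile(
    r"^(\S+ \S+)\| aclMatchAcl: returning 0 sending "
    r"(authentication challenge|credentials to helper)\."
)


def auth_events(log_text):
    """Ordered (timestamp, 'challenge' | 'helper') events from a cache.log."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            kind = "challenge" if m.group(2).startswith("auth") else "helper"
            events.append((m.group(1), kind))
    return events


def triage(log_text):
    """Heuristic verdict for a short excerpt covering one client's attempt.

    no-credentials-sent : only 407 challenges, the browser never sent a
                          Negotiate token (is the proxy addressed by FQDN
                          and trusted by the client for Negotiate?)
    helper-rejected     : a token reached the helper but the reply led to
                          another challenge (keytab / KRB5_KTNAME / helper -d)
    helper-accepted     : the last helper call was not followed by a challenge
    """
    kinds = [kind for _, kind in auth_events(log_text)]
    if not kinds:
        return "no-auth-activity"
    if "helper" not in kinds:
        return "no-credentials-sent"
    last_helper = len(kinds) - 1 - kinds[::-1].index("helper")
    if "challenge" in kinds[last_helper + 1:]:
        return "helper-rejected"
    return "helper-accepted"
```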
