Re: Squid + Kerberos + Active Directory

On Tue, 2 Jun 2009 11:48:51 -0700 (PDT), Truth Seeker
<truth_seeker_3535@xxxxxxxxx> wrote:
> Thanks Amos. I followed that link and did the steps completely. But it is
> not working for me. Please look into the following details and kindly
> guide me to achieve the goal.
> 
> The following information is herewith:
> 1. squid.conf
> 2. debugged info from cache.log
> 
> contents of my squid.conf
> 
>  grep -v ^# /etc/squid/squid.conf | grep -v "^$"
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> ### For Active Directory Integration
> auth_param negotiate program  /usr/lib/squid/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth

So only authenticated users can use the proxy from anywhere.

> http_access deny all

... nobody else can use it at all.
Following http_access are never matched.

> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> debug_options ALL,1 33,2 28,9
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern (cgi-bin|\?)	0	0%	0
> refresh_pattern .		0	20%	4320
> icp_port 3130
> coredump_dir /var/spool/squid
> 
> 
> 
> Contents of cache.log while accessing from a Windows client which is a member
> of our domain.
> 

The trace shows two requests arriving and being checked. They get as far as
"deny !auth" and Squid sends back a 407 auth-required challenge to the
browser. If these are the same request, it looks like the browser does not
handle Kerberos.

<snip trace>
> 
> 
> -
> --
> ---
> Always try to find truth!!!
> 
> 
> --- On Tue, 6/2/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> 
>> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> Subject: Re:  Squid + Kerberos + Active Directory
>> To: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
>> Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
>> Date: Tuesday, June 2, 2009, 2:53 PM
>> Truth Seeker wrote:
>> > Dear Pro's
>> > 
>> > I am trying to configure a squid proxy in a Windows 2003 Active
>> > Directory Environment. I need to make the migration from MS ISA Proxy
>> > to Squid 3.0 Stable13 on CentOS 5.2
>> > 
>> > My primary goal is; 1. authenticate users without asking
>> > username/password (I mean like how a normal Windows client will
>> > behave when he connects to the internet through MS ISA Proxy in an
>> > Active Directory environment - which will not prompt username/password
>> > because of the Kerberos) by using the kerberos to communicate with
>> > the Win 2k3 Domain Controller.
>> > 
>> > 2. Without any downtime.
>> > 
>> > 
>> > Am I dreaming about this... ??? Is this a workable target??? Is there
>> > any issue in this environment???
>> > 
>> > Awaiting your quick feedbacks ...
>> > 
>> 
>> Possible.
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>> 
>> maybe even easy if you know what you are doing regarding Kerberos.
>> 
>> Amos
>> -- Please be using
>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>>   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
>>
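
The ordering point made above (an unauthenticated request stops at "deny !auth" with a 407, and every http_access line after "deny all" is dead) can be checked with a simplified first-match model of Squid's http_access evaluation. This is an added example, not Squid's code or anything from the thread: it encodes the posted ACLs and http_access lines, models proxy_auth as a boolean on a constructed request dict, and treats a proxy_auth test on a request without credentials as a challenge.

```python
import ipaddress
# Simplified model of Squid's http_access evaluation (not Squid's code): lines are
# tested top to bottom and the first line whose ACLs all match decides the request.
ACLS = {  # the named ACLs from the posted squid.conf (manager/localnet omitted)
    "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "auth": ("proxy_auth", None),  # modelled as request["authenticated"]
}
HTTP_ACCESS = [  # the posted http_access lines, in order
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!auth"]),
    ("allow", ["auth"]),
    ("deny", ["all"]),
    ("allow", ["localhost"]),  # dead: the "deny all" above matches every request
    ("deny", ["all"]),
]

def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req["method"] in values if kind == "method" else req["authenticated"]

def evaluate(req, rules=HTTP_ACCESS):
    """Return (verdict, line index); verdict is 'allow', 'deny' or 'challenge' (407)."""
    for i, (action, acls) in enumerate(rules):
        for acl in acls:
            name = acl.lstrip("!")
            # proxy_auth tested against a request without credentials -> 407 challenge
            if ACLS.get(name, ("",))[0] == "proxy_auth" and not req["authenticated"]:
                return ("challenge", i)
            if acl_matches(name, req) == acl.startswith("!"):
                break  # this ACL failed (or a negated one matched): try the next line
        else:
            return (action, i)
    # Nothing matched: Squid's default is the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny", None)

def unreachable_lines(rules=HTTP_ACCESS):
    # Indexes of http_access lines after the first unconditional "all" line.
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []
```

With the posted ordering, even a request from 127.0.0.1 without credentials is challenged at line 2, so the later "allow localhost" never takes effect.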
