Re: Re: Re: Squid + Kerberos + Active Directory

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

> <truth_seeker_3535@xxxxxxxxx> wrote in message 
> news:549528.19551.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> Dear Markus,
>
> First of all i disabled the "debug_options ALL,1 33,2 28,9" in squid.conf. 
> Then when i reloaded the squid service, i was looking in all the log files 
> where it will reflect anything about squid_kerb_auth. I found in two places 
> about this information. Please have a look at it;
>
> in /var/log/messages;
> Jun 6 11:49:30 linuxproxy squid[8577]: Squid Parent: child process 8579 
> started
>
> and in /var/log/squid/cache.log;
> 2009/06/06 18:15:28| Reconfiguring Squid Cache (version 3.0.STABLE13)...
> 2009/06/06 18:15:28| FD 21 Closing HTTP connection
> 2009/06/06 18:15:28| FD 23 Closing ICP connection
> 2009/06/06 18:15:28| Processing Configuration File: /etc/squid/squid.conf 
> (depth 0)
> 2009/06/06 18:15:28| Initializing https proxy context
> 2009/06/06 18:15:28| User-Agent logging is disabled.
> 2009/06/06 18:15:28| Referer logging is disabled.
> 2009/06/06 18:15:28| DNS Socket created at 0.0.0.0, port 32776, FD 9
> 2009/06/06 18:15:28| Adding nameserver 192.168.0.111 from /etc/resolv.conf
> 2009/06/06 18:15:28| Adding nameserver 192.168.0.12 from /etc/resolv.conf
> 2009/06/06 18:15:28| helperStatefulOpenServers: Starting 10 
> 'squid_kerb_auth' processes

good

> 2009/06/06 18:15:28| Accepting HTTP connections at 0.0.0.0, port 8080, FD 
> 21.
> 2009/06/06 18:15:28| Accepting ICP messages at 0.0.0.0, port 3130, FD 23.
> 2009/06/06 18:15:28| HTCP Disabled.
> 2009/06/06 18:15:28| Loaded Icons.
> 2009/06/06 18:15:28| Ready to serve requests.
>
>
> Then the output of ps is;
> [root@linuxproxy ~]# ps -ef | grep squid_kerb_auth
> squid 9474 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9475 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9476 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9477 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9478 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9479 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9480 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9481 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9482 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> squid 9483 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
> root 9485 7946 0 18:15 pts/1 00:00:00 grep squid_kerb_auth
> [root@linuxproxy ~]#

looks very good

> So i think we can say that squid_kerb_auth is working in the system.
>
>
> the following is my squid.conf;
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth
> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /var/spool/squid
>
>
> Still if i browse, i will get the error "cache access denied" and the 
> following are the details in the log files;
>
> in squid/access.log;
> 1244303002.590      0 192.168.4.139 TCP_DENIED/407 2866 GET 
> http://google.com/ - NONE/- text/html
> 1244303021.209      0 192.168.4.222 TCP_DENIED/407 2175 CONNECT 
> mail.google.com:443 - NONE/- text/html
> 1244303021.222      0 192.168.4.222 TCP_DENIED/407 2175 CONNECT 
> mail.google.com:443 - NONE/- text/html
>
> in squid/store.log;
> 1244303002.590 RELEASE -1 FFFFFFFF 893DDA4586FEA28E3D7CC6A9AF02FF06  407 
> 1244303002         0        -1 text/html 2393/2393 GET http://google.com/
> 1244303021.209 RELEASE -1 FFFFFFFF 4860F9392E667CA248F079F4475457A6  407 
> 1244303021         0        -1 text/html 1702/1702 CONNECT 
> mail.google.com:443
> 1244303021.222 RELEASE -1 FFFFFFFF DB4AC6E80A21A7065675FE615D788ED2  407 
> 1244303021         0        -1 text/html 1702/1702 CONNECT 
> mail.google.com:443
>
>
> in squid/cache.log;
> NOTHING. as you asked i didnnt played anything with cache option in 
> squid.conf (you can also see above my squid.conf)

That looks like the browser doesn't use negotiate. Can you capture the 
traffic between the client and squid ? Can you also check if the browser has 
linuxproxy.panasonic.com as proxy configured (e.g. NOT linuxproxy only) ?


> Kindly advice...

Regards
Markus