Harley Jackson Willmott wrote:
2009/7/28 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Harley Jackson Willmott wrote:
2009/7/27 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott <open.harley@xxxxxxxxx> wrote:
Hey all.
I've done lots of searching and haven't been able to find examples of
this particular scenario so I'm putting it to you guys for help.
Basically, my boss has me setting up a Squid server for our company's
primarily Microsoft-based network (We use Active Directory). We've
already got a proxy server set up running Webmarshal. Webmarshal takes
care of all the filtering stuff based on Active Directory membership.
I'm implementing a Squid server to both cache (obviously) and to
throttle certain users using delay pools.
The original plan was to have Squid in front of Webmarshal, which
means Squid needs to be able to pass the AD credentials to Webmarshal.
The server itself is running Ubuntu 9.04 Server with
Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
AD domain through Likewise-Open. I'd like to create ACLs based on
user/group membership in AD, but IPs are fine if that isn't possible.
The main thing is that I -need- the credentials passed to Webmarshal
so that the user isn't prompted to enter their username and password
into their browser (this is how it acts prior to pointing it to
Squid).
Is this possible with my version of Squid? I've been trying to follow
examples and documentation on the web, but frequently run into
conflicting and/or outdated information. If so, can someone help me
out with an example or something? If not, should I just be putting
Squid behind Webmarshal?
Behind would be the quickest fix.
Or you could go the whole way and configure Squid AD authentication with
groups access control to completely replace Webmarshal. Squid bundles a
few external ACL helpers that check group access. The rest is up to how
you set up your access controls.
Amos
Thanks, Amos, I mulled it over a bit and talked to the boss and we've
put Squid in front of Webmarshal.
I got Squid up and running but was getting a massive headache trying
to make it pass credentials to Webmarshal. The problem was revealed to
me by another thread on this mailing list that mentioned this would
only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
and it passes credentials to Webmarshal fine now! Delay pools are
working great too (it's funny being happy about seeing the internet
moving slowly).
However, I'm faced with another problem. I still need to set up ACLs
in Squid that are based on Active Directory groups. The box is in our
domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
ntlm_auth all work flawlessly.
Unfortunately, after I add the lines for ntlm authentication, my
browser (even IE) prompts me for username and password a few times and
then sends me to a Cache Access Denied page. My access.log also does
not show any usernames/groups.
I've played around with the lines a bit but here is how they stand at
the moment:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm mushmusic
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl authedusers proxy_auth REQUIRED
http_access allow authedusers
Any advice?
Cheers :)
You also need persistent connections enabled, and connection-auth= flags on
any cache_peer lines.
http://www.squid-cache.org/Versions/v2/2.7/cfgman/
See these settings:
* client_persistent_connections
* server_persistent_connections
* persistent_connection_after_error
* detect_broken_pconn
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
Current Beta Squid 3.1.0.12
Thanks again! I managed to get ntlm_auth working, with ACLs based on
the user's AD groups to decide different bucket sizes and speeds
without the browser prompting.
I had disabled the passing of credentials to Webmarshal beforehand to
isolate what I was working on and now that I've gotten ntlm_auth
working, I re-enabled it. Unfortunately, I am prompted for credentials
again. This time, however, entering the credentials seems to work (as
opposed to just prompting me over and over again before).
If I'm _only_ passing credentials or _only_ authenticating for Squid,
then everything works swimmingly. However, having both at once causes
it to prompt the user at the browser. Can I only have one or the other
or is there a solution that allows Squid to authenticate as well as
pass creds to Webmarshal?
Cheers
Harley
At a guess I'd say the Webmarshal is not finding the NTLM token passed
back enough and kicking off its own challenge sequence.
Maybe the all-hack will work here....
Setting "all" ACL as the last on each authentication line causes Squid
to not send the auth challenge. This breaks any deny lines, but if the
auth is only on "allow" stuff it can work.
NP: You will also have to create a category for non-authenticated
requests, which are prior to the Webmarshal challenge but MUST still go
through to get the auth challenge happening.
Amos
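Pulling Amos's two replies together (persistent connections plus connection-auth on the cache_peer from the first, and the trailing "all" trick with a separate allow line for not-yet-authenticated requests from the second), the following is an added squid.conf example for Squid 2.7. It is not from the thread, from Harley's actual config, or from the Squid project's own documentation. The Webmarshal address and port (192.168.1.20:8080), the LAN range (192.168.0.0/16), the wbinfo_group.pl path and the AD group name "Throttled" are assumptions; the auth_param lines are the ones Harley posted.

```conf
# ---- Added example, not from the thread or the Squid docs ----
# Squid 2.7 in front of Webmarshal: Squid authenticates users itself
# (NTLM via winbind), applies group-based delay pools, and still lets
# Webmarshal's own NTLM challenge reach the browser through the peer.
# ASSUMPTIONS: Webmarshal at 192.168.1.20:8080, LAN 192.168.0.0/16,
# helper at /usr/lib/squid/wbinfo_group.pl, AD group named "Throttled".

http_port 3128

# Squid 2.7 needs "all" defined explicitly (3.x has it built in).
acl all src all
acl localnet src 192.168.0.0/16          # assumption: your LAN range

# --- Amos's first reply: connection-oriented auth needs pconns ---
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error off    # 2.7 default; see the cfgman entry
detect_broken_pconn off                  # 2.7 default; see the cfgman entry

# Send everything to Webmarshal and let the NTLM handshake ride the
# same server-side connection (connection-auth=on on the peer line).
cache_peer 192.168.1.20 parent 8080 0 no-query default connection-auth=on
never_direct allow all

# --- Squid's own authentication (the helpers Harley already has) ---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm mushmusic
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Group lookup through winbind: %LOGIN passes the authenticated user
# name to the helper; the group to test for comes from the acl line.
external_acl_type ad_group ttl=300 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl authedusers proxy_auth REQUIRED
acl throttled external ad_group Throttled   # assumption: AD group name

# --- Amos's second reply: the trailing "all" trick ---
# With "all" last on the line, a request that carries no credentials
# simply fails to match here instead of making Squid send its own 407.
http_access allow authedusers all
# Category for not-yet-authenticated requests: they must still get to
# Webmarshal so its challenge, and the browser's answer, can pass.
http_access allow localnet
http_access deny all

# --- Throttling by AD group (class 2: aggregate + per-client buckets) ---
delay_pools 1
delay_class 1 2
# aggregate unlimited; each client in the group capped at 8 kB/s
delay_parameters 1 -1/-1 8000/8000
delay_access 1 allow throttled all        # trailing "all" is harmless here
delay_access 1 deny all
```

Order matters: the `allow authedusers all` line has to come before `allow localnet`, otherwise every LAN request matches the unauthenticated category first and the group pool never applies. Two caveats a practitioner should keep in mind. First, this is exactly the "maybe" in Amos's reply: whether the browser ever presents credentials that Squid's ntlm_auth can validate, while Webmarshal is also challenging on the same connection, is what Harley was still testing. Second, `allow localnet` deliberately lets requests without credentials through, so the delay pool only binds clients that Squid has actually authenticated; Webmarshal, not Squid, remains the enforcement point for filtering.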