2009/7/29 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Harley Jackson Willmott wrote:
>>
>> 2009/7/28 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>
>>> Harley Jackson Willmott wrote:
>>>>
>>>> 2009/7/27 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>>
>>>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>>>> <open.harley@xxxxxxxxx> wrote:
>>>>>>
>>>>>> Hey all.
>>>>>>
>>>>>> I've done lots of searching and haven't been able to find examples of this particular scenario, so I'm putting it to you guys for help.
>>>>>>
>>>>>> Basically, my boss has me setting up a Squid server for our company's primarily Microsoft-based network (we use Active Directory). We've already got a proxy server set up running Webmarshal. Webmarshal takes care of all the filtering stuff based on Active Directory membership.
>>>>>>
>>>>>> I'm implementing a Squid server to both cache (obviously) and to throttle certain users using delay pools.
>>>>>>
>>>>>> The original plan was to have Squid in front of Webmarshal, which means Squid needs to be able to pass the AD credentials to Webmarshal. The server itself is running Ubuntu 9.04 Server with Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our AD domain through Likewise-Open. I'd like to create ACLs based on user/group membership in AD, but IPs are fine if that isn't possible. The main thing is that I -need- the credentials passed to Webmarshal so that the user isn't prompted to enter their username and password into their browser (this is how it acts prior to pointing it to Squid).
>>>>>>
>>>>>> Is this possible with my version of Squid? I've been trying to follow examples and documentation on the web, but frequently run into conflicting and/or outdated information. If so, can someone help me out with an example or something? If not, should I just be putting Squid behind Webmarshal?
>>>>>
>>>>> Behind would be the quickest fix.
>>>>>
>>>>> Or you could go the whole way and configure Squid AD authentication with groups access control to completely replace WebMarshal. Squid bundles a few external ACL helpers that check group access. The rest is up to how you set what access controls.
>>>>>
>>>>> Amos
>>>>>
>>>> Thanks, Amos. I mulled it over a bit and talked to the boss and we've put Squid in front of Webmarshal.
>>>>
>>>> I got Squid up and running but was getting a massive headache trying to make it pass credentials to Webmarshal. The problem was revealed to me by another thread on this mailing list that mentioned this would only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7 and it passes credentials to Webmarshal fine now! Delay pools are working great too (it's funny being happy about seeing the internet moving slowly).
>>>>
>>>> However, I'm faced with another problem. I still need to set up ACLs in Squid that are based on Active Directory groups. The box is in our domain with Samba and Winbind, and wbinfo, wbinfo_group.pl and ntlm_auth all work flawlessly.
>>>>
>>>> Unfortunately, after I add the lines for NTLM authentication, my browser (even IE) prompts me for username and password a few times and then sends me to a Cache Access Denied page. My access.log also does not show any usernames/groups.
>>>>
>>>> I've played around with the lines a bit but here is how they stand at the moment:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>>> auth_param ntlm children 30
>>>> auth_param ntlm keep_alive on
>>>>
>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>>> auth_param basic children 5
>>>> auth_param basic realm mushmusic
>>>> auth_param basic credentialsttl 2 hours
>>>> auth_param basic casesensitive off
>>>>
>>>> acl authedusers proxy_auth REQUIRED
>>>> http_access allow authedusers
>>>>
>>>> Any advice?
>>>> Cheers :)
>>>
>>> You also need persistent connections enabled, and connection-auth= flags on any cache_peer lines.
>>>
>>> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
>>> See these settings:
>>> * client_persistent_connections
>>> * server_persistent_connections
>>> * persistent_connection_after_error
>>> * detect_broken_pconn
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>>> Current Beta Squid 3.1.0.12
>>>
>> Thanks again! I managed to get ntlm_auth working, with ACLs based on the user's AD groups to decide different bucket sizes and speeds, without the browser prompting.
>>
>> I had disabled the passing of credentials to Webmarshal beforehand to isolate what I was working on, and now that I've gotten ntlm_auth working, I re-enabled it. Unfortunately, I am prompted for credentials again. This time, however, entering the credentials seems to work (as opposed to just prompting me over and over again before).
>>
>> If I'm _only_ passing credentials or _only_ authenticating for Squid, then everything works swimmingly. However, having both at once causes it to prompt the user at the browser. Can I only have one or the other, or is there a solution that allows Squid to authenticate as well as pass creds to Webmarshal?
>>
>> Cheers
>> Harley
>
> At a guess I'd say the Webmarshal is not finding the NTLM token passed back enough and kicking off its own challenge sequence.
>
> Maybe the all-hack will work here....
>
> Setting "all" ACL as the last on each authentication line causes Squid to not send the auth challenge. This breaks any deny lines, but if the auth is only on "allow" stuff it can work.
>
> NP: You will also have to create a category for non-authenticated requests, which are prior to the Webmarshal challenge but MUST still go through to get the auth challenge happening.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
> Current Beta Squid 3.1.0.12
>

I have to admit I'm a little confused. Still very new to Squid and I'm not entirely sure what you mean :P Particularly the category part and what goes where.

This is how my current config stands, if that helps:

---
access_log /opt/squid/var/logs/access.log squid
http_port 3128
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn on
icp_port 3130
visible_hostname tmg04
acl CONNECT method CONNECT
acl all src 0/0
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp all
auth_param ntlm children 30 all
auth_param ntlm keep_alive on all
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic all
auth_param basic children 5 all
auth_param basic realm mushmusic all
auth_param basic credentialsttl 2 hours all
auth_param basic casesensitive off all
external_acl_type ad_group %LOGIN /opt/squid/libexec/wbinfo_group.pl
acl girly external ad_group girl
http_access allow girly
http_access allow all
cache_effective_user squid
delay_pools 1
delay_class 1 2
delay_parameters 1 8000/128000 8000/128000
cache_peer 192.168.5.11 parent 8085 0 no-query default login=PASS
never_direct allow all
---

There's obvious stuff not in yet, to do with caching, etc., but I'm worrying about that later as it's trivial (IMO) compared to getting it working with Microsoft's crazy old systems.

Harley
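The "all-hack" Amos describes works at the `http_access` level: when an authentication-dependent ACL (a `proxy_auth` ACL, or an external ACL that takes `%LOGIN`) is the last ACL on an `http_access` line and the client has sent no credentials, Squid answers with its own 407 challenge; if a plain `all` ACL follows it on the same line, the line simply fails and evaluation falls through to the next line, so an unauthenticated request can still be allowed on to the `cache_peer` where Webmarshal issues the only challenge the browser sees. The model below is an added illustration written for this thread; it is not Squid source and not code from anyone on the list, and its "challenge only when the auth ACL is last" rule is a deliberate simplification of Squid's real access-control logic. The user names and group memberships in `AD_GROUPS` are constructed; the ACL names (`all`, `authedusers`, `girly`) come from the configs quoted above.

```python
"""Toy model of Squid http_access evaluation, illustrating the "all hack".

Added example for the squid-users thread above. Not Squid code; the rule
"Squid challenges only when the auth ACL is the last one on the line" is a
simplification (assumption) of the 2.7-era behaviour Amos refers to.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample directory (user -> AD groups). Not real accounts.
AD_GROUPS: Dict[str, set] = {"alice": {"girl"}, "bob": {"staff"}}


@dataclass
class Request:
    user: Optional[str] = None   # None: browser sent no Proxy-Authorization yet


@dataclass
class Acl:
    name: str
    kind: str                    # "src_all", "proxy_auth" or "external"
    group: Optional[str] = None  # group name for the ad_group helper

    def needs_credentials(self) -> bool:
        # proxy_auth and %LOGIN external ACLs both require a logged-in user
        return self.kind in ("proxy_auth", "external")

    def matches(self, req: Request) -> bool:
        if self.kind == "src_all":           # acl all src 0/0
            return True
        if self.kind == "proxy_auth":        # acl authedusers proxy_auth REQUIRED
            return req.user in AD_GROUPS
        if self.kind == "external":          # acl girly external ad_group girl
            return self.group in AD_GROUPS.get(req.user, set())
        raise ValueError(f"unknown ACL kind {self.kind}")


# The ACLs from the quoted config, modelled rather than parsed from squid.conf.
ACLS: Dict[str, Acl] = {
    "all": Acl("all", "src_all"),
    "authedusers": Acl("authedusers", "proxy_auth"),
    "girly": Acl("girly", "external", group="girl"),
}

Line = Tuple[str, List[str]]     # ("allow" | "deny", [acl names, in order])

# http_access allow girly        /  http_access allow all     (no hack)
WITHOUT_HACK: List[Line] = [("allow", ["girly"]), ("allow", ["all"])]
# http_access allow girly all    /  http_access allow all     (the all-hack)
WITH_HACK: List[Line] = [("allow", ["girly", "all"]), ("allow", ["all"])]


def evaluate(lines: Sequence[Line], acls: Dict[str, Acl], req: Request):
    """Return (decision, line_no).

    decision is "allow", "deny" or "challenge"; line_no is the 1-based
    http_access line that decided, or None when Squid's implicit default
    (the opposite of the last line's action) applied.
    """
    last_action = "allow"
    for line_no, (action, names) in enumerate(lines, start=1):
        last_action = action
        line_matches = True
        for pos, name in enumerate(names):
            acl = acls[name]
            if acl.needs_credentials() and req.user is None:
                if pos == len(names) - 1:
                    # Auth ACL is last on the line: Squid sends its own 407
                    return "challenge", line_no
                # Not last (e.g. "all" follows): line fails quietly, keep going
                line_matches = False
                break
            if not acl.matches(req):
                line_matches = False
                break
        if line_matches:
            return action, line_no
    return ("deny" if last_action == "allow" else "allow"), None


if __name__ == "__main__":
    for label, cfg in (("without hack", WITHOUT_HACK), ("with hack", WITH_HACK)):
        for user in (None, "alice", "bob"):
            print(f"{label:13s} user={user!s:6s} -> {evaluate(cfg, ACLS, Request(user))}")
```

Running it shows the difference that matters for the double-prompt problem: without the hack an unauthenticated request stops at line 1 with Squid's own challenge, while with the hack line 1 fails silently and line 2 forwards the request to the peer, which is the "category for non-authenticated requests" Amos says must still go through. Two caveats follow from the same model: a `deny` line that relies on an auth ACL no longer challenges either (Amos's "this breaks any deny lines"), and with `http_access allow all` as the fall-through, Squid itself enforces nothing for a client that never authenticates, so every access decision for such requests rests on the upstream Webmarshal.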