Re: Squid_kerb_ldap intermittently failing auth

Can you run both squid_kerb_ldap and squid_kerb_auth with -d? It should give a lot more detail to find out why it happens.

Markus

"Mark deJong" <dejongm@xxxxxxxxx> wrote in message news:AANLkTikvdJu6+ysyWkDN7VxYzYTS4RtDJGF7ccNzmqyb@xxxxxxxxxxxxxxxxx
Hello,
I'm having an issue with squid_kerb_auth. It seems not all proxy
requests are getting serviced. When falling back on NTLM the requests
come through fine.

My guess is subsequent GET requests made over Proxy_KeepAlive sessions
are not getting serviced. I confirmed this on a trace using Wireshark
where the client requests a page but Squid doesn't come back with an
answer. Is this a known issue?

I'm currently running squid3-3.1.6 and have seen this behavior both
with the included squid_kerb_auth and a separately compiled binary.

squid.conf follows:


http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log combined

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d -s HTTP/dc32-wgw01.nix.DOM.LOCAL@xxxxxxxxxxxxxx
auth_param negotiate children 30
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

external_acl_type AD_US_TEMPS ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g temps@xxxxxxxxxxxx
external_acl_type AD_US_ITDEPT ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g ITDept@xxxxxxxxxxxx

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl firefox_browser browser Firefox

acl UnrestrictedUsers external AD_US_ITDEPT
acl TempUsers external AD_US_TEMPS
acl AuthorizedUsers proxy_auth REQUIRED


acl hq-dmz src 10.50.192.0/24
acl hq-servers src 10.50.64.0/23 10.50.4.0/24
acl hq-services src 10.50.8.0/24 10.50.2.0/24
acl hq-dev src 10.50.66.0/24

acl ie_urls dstdomain "/etc/squid/ie_urls.allow"

acl service_urls dstdomain "/etc/squid/service_urls.allow"
acl dev_urls dstdomain "/etc/squid/dev_urls.allow"
acl hq-servers_urls dstdomain "/etc/squid/servers_urls.allow"
acl temp_urls dstdomain "/etc/squid/temp_urls.allow"

acl SSL_ports port 443
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_access allow hq-servers hq-servers_urls
http_access deny hq-servers

http_access allow hq-services service_urls
http_access deny hq-services

http_access allow hq-dev dev_urls
http_access deny hq-dev


http_access allow TempUsers temp_urls
http_access deny TempUsers all

http_access allow UnrestrictedUsers
http_access deny UnrestrictedUsers all

http_access deny !AuthorizedUsers
http_access allow all
http_access deny all


http_reply_access allow all
icp_access allow all
cache_mgr support@xxxxxxxxx
coredump_dir /var/spool/squid

Thanks,
M. de Jong
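Before reading helper debug output, a quick defender's check for the symptom above is to measure, per client, how often Squid answers with 407 (Proxy Authentication Required) versus serving the request, using the "combined" logformat from the posted squid.conf. A single 407 per connection is the normal Negotiate challenge; a client that keeps getting challenged without ever logging an authenticated (non "-") user is the one whose Kerberos exchange is not completing. This is an added example, not code from the thread or from the Squid project; the log lines are constructed, and the client addresses, usernames and the 0.5 flagging threshold are assumptions.

```python
"""Per-client Negotiate-challenge statistics from Squid access.log lines in the
'combined' logformat of the posted squid.conf:
  %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
Added example; the sample lines below are constructed, not real log data."""
import re
from collections import defaultdict

# One regex group per logformat token; %un is "-" for unauthenticated requests.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>[A-Z_]+):(?P<hier>\S+)$'
)

# Constructed sample: 10.50.66.10 is challenged repeatedly and only once gets
# through; 10.50.66.11 authenticates on its first logged request.
SAMPLE_LINES = [
    '10.50.66.10 - - [12/Aug/2010:10:01:02 +0200] "GET http://example.com/ HTTP/1.1" 407 3125 "-" "Mozilla/5.0" TCP_DENIED:NONE',
    '10.50.66.10 - jdoe@DOM.LOCAL [12/Aug/2010:10:01:03 +0200] "GET http://example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" TCP_MISS:DIRECT',
    '10.50.66.10 - - [12/Aug/2010:10:01:04 +0200] "GET http://example.com/a HTTP/1.1" 407 3125 "-" "Mozilla/5.0" TCP_DENIED:NONE',
    '10.50.66.10 - - [12/Aug/2010:10:01:05 +0200] "GET http://example.com/b HTTP/1.1" 407 3125 "-" "Mozilla/5.0" TCP_DENIED:NONE',
    '10.50.66.11 - asmith@DOM.LOCAL [12/Aug/2010:10:02:00 +0200] "GET http://example.com/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0" TCP_MISS:DIRECT',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec["user"] != "-"
    return rec


def summarize(lines):
    """Per-client counts: total requests, 407 challenges, authenticated requests.

    Malformed lines are counted under the special key "_unparsed" so they are
    visible rather than silently dropped."""
    stats = defaultdict(lambda: {"total": 0, "challenged": 0, "authenticated": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["status"] == 407:
            s["challenged"] += 1
        if rec["authenticated"]:
            s["authenticated"] += 1
    result = dict(stats)
    result["_unparsed"] = unparsed
    return result


def flag_clients(stats, max_challenge_ratio=0.5):
    """Clients whose share of 407 responses exceeds the threshold (assumed 0.5).

    A high ratio with few or no authenticated requests points at a client whose
    Negotiate exchange is not completing, which is where -d helper output should
    be read first."""
    flagged = []
    for client, s in stats.items():
        if client == "_unparsed" or s["total"] == 0:
            continue
        if s["challenged"] / s["total"] > max_challenge_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    for client, s in sorted(stats.items()):
        print(client, s)
    print("clients to investigate:", flag_clients(stats))
```

Feed it the real file with `summarize(open("/var/log/squid/access.log"))`. Note that a request Squid never answers is not logged until the connection closes, so a client that "goes quiet" shows up here as a low total rather than as an error; correlate those clients against the Wireshark trace.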