Hi guys,

I have a little problem that I can't resolve. I've configured our squid server to authenticate using Kerberos against a Windows 2008 R2 native domain. All the tests I've done seem to show that the authentication is correct, and then I've modified the squid.conf file to use this type of auth on one of our servers. But every time I try to navigate to some permitted URLs, the login window appears, and if we try to insert credentials, nothing happens.

The logs for these connections say that the user is authenticated, but it still gets a TCP_DENIED:

==> /var/log/squid/cache.log <==
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: Got 'YR YIIG0QYGKw.........DowWOKUFfVkRV' from squid (length: 2335).
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: Decode 'YIIG0QYGKw.........DowWOKUFfVkRV' (decoded length: 1749).

==> /var/log/squid/access.log <==
1351194477.443 8 10.0.10.112 TCP_DENIED/407 6805 GET http://www.google.es/ user1@DOMAIN.LOCAL NONE/- text/html

==> /var/log/squid/cache.log <==
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: AF oYG2MIG...........yNG8nGs6Tuc= user1@DOMAIN.LOCAL
2012/10/25 21:47:57| squid_kerb_auth: INFO: User user1@DOMAIN.LOCAL authenticated

==> /var/log/squid/access.log <==
1351194477.634 0 10.0.10.112 TCP_DENIED/407 6839 GET http://www.google.es/favicon.ico user1@DOMAIN.LOCAL NONE/- text/html

This is the part of our squid.conf file where the authentication methods and ACLs are defined:

acl websites dstdomain "/etc/squid/allowed_websites"
#------------------------------------------------------------------------------------------------------
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.domain.local
#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.domain.local@DOMAIN.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
# Fallback to LDAP if Kerberos fails
#auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=$
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
#external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/squid_kerb_ldap -g InternetAccess_ASTEIN_FULL
#acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
#http_access allow LDAP_GROUP_CHECK
#-------------------------------------------------------
http_access deny XENAPP02 !ad_auth
http_access allow websites XENAPP02 ad_auth
http_access allow LAN !XENAPP02
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

Any ideas?

Víctor Viudez
victor@xxxxxxxxx
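
A triage sketch for the symptom in the post above, added here as an example and not part of the original message: it separates TCP_DENIED/407 entries that carry a user name (denied after the helper accepted the ticket) from plain challenges, and lists what each active proxy_auth ACL actually matches. The function names are hypothetical, and the sample input is constructed from the lines quoted in the post (the first log line, with no user, is invented for contrast).

```python
import re

# Constructed sample input modelled on the log lines and config quoted above.
ACCESS_LOG = """\
1351194477.301 2 10.0.10.112 TCP_DENIED/407 6720 GET http://www.google.es/ - NONE/- text/html
1351194477.443 8 10.0.10.112 TCP_DENIED/407 6805 GET http://www.google.es/ user1@DOMAIN.LOCAL NONE/- text/html
1351194477.634 0 10.0.10.112 TCP_DENIED/407 6839 GET http://www.google.es/favicon.ico user1@DOMAIN.LOCAL NONE/- text/html
"""
SQUID_CONF = """\
acl websites dstdomain "/etc/squid/allowed_websites"
acl ad_auth proxy_auth REQUIRE
#acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
http_access deny XENAPP02 !ad_auth
"""

def classify_407(log_text):
    """Split TCP_DENIED/407 entries into plain challenges (no user logged)
    and denials issued after a user name was already established."""
    result = {"challenge": [], "denied_after_auth": []}
    for line in log_text.splitlines():
        f = line.split()
        # Squid native format: time elapsed client code/status bytes method URL user ...
        if len(f) < 8 or f[3] != "TCP_DENIED/407":
            continue
        key = "challenge" if f[7] == "-" else "denied_after_auth"
        result[key].append((f[7], f[6]))
    return result

def proxy_auth_acls(conf_text):
    """Return {acl_name: (values, uses_required)} for active proxy_auth ACLs.
    REQUIRED is the keyword that accepts any authenticated user; any other
    value is compared against the user name."""
    acls = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*acl\s+(\S+)\s+proxy_auth\s+(.*)", line)  # skips '#' lines
        if m:
            values = [v for v in m.group(2).split() if v != "-i"]
            acls[m.group(1)] = (values, values == ["REQUIRED"])
    return acls

if __name__ == "__main__":
    print(classify_407(ACCESS_LOG))
    print(proxy_auth_acls(SQUID_CONF))
```

Entries in `denied_after_auth` point at ACL evaluation rather than at the Kerberos helper, so the `http_access` lines that reference the listed ACLs are the place to look next.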