
Re: Problems with Group detection with ADS

On 21/05/2014 8:00 p.m., Puschmann, Sven wrote:
> Hi Folks,
> 
> I've installed a new SQUID server for our holding company (same Active Directory forest, but another domain) and I have a little problem with it.
> 
> Here's the auth and external ACL config from both servers (running and newly installed):
> 
> Running Config (Part):
> ===================================================================================
> ### Kerberos
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> 
> ### BASIC
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC  DNS Name>
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 
> ################################
> ### Access rule definitions  ###
> ################################
> acl auth proxy_auth REQUIRED
> 
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
> external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
> external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,spyware,violence,virusinfected,warez,webmail
> 
> acl Full external testForNTGroup RZ-PXY-Full
> acl Standard external testForNTGroup RZ-PXY-Standard
> acl Blocked external testForNTGroup RZ-PXY-Blocked
> acl StandardSocial external testForNTGroup RZ-PXY-SocialMedia
> acl StandardVideo external testForNTGroup RZ-PXY-Videoportale
> acl StandardAdvanced external testForNTGroup RZ-PXY-StandardAdvanced
> ===================================================================================
> 
> Problem Config (same part):
> ===================================================================================
> ### Kerberos
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> 
> ### BASIC
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS NAME>
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 
> ################################
> ### Access rule definitions  ###
> ################################
> acl auth proxy_auth REQUIRED
> 
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
> external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,blog,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,social_networks,spyware,violence,virusinfected,warez,webmail
> external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
> 
> acl Full external testForNTGroup pxy-full
> acl Standard external testForNTGroup pxy-standard
> acl Blocked external testForNTGroup pxy-blocked
> acl StandardSocial external testForNTGroup pxy-socialmedia
> acl StandardVideo external testForNTGroup pxy-videoportale
> acl StandardAdvanced external testForNTGroup pxy-standardadvanced
> ===================================================================================
> 
> The problem is:
> If the user connects to the proxy server via the hostname, he lands in the last "Deny All" ACL because the proxy server cannot determine the user's group correctly. But if I set the proxy via the direct IP address, everything is okay.
> On the running SQUID (first config snippet) there is no such problem.
> 
> Here are some debug outputs (same output on the running SQUID):
> =================================================
> wbinfo -t
> checking the trust secret for domain <DOMAIN-NAME> via RPC calls succeeded
> 
> echo "<DOMAIN-NAME>\user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
> OK
> 
> echo "user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
> OK
> =================================================
> 

So NTLM and Basic user names work.

How about Kerberos credentials?  (user.name@DOMAIN-NAME)


> Does anybody have an idea what might be the problem? I'm really confused by the situation that it's okay via IP address and not okay via DNS name. DNS resolution works (from any client).
> 

* Squid version(s)?

* Samba version?

* is there anything different about the IPs the proxy hostname resolves
to on each site?

* are the Kerberos keytabs for proxy by-hostname correctly installed on
the clients' machines in the new location?
 - compare the sets available to users at each location and see if there
is a difference.


Amos
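Added example, not from this thread and not the Squid project's own helper: the three login spellings that Amos's question contrasts, and a group helper that normalizes them before the lookup. Depending on which scheme the browser negotiates, `%LOGIN` reaches the external ACL helper as `DOMAIN\user.name` (NTLM), `user.name` (Basic) or `user.name@REALM` (Kerberos). A helper that keys its lookup on the raw string answers OK for the first two, which is exactly what Sven's two manual tests exercised, and ERR for the third, which he did not test. That matches the symptom if Kerberos is only negotiated when the proxy is reached by hostname (a client obtains a service ticket for `HTTP/<hostname>`, not for an IP address, so by IP the browser falls back to NTLM or Basic). The membership table, the group names and the helper-protocol handling below are constructed for this example; a real helper would call `wbinfo` for the membership, and `raw_is_member` exists only to show the failing comparison. The URL-decoding step is an assumption about how Squid quotes helper input; it is harmless when the input was not encoded.

```python
#!/usr/bin/env python3
"""Squid external ACL group helper that normalizes the %LOGIN value.

Example code, not the Squid project's wbinfo_group.pl. Reads one request
per line from stdin ('<login> <group> [<group> ...]') and answers OK/ERR.
"""
import sys
from urllib.parse import unquote

# Constructed sample data standing in for `wbinfo --user-groups`, keyed by
# the bare sAMAccountName. Group names follow the second config in the thread.
SAMPLE_MEMBERSHIP = {
    "user.name": {"pxy-standard", "pxy-socialmedia"},
    "other.user": {"pxy-blocked"},
}


def normalize_login(login: str) -> str:
    """Reduce the login spellings Squid may send to a single lookup key.

    NTLM:      DOMAIN\\user.name  -> user.name
    Basic:     user.name          -> user.name
    Kerberos:  user.name@REALM    -> user.name
    """
    # Assumption: Squid may URL-encode helper fields, so '\\' arrives as %5C.
    login = unquote(login.strip())
    if "\\" in login:                      # strip NTLM-style DOMAIN\ prefix
        login = login.rsplit("\\", 1)[1]
    if "@" in login:                       # strip Kerberos @REALM suffix
        login = login.split("@", 1)[0]
    return login.lower()                   # AD names are case-insensitive


def raw_is_member(login, groups, membership=SAMPLE_MEMBERSHIP):
    """The failing variant: keys on the raw login, so user@REALM never matches."""
    user_groups = membership.get(login, set())
    return any(g in user_groups for g in groups)


def is_member(login, groups, membership=SAMPLE_MEMBERSHIP):
    """Normalized variant: all three spellings resolve to the same user."""
    user_groups = {g.lower() for g in membership.get(normalize_login(login), set())}
    return any(g.lower() in user_groups for g in groups)


def handle_line(line, membership=SAMPLE_MEMBERSHIP):
    """Turn one request line into the helper's reply ('OK' or 'ERR ...')."""
    parts = line.split()
    if len(parts) < 2:
        # Malformed request: deny and tell Squid why (message= is shown via %o).
        return "ERR message=missing_login_or_group"
    login, groups = parts[0], parts[1:]
    return "OK" if is_member(login, groups, membership) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; never buffer it


if __name__ == "__main__":
    main()
```

To reproduce Amos's question on the proxy itself, run the same three-line test Sven ran but with the Kerberos spelling, `echo "user.name@DOMAIN-NAME pxy-standard" | /usr/lib/squid3/wbinfo_group.pl`, and compare the result with the two forms that already return OK. Newer versions of Squid's group helper can strip the realm themselves; check the usage text of the helper version installed on each server rather than assuming both behave alike.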
