Re: Squid + AD + Kerb auth question

Hi Joao,
 
   OK, now you use the authentication rule.
 
   How did you create the keytab? Does the hostname match the keytab entry?
 
  Can you run the helper with -d to get more debug?
 
Markus
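The two checks Markus asks for above (how the keytab was created, and whether the hostname matches its entry) can be scripted against `klist -kt` output. This is an added example, not code from the thread or from Squid; the klist output is a constructed sample (its host name is deliberately different from the proxy's), and `proxy.joznet.local` / `JOZNET.LOCAL` are taken from the posted configs.

```python
import re

# Constructed sample of `klist -kt` output (not from the poster's machine): the
# SPN was created for a different host name than the proxy's visible_hostname.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/18/15 20:00:00 HTTP/srvproxy.joznet.local@JOZNET.LOCAL
   3 03/18/15 20:00:00 HTTP/srvproxy.joznet.local@JOZNET.LOCAL
"""

ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$")  # KVNO date time principal

def keytab_principals(klist_text):
    """Principals listed by `klist -kt`; duplicates (one per enctype) collapsed."""
    seen = []
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def check_keytab(klist_text, visible_hostname, realm):
    """Return a list of problems; empty means HTTP/<visible_hostname>@<REALM> is present.
    Kerberos principal names are case-sensitive, so the exact comparison is intended."""
    wanted = f"HTTP/{visible_hostname}@{realm}"
    found = keytab_principals(klist_text)
    if wanted in found:
        return []
    problems = [f"keytab lacks {wanted}"] if found else ["keytab has no entries"]
    for princ in found:
        service, _, rest = princ.partition("/")
        host, _, princ_realm = rest.partition("@")
        if service != "HTTP":
            problems.append(f"{princ}: service is {service!r}, Negotiate needs HTTP/")
        if host.lower() != visible_hostname.lower():
            problems.append(f"{princ}: host {host} != visible_hostname {visible_hostname}")
        elif host != visible_hostname:
            problems.append(f"{princ}: host differs only in case from {visible_hostname}")
        if princ_realm != realm:
            problems.append(f"{princ}: realm {princ_realm!r} != {realm!r}")
    return problems

if __name__ == "__main__":
    for problem in check_keytab(KLIST_OUTPUT, "proxy.joznet.local", "JOZNET.LOCAL"):
        print(problem)
```

Feed it the real `klist -kt /etc/squid/HTTP.keytab` output together with the `visible_hostname` and `default_realm` from the running config; an empty result means the keytab at least names the host the proxy answers as.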
 
 
Sent: Thursday, March 19, 2015 12:41 AM
Subject: Re: Squid + AD + Kerb auth question
 
getting access denied now
 
watch the logs
 
 
==> /var/log/squid/squid.out <==
 
==> /var/log/squid/access.log <==
1426725527.219      1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html
 
==> /var/log/squid/cache.log <==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. '
 
guess my SSO isn't working right?
 
2015-03-18 20:46 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Joao
 
Then you hit
 
http_access allow localnet
 
and not
 
http_access allow ad_auth
 
Comment out the following line in squid.conf
 
http_access allow localnet
 
and try again.
 
Markus
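The ordering Markus describes above (the request matches `http_access allow localnet` before it ever reaches `allow ad_auth`, so no authentication happens and no user is logged) can be reproduced with a small first-match evaluator over the posted http_access lines. This is an added example, not Squid's own code: it models only the src and proxy_auth ACL types, treats a proxy_auth ACL reached by a request without credentials as a 407 challenge, and uses the client address 192.168.1.251 from the posted logs.

```python
import ipaddress
# Constructed excerpt of the posted squid.conf; only src, proxy_auth and 'all' are modelled.
SQUID_CONF = """\
acl ad_auth proxy_auth REQUIRED
acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
"""

def parse_conf(text):
    acls, rules = {}, []  # acl name -> (type, args); http_access rules in file order
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, args = acls.get(name, ("src", ["0.0.0.0/0", "::/0"]))  # 'all' = every address
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "proxy_auth":  # REQUIRED: any authenticated user matches
        return req.get("user") is not None
    raise ValueError(f"unsupported acl type {kind}")

def http_access(conf, req):
    """First-match evaluation (simplified): returns (decision, rule_index); decision is
    'allow', 'deny' or '407' when a proxy_auth ACL is reached without credentials."""
    acls, rules = parse_conf(conf)
    for i, (action, terms) in enumerate(rules):
        for term in terms:
            name, negate = term.lstrip("!"), term.startswith("!")
            if acls.get(name, ("all",))[0] == "proxy_auth" and req.get("user") is None:
                return "407", i  # Squid challenges before the rule can decide
            if acl_matches(acls, name, req) == negate:
                break  # this term fails; try the next rule
        else:
            return action, i  # every term matched: the first such rule wins
    return "deny", len(rules)

if __name__ == "__main__":
    unauth = {"src": "192.168.1.251", "user": None}  # the client in the posted logs
    print(http_access(SQUID_CONF, unauth))  # ('allow', 0): localnet wins, no user logged
    print(http_access(SQUID_CONF.replace("http_access allow localnet\n", ""), unauth))  # ('407', 1)
```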
 
Sent: Wednesday, March 18, 2015 11:38 PM
Subject: Re: Squid + AD + Kerb auth question
 
Yes, I'm using localnet; this is a virtual test lab environment. Here are some log entries:
 
1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 -
1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 -
1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -
 
When I looked at the access.log manual pages I saw that if Squid can't get user info, it uses the - sign in the access log, and we can see it there, but why can't it get the user info?
 
 
2015-03-18 20:20 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Hi,
 
  From which network do you surf ?  From localnet ?
 
  Can you send sample log entries ?
 
Markus
 
Sent: Wednesday, March 18, 2015 9:18 PM
Subject: Re: Squid + AD + Kerb auth question
 
squid.conf
 
visible_hostname proxy.joznet.local
 
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
 
acl ad_auth proxy_auth REQUIRED
 
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
 
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
 
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
 
http_access allow manager localhost
http_access deny manager
 
http_access deny !Safe_ports
 
http_access deny CONNECT !SSL_ports
 
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
 
http_port 3128
 
hierarchy_stoplist cgi-bin ?
 
coredump_dir /var/spool/squid
 
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
 
****************************************************************************************
krb5.conf
 
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = JOZNET.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
 
; for Windows 2008 with AES
 
;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 
; for MIT/Heimdal kdc no need to restrict encryption type
 
[realms]
JOZNET.LOCAL = {
  kdc = srvjoznt.joznet.local:88
  admin_server = srvjoznt.joznet.local:749
  default_domain = joznet.local
}
 
[domain_realm]
.joznet.local = JOZNET.LOCAL
joznet.local = JOZNET.LOCAL
 
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
 
 
2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
What does the config file look like?
 
Markus
 
"Joao Paulo Monticelli Gaspar" <jaumshock@xxxxxxxxx> wrote in message news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg@xxxxxxxxxxxxxx...
Hey people
 
I have a question and couldn't find the answer anywhere yet. I'm using Squid integrated with a W2K8 AD server with Kerberos auth, and everything works fine; the main reason for choosing this setup is the Single Sign-On capability of the configuration, but in my access.log I can't see the users that are visiting the sites...
 
Is it possible to show that info with this setup, or with any other setup that maintains the SSO?
 
Thx in advance.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
