Search squid archive

Re: Fwd: NTLM LDAP authentication problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 16.11.2015 14:29, Matej Kotras wrote:
Hi guys

I've managed squid to work with AD, and authorize users based on what AD group they are in. I use Squid-Analyzer for doing reports from access.log. I've found 2 anomalies with authorization so far. In access log, I see that user is authorized based on his PC name(not desired) and not on the user account name. I've just enabled debugging on negotiate wrapper, so I will monitor these logs also.

But in the meantime, have you got any idea why could this happen ?

PC NAME AUTH:
1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 -             HIER_NONE/- text/html
1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 -             HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -

USER NAME AUTH:
1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 -         HIER_NONE/- text/html
1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 -         HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
Does't seem like you have working GSS-SPNEGO scheme. Unless you have username fields in log with realm set which yyou didn't post here.


Squid.conf
#########################################
# Enable KERBEROS authentication #
#########################################

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off


#########################################
# Enable NTLM authentication #
#########################################

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
#auth_param ntlm children 10
#auth_param ntlm keep_alive off
So you disable the explicit NTLM authentication. That's bad. This far you only have GSS-SPNEGO failover to NTLM.


#########################################
# ENABLE LDAP AUTH #
#########################################

auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
auth_param basic children 10
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour
This is pure basic.

external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

The part with http_access is missing, it's hard to tell why you have TCP_MISS for machine accounts.

Eugene.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux