Thank you for your response, as this is my first try with Squid, and fairly newb in Linux.
I do not understand at all the differences between basic/ntlm/gss-spnego auths so I will do my homework and read about them. I've managed to get this working after a few weeks of "trial and error" method (I know, I know, but I gotta start somewhere rite) following multiple guides.
The commented lines are not supposed to be here, sorry. I've been testing log outputs and functionality of auth helpers when commenting some. I attach my squid.conf in email.
Thank you
On Mon, Nov 16, 2015 at 3:19 PM, Eugene M. Zheganin <emz@xxxxxxxxxxxxx> wrote:
On 16.11.2015 14:29, Matej Kotras wrote:
Doesn't seem like you have a working GSS-SPNEGO scheme. Unless you have username fields in log with realm set, which you didn't post here.
Hi guys
I've managed squid to work with AD, and authorize users based on what AD group they are in. I use Squid-Analyzer for doing reports from access.log. I've found 2 anomalies with authorization so far. In access log, I see that user is authorized based on his PC name (not desired) and not on the user account name. I've just enabled debugging on negotiate wrapper, so I will monitor these logs also.
But in the meantime, have you got any idea why could this happen ?
PC NAME AUTH:
1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
USER NAME AUTH:
1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
So you disable the explicit NTLM authentication. That's bad. So far you only have GSS-SPNEGO failover to NTLM.
Squid.conf
#########################################
# Enable KERBEROS authentication
#########################################
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
#########################################
# Enable NTLM authentication
#########################################
#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
#auth_param ntlm children 10
#auth_param ntlm keep_alive off
This is pure basic.
#########################################
# ENABLE LDAP AUTH
#########################################
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
auth_param basic children 10
auth_param basic realm Please enter user name to access the internet
auth_param basic credentialsttl 1 hour
The part with http_access is missing; it's hard to tell why you have TCP_MISS for machine accounts.
external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
Eugene.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
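An added example, not code from the thread or from Squid, to audit the exact anomaly discussed above: a Python script that parses native-format access.log lines and reports the responses Squid allowed under an AD machine account (username ending in `$`) rather than a user account. The sample lines are the ones quoted in the thread; the only assumption is Squid's default native log field layout.

```python
import re
from collections import Counter

# Sample input: access.log lines quoted in the thread (Squid native log format).
SAMPLE_LOG = """\
1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
"""
# Native format: time elapsed client code/status bytes method url user hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) +(?P<elapsed>\d+) +(?P<client>\S+) +(?P<code>[A-Z_]+)/(?P<status>\d{3}) +"
    r"(?P<bytes>\d+) +(?P<method>\S+) +(?P<url>\S+) +(?P<user>\S+) +(?P<hier>\S+) +(?P<ctype>\S+)$"
)
def parse_line(line):
    """Fields of one native-format line as a dict, or None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify_principal(user):
    """'anon' for '-', 'machine' for an AD computer account (ends in '$'), else 'user'."""
    if user == "-":
        return "anon"
    # A Kerberos realm suffix (name@REALM) does not change the classification.
    return "machine" if user.split("@", 1)[0].endswith("$") else "user"

def audit(log_text):
    """Count principal classes on non-407 responses and list requests allowed
    under a machine account, i.e. the anomaly reported in the thread."""
    counts, machine_hits = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] == 407:
            continue  # 407 is the auth challenge, not an authorisation decision
        kind = classify_principal(rec["user"])
        counts[kind] += 1
        if kind == "machine":
            machine_hits.append((rec["client"], rec["url"], rec["user"]))
    return counts, machine_hits

if __name__ == "__main__":
    counts, hits = audit(SAMPLE_LOG)
    print(dict(counts))
    for client, url, user in hits:
        print(f"machine account {user} from {client} was allowed to {url}")
```

Run it over a real access.log (`audit(open("/var/log/squid/access.log").read())`) to list every request that was authorised by a computer account instead of a user; an http_access rule that only checks group membership will pass those if the machine account is in the group.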
Attachment:
squid.conf
Description: Binary data