On 10/12/2015 3:25 a.m., Verónica Ovando wrote:
> Hi. I have Squid 3.5 running over Debian 8.
>
> I am using AD authentication. This is part of my squid.conf:
>
> #auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.com
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de mi Dominio
> auth_param basic credentialsttl 2 hours
>
> external_acl_type AD_Grupos ttl=10 children=10 %LOGIN
> /usr/lib/squid3/ext_wbinfo_group_acl -d
>
> acl AD_Standard external Grupos_AD Standard
> acl AD_Exceptuados external Grupos_AD Exceptuados
> acl AD_Bloqueados external Grupos_AD Bloqueados
>
> acl face url_regex -i "/etc/squid3/facebook"
> acl gob url_regex -i "/etc/squid3/gubernamentales"
>
> http_access allow AD_Standard
> http_access allow AD_Exceptuados face
> http_access allow AD_Exceptuados gob
> http_access deny AD_Bloqueados
> http_access deny all
>
>
> When a user that belongs to AD_Bloqueados is asked for the AD user and
> password (of course he/she needs one that belongs to AD_Standard or
> AD_Exceptuados).

The first login check is for "AD_Standard". Users' initial login is checked for that group membership ... then a 407 *re-login* is requested if they are part of AD_Bloqueados.

All users are logged in, just to check the group. So "deny all" at the end never actually happens unless the user is part of some 5th or 6th group (for example "Administrators" or "Domain Servers").

When you are authenticating based on *group* instead of the user/password, things get really weird.

> When I try to use one of those users I cannot
> authenticate correctly. The popup appears many times until I cancel it.
> But sometimes it works. I use all the browsers to do the tests (IE,
> Mozilla and the latest Chrome). With Chrome I get good results, but as I
> said, it works sometimes.
>
> Because sometimes I login with users not in the domain and I need to
> access the internet, I cannot use the 'all' directive in the end of the
> line of 'http_access deny AD_Bloqueados.'

Which means that whenever that group AD_Bloqueados matches, the user will have to *re-login*.

Popups etc. are expected in such events, because the browser has what it thinks are fine credentials to use, but has just been informed that its known set of credentials were invalid. They almost all panic at that point and do a popup.

Note that the browser does not get told *why* the rejection (it might be a random attacker, so that info is privileged). Just that the credentials are not usable.

>
> I will appreciate a lot any help you can give me.

I highly recommend that you do it like this:

  acl auth proxy_auth REQUIRED
  http_access deny !auth
  http_access allow AD_Standard
  http_access allow face AD_Exceptuados
  http_access allow gob AD_Exceptuados
  http_access deny all

Why:

* that !auth will ensure that users are only authenticated once and the 407 request lookup cycles all happen predictably at that first line instead of interleaved within the group checks.

* the line ordering change of face/gob ACLs will greatly reduce the time and CPU spent on helper lookups for non-face and non-gob traffic (up to 50% reduction in proxy-caused latency).

Note that you don't even need to check group AD_Bloqueados. The "deny all" at the end rejects that group's access along with all other undefined groups.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
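To make the two effects Amos describes visible side by side (the 407 re-challenge that a deny on an auth-related ACL produces, and the helper lookups saved by putting the cheap url_regex ACLs first), here is an added toy model of Squid's http_access evaluation. It is not Squid's code and not from this thread. Assumptions: the user-to-group table and the two regex patterns are constructed stand-ins for ext_wbinfo_group_acl and the /etc/squid3 pattern files; each external-ACL evaluation is counted as one helper lookup (the external_acl_type result cache is ignored, so counts are for a cold cache); and, as Squid documents, a matching deny line whose last ACL is auth-related (proxy_auth or an external ACL using %LOGIN) is answered with a 407 challenge rather than 403.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code)."""
import re

# Constructed stand-in for the AD group membership the helper would return.
GROUPS = {
    "alice": {"Standard"},
    "bob": {"Exceptuados"},
    "carol": {"Bloqueados"},
    "dave": set(),                     # authenticated, but in no configured group
}

# ACL table: name -> (kind, argument).  The regexes are constructed
# placeholders for the contents of /etc/squid3/facebook and /etc/squid3/gubernamentales.
ACLS = {
    "auth": ("proxy_auth", None),
    "AD_Standard": ("external_group", "Standard"),
    "AD_Exceptuados": ("external_group", "Exceptuados"),
    "AD_Bloqueados": ("external_group", "Bloqueados"),
    "face": ("url_regex", re.compile(r"facebook\.com", re.I)),
    "gob": ("url_regex", re.compile(r"\.gob\.", re.I)),
    "all": ("all", None),
}

# ACL kinds that need credentials before they can decide.
AUTH_KINDS = {"proxy_auth", "external_group"}

# The original http_access list from the question ...
ORIGINAL = [
    ("allow", ["AD_Standard"]),
    ("allow", ["AD_Exceptuados", "face"]),
    ("allow", ["AD_Exceptuados", "gob"]),
    ("deny", ["AD_Bloqueados"]),
    ("deny", ["all"]),
]
# ... and the recommended one from the reply.
RECOMMENDED = [
    ("deny", ["!auth"]),
    ("allow", ["AD_Standard"]),
    ("allow", ["face", "AD_Exceptuados"]),
    ("allow", ["gob", "AD_Exceptuados"]),
    ("deny", ["all"]),
]


def match_acl(name, user, url, counter):
    """Evaluate one ACL (with optional leading '!'), counting helper lookups."""
    negate = name.startswith("!")
    kind, arg = ACLS[name.lstrip("!")]
    if kind == "all":
        result = True
    elif kind == "proxy_auth":
        result = user is not None
    elif kind == "external_group":
        counter["lookups"] += 1        # one round trip to the group helper
        result = arg in GROUPS.get(user, set())
    else:                              # url_regex: cheap, local, no helper
        result = arg.search(url) is not None
    return (not result) if negate else result


def evaluate(rules, user, url):
    """Return (status, helper_lookups) for a request.

    status is "200" (allowed), "403" (denied) or "407" (auth challenge).
    Lines are tried in order; ACLs on a line are ANDed left to right and
    evaluation of the line stops at the first ACL that does not match.
    """
    counter = {"lookups": 0}
    for action, names in rules:
        last_kind = None
        line_matches = True
        for name in names:
            kind = ACLS[name.lstrip("!")][0]
            if kind in AUTH_KINDS and user is None:
                return "407", counter["lookups"]   # must authenticate first
            last_kind = kind
            if not match_acl(name, user, url, counter):
                line_matches = False
                break
        if line_matches:
            if action == "allow":
                return "200", counter["lookups"]
            # Deny ending on an auth-related ACL -> browser is re-challenged.
            return ("407" if last_kind in AUTH_KINDS else "403"), counter["lookups"]
    return "403", counter["lookups"]   # not reached with a trailing "deny all"


if __name__ == "__main__":
    cases = [(u, url) for u in (None, "alice", "bob", "carol", "dave")
             for url in ("http://example.com/", "https://www.facebook.com/")]
    print(f"{'user':6} {'url':28} {'original':14} {'recommended':14}")
    for user, url in cases:
        o = evaluate(ORIGINAL, user, url)
        r = evaluate(RECOMMENDED, user, url)
        print(f"{str(user):6} {url:28} {o[0]} ({o[1]} lookups)  {r[0]} ({r[1]} lookups)")
```

Running it shows the blocked user carol getting a 407 (the repeating popup) from the original list but a plain 403 from the recommended one, and a non-facebook, non-government request from an Exceptuados user costing four helper lookups originally versus one with the regex ACLs placed first.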