On 22/07/2016 2:09 a.m., Nilesh Gavali wrote:
> Hi All;
>
> Squid integration with AD Kerberos auth was working properly for me. Today
> I faced an issue, as users are getting a login prompt while accessing the
> Proxy. Not sure what went wrong. Here is my configuration and also the
> cache.log output. Need urgent help.
>
> ==============================================================
> #
> # Recommended minimum configuration:
> #### AD SSO Integration #####
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy02.ABCD.gov.eu@xxxxxxxxxxx -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> #auth_param basic credentialsttl 2 hours
> acl ad_auth proxy_auth REQUIRED
>
> #### AD Group membership ####
>
> external_acl_type AD_Group ttl=300 negative_ttl=0 %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=EU" -D svcproxy -W /etc/squid/pswd/pswd -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))" -h ABCD.GOV.EU -s sub -v 3 -d
>
> acl AVWSUS external AD_Group lgOnlineUpdate
> acl windowsupdate dstdomain "/etc/squid/sitelist/infra_update_site"
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl AVSRVR src xx.xx.8.123 # Cloud SEPM Server
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
>
> http_access allow AVSRVR windowsupdate
> http_access allow AVWSUS windowsupdate
> http_access deny all

If the "deny all" above is actually what you want, then remove all the
following http_access rules.

If the "allow ad_auth" below is what you want, then remove the above
"allow ... windowsupdate" and "deny all" lines - checking groups is
pointless if any authenticated client is allowed.

> http_access allow ad_auth
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> Cache.log-
> ====================================
> 2016/07/21 14:52:53| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
> 2016/07/21 14:52:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
> ===================================

Perhaps your keytab entry expired or got updated in AD without the one on
the Squid machine being updated?

> Also observed the squid_ldap_group helper throwing ERR when checking user
> group membership, but the user is part of the said group in AD.

If the user account credentials are not being identified as valid by the
auth_param helper, there is no "user" to be part of any group check by the
external ACL helper.

> ========================================================================
> #/usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=EU" -D svcproxy -W /etc/squid/pswd/pswd -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))" -h ABCD.GOV.EU -s sub -v 3 -d
> 853438 lgOnlineUpdate
> Connected OK
> group filter '(&(objectclass=person)(userPrincipalName=853438)(memberof=cn=lgOnlineUpdate,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))', searchbase 'DC=ABCD,DC=GOV,DC=EU'
> ERR
> ==========================================

Tried with any recent version of Squid and/or helper? Yours seems to be many
years outdated.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
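The rule-ordering point raised in the reply above, as an added example that is not part of the original thread and not Squid's own code: a small Python model of first-match http_access evaluation, run over the rule order as posted and over the "allow ad_auth / deny all" alternative. The semantics modelled are Squid's documented ones (lines are tested top to bottom, the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last line's action). The SEPM server address and the update-site domain are constructed placeholders for the redacted values, and the port and method ACLs from the posted config are left out to keep the model small.

```python
"""First-match http_access evaluation for the rule sets discussed in the thread.

Added illustration, not Squid code. ACL values (SEPM address, update-site
domain) are constructed placeholders; port/method ACLs are omitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Request:
    src: str                               # client IP
    dst_domain: str                        # requested host
    user: Optional[str] = None             # None = squid_kerb_auth did not return OK
    groups: FrozenSet[str] = frozenset()   # groups squid_ldap_group would confirm


# ACL definitions, simplified from the quoted squid.conf; values are constructed.
ACLS = {
    "AVSRVR": ("src", ["192.0.2.123/32"]),               # stands in for xx.xx.8.123
    "windowsupdate": ("dstdomain", [".update.example"]),  # stands in for the site list
    "ad_auth": ("proxy_auth", ["REQUIRED"]),
    "AVWSUS": ("external", ["lgOnlineUpdate"]),          # AD_Group helper, one group
    "all": ("all", []),
}


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL reference, honouring a leading '!' as negation."""
    negate = name.startswith("!")
    kind, args = ACLS[name.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "src":
        ip = ipaddress.ip_address(req.src)
        hit = any(ip in ipaddress.ip_network(n) for n in args)
    elif kind == "dstdomain":
        host = req.dst_domain.lower()
        # a leading dot matches the domain itself and every subdomain, as in Squid
        hit = any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                  for d in args)
    elif kind == "proxy_auth":
        hit = req.user is not None
    elif kind == "external":
        # %LOGIN exists only after the auth helper validated a user; with no
        # user there is nothing for the group helper to look up
        hit = req.user is not None and any(g in req.groups for g in args)
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate


Rules = List[Tuple[str, List[str]]]

# http_access order as posted: "deny all" sits before "allow ad_auth".
POSTED: Rules = [
    ("allow", ["AVSRVR", "windowsupdate"]),
    ("allow", ["AVWSUS", "windowsupdate"]),
    ("deny", ["all"]),
    ("allow", ["ad_auth"]),   # never reached
    ("deny", ["all"]),
]

# The "allow ad_auth" alternative: any authenticated client, nothing else.
AUTH_ONLY: Rules = [
    ("allow", ["ad_auth"]),
    ("deny", ["all"]),
]


def evaluate(rules: Rules, req: Request) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding line); index is None if nothing matched."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), None


def unreachable_lines(rules: Rules) -> List[int]:
    """Indices of lines that can never decide: everything after a bare 'all' line."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    staff = Request("10.1.2.3", "www.example.org", user="853438@ABCD.GOV.EU",
                    groups=frozenset({"lgOnlineUpdate"}))
    print("posted   :", evaluate(POSTED, staff))       # ('deny', 2)
    print("auth only:", evaluate(AUTH_ONLY, staff))    # ('allow', 0)
    print("dead lines in posted order:", unreachable_lines(POSTED))  # [3, 4]
```

Running it shows the two effects the reply describes: under the posted order an authenticated, group-member user browsing anywhere outside the update sites is stopped by the first "deny all" before "allow ad_auth" is ever consulted, and a request for which squid_kerb_auth returned BH or ERR never satisfies the AD_Group ACL regardless of the user's real membership.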