
Re: Squid - AD kerberos auth and Linux Server proxy access not working


 



Hi Amos;
OK, we can discuss the issue in two parts: 1. Windows AD authentication & SSO, and 2. the Linux server being unable to access via the Squid proxy.

For First point-
The requirement is to have SSO for accessing the internet via the Squid proxy and, based on the user's AD group membership, allow access to specific sites only. I believe the current configuration of Squid is working as expected.

For Second point -
The point I would like to highlight here is that the Linux server IWCCP01 is not part of the domain at all. Hence the error below, as Squid is configured for AD_auth. So how can we allow a Linux server or non-domain machine to access specific sites?

> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.

====================================
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?


YES, we have the entry as .bottomline.com, which works fine when accessed via a Windows machine having the proxy enabled for that user.

==============================
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?

I made the changes as suggested, but it is still giving the same Error 407.
========================================
> If that works, please list the output of the command:
>  grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site


Output of the above command is below:

[root@Proxy02 ~]# grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
.bottomline.com
[root@Proxy02 ~]#

=======================================

Thanks & Regards
Nilesh Suresh Gavali




 
Message: 2
Date: Wed, 5 Oct 2016 00:11:08 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid - AD kerberos auth and Linux Server
                proxy access not working
Message-ID: <d35ad0ca-761d-60e3-c594-04697110afdc@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8

On 4/10/2016 11:36 p.m., Antony Stone wrote:
> On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:
>
>> Hello Antony;
>> I have double checked the current working configuration of my squid.conf
>> and it has same settings which I posted earlier. somehow it is working for
>> us.
>
> I'm not saying the whole thing won't work; I'm saying there is no point in
> having a line "http_access allow ad_auth" following the line "http_access deny
> all".  The ad_auth line can never be invoked.

Not knowing why authentication works is dangerous. You might have been
allowing non-authenticated traffic and invalid user accounts through.

The only reason it does "work" is that the ACL called "USERS" is _not_
actually checking user logins. It is a group checking ACL which requires
authentication to happen before it can be checked.

In this specific case invalid logins cannot be a member of the group. So
they will not get through the proxy.

However, people who accidentally type the user/password wrong, or whose
machines automatically login with an account not a member of the group
will not be allowed any way to try again short of shutting down their
browser or maybe even logging out of the machine and trying from another
one.

That may or may not be a problem for you.

>
>> below is the error from access.log file.
>>
>> 1475518342.279      0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
>> vseries-test.bottomline.com:443 - NONE/- text/html
>
> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
>
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?
>
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?
>

If that works, please list the output of the command:
 grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

Amos
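
The two ordering points made in this thread (a rule placed after "http_access deny all" can never be invoked, and a group ACL forces authentication before it can be checked) can be tested mechanically. The following is an added example, not part of the original messages and not Squid code: a small Python lint over a constructed squid.conf fragment. The ACL names are taken from the thread; the address, helper path and group name are placeholders, and the AFTER_AUTH check is a heuristic.

```python
# Added example: lint the order of http_access rules in a squid.conf.
# SAMPLE_CONF is constructed. ACL names come from the thread; the address,
# helper path and group name are placeholders, not the poster's values.
SAMPLE_CONF = """\
external_acl_type ad_group %LOGIN /path/to/group-helper
acl ad_auth proxy_auth REQUIRED
acl USERS external ad_group EXAMPLE-GROUP
acl IWCCP01 src 192.0.2.10
acl allowedsite dstdomain "/etc/squid/sitelist/dbs_allowed_site"
http_access allow USERS allowedsite
http_access allow IWCCP01 allowedsite
http_access deny all
http_access allow ad_auth
"""


def lint_http_access(conf):
    """Return (line_no, code, detail) findings for http_access ordering."""
    login_helpers = set()   # external_acl_type helpers that take %LOGIN
    needs_auth = set()      # ACL names that cannot be tested without a login
    catch_all = None        # first "http_access allow|deny all" seen
    first_auth = None       # first http_access rule that needs a login
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok:
            login_helpers.add(tok[1])
        elif tok[0] == "acl":
            if tok[2] == "proxy_auth" or (
                    tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers):
                needs_auth.add(tok[1])
        elif tok[0] == "http_access":
            rule = " ".join(tok)
            uses_auth = any(t.lstrip("!") in needs_auth for t in tok[2:])
            if catch_all:
                # Rules are tested top to bottom and the first match decides.
                findings.append((no, "UNREACHABLE", f"follows '{catch_all}'"))
            elif first_auth and tok[1] == "allow" and not uses_auth:
                # A client with no credentials can be sent 407 by the earlier
                # rule before this credential-free rule is ever tested.
                findings.append((no, "AFTER_AUTH", f"follows '{first_auth}'"))
            if tok[2:] == ["all"] and not catch_all:
                catch_all = rule
            if uses_auth and not first_auth:
                first_auth = rule
    return findings
```

Calling lint_http_access(SAMPLE_CONF) reports line 7 as AFTER_AUTH and line 9 as UNREACHABLE; moving the source-address rule above the first rule that needs a login and dropping the rule after "deny all" clears both findings.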


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
