On 31/05/19 10:28 am, Ilias Clifton wrote:
>>>>> Sent: Wednesday, May 29 2019 6:42
>>>>> From: Ilias Clifton
>>>>>
>>>>> I have Squid 3.5.27 running on Ubuntu 18.04.2, and have been unsuccessful in being able to authenticate users via ldap (kerberos is working well)
>>>>>
>>>>> What else can I do for troubleshooting?
>>>>>
>>
>> What I do is take one of the access.log lines and read through the squid.conf (whole thing) to see what squid would do with that transaction. Most 40* status problems are with http_access ordering, so quickly spotted.
>>
>> If you can provide those details in full I'm happy to do so for you. Or someone experienced with a similar config may spot the issue.
>>
>
>
> See squid.conf below.. Any other config files you need to see?
>

This seems sufficient for config. A few possible issues are visible already, noted below. If fixing those does not work an access.log line will be needed to do the troubleshooting sequence check I mentioned.

> The users authenticating via ldap on phones are in an Active Directory group listed in the file /etc/squid/full_access.txt - They do get full internet access when authenticating via kerberos.
>
> I've checked they are entering the correct passwords - although there are special characters in the passwords eg. `^( - Not sure if that could make a difference. Like I said, it works when running basic_ldap_auth on the command line.
>
> ### cache manager
> cache_mgr proxy@xxxxxxxxxx
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -r -s GSS_C_NO_NAME
> auth_param negotiate children 10 startup=2 idle=1
> auth_param negotiate keep_alive on
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -d -R -b "DC=domain,DC=com" -D proxyuser@xxxxxxxxxx -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h dc.domain.com
> auth_param basic children 10 startup=2 idle=1
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 10 minutes
>

Ah.
Sorry I overlooked this mention of Kerberos existing in your initial mail. This adds something else to check on.

HTTP auth is negotiated starting with the scheme. Clients are required to attempt the most secure auth scheme from the server's initial 407 response. That means any client which supports Negotiate is required to use it - no Basic for them.

One thing about Negotiate is that Kerberos keytabs can be set up on some clients or types of client (ie all iPhones, all Android etc) in a way that makes it not work when all others do.

Another thing is that clients can also try to use it for the Negotiate/NTLM flavour of auth. Which is not supported by your proxy.

So you do need to check a cache.log trace made with "debug_options 11,2" to verify that the clients are actually attempting to use Basic or the Kerberos flavour of Negotiate.

> external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=com" -D proxyuser@xxxxxxxxxx -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy, DC=domain, DC=com))" -h dc.domain.com
>

I see a whitespace in the -f parameter string "OU=Proxy, DC=domain" section. Squid-3 does not support whitespace in helper command line parameters. So that alone may be the problem.
> ### acl for proxy auth and ldap authorizations
> acl auth proxy_auth REQUIRED
> acl BlockedAccess external memberof "/etc/squid/blocked_access.txt"
> acl StandardAccess external memberof "/etc/squid/standard_access.txt"
> acl FullAccess external memberof "/etc/squid/full_access.txt"
>
> acl allowedsites dstdomain "/etc/squid/allowedsites.txt"
> acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
>
> acl macaddresses arp "/etc/squid/macaddresses.txt"
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
>

NP: current recommendation/default is to have the manager ACL test after the localhost one, like so:

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny manager

> # allow unauthenticated access to macaddresses in list
> http_access allow macaddresses
> http_access deny !auth

NP: all users are guaranteed to be logged in from this point onwards. So any use of the "auth" ACL in later http_access lines and (most) other directives should be pointless. Making those lines more suspect for issues when troubleshooting.

> http_access deny BlockedAccess all
>
> http_access allow allowedsites
> http_access allow FullAccess auth
>

If you want clients to re-login whenever they fail the FullAccess group check then just remove the auth on this line.

==> please be aware that the repeated 407 you report seeing is how re-login shows up.
Though best-case does only one 407 loop, there is no limitation on how many can actually happen. Safari is known to never stop trying the non-working credentials.

If you do not want re-logins to happen then replace "auth" with "all".

> http_access deny blockedsites
> http_access allow StandardAccess auth
>

Same here.

> http_access deny all
>
> cache_mem 1024 MB
> cache_dir aufs /var/spool/squid 27648 16 256
>
> ### logging
> access_log /var/log/squid/access.log squid
> err_page_stylesheet /etc/squid/errorpage.css
> error_directory /etc/squid/error_pages
>
> ### squid Debian defaults
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
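The "read the transaction through the whole http_access list" check Amos describes, as an added example that is not part of this thread or of Squid's own code: a small Python model of http_access evaluation run over the rules exactly as posted. The Squid semantics it implements are simplified assumptions (every ACL on a line must match, the first matching line decides, the default is the opposite of the last line, and a denial is reported as a 407 challenge only when the request carries no valid credentials and the deciding line ends on an auth-dependent ACL). It does not try to reproduce the re-login behaviour Amos attributes to `allow FullAccess auth`. The group names, sites, addresses, users and MAC flag are constructed stand-ins for the real list files.

```python
"""Added example (not from the thread): trace which http_access line decides a
request.  Modelled Squid semantics, simplified (assumptions):
  * all ACL terms on a line must match (AND); the first matching line decides;
  * if no line matches, the default is the opposite of the last line's action;
  * a denial is reported as 407 when the request has no valid credentials and
    the deciding line ends on an auth-dependent ACL, otherwise as 403.
Hosts, users, groups and the MAC flag below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    src: str                          # client address
    dst: str                          # destination host
    port: int
    method: str = "GET"
    user: Optional[str] = None        # None: no valid proxy credentials
    groups: frozenset = frozenset()   # AD groups the authenticated user is in
    mac_known: bool = False           # client MAC is in macaddresses.txt
    manager: bool = False             # cache-manager request


# Constructed stand-ins for the group and site lists in /etc/squid/*.txt.
FULL, STANDARD, BLOCKED = "ProxyFull", "ProxyStandard", "ProxyBlocked"
ALLOWED_SITES = {"intranet.domain.com"}
BLOCKED_SITES = {"gambling.example"}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))


def member_of(group):
    # external memberof ACLs take %LOGIN: they cannot match without a user
    return (lambda r: r.user is not None and group in r.groups, True)


# name -> (predicate, depends on credentials)
ACLS = {
    "auth":           (lambda r: r.user is not None, True),
    "BlockedAccess":  member_of(BLOCKED),
    "StandardAccess": member_of(STANDARD),
    "FullAccess":     member_of(FULL),
    "allowedsites":   (lambda r: r.dst in ALLOWED_SITES, False),
    "blockedsites":   (lambda r: r.dst in BLOCKED_SITES, False),
    "macaddresses":   (lambda r: r.mac_known, False),
    "SSL_ports":      (lambda r: r.port == 443, False),
    "Safe_ports":     (lambda r: r.port in SAFE_PORTS, False),
    "CONNECT":        (lambda r: r.method == "CONNECT", False),
    "manager":        (lambda r: r.manager, False),
    "localhost":      (lambda r: r.src in ("127.0.0.1", "::1"), False),
    "all":            (lambda r: True, False),
}

# The http_access lines in the order they were posted in the thread.
POSTED_CONF = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# allow unauthenticated access to macaddresses in list
http_access allow macaddresses
http_access deny !auth
http_access deny BlockedAccess all
http_access allow allowedsites
http_access allow FullAccess auth
http_access deny blockedsites
http_access allow StandardAccess auth
http_access deny all
"""


def parse_http_access(conf):
    """Collect (action, [acl terms]) from http_access directives, in order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def trace(rules, req):
    """Return (action, deciding line number, status for a denial or None).
    Line number 0 means no line matched and the default applied."""
    for lineno, (action, terms) in enumerate(rules, 1):
        creds_last = False
        for term in terms:
            negate = term.startswith("!")
            pred, creds_last = ACLS[term.lstrip("!")]
            if pred(req) == negate:        # this term is false: line fails
                break
        else:                              # every term held: this line decides
            if action == "allow":
                return "allow", lineno, None
            return "deny", lineno, 407 if creds_last and req.user is None else 403
    default = "allow" if rules[-1][0] == "deny" else "allow"
    return default, 0, None if default == "allow" else 403


def drop_redundant_auth(rules):
    """After 'http_access deny !auth' every surviving request is authenticated,
    so a further 'auth' term on a later line cannot change that line's result."""
    out, guarded = [], False
    for action, terms in rules:
        if guarded and "auth" in terms and len(terms) > 1:
            terms = [t for t in terms if t != "auth"]
        out.append((action, terms))
        guarded = guarded or (action == "deny" and terms == ["!auth"])
    return out


def same_decisions(rules_a, rules_b, requests):
    """True when both rule lists give every request the same decision."""
    return all(trace(rules_a, r) == trace(rules_b, r) for r in requests)


POSTED_RULES = parse_http_access(POSTED_CONF)

# Constructed transactions: a phone with no credentials, a device in the MAC
# list, one AD user per group, one user in no group, and a remote manager hit.
PHONE_NO_CREDS = Request("10.0.0.5", "www.example.com", 443, "CONNECT")
PRINTER = Request("10.0.0.6", "www.example.com", 80, mac_known=True)
ALICE_FULL = Request("10.0.0.7", "www.example.com", 443, "CONNECT", "alice", frozenset({FULL}))
BOB_STD_BLOCKED = Request("10.0.0.8", "gambling.example", 80, "GET", "bob", frozenset({STANDARD}))
BOB_STD_OK = Request("10.0.0.8", "www.example.com", 80, "GET", "bob", frozenset({STANDARD}))
CAROL_BLOCKED = Request("10.0.0.9", "intranet.domain.com", 80, "GET", "carol", frozenset({BLOCKED}))
DAVE_NO_GROUP = Request("10.0.0.10", "www.example.com", 80, "GET", "dave")
REMOTE_MANAGER = Request("10.0.0.11", "proxy", 3128, manager=True)
SAMPLES = [PHONE_NO_CREDS, PRINTER, ALICE_FULL, BOB_STD_BLOCKED,
           BOB_STD_OK, CAROL_BLOCKED, DAVE_NO_GROUP, REMOTE_MANAGER]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.src, req.user, req.method, req.dst, "->", trace(POSTED_RULES, req))
    print("trailing auth terms redundant:",
          same_decisions(POSTED_RULES, drop_redundant_auth(POSTED_RULES), SAMPLES))
```

Running it shows the phone with no credentials being denied at line 7 (`deny !auth`) with a 407, the Standard user being stopped at `deny blockedsites` with a 403, and the BlockedAccess user being refused at line 8 even for a site in allowedsites because that deny comes first. It also reports that deleting the trailing `auth` terms after `deny !auth` changes no decision for any of the samples, which is the point in Amos's note about those terms being pointless. For a real check, substitute the fields from an access.log line and the real list files rather than these stand-ins.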