Dear all,
I have the following setup:
# ../sbin/squid -v /usr/local/squid/etc
Squid Cache: Version 5.0.0-VCS
Service Name: squid
configure options: '--with-logdir=/var/log/squid' '--enable-auth-basic=LDAP,PAM,SMB,RADIUS' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-digest=LDAP,eDirectory' '--with-default-user=proxy'
# /usr/local/squid/etc
I have a huge range in terms of network, but awkwardly, the authentication/ACL and everything works well in one given subnet but not on the others. The users in the other subnets are not able to surf the internet, and this without any specific logs from the proxy side (the most significant part of the config can be seen below). Any request from these users just times out.
#debug_options 29,9
#dns_nameservers 192.168.0.9 192.168.0.4
#connect_timeout 1 minute
debug_options ALL,9 11,3 20,3
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BCM --kerberos /usr/local/squid/libexec/ext_kerberos_sid_group_acl -d -s GSS_C_NO_NAME
auth_param negotiate children 60
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA
auth_param ntlm children 60
auth_param ntlm keep_alive off
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic credentialsttl 4 hours
##
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=KATANA,dc=LOCAL" -D simpleuser@katana.local -W /usr/local/squid/etc/pass.txt -f sAMAccountName=%s -h 192.168.111.4
auth_param basic children 60
auth_param basic realm Banky Foibe
auth_param basic credentialsttl 1 minute
acl local0 dst 172.16.0.0/12
acl local1 dst 192.168.0.0/16
http_access allow local0 all
http_access allow local1 all
cache deny local1
cache deny local0
redirector_access deny local0
redirector_access deny local1
http_access deny !auth
http_access allow auth
#http_access deny all
http_port 8080
I can’t really understand the issue, from the affected networks:
- The user is able to ping the proxy and access its port 8080 (through telnet / netcat)
- The request is able to reach the proxy, but in the access_log the "user" is missing
1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
- TCP_DENIED/407, requesting the user to go through the authentication phase, is presented by the proxy to the user's browser, but nothing happens. I thought that if the timer set for Kerberos/NTLM expires, a pop-up should appear, but nothing (from Wireshark)
GET http://www.bing.com/favicon.ico HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.bing.com
Proxy-Connection: Keep-Alive
HTTP/1.1 407 Proxy Authentication Required
Server: squid/5.0.0-VCS
Mime-Version: 1.0
Date: Thu, 18 Jul 2019 10:01:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3733
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="KATANA - PERIMETER"
X-Cache: MISS from katana_proxy
Via: 1.1 lichtquanta (squid/5.0.0-VCS)
Connection: close
- In cache.log there is nothing that could mean something, just a bunch of ARP errors. Tried to debug section 29 for authentication ... but nothing. Checked the IE internet options, just in case the Windows authentication profile is not ticked ... but it is there.
I am lost so any help would really be appreciated.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
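For the symptom described in the post (every request from the affected subnets logged as TCP_DENIED/407 with no user, while another subnet authenticates fine), the following is a small access_log check added here as an example; it is not part of Squid and not from the original message. It parses Squid's native log format, groups requests by client /24, and flags subnets in which no request ever completed the Negotiate/NTLM/Basic exchange. The first sample line is the one quoted above; the remaining log lines, the subnets 192.168.10.0/24 and the user names are constructed for illustration.

```python
"""Group Squid native-format access_log lines by client subnet and flag the
subnets that only ever receive 407 challenges and never log a user name.

Example added for the squid-users post above; not Squid's own code.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the first line is the one quoted in the post, the rest
# are made up so that one subnet authenticates and one never does.
SAMPLE_LOG = """\
1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET http://api.bing.com/qsml.aspx? - HIER_NONE/- text/html
1563455061.102 1 192.168.230.195 TCP_DENIED/407 4714 GET http://www.bing.com/favicon.ico - HIER_NONE/- text/html
1563455062.517 1 192.168.230.40 TCP_DENIED/407 4714 GET http://example.org/ - HIER_NONE/- text/html
1563455063.004 1 192.168.10.21 TCP_DENIED/407 4714 GET http://example.org/ - HIER_NONE/- text/html
1563455063.120 215 192.168.10.21 TCP_MISS/200 8821 GET http://example.org/ jdoe HIER_DIRECT/93.184.216.34 text/html
1563455064.881 180 192.168.10.57 TCP_MISS/200 1204 GET http://example.org/a.css alice HIER_DIRECT/93.184.216.34 text/css
"""


def parse_line(line):
    """Parse one native-format line (ts elapsed client action/code bytes
    method url user hierarchy/peer type). Returns None for malformed lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action = fields[3]
    code = action.split("/", 1)[1] if "/" in action else ""
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "action": action,
        "code": code,
        "url": fields[6],
        # Squid writes "-" when no credentials were accepted for the request.
        "user": None if fields[7] == "-" else fields[7],
    }


def summarize(log_text, prefixlen=24):
    """Per client subnet: request count, 407 count and the set of users seen."""
    stats = defaultdict(lambda: {"requests": 0, "denied_407": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['client']}/{prefixlen}", strict=False)
        entry = stats[str(net)]
        entry["requests"] += 1
        if rec["code"] == "407":
            entry["denied_407"] += 1
        if rec["user"]:
            entry["users"].add(rec["user"])
    return dict(stats)


def stuck_subnets(stats):
    """Subnets where every request was a 407 and no user name ever appeared.

    A 407 on its own is normal: it is the first step of the Negotiate/NTLM
    handshake. A subnet that shows nothing but 407s has clients that never
    answer the challenge, which is exactly the pattern in the post.
    """
    return sorted(
        net
        for net, entry in stats.items()
        if entry["denied_407"] == entry["requests"] and not entry["users"]
    )


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for net, entry in sorted(totals.items()):
        print(f"{net:20} requests={entry['requests']:3} "
              f"407={entry['denied_407']:3} users={sorted(entry['users'])}")
    print("subnets never completing authentication:", stuck_subnets(totals))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the prefix length can be widened (for example 16) when the affected range is larger than a /24.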