Hi Everyone,
I've got Squid 4.10 on Ubuntu 20.10 LTS
I try to upgrade my server to Ubuntu 22.04 LTS
But the users couldn't get internet no more.
Here is the log in /var/log/squid/access.log :
1668004454.050 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.052 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.057 0 172.22.200.1 TCP_DENIED/407 3951 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.063 1 172.22.200.1 TCP_DENIED/407 4454 CONNECT
drive.google.com:443 - HIER_NONE/- text/html
1668004454.076 10 172.22.200.1 NONE_NONE/500 0 CONNECT
drive.google.com:443 infoe HIER_NONE/- -
And on the client :
ERR_TUNNEL_CONNECTION_FAILED
According to this page :
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
The cause is due to challenge-response process of NTLM
How can I solve it ?
Regards
Bertrand Friconneau
-------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of squid :
dns_v4_first on
visible_hostname squid
error_directory /usr/share/squid/errors/French
cache_dir ufs /data/squid/spool 5000 16 256
#cache_mem 256 MB
cache_mem 512 MB
coredump_dir /data/squid/spool
cache_store_log none
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 250
auth_param ntlm keep_alive off
acl sitebypass dstdomain
"/var/lib/squidguard/db/exception/bypassite/bypassite.url"
acl tor dst "/etc/squid/tor"
acl administrationzone src 172.21.0.0/16
acl informatiquezone src 172.28.0.0/16
acl secuzone src 172.18.0.0/16
acl srvzone src 172.20.0.0/16
acl url_exe url_regex -i \.[Mm][Ss][Ii]$ \.[Dd][Ll][Ll]$
acl ntlm proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow sitebypass
http_access deny tor
http_access deny url_exe
http_access allow administrationzone
#http_access allow pedagozone
#http_access allow xibozone
http_access allow informatiquezone
http_access allow secuzone
http_access allow srvzone
http_access allow ntlm
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 8080
url_rewrite_program /usr/bin/squidGuard -P -c
/etc/squidguard/squidGuard.conf
url_rewrite_children 75
coredump_dir /var/spool/squid
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
max_filedescriptors 65536
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of samba :
[global]
workgroup = STEMARIEAIZENAY
security = ADS
realm = STEMARIE-AIZENAY.LOCAL
encrypt passwords = yes
winbind separator = +
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config STEMARIEAIZENAY:backend = rid
idmap config STEMARIEAIZENAY:range = 10000-70000
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
winbind use default domain = yes
template homedir = /home/homes/%U
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the krb5.conf file :
[libdefaults]
default_realm = STEMARIE-AIZENAY.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
#ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
[realms]
STEMARIE-AIZENAY.LOCAL = {
kdc = srv-ad.stemarie-aizenay.local
admin_server = srv-ad.stemarie-aizenay.local
default_domain = stemarie-aizenay.local
}
[domain_realm]
.stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL
stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users