
Update from Squid 4 to Squid 5 :


 



Hi Everyone,

I've got Squid 4.10 on Ubuntu 20.10 LTS

I tried to upgrade my server to Ubuntu 22.04 LTS

But after that the users could no longer access the internet.

Here is the log in /var/log/squid/access.log :
1668004454.050      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.052      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.057      0 172.22.200.1 TCP_DENIED/407 3951 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.063      1 172.22.200.1 TCP_DENIED/407 4454 CONNECT drive.google.com:443 - HIER_NONE/- text/html
1668004454.076     10 172.22.200.1 NONE_NONE/500 0 CONNECT drive.google.com:443 infoe HIER_NONE/- -

And on the client :
ERR_TUNNEL_CONNECTION_FAILED

According to this page: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
the cause is the challenge-response process of NTLM.

How can I solve it ?

Regards

Bertrand Friconneau


-------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of squid :

# General identity and cache storage settings.
# NOTE(review): the Squid 5 release notes list dns_v4_first as a removed
# directive; run `squid -k parse` on the upgraded host to see how it is reported.
dns_v4_first on
visible_hostname squid

# Error pages are served from the French template directory.
error_directory /usr/share/squid/errors/French

# UFS disk cache under /data/squid/spool: 5000 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /data/squid/spool 5000 16 256
#cache_mem 256 MB
cache_mem 512 MB
# NOTE(review): coredump_dir is set a second time further down (/var/spool/squid);
# keep a single definition so the effective value is obvious.
coredump_dir /data/squid/spool
cache_store_log none

# Proxy authentication: NTLM is the only scheme configured, delegated to Samba's ntlm_auth helper.
# NOTE(review): NTLM is a legacy challenge-response scheme. The krb5.conf in this post
# references a keytab, but no "auth_param negotiate" scheme is configured here; if Kerberos
# is available in the domain, Negotiate is usually the preferred scheme - confirm.
# NOTE(review): ntlm_auth depends on winbindd; after an OS upgrade, confirm the helper
# still works when started by the account Squid runs as.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

# Upper bound on concurrently running NTLM helper processes.
auth_param ntlm children 250

# keep_alive off: Squid closes the connection after the initial 407 that advertises the scheme.
auth_param ntlm keep_alive off

# ACL definitions. These only name match conditions; the http_access rules decide what is allowed.
# Destination domains and destination IPs are loaded from external files.
acl sitebypass dstdomain "/var/lib/squidguard/db/exception/bypassite/bypassite.url"
acl tor dst "/etc/squid/tor"

# Client source networks, one ACL per zone.
acl administrationzone src 172.21.0.0/16
acl informatiquezone src 172.28.0.0/16
acl secuzone src 172.18.0.0/16
acl srvzone src 172.20.0.0/16
# Matches URLs ending in .msi or .dll only; -i already makes the match case-insensitive,
# so the [Mm]-style character classes are redundant.
# NOTE(review): for CONNECT requests Squid sees only host:port, so this pattern cannot
# match files fetched through an HTTPS tunnel.
acl url_exe url_regex -i \.[Mm][Ss][Ii]$ \.[Dd][Ll][Ll]$
# Matches any request that carries valid proxy credentials.
acl ntlm proxy_auth REQUIRED


# Port lists: SSL_ports limits CONNECT targets, Safe_ports limits destination ports in general.
# NOTE(review): Safe_ports includes the whole 1025-65535 range.
# The localhost and manager ACLs used by http_access are not defined in this file;
# presumably they rely on Squid's built-in definitions - confirm.
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

# Access rules. Squid evaluates http_access lines top to bottom and stops at the first match.
# NOTE(review): every allow rule below is matched before the Safe_ports, CONNECT and
# manager denies further down, so those denies never apply to the bypass destinations,
# the four source zones or authenticated users. The stock squid.conf places
# "deny !Safe_ports", "deny CONNECT !SSL_ports" and the manager rules first.
# NOTE(review): destinations in the bypass list are allowed for any client, without authentication.
http_access allow sitebypass
http_access deny tor
http_access deny url_exe
# The source zones below are allowed without proxy authentication.
http_access allow administrationzone
# pedagozone and xibozone are not defined among the ACLs shown in this post.
#http_access allow pedagozone
#http_access allow xibozone
http_access allow informatiquezone
http_access allow secuzone
http_access allow srvzone
# All remaining clients must authenticate; a request without credentials is answered with a 407 challenge.
http_access allow ntlm

# In practice reached only by requests that matched none of the rules above.
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

# Cache manager access is meant to be limited to localhost, but see the ordering note at the top.
http_access allow localhost manager
http_access deny manager

http_access allow localhost

# Final catch-all deny.
http_access deny all
# Listening port for client proxy connections.
http_port 8080

# Requests are passed to squidGuard for URL filtering/rewriting, using /etc/squidguard/squidGuard.conf.
# NOTE(review): the access.log excerpt in this post ends with a 500 for a request that already
# carries a user name, i.e. after authentication succeeded; cache.log is the place to look for
# helper errors (ntlm_auth, squidGuard). The cause cannot be determined from this file alone.
url_rewrite_program /usr/bin/squidGuard -P -c /etc/squidguard/squidGuard.conf

# Upper bound on concurrently running rewrite helper processes.
url_rewrite_children 75

# NOTE(review): second coredump_dir in this file (the first one is /data/squid/spool);
# keep a single definition.
coredump_dir /var/spool/squid
# Freshness rules for cached objects: regex, minimum age (minutes), percent, maximum age (minutes).
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320

# Requested file descriptor limit for the Squid process.
max_filedescriptors 65536

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my config file of samba :

[global]
   # Domain member configuration: the host joins the AD realm below and winbind resolves domain accounts.
   workgroup = STEMARIEAIZENAY
   security = ADS
   realm = STEMARIE-AIZENAY.LOCAL
   # NOTE(review): "encrypt passwords" is reported as deprecated by recent Samba releases
   # (yes is the default); run testparm on the upgraded host to confirm.
   encrypt passwords = yes
   winbind separator = +
   # ID mapping: tdb backend for the default domain (70001-80000), rid backend for the
   # AD domain (10000-70000); the two ranges do not overlap.
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config STEMARIEAIZENAY:backend  = rid
   idmap config STEMARIEAIZENAY:range  = 10000-70000
   # NOTE(review): user/group enumeration can be slow in large domains and is not
   # needed for authentication itself - confirm whether anything depends on it.
   winbind enum users = yes
   winbind enum groups = yes
   # File-share ACL and attribute handling; presumably unrelated to proxy authentication.
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   # Domain users are presented without the domain prefix.
   winbind use default domain = yes
   template homedir = /home/homes/%U

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is the krb5.conf file :

[libdefaults]
    # Default realm; DNS discovery of KDCs and realms is disabled, so the [realms]
    # and [domain_realm] sections of this file are what gets used.
    default_realm = STEMARIE-AIZENAY.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    #ticket_lifetime = 24h
    # NOTE(review): a keytab holds long-term keys; it should be readable only by the
    # account that needs it.
    default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
    # NOTE(review): this restricts Kerberos to rc4-hmac and single-DES. Single-DES support
    # was removed in MIT krb5 1.18 and rc4-hmac is deprecated and weak; check the krb5
    # version on the upgraded host and whether the domain controllers accept AES.
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    # Static KDC and admin server for the realm; both point at the same host.
    STEMARIE-AIZENAY.LOCAL = {
        kdc = srv-ad.stemarie-aizenay.local
        admin_server = srv-ad.stemarie-aizenay.local
        default_domain = stemarie-aizenay.local
    }

[domain_realm]
    # Maps the DNS domain and every host below it to the Kerberos realm.
    .stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL
    stemarie-aizenay.local = STEMARIE-AIZENAY.LOCAL



