[squid-users] some staff are randomly prompted for authentication

From: Roger Riggins <roger.riggins@dont-contact.us>
Date: Wed, 27 Jul 2005 12:32:49 -0500

Hi all,

I'm a Linux noob. I've managed to get Linux, Samba, and Squid working
without bugging anybody. I've run into one hiccup that I'm unable to
figure out.

I'm requiring ntlm authentication for Squid which works great, but I've
had a few calls (and experienced it once myself) where Squid is
prompting for authentication after a user has been surfing already.

I'm hoping somebody will have some insight for me!

Thanks!
Roger Riggins

 

Here is my environment:

Red Hat Enterprise Linux ES release 3 (Taroon Update 5)
squid-2.5.STABLE3-6.3E.9
samba-3.0.9-1.3E.3 (connected to AD)
Clients are Windows Server 2003 Citrix sessions

Here are my configs:

************************************************
squid.conf:
************************************************

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all

icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off
[root@cache01 public]# vi squid.conf
[root@cache01 public]# cat squid.conf

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow all AuthorizedUsers
http_access allow manager localhost
http_access deny manager
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all

icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off

************************************************
smb.conf
************************************************

[global]
workgroup = DOMAIN
netbios name = cache01
server string = cache01 cache server
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
password server = *
encrypt passwords = yes
realm = domain.local

[public]
path = /usr/local/public
comment = public share
read only = no

************************************************
nsswitch.conf
************************************************

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

************************************************
krb5.conf
************************************************

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319-290-5687
http://www.lsiowa.org

 
Received on Wed Jul 27 2005 - 11:32:51 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:03 MDT