[squid-users] problem with acl

From: Johann PAVIS <jpavis@dont-contact.us>
Date: Tue, 21 Aug 2007 14:17:08 +0200

Hi everyone,
I'm using squid 2.6 with samba authentication. My problem is the
following. When I use a blank login and an existing (or previously
existing) login as password on browsers, access is granted although it
should not be. For example, I had a user "utilisateur" (samba and system
accounts) which worked (it could go on the internet). I deleted both the
system and samba accounts. When I use no login and "utilisateur" for
password (on firefox for example), it still works! Or if I use toto
(which is supposed to be a valid samba account) as password, it works
too.

Here is part of my squid.conf. I'm quite sure it's not a smb_auth
program bug because it works on the command line (it gives an error when
it only gets a password) and I modified the sh script used by it to know
when it is called by the squid process (it is not when no login is
given).

*** squid.conf ***
auth_param basic program /usr/lib/squid/smb_auth -U 127.0.0.1 -W MYDOMAIN
auth_param basic realm "Entrez votre login et votre mot de passe"
acl Users proxy_auth REQUIRED
acl e2c src a.b.c.d/255.255.254.0
acl austrasie src a.b.c.d/255.255.254.0
acl laxou src a.b.c.d/255.255.254.0
acl longlaville src a.b.c.d/255.255.254.0
acl luneville src a.b.c.d/255.255.254.0
acl nancy src a.b.c.d/255.255.254.0
acl all src 0.0.0.0/0.0.0.0
acl working_hours time MTWHF 08:00-20:00
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21
acl Safe_ports port 20
acl Safe_ports port 1025-65535
http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost
http_access deny !working_hours
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access deny manager
http_access deny purge
http_access allow Users
http_access allow nancy Users
http_access allow austrasie Users
http_access allow laxou Users
http_access allow longlaville Users
http_access allow luneville Users
http_access deny all
http_reply_access allow all
icp_access allow all
*** end squid.conf ***

My aim is to allow only 'real' authenticated users from my different
subnets, but I can't find out what my mistake is. Thanks for your help.

-- 
Johann Pavis
Received on Tue Aug 21 2007 - 06:17:16 MDT
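
Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides the request, so a broad line placed above a narrower one makes the narrower one dead. The Python check below is an added example (not part of the original post and not Squid code) that lists such unreachable lines in the posted rules; the function names are illustrative, and it does not address the blank-login behaviour itself.

```python
# http_access lines copied from the squid.conf in the post.
HTTP_ACCESS = """\
http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost
http_access deny !working_hours
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access deny manager
http_access deny purge
http_access allow Users
http_access allow nancy Users
http_access allow austrasie Users
http_access allow laxou Users
http_access allow longlaville Users
http_access allow luneville Users
http_access deny all
"""

def parse_rules(text):
    """Return [(line_no, action, frozenset of ACL terms)] for http_access lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((n, parts[1], frozenset(parts[2:])))
    return rules

def shadowed(rules):
    """Return [(later_line, earlier_line)] where the later rule can never decide.

    A line matches only when ALL of its ACL terms match. If an earlier line's
    terms are a subset of a later line's terms, every request that would match
    the later line has already been decided by the earlier one.
    """
    found = []
    for i, (n, _action, terms) in enumerate(rules):
        for m, _prev_action, prev_terms in rules[:i]:
            if prev_terms <= terms:
                found.append((n, m))
                break
    return found

if __name__ == "__main__":
    lines = HTTP_ACCESS.splitlines()
    for later, earlier in shadowed(parse_rules(HTTP_ACCESS)):
        print(f"line {later} ({lines[later - 1]}) is unreachable: "
              f"line {earlier} ({lines[earlier - 1]}) always matches first")
```

On the posted rules this flags the five per-subnet lines, because `http_access allow Users` above them already admits any authenticated client regardless of source address.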