xor wrote:
> Hello,
> I have installed squid3 with authorisation in the windows2003 domain, with libraries kerberos5 and samba + winbind. OS Debian Lenny 5.0.1.
> Packages squid3, samba, krb and winbind are taken from official repositories (http://ftp.ru.debian.org/debian/).
>
> The proxy clients working under WinXP with browser IE6 or IE7 pass authorisation normally, without superfluous requests of a login/password.
>
> But those who uses Mozilla Firefox browser, at visiting of the sites especially containing JavaScript scenaries, often receive request of a login, password and domain for authorisation in proxy. If this request to reject (with pressed "cancel"), the client receives standard page of cache access denied. But if after that to press to "refresh", the page is loaded without login/password request, and all works normally before occurrence of the next of authorisation request.
> This effect observed on the firefox browsers only.
> Incr. or decr. of auth_param ntlm children parameters don't helped.
Please define what you mean by "containing JavaScript scenaries"? how is
this relevant to the HTTP requests?
Check that firefox has not saved previous passwords for the user or
another. This can cause issues as the known passwords are used first
every time.
With "debug_options ALL,1 29,6 28,6" cache.log gets a trace of the auth
and ACL actions. Check that to see what is going on.
You can expect to see some holdup while auth details are requested
from the browser whether or not the popup appears. You can see for those
checks whether is right to be needed or not though.
Some unrelated notes inline to the config...
>
> Configs:
>
> ###squid.conf
> auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 50
> auth_param ntlm keep_alive on
> authenticate_cache_garbage_interval 1 minute
> authenticate_ttl 2 minutes
> authenticate_ip_ttl 2 minutes
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 81 8080 8081 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 5222
> acl Safe_ports port 443 # https
> acl PURGE method PURGE
> acl CONNECT method CONNECT
> acl bad_pat_servers_ip src "/etc/squid3/acl/bad_pat_servers_ip"
I find it rather confusing that you call this a "servers_ip" and indeed
a pattern list yet use src which tests _client_ IP.
The name of the ACL sounds like you mean it to be a destination check of
some sort.
> acl microsoft_activation dstdomain "/etc/squid3/acl/microsoft_activation"
> acl ip_symantec_ftp src 192.168.2.11
> acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com liveupdate.symantecliveupdate.com
> acl good_sites dstdomain "/etc/squid3/acl/good_sites"
> acl bad_pattern url_regex "/etc/squid3/acl/bad_pattern"
> acl bad_sites dstdomain "/etc/squid3/acl/bad_sites"
> acl odvk url_regex "/etc/squid3/acl/odvk"
> acl odnokl_sites dstdomain "/etc/squid3/acl/odnokl_sites"
> acl odnokl_users proxy_auth "/etc/squid3/acl/odnokl_users"
> acl ip_users src "/etc/squid3/acl/ip_users"
> acl AuthUsers proxy_auth "/etc/squid3/acl/users"
> http_access allow manager localhost
> http_access deny manager
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow microsoft_activation
> http_access deny bad_pat_servers_ip
> http_access allow ip_symantec_ftp ftp_symantec
> http_access allow good_sites ip_users
> http_access allow good_sites AuthUsers
> http_access allow odnokl_sites odnokl_users
> http_access deny bad_pattern
> http_access deny bad_sites
> http_access deny odvk
> http_access allow ip_users
> http_access allow AuthUsers
> http_access allow localhost
> http_access deny all
> htcp_access deny all
> http_port 192.168.60.60:3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 256 MB
> cache_dir ufs /var/spool/squid3 1024 16 256
> access_log /var/log/squid3/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_access deny all
> icp_port 3130
Combined with the "icp_access deny all" I find this really weird.
The default action in Squid-3 is not to listen for ICP at all and to
deny all as well. I think you want to remove the icp_* configuration
entirely.
Same for the htcp_access line further up.
> forwarded_for off
> coredump_dir /var/spool/squid3
>
> ###smb.conf
> [global]
> workgroup = PATERSON
> realm = PATERSON.RU
> password server = SRV-MSK11 SRV-MSK12
> server string = %h server
> wins support = yes
> wins server = 192.168.2.11
> dns proxy = no
> interfaces = 192.168.60.60 eth0
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> invalid users = root
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> case sensitive = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind use default domain = No
> [homes]
> comment = Home Directories
> browseable = no
> read only = yes
> create mask = 0700
> directory mask = 0700
> valid users = %S
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
> Best regards, Ehenov Roman.
>
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.7Received on Mon May 18 2009 - 10:52:33 MDT
This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT