[squid-users] Re: Squid + Kerberos + Active Directory

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 2 Jun 2009 20:56:46 +0100

Can you send me the following:

fqdn
hostname
klist -kt squid.keytab (if you use MIT Kerberos)

Does your startup script set the KRB5_KTNAME environment variable?

Can you do a successful kinit -k squid.keytab HTTP/hostname?

Can you add a -d to squid_kerb_auth and send me the output?

Did you use the fqdn in IE to point to squid?

Regards
Markus

"Truth Seeker" <truth_seeker_3535_at_yahoo.com> wrote in message
news:177962.48305.qm_at_web43409.mail.sp1.yahoo.com...

Thanks Amos. I followed that link and did the steps completely. But it is
not working for me. Please look into the following details and kindly guide
me to achieve the goal.

The following information is herewith:
1. squid.conf
2. debugged info from cache.log

Contents of my squid.conf:

 grep -v ^# /etc/squid/squid.conf | grep -v "^$"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
### For ACtive Directory Inegration
auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2 28,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid

Contents of cache.log while accessing from a Windows client that is a member
of our domain:

2009/06/02 21:38:06.486| aclCheckFast: list: 0x8a8ff60
2009/06/02 21:38:06.486| ACLChecklist::preCheck: 0xbfb8ae94 checking
'ident_lookup_access deny all'
2009/06/02 21:38:06.486| ACLList::matches: checking all
2009/06/02 21:38:06.486| ACL::checklistMatches: checking 'all'
2009/06/02 21:38:06.486| aclMatchIp: '192.168.4.139' found
2009/06/02 21:38:06.486| ACL::ChecklistMatches: result for 'all' is 1
2009/06/02 21:38:06.486| ACLList::matches: result is true
2009/06/02 21:38:06.486| aclmatchAclList: 0xbfb8ae94 returning true (AND
list satisfied)
2009/06/02 21:38:06.486| ACLChecklist::markFinished: 0xbfb8ae94 checklist
processing finished
2009/06/02 21:38:06.486| ACLChecklist::~ACLChecklist: destroyed 0xbfb8ae94
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access allow manager localhost'
2009/06/02 21:38:06.487| ACLList::matches: checking manager
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.487| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.487| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny manager'
2009/06/02 21:38:06.487| ACLList::matches: checking manager
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.487| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.487| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.487| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny !Safe_ports'
2009/06/02 21:38:06.487| ACLList::matches: checking !Safe_ports
2009/06/02 21:38:06.487| ACL::checklistMatches: checking 'Safe_ports'
2009/06/02 21:38:06.487| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/06/02 21:38:06.487| ACLList::matches: result is false
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.488| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.488| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny CONNECT !SSL_ports'
2009/06/02 21:38:06.488| ACLList::matches: checking CONNECT
2009/06/02 21:38:06.488| ACL::checklistMatches: checking 'CONNECT'
2009/06/02 21:38:06.488| ACL::ChecklistMatches: result for 'CONNECT' is 0
2009/06/02 21:38:06.488| ACLList::matches: result is false
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.488| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.488| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny !auth'
2009/06/02 21:38:06.488| ACLList::matches: checking !auth
2009/06/02 21:38:06.488| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.488| aclMatchAcl: returning 0 sending authentication
challenge.
2009/06/02 21:38:06.488| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.488| ACLList::matches: result is true
2009/06/02 21:38:06.488| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.488| ACLChecklist::checkForAsync: requiring Proxy Auth
header..
2009/06/02 21:38:06.488| ACLChecklist::markFinished: 0x8d9c188 checklist
processing finished
2009/06/02 21:38:06.488| aclmatchAclList: async=1 nodeMatched=1
async_in_progress=0 lastACLResult() = 1 finished() = 1
2009/06/02 21:38:06.488| ACLChecklist::check: 0x8d9c188 match found, calling
back with 2
2009/06/02 21:38:06.488| ACLChecklist::checkCallback: 0x8d9c188 answer=2
2009/06/02 21:38:06.488| aclGetDenyInfoPage: got called for auth
2009/06/02 21:38:06.488| aclGetDenyInfoPage: no match
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.488| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.488| aclCheckFast: list: 0
2009/06/02 21:38:06.488| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| aclCheckFast: list: 0
2009/06/02 21:38:06.489| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.489| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.523| aclCheckFast: list: 0x8a8ff60
2009/06/02 21:38:06.523| ACLChecklist::preCheck: 0xbfb8ae94 checking
'ident_lookup_access deny all'
2009/06/02 21:38:06.523| ACLList::matches: checking all
2009/06/02 21:38:06.523| ACL::checklistMatches: checking 'all'
2009/06/02 21:38:06.523| aclMatchIp: '192.168.4.139' found
2009/06/02 21:38:06.523| ACL::ChecklistMatches: result for 'all' is 1
2009/06/02 21:38:06.523| ACLList::matches: result is true
2009/06/02 21:38:06.523| aclmatchAclList: 0xbfb8ae94 returning true (AND
list satisfied)
2009/06/02 21:38:06.523| ACLChecklist::markFinished: 0xbfb8ae94 checklist
processing finished
2009/06/02 21:38:06.523| ACLChecklist::~ACLChecklist: destroyed 0xbfb8ae94
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access allow manager localhost'
2009/06/02 21:38:06.525| ACLList::matches: checking manager
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny manager'
2009/06/02 21:38:06.525| ACLList::matches: checking manager
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'manager'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'manager' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny !Safe_ports'
2009/06/02 21:38:06.525| ACLList::matches: checking !Safe_ports
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'Safe_ports'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny CONNECT !SSL_ports'
2009/06/02 21:38:06.525| ACLList::matches: checking CONNECT
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'CONNECT'
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'CONNECT' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is false
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.525| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/06/02 21:38:06.525| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny !auth'
2009/06/02 21:38:06.525| ACLList::matches: checking !auth
2009/06/02 21:38:06.525| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.525| aclMatchAcl: returning 0 sending credentials to
helper.
2009/06/02 21:38:06.525| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.525| ACLList::matches: result is true
2009/06/02 21:38:06.525| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.525| ACLChecklist::asyncInProgress: 0x8d9c188 async set
to 1
2009/06/02 21:38:06.525| ACLChecklist::checkForAsync: checking password via
authenticator
2009/06/02 21:38:06.525| aclmatchAclList: async=1 nodeMatched=1
async_in_progress=1 lastACLResult() = 1 finished() = 0
2009/06/02 21:38:06.526| ACLChecklist::asyncInProgress: 0x8d9c188 async set
to 0
2009/06/02 21:38:06.526| ACLChecklist::preCheck: 0x8d9c188 checking
'http_access deny !auth'
2009/06/02 21:38:06.526| ACLList::matches: checking !auth
2009/06/02 21:38:06.526| ACL::checklistMatches: checking 'auth'
2009/06/02 21:38:06.526| aclMatchAcl: returning 0 sending authentication
challenge.
2009/06/02 21:38:06.526| ACL::ChecklistMatches: result for 'auth' is 0
2009/06/02 21:38:06.526| ACLList::matches: result is true
2009/06/02 21:38:06.526| aclmatchAclList: 0x8d9c188 returning false (AND
list entry failed to match)
2009/06/02 21:38:06.526| ACLChecklist::checkForAsync: requiring Proxy Auth
header.
2009/06/02 21:38:06.526| ACLChecklist::markFinished: 0x8d9c188 checklist
processing finished
2009/06/02 21:38:06.526| aclmatchAclList: async=1 nodeMatched=1
async_in_progress=0 lastACLResult() = 1 finished() = 1
2009/06/02 21:38:06.526| ACLChecklist::check: 0x8d9c188 match found, calling
back with 2
2009/06/02 21:38:06.526| ACLChecklist::checkCallback: 0x8d9c188 answer=2
2009/06/02 21:38:06.526| aclGetDenyInfoPage: got called for auth
2009/06/02 21:38:06.526| aclGetDenyInfoPage: no match
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.526| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.526| aclCheckFast: list: 0
2009/06/02 21:38:06.526| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| aclCheckFast: list: 0
2009/06/02 21:38:06.527| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| aclCheckFast: list: 0
2009/06/02 21:38:06.527| aclCheckFast: no matches, returning: 1
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c21c
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188
2009/06/02 21:38:06.527| ACLChecklist::~ACLChecklist: destroyed 0x8d9c188

--
Always try to find truth!!!
--- On Tue, 6/2/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> Subject: Re: [squid-users] Squid + Kerberos + Active Directory
> To: "Truth Seeker" <truth_seeker_3535_at_yahoo.com>
> Cc: "Squid maillist" <squid-users_at_squid-cache.org>
> Date: Tuesday, June 2, 2009, 2:53 PM
> Truth Seeker wrote:
> > Dear Pro's
> >
> > I am trying to configure a squid proxy in Windows 2003 Active
> > Directory Environment. I need to make the migration from MS ISA Proxy
> > to Squid 3.0 Stable13 on CentOS 5.2
> >
> > My primary goal is: 1. authenticate users without asking
> > username/password (I mean like how a normal Windows client will
> > behave when he connects to internet through MS ISA Proxy in an Active
> > Directory environment - which will not prompt username/password
> > because of the Kerberos) by using the kerberos to communicate with
> > the Win 2k3 Domain Controller.
> >
> > 2. Without any downtime.
> >
> >
> > Am I dreaming about this... ??? is this a workable target??? Is there
> > any issue in this environment???
> >
> > Awaiting your quick feedbacks ...
> >
>
> Possible.
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> maybe even easy if you know what you are doing regarding Kerberos.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
> Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
>
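The cache.log in the thread shows the proxy_auth ACL go "sending authentication challenge", then "sending credentials to helper", then a second challenge, which is what you see when squid_kerb_auth does not accept the token the client sent. As an added example (not code from the thread or from Squid), the Python below reads such a paste, re-joins lines that a mail client wrapped, and classifies the exchange so the helper-side checks Markus asks for (keytab, KRB5_KTNAME, squid_kerb_auth -d, FQDN in IE) can be separated from a client that never answered the 407 with a token. The matched message strings are the ones in the log above; the classification labels and the sample lines are constructed for this example.

```python
import re

# Squid 3.0 cache.log lines (debug_options ALL,1 33,2 28,9) start with a
# timestamp and "| "; continuation lines from mail wrapping do not.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} [\d:.]+)\|\s*(.*)$")

# Messages from Squid's proxy_auth ACL check that matter here.
CHALLENGE = "sending authentication challenge"  # Squid answers 407 Proxy-Authenticate
HELPER = "sending credentials to helper"        # token handed to squid_kerb_auth

# Constructed sample: the auth-related lines from the thread's cache.log,
# with the first one left wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
2009/06/02 21:38:06.488| aclMatchAcl: returning 0 sending authentication
challenge.
2009/06/02 21:38:06.488| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2009/06/02 21:38:06.525| aclMatchAcl: returning 0 sending credentials to helper.
2009/06/02 21:38:06.526| aclMatchAcl: returning 0 sending authentication challenge.
"""

def parse_records(log_text):
    """Re-join wrapped lines into (timestamp, message) records."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and raw.strip():
            records[-1][1] += " " + raw.strip()
    return [tuple(r) for r in records]

def auth_events(log_text):
    """Ordered (timestamp, 'challenge' | 'helper') events from the log."""
    events = []
    for ts, msg in parse_records(log_text):
        if CHALLENGE in msg:
            events.append((ts, "challenge"))
        elif HELPER in msg:
            events.append((ts, "helper"))
    return events

def diagnose(events):
    """Classify the Negotiate exchange seen in the log (labels are my own)."""
    kinds = [kind for _, kind in events]
    if not kinds:
        return "no-auth-activity"
    if "helper" not in kinds:
        # Only 407s were sent: the client never answered with a token.
        return "client-never-sent-token"
    last_helper = len(kinds) - 1 - kinds[::-1].index("helper")
    if "challenge" in kinds[last_helper + 1:]:
        # A new challenge after the helper ran: the helper did not accept the token.
        return "helper-rejected-token"
    return "helper-accepted-or-pending"
```

Feed it the full cache.log paste from the thread and it returns "helper-rejected-token"; only when the client never sends a token does the result point at the browser rather than at the keytab and SPN.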
Received on Tue Jun 02 2009 - 19:57:13 MDT
