Re: [squid-users] Squid + Kerberos + Active Directory

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Jun 2009 11:16:50 +1200

On Tue, 2 Jun 2009 11:48:51 -0700 (PDT), Truth Seeker
<truth_seeker_3535_at_yahoo.com> wrote:
> Thanks Amos. I followed that link and did the steps completely. But it
> is not working for me. Please look into the following details and kindly
> guide me to achieve the goal.
>
> The following information is herewith:
> 1. squid.conf
> 2. debugged info from cache.log
>
> contents of my squid.conf
>
> grep -v ^# /etc/squid/squid.conf | grep -v "^$"
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> ### For Active Directory Integration
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth

So only authenticated users can use the proxy from anywhere.

> http_access deny all

... nobody else can use it at all.
The following http_access lines are never matched.

> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> debug_options ALL,1 33,2 28,9
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /var/spool/squid
>
>
>
> contents of cache.log while accessing from a windows client who is a
> member of our domain.
>

The trace shows two requests arriving and being checked; they get as far as
"deny !auth" and squid sends back a 407 auth-required challenge to the
browser. If these are the same request, it looks like the browser does not
handle Kerberos.

<snip trace>
>
>
> -
> --
> ---
> Always try to find truth!!!
>
>
> --- On Tue, 6/2/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> Subject: Re: [squid-users] Squid + Kerberos + Active Directory
>> To: "Truth Seeker" <truth_seeker_3535_at_yahoo.com>
>> Cc: "Squid maillist" <squid-users_at_squid-cache.org>
>> Date: Tuesday, June 2, 2009, 2:53 PM
>> Truth Seeker wrote:
>> > Dear Pro's
>> >
>> > I am trying to configure a squid proxy in Windows 2003 Active
>> > Directory Environment. I need to make the migration from MS ISA Proxy
>> > to Squid 3.0 Stable13 on CentOS 5.2
>> >
>> > My primary goal is; 1. authenticate users without asking
>> > username/password (I mean like how a normal windows client will
>> > behave when he connects to internet through MS ISA Proxy in an Active
>> > Directory environment - which will not prompt username/password
>> > because of the Kerberos) by using the kerberos to communicate with
>> > the Win 2k3 Domain Controller.
>> >
>> > 2. Without any downtime.
>> >
>> >
>> > Am I dreaming about this... ??? is this a workable target??? Is there
>> > any issue in this environment???
>> >
>> > Awaiting your quick feedbacks ...
>> >
>>
>> Possible.
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> maybe even easy if you know what you are doing regarding
>> Kerberos.
>>
>> Amos
>> -- Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>> Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
>>
Received on Tue Jun 02 2009 - 23:16:56 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 04 2009 - 12:00:02 MDT
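The point made in the reply above (first matching http_access line wins, so the "allow localhost" after "deny all" can never be reached, and an unauthenticated request stops at "deny !auth" with a 407) can be checked mechanically. The following is an added example written for this page, not code from the thread or from the Squid project: a small Python model of Squid's first-match http_access evaluation, run over a constructed copy of the posted rule list. It assumes Squid's documented semantics (first matching line decides; no match at all yields the opposite of the last line; a proxy_auth ACL consulted for a request without credentials results in a 407 challenge) and supports only the ACL types the posted config uses, so it is a simplification of the real evaluator, useful for linting a policy before deploying it.

```python
import ipaddress

# Constructed sample mirroring the http_access section of the posted squid.conf
# (not the original file; unrelated directives are omitted).
SAMPLE_CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 1025-65535    # unregistered ports
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow auth
http_access deny all
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Parse acl and http_access lines; everything else is ignored."""
    acls = {"all": [("src", "0.0.0.0/0")]}  # 'all' is predefined in Squid 3
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, []).extend((kind, v) for v in values)
        elif words[0] == "http_access":
            rules.append((len(rules) + 1, words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True/False, or 'AUTH_NEEDED' when a proxy_auth ACL finds no credentials."""
    for kind, value in acls[name]:
        if kind in ("src", "dst"):
            if ipaddress.ip_address(req[kind]) in ipaddress.ip_network(value, strict=False):
                return True
        elif kind == "port":
            lo, _, hi = value.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        elif kind in ("method", "proto"):
            if req[kind] == value:
                return True
        elif kind == "proxy_auth":
            if req.get("user") is None:
                return "AUTH_NEEDED"
            return True  # REQUIRED: any authenticated user matches
    return False


def evaluate(acls, rules, req):
    """First matching http_access line wins. Returns (outcome, rule number).

    outcome is 'allow', 'deny', or '407' when a proxy_auth ACL is consulted
    for a request carrying no credentials (Squid challenges before deciding).
    With no match at all, Squid applies the opposite of the last line."""
    for num, action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            r = acl_matches(acls, term.lstrip("!"), req)
            if r == "AUTH_NEEDED":
                return "407", num
            if r == negate:  # a term fails when the acl result equals its negation flag
                matched = False
                break
        if matched:
            return action, num
    last_action = rules[-1][1]
    return ("deny" if last_action == "allow" else "allow"), None


def unreachable_rules(rules):
    """Numbers of http_access lines after the first unconditional 'all' line."""
    for i, (_, _, terms) in enumerate(rules):
        if terms == ["all"]:
            return [num for num, _, _ in rules[i + 1:]]
    return []


def request(src, user=None, method="GET", port=80, proto="http", dst="203.0.113.10"):
    """Build a constructed request record (dst uses a documentation-range address)."""
    return {"src": src, "dst": dst, "user": user, "method": method,
            "port": port, "proto": proto}


if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    print("unreachable http_access lines:", unreachable_rules(rules))
    cases = [("LAN client, no credentials", request("192.168.1.10")),
             ("localhost, no credentials", request("127.0.0.1")),
             ("LAN client, Kerberos user", request("192.168.1.10", user="alice@EXAMPLE.COM")),
             ("LAN user, CONNECT to port 22", request("192.168.1.10", user="alice@EXAMPLE.COM",
                                                    method="CONNECT", port=22))]
    for label, req in cases:
        print(f"{label}: {evaluate(acls, rules, req)}")
```

Running it reports lines 8 and 9 as unreachable and shows that both the LAN client and localhost stop at line 5 with a 407 when they present no credentials, which is exactly the trace behaviour described in the reply; a request that arrives with a ticket is allowed at line 6, and a CONNECT to a non-safe port is refused at line 3 regardless of authentication.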