Re: [squid-users] Re: Squid_kerb_ldap intermittently failing auth

From: Mark deJong <dejongm_at_gmail.com>
Date: Tue, 17 Aug 2010 18:00:46 -0400

Hello Markus,
It turns out it was an issue with ipv6. I recompiled and that fixed
the problem. Thanks for getting back!

Best,
Mark

On Tue, Aug 17, 2010 at 3:39 PM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Can you run both squid_kerb_ldap and squid_kerb_auth with -d. It should give
> a lot more details to find out why it happens
>
> Markus
>
> "Mark deJong" <dejongm_at_gmail.com> wrote in message
> news:AANLkTikvdJu6+ysyWkDN7VxYzYTS4RtDJGF7ccNzmqyb_at_mail.gmail.com...
>>
>> Hello,
>> I'm having an issue with squid_kerb_auth. It seems not all proxy
>> requests are getting serviced. When falling back on NTLM the requests
>> come through fine.
>>
>> My guess is subsequent GET requests made over Proxy_KeepAlive sessions
>> are not getting serviced. I confirmed this on a trace using Wireshark
>> where the client requests a page but Squid doesn't come back with an
>> answer. Is this a known issue?
>>
>> I'm currently running squid3-3.1.6 and have seen this behavior both
>> with the included squid_kerb_auth and a separately compiled binary.
>>
>> squid.conf follows:
>>
>>
>> http_port 8080
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> acl apache rep_header Server ^Apache
>> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>>
>> access_log /var/log/squid/access.log combined
>>
>>
>>
>> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d -s HTTP/dc32-wgw01.nix.DOM.LOCAL@USHS.DOM.LOCAL
>> auth_param negotiate children 30
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>> auth_param ntlm use_ntlm_negotiate on
>>
>> external_acl_type AD_US_TEMPS ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g temps@US.DOM.LOCAL
>> external_acl_type AD_US_ITDEPT ttl=3600 negative_ttl=3600 %LOGIN /usr/bin/squid_kerb_ldap -d -g ITDept@US.DOM.LOCAL
>>
>>
>>
>>
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>>
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>>
>> acl firefox_browser browser Firefox
>>
>> acl UnrestrictedUsers external AD_US_ITDEPT
>> acl TempUsers external AD_US_TEMPS
>> acl AuthorizedUsers proxy_auth REQUIRED
>>
>>
>> acl hq-dmz src 10.50.192.0/24
>> acl hq-servers src 10.50.64.0/23 10.50.4.0/24
>> acl hq-services src 10.50.8.0/24 10.50.2.0/24
>> acl hq-dev src 10.50.66.0/24
>>
>> acl ie_urls dstdomain "/etc/squid/ie_urls.allow"
>>
>> acl service_urls dstdomain "/etc/squid/service_urls.allow"
>> acl dev_urls dstdomain "/etc/squid/dev_urls.allow"
>> acl hq-servers_urls dstdomain "/etc/squid/servers_urls.allow"
>> acl temp_urls dstdomain "/etc/squid/temp_urls.allow"
>>
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>>
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>>
>> http_access allow hq-servers hq-servers_urls
>> http_access deny hq-servers
>>
>> http_access allow hq-services service_urls
>> http_access deny hq-services
>>
>> http_access allow hq-dev dev_urls
>> http_access deny hq-dev
>>
>>
>> http_access allow TempUsers temp_urls
>> http_access deny TempUsers all
>>
>> http_access allow UnrestrictedUsers
>> http_access deny UnrestrictedUsers all
>>
>> http_access deny !AuthorizedUsers
>> http_access allow all
>> http_access deny all
>>
>>
>> http_reply_access allow all
>> icp_access allow all
>> cache_mgr support_at_DOM.LOCAL
>> coredump_dir /var/spool/squid
>>
>>
>>
>> Thanks,
>> M. de Jong
>>
>
>
>
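The http_access block in the quoted squid.conf is evaluated top to bottom with first-match semantics, and with Kerberos/NTLM helpers in the chain it is easy to lose track of which clients never reach the authentication rules and what an authenticated user outside both AD groups ends up with. The following is an added example, written for this archive page and not code from the thread or from Squid itself: a small Python model of Squid's rule evaluation (every ACL term on a line must match, "!" negates a term, the first matching line decides, and an exhausted list yields the opposite of the last line's action) run over the posted rules. The contents of the *_urls.allow files, the Safe_ports definition (the posted config never defines it) and the sample clients are all assumptions; proxy_auth and the two %LOGIN external ACLs are modelled as "has credentials" / "is in group" checks, and the 407 challenge real Squid would send to an unauthenticated client is reported as a deny.

```python
# Added example: a model of Squid http_access evaluation over the rules
# posted in the thread above. Not Squid code and not the poster's code.
# Assumptions: dstdomain file contents, the Safe_ports ACL (undefined in the
# posted config), and that proxy_auth / external %LOGIN ACLs reduce to
# "has credentials" / "is in group". Real Squid challenges (407) as soon as
# an unauthenticated request hits one of those ACLs; here that is a "deny".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass
class Request:
    src: str                              # client IP
    dst: str = "www.example.com"          # destination host
    port: int = 80
    method: str = "GET"
    proto: str = "http"                   # "cache_object" for manager URLs
    user: Optional[str] = None            # None: no Proxy-Authorization sent
    groups: FrozenSet[str] = frozenset()  # AD groups the user belongs to


# Constructed stand-ins for the *_urls.allow files named in the config.
DSTDOMAIN_FILES = {
    "/etc/squid/servers_urls.allow": [".example.com"],
    "/etc/squid/service_urls.allow": [".example.net"],
    "/etc/squid/dev_urls.allow": [".example.org"],
    "/etc/squid/temp_urls.allow": [".intranet.example"],
}

# ACL name -> (type, argument), mirroring the acl lines http_access uses.
ACLS = {
    "manager": ("proto", "cache_object"),
    "localhost": ("src", ["127.0.0.1/32"]),
    "all": ("src", ["0.0.0.0/0"]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (1025, 65535)]),  # assumed
    "SSL_ports": ("port", [(443, 443)]),
    "CONNECT": ("method", "CONNECT"),
    "hq-servers": ("src", ["10.50.64.0/23", "10.50.4.0/24"]),
    "hq-services": ("src", ["10.50.8.0/24", "10.50.2.0/24"]),
    "hq-dev": ("src", ["10.50.66.0/24"]),
    "hq-servers_urls": ("dstdomain", DSTDOMAIN_FILES["/etc/squid/servers_urls.allow"]),
    "service_urls": ("dstdomain", DSTDOMAIN_FILES["/etc/squid/service_urls.allow"]),
    "dev_urls": ("dstdomain", DSTDOMAIN_FILES["/etc/squid/dev_urls.allow"]),
    "temp_urls": ("dstdomain", DSTDOMAIN_FILES["/etc/squid/temp_urls.allow"]),
    "UnrestrictedUsers": ("external", "ITDept@US.DOM.LOCAL"),
    "TempUsers": ("external", "temps@US.DOM.LOCAL"),
    "AuthorizedUsers": ("proxy_auth", "REQUIRED"),
}

# The posted http_access lines, in order.
RULES = [
    ("allow", "manager localhost"),
    ("deny", "manager"),
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT !SSL_ports"),
    ("allow", "hq-servers hq-servers_urls"),
    ("deny", "hq-servers"),
    ("allow", "hq-services service_urls"),
    ("deny", "hq-services"),
    ("allow", "hq-dev dev_urls"),
    ("deny", "hq-dev"),
    ("allow", "TempUsers temp_urls"),
    ("deny", "TempUsers all"),
    ("allow", "UnrestrictedUsers"),
    ("deny", "UnrestrictedUsers all"),
    ("deny", "!AuthorizedUsers"),
    ("allow", "all"),
    ("deny", "all"),
]


def acl_matches(name: str, req: Request) -> bool:
    kind, arg = ACLS[name]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(n) for n in arg)
    if kind == "dstdomain":
        # ".example.com" matches the domain and its subdomains; a bare name only itself
        return any(req.dst == d.lstrip(".") or (d.startswith(".") and req.dst.endswith(d))
                   for d in arg)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in arg)
    if kind == "method":
        return req.method == arg
    if kind == "proto":
        return req.proto == arg
    if kind == "proxy_auth":
        return req.user is not None
    if kind == "external":
        return req.user is not None and arg in req.groups
    raise ValueError(f"unknown ACL {name}")


def http_access(req: Request) -> Tuple[str, Optional[int]]:
    """Return (decision, 1-based rule number), or (default, None) if nothing matched."""
    for number, (action, terms) in enumerate(RULES, start=1):
        # a term passes when its match result differs from its negation flag
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms.split()):
            return action, number
    return ("deny" if RULES[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    temps = frozenset({"temps@US.DOM.LOCAL"})
    it = frozenset({"ITDept@US.DOM.LOCAL"})
    for label, req in [
        ("server, listed domain", Request("10.50.64.5", "www.example.com")),
        ("server, other domain", Request("10.50.64.5", "evil.example.net")),
        ("workstation, no credentials", Request("10.50.100.7")),
        ("temp user, listed domain", Request("10.50.100.7", "wiki.intranet.example", user="alice", groups=temps)),
        ("temp user, other domain", Request("10.50.100.7", user="alice", groups=temps)),
        ("IT user", Request("10.50.100.7", "anything.example.org", user="bob", groups=it)),
        ("authenticated, no group", Request("10.50.100.7", user="carol")),
        ("CONNECT to 8443", Request("10.50.100.7", port=8443, method="CONNECT")),
    ]:
        print(f"{label:32s} -> {http_access(req)}")
```

Walking the table shows the two things worth knowing about this ordering: the hq-* subnets are decided by rules 5 to 10 and never touch the Kerberos or LDAP helpers, and an authenticated user who is in neither AD group falls through rules 11 to 15 and is admitted by `http_access allow all`, so group membership restricts only the temps.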
Received on Tue Aug 17 2010 - 22:00:53 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 18 2010 - 12:00:03 MDT