[squid-users] Authenticated or not?

From: Victor Viudez <victor_at_despi.com>
Date: Thu, 25 Oct 2012 22:19:36 +0200

Hi guys,

I have a little problem that I can't resolve.

I've configured our squid server to authenticate using Kerberos against a
Windows 2008 R2 native domain...

All the tests I've done seem to show that the authentication is correct... and then
I've modified the squid.conf file to use this type of auth on one of our
servers.

But every time I try to navigate to some permitted URLs, the login window
appears... and if we try to insert credentials, nothing happens.

The logs for these connections say that the user is authenticated... but still
gets a TCP_DENIED.

==> /var/log/squid/cache.log <==
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: Got 'YR YIIG0QYGKw.........DowWOKUFfVkRV' from squid (length: 2335).
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: Decode 'YIIG0QYGKw.........DowWOKUFfVkRV' (decoded length: 1749).

==> /var/log/squid/access.log <==
1351194477.443 8 10.0.10.112 TCP_DENIED/407 6805 GET http://www.google.es/ user1@DOMAIN.LOCAL NONE/- text/html

==> /var/log/squid/cache.log <==
2012/10/25 21:47:57| squid_kerb_auth: DEBUG: AF oYG2MIG...........yNG8nGs6Tuc= user1@DOMAIN.LOCAL
2012/10/25 21:47:57| squid_kerb_auth: INFO: User user1@DOMAIN.LOCAL authenticated

==> /var/log/squid/access.log <==
1351194477.634 0 10.0.10.112 TCP_DENIED/407 6839 GET http://www.google.es/favicon.ico user1@DOMAIN.LOCAL NONE/- text/html

This is the part of our squid.conf file where the authentication
methods and ACLs are defined:

acl websites dstdomain "/etc/squid/allowed_websites"

#------------------------------------------------------------------------------------------------------
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.domain.local
#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.domain.local@DOMAIN.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Fallback to LDAP if Kerberos fails
#auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=$
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

acl ad_auth proxy_auth REQUIRE

#external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/squid_kerb_ldap -g InternetAccess_ASTEIN_FULL
#acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
#http_access allow LDAP_GROUP_CHECK
#-------------------------------------------------------

http_access deny XENAPP02 !ad_auth
http_access allow websites XENAPP02 ad_auth

http_access allow LAN !XENAPP02
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

Any ideas?

Víctor Viudez
victor_at_despi.com
Received on Thu Oct 25 2012 - 20:17:45 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 26 2012 - 12:00:04 MDT
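The http_access block above is evaluated by Squid in order: the first line whose ACLs all match decides, a leading `!` negates an ACL, and when a matching deny line ends in a proxy_auth ACL Squid answers 407 (challenge) rather than 403. The following toy evaluator is an added example for readers of this thread, not Squid's code and not part of the original message; it reuses the five http_access lines from the post verbatim, but the address ranges for XENAPP02 and LAN and the contents of the allowed-website list are constructed assumptions, since the post does not show those definitions.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Rules: first line whose ACLs all match wins; '!' negates an ACL; a matching
deny line whose last ACL is a proxy_auth ACL yields a 407 challenge instead
of a 403. The src ranges for XENAPP02/LAN and the 'websites' list below are
constructed assumptions; the post only shows 'websites' and 'ad_auth'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# http_access lines exactly as in the post; nothing else is from it.
CONFIG = """
http_access deny XENAPP02 !ad_auth
http_access allow websites XENAPP02 ad_auth
http_access allow LAN !XENAPP02
http_access allow localhost
http_access deny all
"""

# Assumed ACL definitions (type, values). 'ad_auth' is proxy_auth REQUIRE.
ACLS = {
    "websites":  ("dstdomain",  {".example.com", ".intranet.local"}),  # assumed
    "XENAPP02":  ("src",        {"10.0.10.0/24"}),                     # assumed
    "LAN":       ("src",        {"10.0.0.0/16"}),                      # assumed
    "localhost": ("src",        {"127.0.0.1/32"}),
    "ad_auth":   ("proxy_auth", None),   # matches any authenticated user
    "all":       ("all",        None),
}


@dataclass
class Request:
    src: str             # client IP
    host: str            # destination host name
    user: Optional[str]  # None means no credentials were presented


def parse_http_access(text):
    """Turn 'http_access <action> <acl...>' lines into (action, [acls])."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        # ".example.com" matches example.com and any subdomain of it.
        return any(req.host == v.lstrip(".") or req.host.endswith(v) for v in values)
    if kind == "proxy_auth":
        return req.user is not None
    raise ValueError(f"unknown ACL type {kind}")


def evaluate(req, rules=None):
    """Return (result, index of the deciding http_access line).

    result is 'ALLOW', 'TCP_DENIED/403' or 'TCP_DENIED/407'.
    """
    rules = parse_http_access(CONFIG) if rules is None else rules
    for idx, (action, acls) in enumerate(rules):
        line_matches = True
        last_acl = None
        for token in acls:
            negated = token.startswith("!")
            last_acl = token.lstrip("!")
            if acl_matches(last_acl, req) == negated:   # ACL failed on this line
                line_matches = False
                break
        if not line_matches:
            continue
        if action == "allow":
            return "ALLOW", idx
        if ACLS[last_acl][0] == "proxy_auth":           # deny ending in auth ACL
            return "TCP_DENIED/407", idx
        return "TCP_DENIED/403", idx
    # No line matched: Squid applies the opposite of the last line's action.
    last_action = rules[-1][0] if rules else "deny"
    return ("TCP_DENIED/403" if last_action == "allow" else "ALLOW"), None


if __name__ == "__main__":
    for r in (Request("10.0.10.112", "www.google.es", None),
              Request("10.0.10.112", "www.google.es", "user1@DOMAIN.LOCAL"),
              Request("10.0.10.112", "www.example.com", "user1@DOMAIN.LOCAL"),
              Request("10.0.20.5", "www.google.es", None)):
        print(r, "->", evaluate(r))
```

Tracing the logged request through this model shows the point worth checking first when an authenticated user is denied: once `!ad_auth` no longer matches, the only allow line left for a XENAPP02 client is the one that also requires `websites`, so a destination missing from `/etc/squid/allowed_websites` falls all the way through to `deny all`. Comparing the model's 403 there with the 407 in the real access.log is also a reminder that Negotiate is a multi-step handshake, and that a 407 logged with a username can be an intermediate step of that handshake rather than a final decision.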