Re: [squid-users] Problems with Group detection with ADS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 21 May 2014 20:22:00 +1200

On 21/05/2014 8:00 p.m., Puschmann, Sven wrote:
> Hi Folks,
>
> I've installed a new SQUID server for our holding company (same Active Directory forest, but another domain) and I have a little problem with it.
>
> Here's the auth and external ACL config from both servers (running and newly installed):
>
> Running Config (Part):
> ===================================================================================
> ### Kerberos
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### BASIC
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS Name>
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> ################################
> ### Access rule definitions ###
> ################################
> acl auth proxy_auth REQUIRED
>
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
> external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
> external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,spyware,violence,virusinfected,warez,webmail
>
> acl Full external testForNTGroup RZ-PXY-Full
> acl Standard external testForNTGroup RZ-PXY-Standard
> acl Blocked external testForNTGroup RZ-PXY-Blocked
> acl StandardSocial external testForNTGroup RZ-PXY-SocialMedia
> acl StandardVideo external testForNTGroup RZ-PXY-Videoportale
> acl StandardAdvanced external testForNTGroup RZ-PXY-StandardAdvanced
> ===================================================================================
>
> Problem Config (same part):
> ===================================================================================
> ### Kerberos
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME> --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=<DOMAIN-NAME>
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
> ### BASIC
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=<DOMAIN-FQDN>,dc=<DOMAIN-TLD>" -D squid@<DOMAIN-FQDN>.<DOMAIN-TLD> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h <DC DNS NAME>
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> ################################
> ### Access rule definitions ###
> ################################
> acl auth proxy_auth REQUIRED
>
> external_acl_type testForNTGroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
> external_acl_type urlblacklist_lookup ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,blog,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,social_networks,spyware,violence,virusinfected,warez,webmail
> external_acl_type urlblacklist_lookup_soc ttl=60 %URI /usr/local/bin/url_lookup adult,aggressive,artnudes,chat,dating,desktopsillies,dialers,drugs,filehosting,gambling,games,hacking,instantmessaging,mail,mixed_adult,naturism,onlineauctions,onlinegames,phishing,porn,proxy,ringtones,sexuality,sexualityeducation,socialnetworking,spyware,violence,virusinfected,warez,webmail
>
> acl Full external testForNTGroup pxy-full
> acl Standard external testForNTGroup pxy-standard
> acl Blocked external testForNTGroup pxy-blocked
> acl StandardSocial external testForNTGroup pxy-socialmedia
> acl StandardVideo external testForNTGroup pxy-videoportale
> acl StandardAdvanced external testForNTGroup pxy-standardadvanced
> ===================================================================================
>
> The Problem is:
> If the user connects to the proxy server via the hostname, he lands in the last "Deny All" ACL because the proxy server cannot determine the user's group correctly. But if I set the proxy via the direct IP address, everything is okay.
> On the running SQUID (first config snippet) there is no such problem.
>
> Here are some Debug Outputs (same output in the running SQUID):
> =================================================
> wbinfo -t
> checking the trust secret for domain <DOMAIN-NAME> via RPC calls succeeded
>
> echo "<DOMAIN-NAME>\user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
> OK
>
> echo "user.name pxy-standard" | /usr/lib/squid3/wbinfo_group.pl
> OK
> =================================================
>

So NTLM and Basic user names work.

How about Kerberos credentials? (user.name@DOMAIN-NAME)

> Does anybody have an idea what the problem might be? I'm really confused by the situation that it's okay via IP address and not okay via DNS name. The DNS resolution works (from any client).
>

* Squid version(s)?

* Samba version?

* is there anything different about the IPs the proxy hostname resolves to on each site?

* are the Kerberos keytabs for proxy by-hostname correctly installed on the client machines in the new location?
 - compare the sets available to users at each location and see if there is a difference.

Amos
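Amos's question about the Kerberos credential form is the crux of the thread. A browser that reaches the proxy by hostname can obtain a service ticket for HTTP/<hostname> and authenticates with Negotiate/Kerberos, so %LOGIN reaches the group helper as user.name@REALM; a browser pointed at the bare IP address has no SPN to request a ticket for and falls back to NTLM, whose login is DOMAIN\user.name, the form the debug output above shows wbinfo_group.pl accepting. The script below is an added example, not code from the thread or from the Squid project: a small wrapper placed between Squid and wbinfo_group.pl that rewrites a Kerberos principal into the NetBIOS DOMAIN\user form before forwarding the request. The realm-to-domain table, the example realm names, the --helper flag and the install path /usr/local/bin/group_wrapper.sh are assumptions.

```bash
#!/bin/bash
# Added example: a wrapper that Squid can run in place of wbinfo_group.pl so that
# Kerberos logins (user.name@REALM) reach the real helper in the DOMAIN\user.name
# form the thread's debug output showed working. Not code from the thread or from
# the Squid project; the realm->domain table and the --helper flag are assumptions.

# Assumed realm -> NetBIOS domain table (one "REALM=DOMAIN" per line); edit for your forest.
REALM_MAP='HOLDING.EXAMPLE=HOLDING
CORP.EXAMPLE=CORP'

# The real group helper being fronted (path as in the squid.conf above).
REAL_HELPER=${REAL_HELPER:-/usr/lib/squid3/wbinfo_group.pl}

# urldecode_login LOGIN: Squid may URL-encode %LOGIN (quote=url), turning the
# backslash into %5C and '@' into %40; those are the only two characters the
# three login forms (DOMAIN\user, user, user@REALM) contain, so decode just them.
urldecode_login() {
    printf '%s\n' "$1" | sed -e 's/%5[Cc]/\\/g' -e 's/%40/@/g'
}

# normalize_login LOGIN: print the login as DOMAIN\user when it is a Kerberos
# principal; leave NTLM (DOMAIN\user) and Basic (user) logins untouched.
normalize_login() {
    local login user realm domain
    login=$(urldecode_login "$1")
    case $login in
        *@*)
            user=${login%@*}
            realm=${login##*@}
            # Map the realm to its NetBIOS name; an unknown realm falls back to
            # its first DNS label, which is the NetBIOS name in many (not all) forests.
            domain=$(printf '%s\n' "$REALM_MAP" | awk -F= -v r="$realm" '$1 == r { print $2; exit }')
            [ -n "$domain" ] || domain=${realm%%.*}
            printf '%s\\%s\n' "$domain" "$user"
            ;;
        *)
            printf '%s\n' "$login"
            ;;
    esac
}

# rewrite_request LINE: a helper request is "<login> <group> [group ...]";
# rewrite only the first field and pass the group list through unchanged.
rewrite_request() {
    local line="$1" login rest
    login=${line%% *}
    rest=${line#"$login"}
    printf '%s%s\n' "$(normalize_login "$login")" "$rest"
}

# run_helper: speak the external ACL protocol (one request per stdin line, one
# OK/ERR reply per stdout line) by rewriting each line and piping it to the
# real helper, which produces the replies.
run_helper() {
    while IFS= read -r line; do
        rewrite_request "$line"
    done | "$REAL_HELPER"
}

# Only enter the helper loop when started by Squid with --helper, e.g.
#   external_acl_type testForNTGroup %LOGIN /usr/local/bin/group_wrapper.sh --helper
# so the functions above can also be sourced and exercised from a shell.
if [ "${1:-}" = "--helper" ]; then
    run_helper
fi
```

Before deploying anything like this, run the check Amos asks for against the real helper on the new proxy: feed it the Kerberos form (`echo "user.name@<REALM> pxy-standard" | /usr/lib/squid3/wbinfo_group.pl`) next to the two forms already shown and compare the OK/ERR replies; if the Kerberos form is the only one that fails, the login format is the problem. Newer versions of Squid's ext_wbinfo_group_acl helper have an option of their own for Kerberos realm handling (check its --help output), which is preferable to a wrapper where available. The wrapper only changes the login's shape; if the NetBIOS form also returns ERR for users of the other domain, the winbind trust (`wbinfo -t` above) and the realm-to-domain table are the next things to check.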
Received on Wed May 21 2014 - 08:22:08 MDT
