[squid-users] Re: NTLM Authenticator Reserved status problem
Also, I want to add that I was using the samba suite 3.0.28-1.el5_2.1 with CentOS 5.2. Today I upgraded to samba 3.2.7-0.23 and still the same problem. Squid seems to run fine, but the samba NTLM helpers are going to R state one by one. Should I try using ntlm_auth from squid instead of the one from the samba3 suite?

Thanks,
Razvan

On Tue, Jan 13, 2009 at 8:58 AM, Razvan Grigore estet...@gmail.com wrote:
> Hello all,
>
> After I started my NTLM squid3.0STABLE10 configuration in production, I noticed in cache manager that after about 30 min, some of the ntlm_auth helpers are going into R state, one by one at 10 min intervals, and they never come back. This is explained by "R = RESERVED or DEFERRED" in the help note. If I reload the configuration, new helpers are opened, and the reserved ones change status to RS, but they are never stopped until I completely restart squid or manually kill the PIDs. What is the problem? There are no other problems with the working configuration.
>
> Razvan
[squid-users] NTLM Authenticator with big requests number
> From: Serassio Guido guido.seras...@dont-contact.us
> Date: Fri, 24 Jun 2005 09:37:06 +0200
>
> Hi,
>
> This behaviour is correct by Microsoft NTLM design. When negotiated, NTLM authentication cannot be cached: you are using use_ntlm_negotiate on, so every Challenge/Response request must be handled by Winbind. When using use_ntlm_negotiate on, max_challenge_reuses and max_challenge_lifetime are not (and cannot be) used. This is the only stable configuration using NTLM; disabling use_ntlm_negotiate is a worse option.
>
> Regards
> Guido

Hello,

I want to know if this is true. I have Squid 3.0.STABLE10 on CentOS and I successfully implemented an NTLM transparent authenticator for my proxy users. The problem is that my NTLM auth helper has very intense activity compared with my external acl helpers. Here are the details:

NTLM Authenticator Statistics:
program: /usr/bin/ntlm_auth
number running: 10 of 10
requests sent: 5539
replies received: 5539
queue length: 0
avg service time: 0 msec

while:

External ACL Statistics: ad_group
Cache size: 155
program: /usr/lib/squid/squid_ldap_group
number running: 5 of 5
requests sent: 230
replies received: 230
queue length: 0
avg service time: 3 msec

and

External ACL Statistics: host_ad_group
Cache size: 112
program: /usr/lib/squid/hostname.pl
number running: 5 of 5
requests sent: 162
replies received: 162
queue length: 0
avg service time: 50 msec

So I think the external ACLs can successfully cache the requests while the ntlm auth can't. I specified in squid.conf:

authenticate_ttl 1 hour
authenticate_ip_ttl 30 minutes

and at the external acls ttl=1800. What is the problem? And how can I reduce the AD query number?

Thank you!
Razvan
[squid-users] NTLM Authenticator Reserved status problem
Hello all,

After I started my NTLM squid3.0STABLE10 configuration in production, I noticed in cache manager that after about 30 min, some of the ntlm_auth helpers are going into R state, one by one at 10 min intervals, and they never come back. This is explained by "R = RESERVED or DEFERRED" in the help note. If I reload the configuration, new helpers are opened, and the reserved ones change status to RS, but they are never stopped until I completely restart squid or manually kill the PIDs. What is the problem? There are no other problems with the working configuration.

Razvan
Re: [squid-users] NTLM Auth for workstation not users
Thank you Rolf. I did the same thing: reverse lookup for the hostname. This setup needs a working samba package (already working if using NTLM Auth).

> You appear not to understand the real concepts behind authentication and authorization

Amos, I think you didn't get what I mean, because I managed to make it work. I attached the perl script. Actually it's very fast. I also included a timeout alarm of 1 sec for nmblookup.

My relevant squid.conf part:

-
external_acl_type host_ad_group children=3 ttl=60 %SRC /usr/lib/squid/hostname.pl
acl internet_users external ad_group o-ro-cod-internet
acl internet_hosts external host_ad_group o-ro-cod-internet
http_access deny !authenticated all
http_access deny !internet_users !internet_hosts all
http_access allow authenticated
-

This way, I only allow authenticated users, but to access the internet they need either to be a member of the internet group, or their workstation to be included in the internet group. This was needed because we have a computer / office dedicated for internet access, and everybody can use it.

Hope it helps somebody, and maybe it will be included in future releases.

On Fri, Dec 5, 2008 at 3:56 AM, Rolf Loudon [EMAIL PROTECTED] wrote:
> Hello
>
> We do authentication by user and by workstation. Our business rules dictate a scenario like yours, where certain users get access excepting certain workstations where any user is able to gain access, and several variations.
>
> In Active Directory we have user groups and workstation groups. We keep them in separate groups as mixing types of objects in the one group is apparently not recommended.
>
> For user auth it's the usual helper setup querying AD via an LDAP lookup supplying user/pass and group membership.
>
> For workstation auth we wrote a simple short shell script that takes %SRC as an input and then uses dig to work out the name via a reverse lookup (the script actually does a bit more checking in case multiple answers are returned and having to determine, by a forward lookup, which name is the correct one for the address supplied). The output of that script produces a computer name which we use as the input to squid_ldap_group along with the name of the relevant workstation group. The output of that helper query then tells us whether the computer is in a certain group and thus we can accept/deny or combine with other values such as a user's membership of some other group and so on.
>
> Works fine with the notable requirement that dns lookups must be current and in-addr.arpa zones are set up and consistent.
>
> regards
> r.

> Razvan Grigore wrote:
> > > What you are looking for is winbind helper. It runs as an external ACL. Any other approach will also need to run an external ACL, so the answer to your second question is yes and the example is winbind.
> >
> > The winbind helper is declared like this:
> >
> > external_acl_type ad_group children=3 ttl=120 %LOGIN /usr/lib/squid/wbinfo_group.pl
> >
> > I pass to it only the username. What I want is to allow ANY username (even if it's not a member of the Internet AD group) who is logged on a computer that is a member of this Internet group. I guess I have to pass the %SRC variable to an external helper and use nmblookup to get the computer name, and then I'm stuck. Any ideas?
> >
> > Razvan
>
> You appear not to understand the real concepts behind authentication and authorization.
>
> You can authenticate a username/password pair, regardless of location (standard login). THEN you can use the username/password to retrieve and verify a particular group for the username/password (winbind group external ACL). THEN you can also verify a location with one of the username/password or username/password/group tuplets.
>
> You cannot use AD _user_ groups to assign a group membership to a _location_ while ignoring username.
>
> For the setup you are now describing the secure way to do it is to ignore username completely and use the location (source IP) in an ACL. As has been mentioned several times already. You can, _additional_ to that, force users to login correctly (anyone with a valid username/password pair) before the external ACL gets run. But even then the external ACL MUST ignore the login details it gets.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>   Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1

#!/usr/bin/perl
#
# external_acl helper for Squid to verify NT Domain group
# membership of a computername using its IP address
#
# Author:
# Razvan Grigore [EMAIL PROTECTED]
#
# Version history:
# 2008-12-05 Razvan Grigore [EMAIL PROTECTED]
#   Initial release

# Disable output buffering
$|=1;

#
# Find out IP's hostname
#
sub getname {
    local($ip) = @_;
    $SIG{ALRM} = sub { die(); };
    eval {
        $hostname = "";
        alarm 1;
        $hostname = `/usr/bin/nmblookup
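Added example for the workstation check discussed in this thread (my own code, not Razvan's attached Perl script, Rolf's shell script, or anything shipped with Squid): a Python external_acl helper that takes %SRC, reverse-resolves it, accepts a PTR name only when it forward-resolves back to the same address (the consistency check Rolf describes for the multiple-answer case), bounds each lookup with a one-second timeout (the idea behind Razvan's alarm), and answers Squid's OK/ERR helper protocol. The host names, addresses and the group table are constructed for offline demonstration; a real deployment would replace example_is_member with the AD query used in the thread (squid_ldap_group or wbinfo_group.pl).

```python
#!/usr/bin/env python3
"""Squid external_acl helper: is the workstation behind %SRC in an AD group?

Added example; not the Perl script posted in the thread. Host names, addresses
and the group table below are constructed for offline demonstration.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

LOOKUP_TIMEOUT = 1.0            # same idea as the 1-second alarm in the thread
_pool = ThreadPoolExecutor(max_workers=4)


def with_timeout(fn, arg, default, seconds=LOOKUP_TIMEOUT):
    """Run fn(arg) in a worker thread; on timeout or resolver error return default.
    A hung resolver must not stall the helper, or Squid's request queue grows."""
    future = _pool.submit(fn, arg)
    try:
        return future.result(timeout=seconds)
    except Exception:               # includes the executor's TimeoutError
        return default


def dns_reverse(ip):
    """PTR lookup: canonical name plus any aliases (what `dig -x` would list)."""
    def lookup(addr):
        name, aliases, _ = socket.gethostbyaddr(addr)
        return [name] + list(aliases)
    return with_timeout(lookup, ip, [])


def dns_forward(name):
    """A/AAAA lookup: every address the name currently resolves to."""
    return with_timeout(
        lambda n: sorted({r[4][0] for r in socket.getaddrinfo(n, None)}), name, [])


def resolve_workstation(ip, reverse=dns_reverse, forward=dns_forward):
    """Map a source IP to its computer name. A PTR answer is trusted only if the
    name forward-resolves back to the same IP (Rolf's consistency check); a
    stale or attacker-controlled reverse zone therefore yields None."""
    for name in reverse(ip):
        if ip in forward(name):
            return name.split(".")[0].upper()       # short NetBIOS-style name
    return None


def check_request(line, is_member, reverse=dns_reverse, forward=dns_forward):
    """Answer one request line. With 'external_acl_type ... %SRC', Squid sends
    '<ip> <group> [<group> ...]' and expects 'OK' or 'ERR' back."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    host = resolve_workstation(parts[0], reverse, forward)
    if host is None:
        return "ERR"
    return "OK" if any(is_member(host, g) for g in parts[1:]) else "ERR"


# --- constructed data standing in for DNS and for the AD group query ---------
FAKE_PTR = {"10.61.1.20": ["kiosk01.corp.example"],
            "10.61.1.21": ["kiosk02.corp.example"],                  # stale PTR
            "10.61.1.22": ["old-kiosk03.corp.example", "kiosk03.corp.example"],
            "10.61.1.30": ["laptop7.corp.example"]}
FAKE_A = {"kiosk01.corp.example": ["10.61.1.20"],
          "kiosk02.corp.example": ["10.61.1.99"],
          "old-kiosk03.corp.example": ["10.61.1.77"],
          "kiosk03.corp.example": ["10.61.1.22"],
          "laptop7.corp.example": ["10.61.1.30"]}
EXAMPLE_GROUPS = {"o-ro-cod-internet": {"KIOSK01", "KIOSK02", "KIOSK03"}}


def fake_reverse(ip):
    return FAKE_PTR.get(ip, [])


def fake_forward(name):
    return FAKE_A.get(name, [])


def example_is_member(host, group):
    """Stand-in for squid_ldap_group / wbinfo_group.pl."""
    return host in EXAMPLE_GROUPS.get(group, set())


def demo():
    """Run the constructed cases offline and return {request line: verdict}."""
    lines = ["10.61.1.20 o-ro-cod-internet",   # member, PTR consistent -> OK
             "10.61.1.21 o-ro-cod-internet",   # member, but PTR mismatch -> ERR
             "10.61.1.22 o-ro-cod-internet",   # second PTR answer checks out -> OK
             "10.61.1.30 o-ro-cod-internet",   # PTR fine, not a member -> ERR
             "10.61.1.40 o-ro-cod-internet"]   # no PTR at all -> ERR
    return {l: check_request(l, example_is_member, fake_reverse, fake_forward)
            for l in lines}


def main():
    """Helper loop: one request per line, reply flushed so Squid is not kept waiting."""
    for line in sys.stdin:
        sys.stdout.write(check_request(line, example_is_member) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Declared with Razvan's host_ad_group line but pointing at this script, the ACL argument (o-ro-cod-internet) arrives on every request line after the source IP. Because only %SRC is passed, the helper never sees the login name, which is exactly the separation Amos asks for: the workstation decision cannot be influenced by whoever happens to be logged in.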
Re: [squid-users] NTLM Auth for workstation not users
> What you are looking for is winbind helper. It runs as an external ACL. Any other approach will also need to run an external ACL, so the answer to your second question is yes and the example is winbind.

The winbind helper is declared like this:

external_acl_type ad_group children=3 ttl=120 %LOGIN /usr/lib/squid/wbinfo_group.pl

I pass to it only the username. What I want is to allow ANY username (even if it's not a member of the Internet AD group) who is logged on a computer that is a member of this Internet group. I guess I have to pass the %SRC variable to an external helper and use nmblookup to get the computer name, and then I'm stuck. Any ideas?

Razvan
[squid-users] NTLM Auth for workstation not users
Hello,

I successfully implemented a working solution with squid 3.0STABLE10, NTLM Auth samba. I have an AD group with users that are allowed to access the internet. What is demanded now by my company is to add to that internet group some computer accounts that will have access to the proxy no matter what user is logged on them. Now, from the AD point of view, it's easy to add the computer name to that group. The problem is with squid ACLs. Can you please give me an example of how I should get it working? Or is an external acl the answer here? If yes, can you also give me an example?

Thank you!
Razvan
Re: [squid-users] NTLM Auth for workstation not users
As I already told you, I don't want to make a list with IPs; I want to allow computers based on AD group, for one-place administration. I can try an external acl with nslookup or nmblookup. Do you have another suggestion?

On Wed, Dec 3, 2008 at 11:50 PM, Tom Porch [EMAIL PROTECTED] wrote:
> Or reservations in DHCP rather than setting on each workstation
>
> From: Kinkie [EMAIL PROTECTED]
> Sent: 03 December 2008 21:34
> To: Razvan Grigore
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] NTLM Auth for workstation not users
>
> On Wed, Dec 3, 2008 at 8:13 PM, Razvan Grigore [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I successfully implemented a working solution with squid 3.0STABLE10, NTLM Auth samba. I have an AD group with users that are allowed to access the internet. What is demanded now by my company is to add to that internet group some computer accounts that will have access to the proxy no matter what user is logged on them. Now, from the AD point of view, it's easy to add the computer name to that group. The problem is with squid ACLs. Can you please give me an example of how I should get it working? Or is an external acl the answer here? If yes, can you also give me an example?
>
> Give those computers static IP addresses and list those IP addresses in an allowed ACL.
>
> --
> /kinkie
[squid-users] problem with reply_body_max_size and external ACL
Hello,

I recently updated to squid3.0/STABLE10 and I'm trying to configure a working solution integrated with MS Active Directory. Group checking is working fine, but reply_body_max_size is not working with my external acl helper. Here's the relevant config part:

external_acl_type ad_group children=3 ttl=120 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl limitadownload external ad_group o-ro-cod-internet-limitadownload
acl intranet src 10.61.0.0/16

If I try:

reply_body_max_size 15 MB intranet
reply_body_max_size 500 KB all

it works as expected. However, if I try:

reply_body_max_size 15 MB limitadownload all   (even without all)
reply_body_max_size 500 KB all

it's not working at all; it gives me the 500 KB limit. I should mention that wbinfo_group.pl is giving me OK at the command prompt when checking the group membership. What should I do?
[squid-users] transparent proxy bypass https traffic
Hello,

I'm using squid 2.6.STABLE6 on CentOS. I successfully configured squid both as a transparent proxy and as a normal proxy; that's working fine on http and https in normal mode, but in transparent mode https is a challenge.

http_port 3128
http_port 3129 transparent

I'm redirecting with iptables like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 80 -m mark --mark 0x0 -j REDIRECT --to-port 3129

I have 2 types of clients, that are accessing the internet through squid or directly. How can I bypass squid for https traffic ONLY for squid users? I tried like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 443 -m mark --mark 0x0 -j REDIRECT --to-port 3129

but it gives:

2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
2008/03/22 16:54:41| clientReadRequest: FD 19 (10.x.x.3:1104) Invalid Request

I think that I can make iptables rules for every IP in squid for allowing direct https, but I want to avoid this. Is squid 3 capable, through ssl bump, of allowing https traffic without breaking the certificate? Or at least without notifying the user?

Thank you!
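An added illustration of the three log lines above (my own code, not from the post or from Squid): when port 443 is redirected to a plain http_port, the first bytes on the connection are a TLS ClientHello, not an HTTP request line, so parseHttpRequest finds NUL bytes where it expects headers and an empty method token. The script constructs a minimal ClientHello (the SNI name mail.example.com, the zeroed random field and the single cipher suite are arbitrary sample values), shows that it does not classify as HTTP, and extracts the only cleartext hint such a connection offers, the SNI host name, which is what a TLS-aware proxy has to base any per-destination decision on.

```python
#!/usr/bin/env python3
"""What a transparent http_port actually receives when port 443 is redirected to it.

Added example; not code from the post or from Squid. The ClientHello is
constructed here (random bytes zeroed, one arbitrary cipher suite, sample SNI).
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ",
                b"OPTIONS ", b"DELETE ", b"TRACE ")


def build_client_hello(sni):
    """Construct a minimal TLS 1.2 ClientHello carrying a server_name extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # host_name (type 0)
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32                  # client_version, random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(first_bytes):
    """What a listener sees first: an HTTP request line, a TLS ClientHello, or noise."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls-client-hello"
    return "unknown"


def parse_sni(data):
    """Return the SNI host name from a ClientHello, or None.
    Every offset is bounds-checked: a truncated or malformed hello yields None
    rather than an exception, since this runs on untrusted client bytes."""
    try:
        if classify(data) != "tls-client-hello":
            return None
        pos = 5 + 4                                          # record + handshake headers
        pos += 2 + 32                                        # version + random
        pos += 1 + data[pos]                                 # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]    # cipher suites
        pos += 1 + data[pos]                                 # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == 0:                                   # server_name
                lpos, lend = pos + 2, pos + elen
                while lpos + 3 <= lend:
                    ntype = data[lpos]
                    nlen = struct.unpack_from("!H", data, lpos + 1)[0]
                    if lpos + 3 + nlen > len(data):
                        return None                          # truncated name
                    if ntype == 0:
                        return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def has_nul_in_header_window(data, window=64):
    """Squid's complaint in the log: NUL bytes inside what it treats as headers."""
    return b"\x00" in data[:window]


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    plain = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    for label, first in (("redirected 443", hello), ("redirected 80", plain)):
        print(label, classify(first), "NUL in header window:",
              has_nul_in_header_window(first), "SNI:", parse_sni(first))
```

The first bytes of the redirected 443 connection start 16 03 01 and contain a run of NULs, which is exactly what "Requestheader contains NULL characters" and "Unsupported method ''" describe; no amount of http_port configuration can turn that into an HTTP request. Splitting the 443 redirect per client, as the post considers, is a firewall decision made before Squid sees the bytes, so the only information available to make it inside the proxy is the SNI that parse_sni recovers.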