Re: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

2021-09-20 Thread Amos Jeffries

On 21/09/21 11:49 am, David Touzeau wrote:

> When Edge, Chrome and IE try to establish a session, Squid claims:
>
> 2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating
> user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
>
> This lets us understand that these 3 browsers try NTLM instead of
> Basic Authentication.
>
> I do not know why these browsers are using NTLM, as they are not
> connected to the Windows domain.

Unlike Kerberos, NTLM does not require the machine to be connected to a
domain to have credentials. AFAIK the browser still has access to the
localhost user credentials for use in NTLM. Or the machine may even be
trying to use the Basic auth credentials as LM tokens with the NTLM scheme.

> Why does Squid never get the Basic Authentication credentials?

That is a Browser decision. All Squid can do is offer the schemes it
supports and they have to choose which is used.

> Did I miss something?

With Squid-5 you can use the auth_schemes directive to work around issues
like this.

 


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
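
An added example, not part of Amos's message or of the Squid project's documentation: one way to apply the auth_schemes directive he mentions to the configuration posted in this thread. The ACL name non_domain_clients and the 192.0.2.0/24 subnet are assumptions made for illustration, and the auth_param lines from the original post are assumed to be present above these rules.

```conf
# Added example (Squid 5 or later). Constructed placeholder subnet for the
# machines that are not joined to the Windows domain; replace with your own.
acl non_domain_clients src 192.0.2.0/24

# auth_schemes rules are checked in order and the first match wins.
# Non-domain clients are offered Basic only, so the 407 response carries no
# Negotiate challenge for Edge, Chrome or IE to answer with an NTLM token.
auth_schemes basic non_domain_clients

# All other clients get every auth_param scheme in configuration order
# (Negotiate, then Basic, for the configuration posted in this thread).
auth_schemes ALL all

# auth_schemes supports fast ACLs only (src is one) and changes only which
# schemes are offered; who must authenticate is still decided here.
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED
http_access deny all

# Caveat: Basic credentials are base64-encoded, not encrypted, on the
# connection between browser and proxy unless that connection itself is TLS.
```

Running `squid -k parse` after editing confirms that the installed version accepts the directive.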


[squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome

2021-09-20 Thread David Touzeau

Hi all

I have set up Kerberos authentication with a Windows 2019 domain using
Squid 5.1 (the Squid version did not fix the issue - tested 4.x and 5.x).
In some cases, some computers are not joined to the domain and we need
to allow them to authenticate to Squid.

To allow this, Basic Authentication is defined in Squid and we expect
that browsers prompt for a login to be authenticated and access the Internet.

But the behavior is strange.

On a computer outside the Windows domain:
Firefox is able to authenticate successfully to Squid using basic auth.
Edge, Chrome and IE still try using the NTLM method and are always
rejected with a 407.

When Edge, Chrome and IE try to establish a session, Squid claims:

2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

This lets us understand that these 3 browsers try NTLM instead of
Basic Authentication.

I do not know why these browsers are using NTLM, as they are not
connected to the Windows domain.

Why does Squid never get the Basic Authentication credentials?

Did I miss something?

Here is my configuration.

auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR

auth_param negotiate keep_alive on

auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administra...@articatech.int" -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10

auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds

acl AUTHENTICATED proxy_auth REQUIRED



Re: [squid-users] Squid 5.1 for Debian Bullseye (amd64/i386/sources)

2021-09-20 Thread Amos Jeffries

On 21/09/21 1:03 am, L.P.H. van Belle wrote:

> And I have the Debian Bullseye packages also online.
>
> My changelog compared to the Debian Unstable.
>
>   squid (5.1-1.1bullseye1) bullseye; urgency=medium
>
> * Non-maintainer upload.
> * Used sources from squid-cache.org build : squid-5.1-20210804-r1f9e52827
> * Lowered previous version 5.1-2 back to 5.1-1
> * d/patches, added fix-typos.patch found by Lintian.
> * d/watch, change http to https

What URI are you using here exactly?
The www.squid-cache.org website does not provide https:// URLs.

> * d/*.tmp-file to *.tmp-files, Linitian predicated warnings on tmp-file
> * d/rules switched lines 160-161, made the build more consistent.
>   - lowered this line: dh_installsystemd -psquid-openssl --name=squid

Would you be able to send me a copy of the diff/patch for these please?
I will see how much can be pulled into Debian official for the v5.2 packages.


Amos


[squid-users] Squid 5.1 for Debian Bullseye (amd64/i386/sources)

2021-09-20 Thread L . P . H . van Belle
And I have the Debian Bullseye packages also online.

My changelog compared to the Debian Unstable.

 squid (5.1-1.1bullseye1) bullseye; urgency=medium

   * Non-maintainer upload.
   * Used sources from squid-cache.org build : squid-5.1-20210804-r1f9e52827
   * Lowered previous version 5.1-2 back to 5.1-1
   * d/patches, added fix-typos.patch found by Lintian.
   * d/watch, change http to https
   * d/*.tmp-file to *.tmp-files, Linitian predicated warnings on tmp-file
   * d/rules switched lines 160-161, made the build more consistent.
     - lowered this line: dh_installsystemd -psquid-openssl --name=squid


Setting up my repo.
wget -O- https://apt.van-belle.nl/louis-van-belle.gpg-key.asc |\
gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/louis-van-belle.gpg > /dev/null

# set your arch , options amd64 or i386

echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/louis-van-belle.gpg] http://apt.van-belle.nl/debian/ bullseye-squid51 main" \
 | sudo tee -a /etc/apt/sources.list.d/van-belle.list


Enjoy people and thank you Amos for these fast changes.


Louis



Re: [squid-users] About Squid 4, AD, Kerberos and AD group auth.

2021-09-20 Thread Hernan Saltiel
Hi Amos!
Thanks a lot for your response.
I already checked this page, it talks about using negotiate_kerberos_auth
when having Squid 3.2 or newer, but there is no place in the document with
an example about how to use it.
Then I went to the manpage for this command (negotiate_kerberos_auth man
page - squid | ManKier ),
where I can see three lines talking about how to add this to squid.conf.
But I don't know if I do need to follow a procedure to configure winbind,
Samba, or any other thing, and how to configure squid.conf to work with
groups, and their permissions.
Is there any place with full examples on using that config?
Thanks again, and best regards,

HeCSa.



On Mon, Sep 20, 2021 at 3:10 AM Amos Jeffries wrote:

> On 20/09/21 5:32 am, Hernan Saltiel wrote:
> >  If you know about this, and can point me out to some URL I'm not
> > seeing, I'll thank you.
>
> Please see the FAQ written by that helper's author
> 
>
>
> Amos
>


-- 
HeCSa


[squid-users] Ubuntu 20.04 LTS repository for Squid 5.1 (rebuilt from sources in Debian unstable)

2021-09-20 Thread Rafael Akchurin
Hello everyone,

Online repository with latest Squid 5.1 (rebuilt from sources in Debian 
unstable) for Ubuntu 20.04 LTS 64-bit is available at 
https://squid51.diladele.com/.
Github repo  
https://github.com/diladele/squid-ubuntu/tree/squid-51/src/ubuntu20 contains 
the scripts we used to make this compilation.

Here are simple instructions how to use the repo. For more information see 
readme at https://github.com/diladele/squid-ubuntu .

# add diladele apt key
wget -qO - https://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add new repo
echo "deb https://squid51.diladele.com/ubuntu/ focal main" \
> /etc/apt/sources.list.d/squid51.diladele.com.list

# and install
apt-get update && apt-get install -y \
squid-common \
squid-openssl \
squidclient \
libecap3 libecap3-dev

Hope you will find this useful.

Best regards,
Rafael Akchurin
Diladele B.V.

--
The same Squid 5.1 will be part of upcoming Web Safety 7.7 planned for release 
in December, 2021.
Download the latest virtual appliance from 
https://www.diladele.com/download.html



Re: [squid-users] About Squid 4, AD, Kerberos and AD group auth.

2021-09-20 Thread Amos Jeffries

On 20/09/21 5:32 am, Hernan Saltiel wrote:

> If you know about this, and can point me out to some URL I'm not
> seeing, I'll thank you.

Please see the FAQ written by that helper's author



Amos