[squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread xor 
Hello,
I have installed squid3 with authorisation in the windows2003 domain, with 
libraries kerberos5 and samba + winbind. OS Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients working under WinXP with browser IE6 or IE7 pass 
authorisation normally, without superfluous requests of a login/password.

But those who uses Mozilla Firefox browser, at visiting of the sites especially 
containing JavaScript scenaries, often receive request of a login, password and 
domain for authorisation in proxy. If this request to reject (with pressed 
cancel), the client receives standard page of cache access denied. But if 
after that to press to refresh, the page is loaded without login/password 
request, and all works normally before occurrence of the next of authorisation 
request.
This effect observed on the firefox browsers only.
Incr. or decr. of auth_param ntlm children parameters don't helped.

Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src /etc/squid3/acl/bad_pat_servers_ip
acl microsoft_activation dstdomain /etc/squid3/acl/microsoft_activation
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain /etc/squid3/acl/good_sites
acl bad_pattern url_regex /etc/squid3/acl/bad_pattern
acl bad_sites dstdomain /etc/squid3/acl/bad_sites
acl odvk url_regex /etc/squid3/acl/odvk
acl odnokl_sites dstdomain /etc/squid3/acl/odnokl_sites
acl odnokl_users proxy_auth /etc/squid3/acl/odnokl_users
acl ip_users src /etc/squid3/acl/ip_users
acl AuthUsers proxy_auth /etc/squid3/acl/users
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern (cgi-bin|\?)0   0%  0
refresh_pattern .   0   20% 4320
icp_port 3130
forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* 
%n\n *password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   case sensitive = No
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind use default domain = No
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Best regards, Ehenov Roman.

_ 
Авторский фотоальбом Андрея Оборина и Михаила Семенова
   http://www.oborin.ru/book/Home.html

Re: [squid-users] Authentication problem. Squid3+ntlm_auth+Firefox.

2009-05-18 Thread Amos Jeffries 

xor wrote:

Hello,
I have installed squid3 with authorisation in the windows2003 domain, with 
libraries kerberos5 and samba + winbind. OS Debian Lenny 5.0.1.
Packages squid3, samba, krb and winbind are taken from official repositories 
(http://ftp.ru.debian.org/debian/).

The proxy clients working under WinXP with browser IE6 or IE7 pass 
authorisation normally, without superfluous requests of a login/password.

But those who uses Mozilla Firefox browser, at visiting of the sites especially containing 
JavaScript scenaries, often receive request of a login, password and domain for authorisation in 
proxy. If this request to reject (with pressed cancel), the client receives standard 
page of cache access denied. But if after that to press to refresh, the page is loaded 
without login/password request, and all works normally before occurrence of the next of 
authorisation request.
This effect observed on the firefox browsers only.
Incr. or decr. of auth_param ntlm children parameters don't helped.


Please define what you mean by containing JavaScript scenaries? how is 
this relevant to the HTTP requests?


Check that firefox has not saved previous passwords for the user or 
another. This can cause issues as the known passwords are used first 
every time.


With debug_options ALL,1 29,6 28,6 cache.log gets a trace of the auth 
and ACL actions. Check that to see what is going on.
 You can expect to see some holdup while auth details are requested 
from the browser whether or not the popup appears. You can see for those 
checks whether is right to be needed or not though.



Some unrelated notes inline to the config...



Configs:

###squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
authenticate_cache_garbage_interval 1 minute
authenticate_ttl 2 minutes
authenticate_ip_ttl 2 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 81 8080 8081 # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 5222
acl Safe_ports port 443 # https
acl PURGE method PURGE
acl CONNECT method CONNECT
acl bad_pat_servers_ip src /etc/squid3/acl/bad_pat_servers_ip


I find it rather confusing that you call this a servers_ip and indeed 
a pattern list yet use src which tests _client_ IP.


The name of the ACL sounds like you mean it to be a destination check of 
some sort.



acl microsoft_activation dstdomain /etc/squid3/acl/microsoft_activation
acl ip_symantec_ftp src 192.168.2.11
acl ftp_symantec dstdomain ftp.symantec.com liveupdate.symantec.com 
liveupdate.symantecliveupdate.com
acl good_sites dstdomain /etc/squid3/acl/good_sites
acl bad_pattern url_regex /etc/squid3/acl/bad_pattern
acl bad_sites dstdomain /etc/squid3/acl/bad_sites
acl odvk url_regex /etc/squid3/acl/odvk
acl odnokl_sites dstdomain /etc/squid3/acl/odnokl_sites
acl odnokl_users proxy_auth /etc/squid3/acl/odnokl_users
acl ip_users src /etc/squid3/acl/ip_users
acl AuthUsers proxy_auth /etc/squid3/acl/users
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow microsoft_activation
http_access deny bad_pat_servers_ip
http_access allow ip_symantec_ftp ftp_symantec
http_access allow good_sites ip_users
http_access allow good_sites AuthUsers
http_access allow odnokl_sites odnokl_users
http_access deny bad_pattern
http_access deny bad_sites
http_access deny odvk
http_access allow ip_users
http_access allow AuthUsers
http_access allow localhost
http_access deny all
htcp_access deny all
http_port 192.168.60.60:3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid3 1024 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern (cgi-bin|\?)0   0%  0
refresh_pattern .   0   20% 4320



icp_access deny all
icp_port 3130


Combined with the icp_access deny all I find this really weird.

The default action in Squid-3 is not to listen for ICP at all and to 
deny all as well. I think you want to remove the icp_* configuration 
entirely.


Same for the htcp_access line further up.


forwarded_for off
coredump_dir /var/spool/squid3

###smb.conf
[global]
   workgroup = PATERSON
   realm = PATERSON.RU
   password server = SRV-MSK11 SRV-MSK12
   server string = %h server
   wins support = yes
   wins server = 192.168.2.11
   dns proxy = no
   interfaces = 192.168.60.60 eth0
   log file = /var/log/samba/log.%m
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes