On 16.11.2015 14:29, Matej Kotras wrote:
> Hi guys
>
> I've managed to get squid to work with AD, and authorize users based on what
> AD group they are in. I use Squid-Analyzer for doing reports from
> access.log. I've found 2 anomalies with authorization so far. In the
> access log, I see that the user is authorized based on his PC name (not
> desired) and not on the user account name. I've just enabled debugging
> on negotiate wrapper, so I will monitor these logs also.
>
> But in the meantime, have you got any idea why this could happen?
>
> *PC NAME AUTH:*
> 1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
> 1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
>
> *USER NAME AUTH:*
> 1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -

Doesn't seem like you have a working GSS-SPNEGO scheme. Unless you have username fields in the log with realm set, which you didn't post here.
>
> *Squid.conf*
> #########################################
> #Enable KERBEROS authentication#
> #########################################
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
> #########################################
> #Enable NTLM authentication#
> #########################################
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off

So you disable the explicit NTLM authentication. That's bad. Thus far you only have GSS-SPNEGO failover to NTLM.

> #########################################
> # ENABLE LDAP AUTH#
> #########################################
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour

This is pure basic.

> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

The part with http_access is missing, so it's hard to tell why you have TCP_MISS for machine accounts.

Eugene.
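As an added illustration (not code from this thread or from the Squid project), the script below parses Squid native access.log lines like the ones quoted above and classifies the user field the way Eugene's reply suggests reading it: `-` means no credentials (the 407 challenge), a trailing `$` means an AD computer account was used (the "PC NAME AUTH" case), a `user@REALM` form is what a working Negotiate/Kerberos login yields, and a bare name is NTLM or Basic. The sample log is constructed from the lines in the thread; the realm form is an assumption about what the poster's log would show once Kerberos works.

```python
import re

# Squid native log format: time elapsed client code/status bytes method URL user hierarchy/peer type.
# Constructed sample, taken from the lines quoted in the thread.
SAMPLE_LOG = """\
1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def classify_user(user: str) -> str:
    """Label the access.log user field by the kind of credential that produced it."""
    if user == "-":
        return "none"        # no credentials on this request, e.g. the 407 challenge
    if user.endswith("$"):
        return "machine"     # AD computer account (HOST$), typically NTLM fallback
    if "@" in user:
        return "kerberos"    # principal with realm (assumed form for a working Negotiate login)
    return "user"            # bare sAMAccountName: NTLM or Basic


def parse_line(line: str):
    """Return the parsed fields plus an 'auth' label, or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["auth"] = classify_user(rec["user"])
    return rec


def find_machine_account_hits(log_text: str) -> list:
    """Allowed (2xx/3xx) requests whose authorization ran under a machine account."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["auth"] == "machine" and rec["status"][0] in "23":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_machine_account_hits(SAMPLE_LOG):
        print(f"{hit['client']} reached {hit['url']} as machine account {hit['user']}")
```

Running the block over a real access.log (replace `SAMPLE_LOG` with the file contents) lists every request that a machine account, rather than a user, was allowed through for, which is the anomaly the poster is chasing.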
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users