[squid-users] Authentication Problem

Dima Ermakov demonihin at gmail.com
Thu Dec 3 20:46:54 UTC 2015


Hi!
I have a problem with authentication.

I use samba ntlm authentication in my network.

Some users (not all) have problems with HTTP traffic.

They see a Basic authentication request.
If they enter the correct domain login and password, they get an auth error.
If these users try to open HTTPS sites, everything works; they do not get any
errors.


So we have errors only with unencrypted connections.

I have this error on two servers:
debian8, squid3.4 (from repository)
CentOS7, squid3.3.8 (from repository).

The squid servers are domain-joined.

System Time on client PC is correct.

Sorry for my bad English.
Thank you for your help.

Configuration files are in attachment.

-- 
С уважением, Дмитрий Ермаков.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151203/3c8c7fe9/attachment-0001.html>
-------------- next part --------------
# backend.conf — included only by SMP kid 1 (see the
# "if ${process_number} = 1" block at the end of squid.conf); the other
# workers include frontend.conf instead. This kid is the caching parent
# that the frontend reaches through "cache_peer 127.0.0.1 parent 4001".
#
# Disk cache: aufs store, 10000 MB, 32 first-level / 256 second-level dirs.
cache_dir aufs /var/spool/squid3/ 10000 32 256

# Bound to loopback only, so only processes on this host (the frontend
# workers among them) can reach the backend.
http_port 127.0.0.1:4001
cache_mem 1024 MB
visible_hostname it-gw-b.vod.local
# Any local process may use port 4001 without authentication: the frontend
# has already authenticated the client, but a local user on the proxy host
# can skip that by talking to 4001 directly. There is also no explicit
# "http_access deny all" after this rule; Squid then falls back to the
# opposite of the last rule (deny here), but an explicit final deny makes
# that intent visible.
http_access allow localhost

access_log /var/log/squid3/access.backend.log
cache_log /var/log/squid3/cache.backend.log

-------------- next part --------------
# frontend.conf — included by every SMP kid except kid 1 (see the
# "if ${process_number} = 1" block at the end of squid.conf). These
# workers accept client requests on port 8080, authenticate them, and
# forward everything to the caching backend on 127.0.0.1:4001.

# Memory cache size
cache_mem 256 MB

maximum_object_size_in_memory 1024 KB

# All traffic goes to the backend kid; never_direct forbids contacting the
# origin server directly, so if the backend is down clients get errors.
cache_peer 127.0.0.1 parent 4001 0 default name=it-squid-b.vod.local
never_direct allow all

visible_hostname it-gw-f.vod.local

######AUTHENTICATION BLOCK#############
# Authentication helpers. NTLM is offered first; the Basic helper is the
# fallback a client uses when it does not (or can no longer) negotiate
# NTLM. Both are Samba's ntlm_auth, so winbind must be reachable and the
# account Squid runs as must be allowed to use the winbindd privileged
# pipe. Helper failures are reported in cache_log (set below).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=5 idle=5
auth_param ntlm keep_alive on

#authenticate_ttl 1 hour
#authenticate_cache_garbage_interval 1 hour


# Basic fallback: the browser sends the domain password Base64-encoded in
# Proxy-Authorization, i.e. effectively in clear text on every plain-HTTP
# request. A client that has fallen back to Basic (the symptom reported
# with this config) is therefore exposing domain credentials on the wire;
# treat the fallback as a diagnostic aid rather than a second login path.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
# How long a validated Basic credential is reused before the helper is
# consulted again (seconds).
auth_param basic credentialsttl 600 second
auth_param basic children 60 startup=5 idle=5



# Requires a valid login. NOTE: this ACL is not referenced by any
# http_access line in the attached files; the authentication challenge is
# triggered only indirectly, by the %LOGIN external ACLs below.
acl AuthorizedUsers proxy_auth REQUIRED

# Source-address exemption: addresses listed in this file skip
# authentication and rate limiting entirely (see http_access and
# delay_access below), so whoever can obtain one of those addresses gets
# the same. The path is under /etc/squid while everything else lives in
# /etc/squid3 — presumably intentional, but worth confirming.
acl unlim_group src "/etc/squid/acl/unlim_group"

# Group membership via winbind. %LOGIN forces the client to authenticate
# before the lookup runs. No ttl= is given, so Squid's default result
# caching applies and group changes may take a while to be noticed —
# verify against the external_acl_type defaults of this version.
external_acl_type testforGroup   children-max=30 children-startup=5  %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
acl internet_G external testforGroup Internet_group
acl internet_SG external testforGroup Internet_super_group

########## END AUTHENTICATION BLOCK #########


####### Speed Limits Block ###########
# Three class-4 pools (buckets: aggregate / network / individual / user).
# Mind the numbering: pool 1 is the *unlimited* pool, pool 2 the super
# group, pool 3 the regular group — the delay_access lines below decide
# who lands in which pool.
delay_pools 3

# Pool 1: no limit (unlim_group)
delay_class 1 4

# Pool 2: Internet_super_group
delay_class 2 4

# Pool 3: Internet_group
delay_class 3 4

# -1/-1 means unlimited. Only the per-user bucket is capped in pools 2
# and 3 (125000 and 64000 bytes/second respectively).
delay_parameters 1 -1/-1 -1/-1 -1/-1 -1/-1
delay_parameters 2 -1/-1 -1/-1 -1/-1 125000/125000
delay_parameters 3 -1/-1 -1/-1 -1/-1 64000/64000


# delay_access is a fast ACL check; the external (slow) ACLs used here are
# presumably answered from the lookup http_access already performed for
# the same request — confirm this holds for the Squid version in use.
delay_access 1 allow unlim_group
#delay_access 1 allow unlim_domains
delay_access 1 deny all

delay_access 2 allow internet_SG
delay_access 2 deny all

delay_access 3 allow internet_G
delay_access 3 deny all

############ End Speed Limits Block ###########


#################### ACL Control Block ##################

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
####http_access allow localnet

# Order matters. squid.conf has already applied "deny !Safe_ports",
# "deny CONNECT !SSL_ports" and the manager rules before this file is
# included. unlim_group matches by source address and needs no login; the
# two group ACLs are what trigger the proxy authentication challenge.
http_access allow unlim_group
http_access allow internet_SG
http_access allow internet_G

#http_access allow unlim_group


# Local processes on the proxy host are allowed without authentication.
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

##################### End ACL Control Block ##############

# Client-facing listener. No address is given, so this binds every
# interface; with localnet defined in squid.conf but never used in an
# http_access rule, any host that can reach 8080 receives an
# authentication challenge, and every Basic attempt it makes is passed to
# the domain controllers by ntlm_auth. Binding to the internal address
# (http_port <internal-addr>:8080) or adding "http_access deny !localnet"
# ahead of the allow rules narrows that exposure.
http_port 8080
##https_port 8080

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-site.png
Type: image/png
Size: 13518 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151203/3c8c7fe9/attachment-0001.png>
-------------- next part --------------
#
# squid.conf — main file of a Squid SMP setup (workers 5): kid 1 becomes
# the caching backend (backend.conf), kids 2-5 the authenticating frontend
# (frontend.conf); see the if/else near the end. Everything before that
# if/else applies to all kids.
#

####SNMP
#if ${process_number} = 2
##   snmp_port 3401
#endif
# Monitoring host. The same address is declared again below as "sqstat";
# a single ACL would serve both purposes.
acl zabbix src 192.168.4.19/32
# "public" is the well-known default community. Access is limited to the
# zabbix host and localhost by the snmp_access rules, but a non-default
# community (and snmp_incoming_address to pin the listener to the
# management interface) removes the easy guess. The snmp_port itself is
# enabled for kid 1 only, further down.
acl snmppublic snmp_community public
snmp_access allow snmppublic zabbix
snmp_access allow snmppublic localhost
snmp_access deny all

####### END SNMP



pid_filename /var/run/squid3/squid.pid

### Set local DNS as DNS for squid
# Local resolver first, then the remaining internal servers.
dns_nameservers 127.0.0.1 192.168.4.23 192.168.4.1 192.168.4.2

#DNS V4
# Prefer IPv4 addresses when a name resolves to both families.
dns_v4_first on

#### SMP support
###workers 4
# (the live "workers 5" setting is further down, next to cpu_affinity_map)

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE: localnet is defined here but not used by any http_access line in
# the attached files (frontend.conf keeps "allow localnet" commented out).
#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/18 # RFC1918 possible internal network
acl localnet src 192.168.4.0/23 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Ports a CONNECT tunnel may be opened to (see "deny CONNECT !SSL_ports").
acl SSL_ports port 443 #https
acl SSL_ports port 8445 #it-smtp.vod.local
acl SSL_ports port 8443 #it-ubiquiti.vod.local

# Ports plain requests may target; anything else is refused below.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 93 # Teh-Ekspert
acl CONNECT method CONNECT



#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# Only allow cachemgr access from localhost

# Squid 3.2+ ships a built-in "manager" ACL; this url_regex form is the
# pre-3.2 definition. If cache.log warns about it, the line can go.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
####acl localhost src 127.0.0.1/32 ::1/128
# These two rules precede the per-kid include, so they protect both the
# backend and the frontend rule sets.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
###http_access allow localhost manager
# Same host as "zabbix" above.
acl sqstat src 192.168.4.19/32


# cachemgr reachable from localhost and the monitoring host. With no
# cachemgr_passwd set, the actions Squid disables by default (shutdown
# among them) stay unavailable; the remaining actions are open to those
# two sources — check the cachemgr_passwd documentation for the exact
# default list of this version.
http_access allow manager localhost
http_access allow manager sqstat
http_access deny manager

# This line, including its password value, was posted to a public mailing
# list; whatever secret appeared here must be treated as disclosed and
# rotated. squid.conf is commonly world-readable, so a manager password
# is better kept in a separately permissioned file than inline. Note that
# "all" would unlock every manager action, including shutdown.
#cachemgr_passwd dm3ZcN7kDI12 all

#snmp_port 3401
# Six kids pinned to six cores: 5 workers plus, presumably, the
# coordinator as kid 6 — confirm against the running process list.
cpu_affinity_map process_numbers=1,2,3,4,5,6 cores=1,2,3,4,5,6
workers 5
# Kid 1 is the caching backend and the only SNMP listener; kids 2-5 are
# the client-facing frontend.
if ${process_number} = 1
   	include /etc/squid3/backend.conf
	snmp_port 3401
else
	include /etc/squid3/frontend.conf
endif


# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3


#
# Add any of your own refresh_pattern entries above these.
#
# Stock Squid defaults: min-age (minutes), percent of object age,
# max-age (minutes).
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320


