[squid-users] Fwd: NTLM LDAP authentication problem

Eugene M. Zheganin emz at norma.perm.ru
Mon Nov 16 14:19:28 UTC 2015 

On 16.11.2015 14:29, Matej Kotras wrote:
> Hi guys
>
> I've managed squid to work with AD, and authorize users based on what
> AD group they are in. I use Squid-Analyzer for doing reports from
> access.log. I've found 2 anomalies with authorization so far. In
> access log, I see that user is authorized based on his PC name(not
> desired) and not on the user account name. I've just enabled debugging
> on negotiate wrapper, so I will monitor these logs also.
>
> But in the meantime, have you got any idea why could this happen ?
>
> *PC NAME AUTH:*
> 1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
> clients2.google.com:443 <http://clients2.google.com:443> -            
> HIER_NONE/- text/html
> 1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
> clients2.google.com:443 <http://clients2.google.com:443> -            
> HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT
> clients2.google.com:443 <http://clients2.google.com:443> icz800639-03$
> HIER_DIRECT/173.194.116.231 <http://173.194.116.231> -
>
> *USER NAME AUTH:*
> 1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
> lyncwebext.inventec.com:443 <http://lyncwebext.inventec.com:443> -    
>     HIER_NONE/- text/html
> 1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
> lyncwebext.inventec.com:443 <http://lyncwebext.inventec.com:443> -    
>     HIER_NONE/- text/html
> 1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT
> lyncwebext.inventec.com:443 <http://lyncwebext.inventec.com:443>
> icz800639 HIER_DIRECT/10.8.100.165 <http://10.8.100.165> -
Does't seem like you have working GSS-SPNEGO scheme. Unless you have
username fields in log with realm set which yyou didn't post here.

>
>
> *Squid.conf*
> #########################################
> #Enable KERBEROS authentication#
> #########################################
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos
> /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
>
> #########################################
> #Enable NTLM authentication#
> #########################################
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off
So you disable the explicit NTLM authentication. That's bad. This far
you only have GSS-SPNEGO failover to NTLM.
>
>
> #########################################
> # ENABLE LDAP AUTH#
> #########################################
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
> "dc=icz,dc=inventec" -D squid at icz.inventec -W /etc/squid/ldappass.txt
> -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour
This is pure basic.
>
> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
> children-startup=10  %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
The part with http_access is missing, it's hard to tell why you have
TCP_MISS for machine accounts.

Eugene.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151116/23bfdeed/attachment-0001.html>

More information about the squid-users mailing list