[squid-users] Active Directory Authentication failing at the browser

dolson at ihcrc.org dolson at ihcrc.org
Tue Nov 17 20:36:43 UTC 2015 

Thank you for your help Amos,

I think I am a little further, but I'm still having some issues.

I updated my proxy address from the IP to the FQDN and this removed the login page that I previously mentioned, but I still could not get to any external websites.  Internal sites work working correctly.  I have attached the screen shot of the message.

I have followed the new links that you provided and changed the permissions on the /var/lib/samba/winbindd_privileged file as directed, and tested winbind using the instructions and everything is working.

Per your suggestion, I upgraded Firefox to 4.2.  What was really interesting is, when I used the link from the About Firefox window, I was able to access the Mozilla website, and download the file with no errors on the webpage in the browser, but continue to get it if I now go to the site by entering the address in the address bar.

I have included below excerpts from the access.log and cache.log files from the last attempts to see if you or someone else can help me understand the information in the files so I can see where the problem may be.

Access.log:

1447788372.600      7 10.1.3.56 TCP_DENIED/407 3826 GET http://srv-joomla/portal/ - HIER_NONE/- text/html
1447788372.812     63 10.1.3.56 TCP_MISS/500 6727 GET http://srv-joomla/portal/ dolson at IHCRC.ORG HIER_NONE/- text/html
1447788372.903      0 10.1.3.56 TCP_MISS/500 4085 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
1447788373.059      0 10.1.3.56 TCP_MISS/500 4025 GET http://srv-joomla/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788373.106      0 10.1.3.56 TCP_MISS/500 4025 GET http://srv-joomla/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788377.958      0 10.1.3.56 TCP_DENIED/407 3903 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1447788378.163     45 10.1.3.56 TCP_MISS/500 6792 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
1447788378.207      0 10.1.3.56 TCP_MISS/500 4110 POST http://clients1.google.com/ocsp dolson at IHCRC.ORG HIER_NONE/- text/html
1447788378.786      0 10.1.3.56 TCP_MISS/500 4004 GET http://www.google.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
1447788378.832      0 10.1.3.56 TCP_MISS/500 4080 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
1447788378.894      0 10.1.3.56 TCP_MISS/500 4037 GET http://www.google.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788379.051      0 10.1.3.56 TCP_MISS/500 4037 GET http://www.google.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788381.219      0 10.1.3.56 TCP_MISS/500 4092 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
1447788383.357      0 10.1.3.56 TCP_MISS/500 3995 GET http://www.cnn.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
1447788383.516      0 10.1.3.56 TCP_MISS/500 4077 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
1447788383.577      0 10.1.3.56 TCP_MISS/500 4028 GET http://www.cnn.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788383.749     15 10.1.3.56 TCP_MISS/500 4028 GET http://www.cnn.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
1447788432.030      0 10.1.3.56 TCP_MISS/500 4092 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html

Cache.log:

2015/11/17 13:26:12| negotiate_wrapper: Got 'YR YIIG1wYGKwYBBQUCoIIGyzCCBsegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBpEEggaNYIIGiQYJKoZIhvcSAQICAQBuggZ4MIIGdKADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaELGwlJSENSQy5PUkeiJjAkoAMCAQKhHTAbGwRIVFRQGxNzcnYtcHJveHkuaWhjcmMub3Jno4IExDCCBMCgAwIBEqEDAgEEooIEsgSCBK5N8UEgQtAEgTJ0R0OYS6YtKBavuB0GEuGvjp75KubI7xOHeQOIyyBc5k6zPCYrxFH0mw0Xu6iHWXVC1wNjFjDUaIgd4nqr0PQlwmJssREAYsz1Goj+a4Dep5xovo0KeZCLaSIprDn+wbHAUHf8iRp24wlEOWnSPLJ+YAv+JZ6plFtNRZJFbyHJAiBzeE5cKl/Zx4n3hBhRxxqBpaWJ+3vyiC04LZlNtqVN3Zk1XgMxpfiKBe0pdlJb5IwV28CluqKR6Ukr/FZlbDzTO1Ow7L8cuo4+97ikerKkxgjKGhZ0YIvTcxNx59qz1EGIoQBv96K44K8KwtyZeIwGVZPsM9SoIAZV/pMgTx0O3mP1HjidrH7irWH1B8R44aaJ77uyuSChh4sSM6Z+nIwty8Fewx5Wm1M+gmZkLOP3Qw8Nqo1cbx8uoYtod89hKpXJRrepFDB2+USuGwkGcdBeKtxGsWMDIJIW7pwIpqr7pbhsiIj8xgSzJHTfHHEiHIUCWMbTNUbP3NAjjVS6Adq0KLtixQ4J8GvDZtvQafacEDSRAMY3uNJsmUQjI1I3KYt12OoUH0+YUwWk3OT1hFituxaEfnmVNm6cWWgDxNrdQofJFfskiNSmX/937KMjRRARY9FKfjNK55+tR0JvrKmGU9t4Qgu2O9aEnF+3CriVtSgLgX/otkCRLrtOSlYgm4bEfgvn1MTT55+Sef44rOtZBSrGDxT7kpfRK9cCFojelgooNYSMd0sUWxM9/N+CgXrCF9BfJsXT06HZUFCPq8wCimxbGJEfPpOPKIRupZbfUqnBB3lqLMyfY+Z01GmF7A6yfKtsmUWdJW4/5Bl/U9LRU2yn2oAY7RaZZW2VP9xQTj1VBhjiwGUtJfwTU9hAb21Nqfwz5JZyINhfQmxC5AgyGEpNvyR0aaFHyC2Scr4fpHbdHSkyxLfQp3rafOCiM5Kn+0wqhTEb+2zZhX665QdMl2yWfEj2TCQAOMcIR9kYCvT8n+LGZ3vwl6D4vITaO50a2FFJn41RXytToOhtcmkFYKDmyMfQnXBAzmAPefHoHIgNzxfqRF1J5304tUrpMDoxXbyy5XhL/dueDfm5MKQ7s5kqncdyE0F1jBiF9d1Hv0HLvJ+UliWufh1wDHbdOgwu36YxVQ+6XStnh+6Nb5pT2P0hA3cyZyHUCTG3pAJSqmQr5W2JeLzftlQTnptHcciHTBMTYo7YO2auQ7KCHWV+8NCHOa42Z6DXffTvdZ5Rh5vhKef4gfQ4qD+ZYm6GKIwFZWnAbbz+yBf+bPYIog91JI8483HM83hICjxwdBfTCv9D/tPXOe2z7s8IF2S1+Pomvr+r28NhvKHmGGLiLj3+VzzWx8OC2CC/UGVejf4BFMT+sGfqsjj7YO7H0bbgS4p58pCvX/ndCPjZ7S8zZMjrSWlveGEG9lNib2jlIuV8vJxEbH8Vhmn809qq527RoC15XelyUf08FzoW4EfveMuZJdbsYkyHQwbaocAg3Es6xn5P2R3liaeppTU1k1qtkuVBEkrHDOiXpe5b6TH2W7QikRSXRH9oxoQDMpLurpBDS+SuwBXOXjvt376T85Rj8rljgwlIpIIBTzCCAUugAwIBEqKCAUIEggE+JcUszidrIDYfoEETkD6avKzl/17NkcuHyRJV+IH/w71nc2zJy2GBPPQiunoIc2eRLtMA2qTzGWxBCZP8h2ykFkMyhhdXidzKOzyfiKnsMH11pQFANoglArU2nXeMjiL2QMmUZg57hKSjGZZTJ/vJN+oZGazH0Vb7rg0QEiID1f5GXDqkiVIkdepuFnffAZEYTTy4o4I2aj8w3gvt+KDw8p70v9mqYY0gwJfmC6GZnRO/RrrAGF48ZwpDgiR2PESHaUP98LIh0Sfo/sknODiUNPlY6S4NKBRoVbihTJWfAl7Fz6R3aIpZeuYAEg3qsE3Tc1Jn9Yv+pkfRkKsWSt9URL//Ly5G2j7gZFtoCkBdKxw+w5yMTJ/6q/ztfE6M54iy+2Zdz06qDkTGmCOQkAcVha0krI+p0ie77U+RG9Zq' from squid (length: 2343).
2015/11/17 13:26:12| negotiate_wrapper: Decode 'YIIG1wYGKwYBBQUCoIIGyzCCBsegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBpEEggaNYIIGiQYJKoZIhvcSAQICAQBuggZ4MIIGdKADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaELGwlJSENSQy5PUkeiJjAkoAMCAQKhHTAbGwRIVFRQGxNzcnYtcHJveHkuaWhjcmMub3Jno4IExDCCBMCgAwIBEqEDAgEEooIEsgSCBK5N8UEgQtAEgTJ0R0OYS6YtKBavuB0GEuGvjp75KubI7xOHeQOIyyBc5k6zPCYrxFH0mw0Xu6iHWXVC1wNjFjDUaIgd4nqr0PQlwmJssREAYsz1Goj+a4Dep5xovo0KeZCLaSIprDn+wbHAUHf8iRp24wlEOWnSPLJ+YAv+JZ6plFtNRZJFbyHJAiBzeE5cKl/Zx4n3hBhRxxqBpaWJ+3vyiC04LZlNtqVN3Zk1XgMxpfiKBe0pdlJb5IwV28CluqKR6Ukr/FZlbDzTO1Ow7L8cuo4+97ikerKkxgjKGhZ0YIvTcxNx59qz1EGIoQBv96K44K8KwtyZeIwGVZPsM9SoIAZV/pMgTx0O3mP1HjidrH7irWH1B8R44aaJ77uyuSChh4sSM6Z+nIwty8Fewx5Wm1M+gmZkLOP3Qw8Nqo1cbx8uoYtod89hKpXJRrepFDB2+USuGwkGcdBeKtxGsWMDIJIW7pwIpqr7pbhsiIj8xgSzJHTfHHEiHIUCWMbTNUbP3NAjjVS6Adq0KLtixQ4J8GvDZtvQafacEDSRAMY3uNJsmUQjI1I3KYt12OoUH0+YUwWk3OT1hFituxaEfnmVNm6cWWgDxNrdQofJFfskiNSmX/937KMjRRARY9FKfjNK55+tR0JvrKmGU9t4Qgu2O9aEnF+3CriVtSgLgX/otkCRLrtOSlYgm4bEfgvn1MTT55+Sef44rOtZBSrGDxT7kpfRK9cCFojelgooNYSMd0sUWxM9/N+CgXrCF9BfJsXT06HZUFCPq8wCimxbGJEfPpOPKIRupZbfUqnBB3lqLMyfY+Z01GmF7A6yfKtsmUWdJW4/5Bl/U9LRU2yn2oAY7RaZZW2VP9xQTj1VBhjiwGUtJfwTU9hAb21Nqfwz5JZyINhfQmxC5AgyGEpNvyR0aaFHyC2Scr4fpHbdHSkyxLfQp3rafOCiM5Kn+0wqhTEb+2zZhX665QdMl2yWfEj2TCQAOMcIR9kYCvT8n+LGZ3vwl6D4vITaO50a2FFJn41RXytToOhtcmkFYKDmyMfQnXBAzmAPefHoHIgNzxfqRF1J5304tUrpMDoxXbyy5XhL/dueDfm5MKQ7s5kqncdyE0F1jBiF9d1Hv0HLvJ+UliWufh1wDHbdOgwu36YxVQ+6XStnh+6Nb5pT2P0hA3cyZyHUCTG3pAJSqmQr5W2JeLzftlQTnptHcciHTBMTYo7YO2auQ7KCHWV+8NCHOa42Z6DXffTvdZ5Rh5vhKef4gfQ4qD+ZYm6GKIwFZWnAbbz+yBf+bPYIog91JI8483HM83hICjxwdBfTCv9D/tPXOe2z7s8IF2S1+Pomvr+r28NhvKHmGGLiLj3+VzzWx8OC2CC/UGVejf4BFMT+sGfqsjj7YO7H0bbgS4p58pCvX/ndCPjZ7S8zZMjrSWlveGEG9lNib2jlIuV8vJxEbH8Vhmn809qq527RoC15XelyUf08FzoW4EfveMuZJdbsYkyHQwbaocAg3Es6xn5P2R3liaeppTU1k1qtkuVBEkrHDOiXpe5b6TH2W7QikRSXRH9oxoQDMpLurpBDS+SuwBXOXjvt376T85Rj8rljgwlIpIIBTzCCAUugAwIBEqKCAUIEggE+JcUszidrIDYfoEETkD6avKzl/17NkcuHyRJV+IH/w71nc2zJy2GBPPQiunoIc2eRLtMA2qTzGWxBCZP8h2ykFkMyhhdXidzKOzyfiKnsMH11pQFANoglArU2nXeMjiL2QMmUZg57hKSjGZZTJ/vJN+oZGazH0Vb7rg0QEiID1f5GXDqkiVIkdepuFnffAZEYTTy4o4I2aj8w3gvt+KDw8p70v9mqYY0gwJfmC6GZnRO/RrrAGF48ZwpDgiR2PESHaUP98LIh0Sfo/sknODiUNPlY6S4NKBRoVbihTJWfAl7Fz6R3aIpZeuYAEg3qsE3Tc1Jn9Yv+pkfRkKsWSt9URL//Ly5G2j7gZFtoCkBdKxw+w5yMTJ/6q/ztfE6M54iy+2Zdz06qDkTGmCOQkAcVha0krI+p0ie77U+RG9Zq' (decoded length: 1755).
2015/11/17 13:26:12| negotiate_wrapper: received Kerberos token
negotiate_kerberos_auth.cc(258): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: DEBUG: Got 'YR YIIG1wYGKwYBBQUCoIIGyzCCBsegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBpEEggaNYIIGiQYJKoZIhvcSAQICAQBuggZ4MIIGdKADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaELGwlJSENSQy5PUkeiJjAkoAMCAQKhHTAbGwRIVFRQGxNzcnYtcHJveHkuaWhjcmMub3Jno4IExDCCBMCgAwIBEqEDAgEEooIEsgSCBK5N8UEgQtAEgTJ0R0OYS6YtKBavuB0GEuGvjp75KubI7xOHeQOIyyBc5k6zPCYrxFH0mw0Xu6iHWXVC1wNjFjDUaIgd4nqr0PQlwmJssREAYsz1Goj+a4Dep5xovo0KeZCLaSIprDn+wbHAUHf8iRp24wlEOWnSPLJ+YAv+JZ6plFtNRZJFbyHJAiBzeE5cKl/Zx4n3hBhRxxqBpaWJ+3vyiC04LZlNtqVN3Zk1XgMxpfiKBe0pdlJb5IwV28CluqKR6Ukr/FZlbDzTO1Ow7L8cuo4+97ikerKkxgjKGhZ0YIvTcxNx59qz1EGIoQBv96K44K8KwtyZeIwGVZPsM9SoIAZV/pMgTx0O3mP1HjidrH7irWH1B8R44aaJ77uyuSChh4sSM6Z+nIwty8Fewx5Wm1M+gmZkLOP3Qw8Nqo1cbx8uoYtod89hKpXJRrepFDB2+USuGwkGcdBeKtxGsWMDIJIW7pwIpqr7pbhsiIj8xgSzJHTfHHEiHIUCWMbTNUbP3NAjjVS6Adq0KLtixQ4J8GvDZtvQafacEDSRAMY3uNJsmUQjI1I3KYt12OoUH0+YUwWk3OT1hFituxaEfnmVNm6cWWgDxNrdQofJFfskiNSmX/937KMjRRARY9FKfjNK55+tR0JvrKmGU9t4Qgu2O9aEnF+3CriVtSgLgX/otkCRLrtOSlYgm4bEfgvn1MTT55+Sef44rOtZBSrGDxT7kpfRK9cCFojelgooNYSMd0sUWxM9/N+CgXrCF9BfJsXT06HZUFCPq8wCimxbGJEfPpOPKIRupZbfUqnBB3lqLMyfY+Z01GmF7A6yfKtsmUWdJW4/5Bl/U9LRU2yn2oAY7RaZZW2VP9xQTj1VBhjiwGUtJfwTU9hAb21Nqfwz5JZyINhfQmxC5AgyGEpNvyR0aaFHyC2Scr4fpHbdHSkyxLfQp3rafOCiM5Kn+0wqhTEb+2zZhX665QdMl2yWfEj2TCQAOMcIR9kYCvT8n+LGZ3vwl6D4vITaO50a2FFJn41RXytToOhtcmkFYKDmyMfQnXBAzmAPefHoHIgNzxfqRF1J5304tUrpMDoxXbyy5XhL/dueDfm5MKQ7s5kqncdyE0F1jBiF9d1Hv0HLvJ+UliWufh1wDHbdOgwu36YxVQ+6XStnh+6Nb5pT2P0hA3cyZyHUCTG3pAJSqmQr5W2JeLzftlQTnptHcciHTBMTYo7YO2auQ7KCHWV+8NCHOa42Z6DXffTvdZ5Rh5vhKef4gfQ4qD+ZYm6GKIwFZWnAbbz+yBf+bPYIog91JI8483HM83hICjxwdBfTCv9D/tPXOe2z7s8IF2S1+Pomvr+r28NhvKHmGGLiLj3+VzzWx8OC2CC/UGVejf4BFMT+sGfqsjj7YO7H0bbgS4p58pCvX/ndCPjZ7S8zZMjrSWlveGEG9lNib2jlIuV8vJxEbH8Vhmn809qq527RoC15XelyUf08FzoW4EfveMuZJdbsYkyHQwbaocAg3Es6xn5P2R3liaeppTU1k1qtkuVBEkrHDOiXpe5b6TH2W7QikRSXRH9oxoQDMpLurpBDS+SuwBXOXjvt376T85Rj8rljgwlIpIIBTzCCAUugAwIBEqKCAUIEggE+JcUszidrIDYfoEETkD6avKzl/17NkcuHyRJV+IH/w71nc2zJy2GBPPQiunoIc2eRLtMA2qTzGWxBCZP8h2ykFkMyhhdXidzKOzyfiKnsMH11pQFANoglArU2nXeMjiL2QMmUZg57hKSjGZZTJ/vJN+oZGazH0Vb7rg0QEiID1f5GXDqkiVIkdepuFnffAZEYTTy4o4I2aj8w3gvt+KDw8p70v9mqYY0gwJfmC6GZnRO/RrrAGF48ZwpDgiR2PESHaUP98LIh0Sfo/sknODiUNPlY6S4NKBRoVbihTJWfAl7Fz6R3aIpZeuYAEg3qsE3Tc1Jn9Yv+pkfRkKsWSt9URL//Ly5G2j7gZFtoCkBdKxw+w5yMTJ/6q/ztfE6M54iy+2Zdz06qDkTGmCOQkAcVha0krI+p0ie77U+RG9Zq' from squid (length: 2343).
negotiate_kerberos_auth.cc(311): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: DEBUG: Decode 'YIIG1wYGKwYBBQUCoIIGyzCCBsegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBpEEggaNYIIGiQYJKoZIhvcSAQICAQBuggZ4MIIGdKADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaELGwlJSENSQy5PUkeiJjAkoAMCAQKhHTAbGwRIVFRQGxNzcnYtcHJveHkuaWhjcmMub3Jno4IExDCCBMCgAwIBEqEDAgEEooIEsgSCBK5N8UEgQtAEgTJ0R0OYS6YtKBavuB0GEuGvjp75KubI7xOHeQOIyyBc5k6zPCYrxFH0mw0Xu6iHWXVC1wNjFjDUaIgd4nqr0PQlwmJssREAYsz1Goj+a4Dep5xovo0KeZCLaSIprDn+wbHAUHf8iRp24wlEOWnSPLJ+YAv+JZ6plFtNRZJFbyHJAiBzeE5cKl/Zx4n3hBhRxxqBpaWJ+3vyiC04LZlNtqVN3Zk1XgMxpfiKBe0pdlJb5IwV28CluqKR6Ukr/FZlbDzTO1Ow7L8cuo4+97ikerKkxgjKGhZ0YIvTcxNx59qz1EGIoQBv96K44K8KwtyZeIwGVZPsM9SoIAZV/pMgTx0O3mP1HjidrH7irWH1B8R44aaJ77uyuSChh4sSM6Z+nIwty8Fewx5Wm1M+gmZkLOP3Qw8Nqo1cbx8uoYtod89hKpXJRrepFDB2+USuGwkGcdBeKtxGsWMDIJIW7pwIpqr7pbhsiIj8xgSzJHTfHHEiHIUCWMbTNUbP3NAjjVS6Adq0KLtixQ4J8GvDZtvQafacEDSRAMY3uNJsmUQjI1I3KYt12OoUH0+YUwWk3OT1hFituxaEfnmVNm6cWWgDxNrdQofJFfskiNSmX/937KMjRRARY9FKfjNK55+tR0JvrKmGU9t4Qgu2O9aEnF+3CriVtSgLgX/otkCRLrtOSlYgm4bEfgvn1MTT55+Sef44rOtZBSrGDxT7kpfRK9cCFojelgooNYSMd0sUWxM9/N+CgXrCF9BfJsXT06HZUFCPq8wCimxbGJEfPpOPKIRupZbfUqnBB3lqLMyfY+Z01GmF7A6yfKtsmUWdJW4/5Bl/U9LRU2yn2oAY7RaZZW2VP9xQTj1VBhjiwGUtJfwTU9hAb21Nqfwz5JZyINhfQmxC5AgyGEpNvyR0aaFHyC2Scr4fpHbdHSkyxLfQp3rafOCiM5Kn+0wqhTEb+2zZhX665QdMl2yWfEj2TCQAOMcIR9kYCvT8n+LGZ3vwl6D4vITaO50a2FFJn41RXytToOhtcmkFYKDmyMfQnXBAzmAPefHoHIgNzxfqRF1J5304tUrpMDoxXbyy5XhL/dueDfm5MKQ7s5kqncdyE0F1jBiF9d1Hv0HLvJ+UliWufh1wDHbdOgwu36YxVQ+6XStnh+6Nb5pT2P0hA3cyZyHUCTG3pAJSqmQr5W2JeLzftlQTnptHcciHTBMTYo7YO2auQ7KCHWV+8NCHOa42Z6DXffTvdZ5Rh5vhKef4gfQ4qD+ZYm6GKIwFZWnAbbz+yBf+bPYIog91JI8483HM83hICjxwdBfTCv9D/tPXOe2z7s8IF2S1+Pomvr+r28NhvKHmGGLiLj3+VzzWx8OC2CC/UGVejf4BFMT+sGfqsjj7YO7H0bbgS4p58pCvX/ndCPjZ7S8zZMjrSWlveGEG9lNib2jlIuV8vJxEbH8Vhmn809qq527RoC15XelyUf08FzoW4EfveMuZJdbsYkyHQwbaocAg3Es6xn5P2R3liaeppTU1k1qtkuVBEkrHDOiXpe5b6TH2W7QikRSXRH9oxoQDMpLurpBDS+SuwBXOXjvt376T85Rj8rljgwlIpIIBTzCCAUugAwIBEqKCAUIEggE+JcUszidrIDYfoEETkD6avKzl/17NkcuHyRJV+IH/w71nc2zJy2GBPPQiunoIc2eRLtMA2qTzGWxBCZP8h2ykFkMyhhdXidzKOzyfiKnsMH11pQFANoglArU2nXeMjiL2QMmUZg57hKSjGZZTJ/vJN+oZGazH0Vb7rg0QEiID1f5GXDqkiVIkdepuFnffAZEYTTy4o4I2aj8w3gvt+KDw8p70v9mqYY0gwJfmC6GZnRO/RrrAGF48ZwpDgiR2PESHaUP98LIh0Sfo/sknODiUNPlY6S4NKBRoVbihTJWfAl7Fz6R3aIpZeuYAEg3qsE3Tc1Jn9Yv+pkfRkKsWSt9URL//Ly5G2j7gZFtoCkBdKxw+w5yMTJ/6q/ztfE6M54iy+2Zdz06qDkTGmCOQkAcVha0krI+p0ie77U+RG9Zq' (decoded length: 1755).
negotiate_kerberos_pac.cc(368): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Got PAC data of lengh 608
negotiate_kerberos_pac.cc(186): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Found 16 rids
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7192
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 2692
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 1584
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 5144
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7167
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 512
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7733
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7123
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 4495
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 8115
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7641
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 5143
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7154
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 7836
negotiate_kerberos_pac.cc(193): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: Info: Got rid: 1395
negotiate_kerberos_pac.cc(255): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-343818398-1275210071-839522115
negotiate_kerberos_pac.cc(277): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(325): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-343818398-1275210071-839522115-572
negotiate_kerberos_pac.cc(448): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: INFO: Read 604 of 608 bytes 
negotiate_kerberos_auth.cc(426): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyGBwAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyhAoAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyMAYAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyGBQAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoy/xsAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyAAIAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyNR4AAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoy0xsAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyjxEAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoysx8AAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyAQIAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoy2R0AAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyFxQAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoy8hsAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoynB4AAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoycwUAAA== group=AQUAAAAAAAUVAAAAnkB+FFcpAkxDFwoyPAIAAA==
2015/11/17 13:26:12| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJKoZIhvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuARzxylZ3+ogG5LNwRiq7CS7l8pmHqwVZui0pgSu6TmcNWZwwFSOkh4ObnFB2qDL2Cog9vwWQLYxDMnz3Y4jwCO4kyqTd6UWKz39avXtJGITEdRrVXQVQAZBWIHMm2VtuRhMkyTnREoToI97sMxA= dolson at IHCRC.ORG
'
negotiate_kerberos_auth.cc(431): pid=17991 :2015/11/17 13:26:12| negotiate_kerberos_auth: DEBUG: AF oYG2MIGzoAMKAQChCwYJKoZIhvcSAQICooGeBIGbYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuARzxylZ3+ogG5LNwRiq7CS7l8pmHqwVZui0pgSu6TmcNWZwwFSOkh4ObnFB2qDL2Cog9vwWQLYxDMnz3Y4jwCO4kyqTd6UWKz39avXtJGITEdRrVXQVQAZBWIHMm2VtuRhMkyTnREoToI97sMxA= dolson at IHCRC.ORG
2015/11/17 13:26:18| negotiate_wrapper: Got 'YR YIIG1wYGKwYBBQUCoIIGyzCCBsegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBpEEggaNYIIGiQYJKoZIhvcSAQICAQBuggZ4MIIGdKADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaELGwlJSENSQy5PUkeiJjAkoAMCAQKhHTAbGwRIVFRQGxNzcnYtcHJveHkuaWhjcmMub3Jno4IExDCCBMCgAwIBEqEDAgEEooIEsgSCBK5N8UEgQtAEgTJ0R0OYS6YtKBavuB0GEuGvjp75KubI7xOHeQOIyyBc5k6zPCYrxFH0mw0Xu6iHWXVC1wNjFjDUaIgd4nqr0PQlwmJssREAYsz1Goj+a4Dep5xovo0KeZCLaSIprDn+wbHAUHf8iRp24wlEOWnSPLJ+YAv+JZ6plFtNRZJFbyHJAiBzeE5cKl/Zx4n3hBhRxxqBpaWJ+3vyiC04LZlNtqVN3Zk1XgMxpfiKBe0pdlJb5IwV28CluqKR6Ukr/FZlbDzTO1Ow7L8cuo4+97ikerKkxgjKGhZ0YIvTcxNx59qz1EGIoQBv96K44K8KwtyZeIwGVZPsM9SoIAZV/pMgTx0O3mP1HjidrH7irWH1B8R44aaJ77uyuSChh4sSM6Z+nIwty8Fewx5Wm1M+gmZkLOP3Qw8Nqo1cbx8uoYtod89hKpXJRrepFDB2+USuGwkGcdBeKtxGsWMDIJIW7pwIpqr7pbhsiIj8xgSzJHTfHHEiHIUCWMbTNUbP3NAjjVS6Adq0KLtixQ4J8GvDZtvQafacEDSRAMY3uNJsmUQjI1I3KYt12OoUH0+YUwWk3OT1hFituxaEfnmVNm6cWWgDxNrdQofJFfskiNSmX/937KMjRRARY9FKfjNK55+tR0JvrKmGU9t4Qgu2O9aEnF+3CriVtSgLgX/otkCRLrtOSlYgm4bEfgvn1MTT55+Sef44rOtZBSrGDxT7kpfRK9cCFojelgooNYSMd0sUWxM9/N+CgXrCF9BfJsXT06HZUFCPq8wCimxbGJEfPpOPKIRupZbfUqnBB3lqLMyfY+Z01GmF7A6yfKtsmUWdJW4/5Bl/U9LRU2yn2oAY7RaZZW2VP9xQTj1VBhjiwGUtJfwTU9hAb21Nqfwz5JZyINhfQmxC5AgyGEpNvyR0aaFHyC2Scr4fpHbdHSkyxLfQp3rafOCiM5Kn+0wqhTEb+2zZhX665QdMl2yWfEj2TCQAOMcIR9kYCvT8n+LGZ3vwl6D4vITaO50a2FFJn41RXytToOhtcmkFYKDmyMfQnXBAzmAPefHoHIgNzxfqRF1J5304tUrpMDoxXbyy5XhL/dueDfm5MKQ7s5kqncdyE0F1jBiF9d1Hv0HLvJ+UliWufh1wDHbdOgwu36YxVQ+6XStnh+6Nb5pT2P0hA3cyZyHUCTG3pAJSqmQr5W2JeLzftlQTnptHcciHTBMTYo7YO2auQ7KCHWV+8NCHOa42Z6DXffTvdZ5Rh5vhKef4gfQ4qD+ZYm6GKIwFZWnAbbz+yBf+bPYIog91JI8483HM83hICjxwdBfTCv9D/tPXOe2z7s8IF2S1+Pomvr+r28NhvKHmGGLiLj3+VzzWx8OC2CC/UGVejf4BFMT+sGfqsjj7YO7H0bbgS4p58pCvX/ndCPjZ7S8zZMjrSWlveGEG9lNib2jlIuV8vJxEbH8Vhmn809qq527RoC15XelyUf08FzoW4EfveMuZJdbsYkyHQwbaocAg3Es6xn5P2R3liaeppTU1k1qtkuVBEkrHDOiXpe5b6TH2W7QikRSXRH9oxoQDMpLurpBDS+SuwBXOXjvt376T85Rj8rljgwlIpIIBTzCCAUugAwIBEqKCAUIEggE+DoZN90zbWUmsDrg6dc6wp4NRLipcz7cusWmhf346E2eP4HV47gCd3ZsduFiDFrhxCGSVe4bGNkVt2tMKXPjJVh6b3NvzS9f8lomla/VCwUytrnG3Homb6jvCamPYgQLSEFnEjGnP2ohCzEQYGbMRSnjfvzlk3Xp4wVfPUSD4Fjz7k0F1ikb3VJSs5J9MaClAJP45IJ6Jft9GqVcW0at1HCtVeJLizrJt0WJOhQRcMw9DLSiCnqDtpu3xD9mVP7+BsghYTMzflizUofbT4T+uUbBJsGIt6PnhsAR0OkeoLdvoB57G7q2SxQFQ+Z25P47w95fHNd4MxoTsbAG6Hp7RJAF/i4b9pqY8WQEqbyXCy/EetN7nD5aMeuVAXUZUbRdc9QsquOn8ia1cRZejWUjDNSutIJLw67r6k3+Lqfil' from squid (length: 2343).

Thank you again for your help,

Daniel Olson



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Monday, November 16, 2015 3:16 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the browser

On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version:  Squid 3.4.8
>>>
>>> OS Version:  Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have 
>>> the basics operating, at least when I start the squid service, I 
>>> have am no longer getting any error messages.  At this time, the 
>>> goal is to authenticate users from Active Directory and log the user and the websites they are accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 
>>> 7 workstation to use the Squid proxy, I am getting the log in page (image below).
>>>
>>> imap://emz@mail.norma.perm.ru:143/fetch%3EUID%3E/INBOX/maillists/squ
>>> id-users%3E58459?header=quotebody&part=1.1.2&filename=image001.png
>>>
>>> I have tried entering my user name in various form EXAMPLE/USERID, 
>>> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I 
>>> have not had a successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log 
>>> files for review.  If you would like to see the cache.log file, 
>>> please contact me as the file is too large to include in this post.
>>>
>>>
>> I suggest you first make Basic and NTLM working with active 
>> directory, and only then, having these 2 schemes working, you move to 
>> the GSS-SPNEGO scheme. This is because GSS-SPNEGO scheme is 
>> overcomplicated and difficult to debug, as it uses lots of components and can fall apart easily on any stage.
>>
> 
> I suggest also using a current Firefox release. I am finding the 4x's 
> series work a lot better than the earlier 3x's did on Windows 7.
> 
> Kerberos also uses the USER at DOMAIN format for user labeling. Sending 
> it Basic USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> 
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything 
> worse. If you are able to avoid using it at all and to actively turn 
> NTLM off around your network the Kerberos side of things will work better.
> 

Also, since you are using what looks to be an outdated copy-n-paste of the Squid official wiki article on Windows AD integration. Not the living-document original itself you missed seeing one critical detail about winbind bugs on Debian that have come to light a few months back.

<http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory?highlight=%28winbind%29#NTLM>
or
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Error2.jpg
Type: image/jpeg
Size: 40314 bytes
Desc: Error2.jpg
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151117/966f606b/attachment-0001.jpg>

More information about the squid-users mailing list