[squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

Olivier CALVANO o.calvano at gmail.com
Wed Mar 30 08:40:14 UTC 2016


Hi

I use:

## negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=10 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication prompt
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b dc=mydomain,dc=fr -f sAMAccountName=%s -D cn=Proxy,ou=vpn,dc=mydomain,dc=fr -w "mypass" -t 3 -H 172.16.1.21
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Proxy
#auth_param basic credentialsttl 2 hours
auth_param basic credentialsttl 1 minute


But I get the same problem if I put:

## negotiate kerberos and ntlm authentication
#auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
#auth_param negotiate children 100 startup=10 idle=1
#auth_param negotiate keep_alive on



Yes, I have the login/password of the users (out of >5000 accounts, we have
10/20 accounts with this problem).


I have a second server, but for High Availability.


Example of the problem with one username:
     before 11:17am it works
     at 11:17am the username doesn't have access to the internet and in the logs we have
the error.
     at 07:30pm the username now has internet access.


regards
Olivier



2016-03-30 9:59 GMT+02:00 Kinkie <gkinkie at gmail.com>:

> Are you using BASIC, ntlm or kerberos?
> Do you know that user's password in order to run some tests?
> Do you have some other proxy or box where you can run some tests?
> AD is a complex system, so the first thing to do is to understand if the
> problem is caused by AD, by the system, by something related to the user or
> to the auth helper or to squid.
> On Mar 30, 2016 9:50 AM, "Olivier CALVANO" <o.calvano at gmail.com> wrote:
>
>> Does anyone know this problem?
>>
>>
>> 2016-03-29 18:22 GMT+02:00 Olivier CALVANO <o.calvano at gmail.com>:
>>
>>> Hi
>>>
>>> On a new server, we use Squid 3.3.8 on CentOS 7 with Active Directory
>>> authentication (tested with negotiate_wrapper, but same
>>> problem with ntlm_auth).
>>>
>>> It works very well for a while, but without reason, a limited user can't
>>> access the internet and I don't know why.
>>>
>>> In the logs, we have:
>>>
>>> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
>>> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
>>> 1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>> 1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>>
>>>
>>> I don't know why, but all the logs have "NONE_ABORTED/000".
>>> Does anyone know this error?
>>>
>>>
>>> If, on the same PC, I change the username, it works! Reconnect with
>>> the old username and the problem starts.
>>>
>>> regards
>>> Olivier
>>>
>>
>>
>>
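
An added example, not part of the original messages: one way to find which authenticated usernames are affected, and since when, by scanning a native-format access.log for the NONE_ABORTED/000 + HIER_NONE pattern quoted in the thread. The sample log is constructed, and the function names and the 0.9 ratio threshold are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format. The NONE_ABORTED
# lines copy the shape quoted in the thread (URLs replaced); "alice" is invented.
SAMPLE_LOG = """\
1459266000.100    212 172.16.6.20 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/192.0.2.10 text/html
1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://example.com/a.cab? olivier HIER_NONE/- -
1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://example.org/ olivier HIER_NONE/- -
1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET http://example.net/v32.cab olivier HIER_NONE/- -
1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://example.net/v32.cab olivier HIER_NONE/- -
1459267950.000    180 172.16.6.20 TCP_MISS/200 2048 GET http://example.com/b alice HIER_DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format line; return None if it is not a full record."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": status, "user": f[7],
            "hier": f[8].split("/")[0]}

def stalled_users(log_text, min_ratio=0.9):
    """Users whose requests almost all end as NONE_ABORTED/000 with HIER_NONE."""
    stats = defaultdict(lambda: {"total": 0, "aborted": 0, "first": None,
                                 "last": None, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":  # skip unauthenticated requests
            continue
        s = stats[rec["user"]]
        s["total"] += 1
        if (rec["code"], rec["status"], rec["hier"]) == ("NONE_ABORTED", "000", "HIER_NONE"):
            s["aborted"] += 1
            s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
            s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
            s["clients"].add(rec["client"])
    return {u: s for u, s in stats.items()
            if s["aborted"] and s["aborted"] / s["total"] >= min_ratio}

if __name__ == "__main__":
    for user, s in stalled_users(SAMPLE_LOG).items():
        print(user, s["aborted"], "of", s["total"], sorted(s["clients"]), s["first"], s["last"])
```

The first and last timestamps give the window to compare against the auth helper's diagnostics and the domain controller's logs for that account.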