[squid-users] Squid - AD kerberos auth and Linux Server proxy access not working

Nilesh Gavali nilesh.gavali at tcs.com
Tue Oct 4 13:49:51 UTC 2016


Hi Amos;
Ok, we can discuss the issue in two parts: 1. Windows AD
Authentication & SSO, and 2. Linux server unable to access via squid proxy.

For the first point -
The requirement is to have SSO for accessing the internet via squid proxy and,
based on the user's AD group membership, to allow access to specific sites only. I
believe the current configuration of squid is working as expected.

For the second point -
The point I would like to highlight here is that the Linux server IWCCP01 is not
part of the domain at all. Hence the error below, as squid is configured for
AD_auth. So how can we allow the Linux server or a non-domain machine to access
specific sites?

> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
====================================
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?

YES, we have the entry .bottomline.com, which works fine when accessed via a
Windows machine with the proxy enabled for that user.
==============================
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?

I will test this and update the results.
========================================
> If that works, please list the output of the command:
>   grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

Output of the above command is as below -

[root at Proxy02 ~]# grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
.bottomline.com
[root at Proxy02 ~]#

=======================================

Thanks & Regards
Nilesh Suresh Gavali




 
Message: 2
Date: Wed, 5 Oct 2016 00:11:08 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid - AD kerberos auth and Linux Server proxy access not working
Message-ID: <d35ad0ca-761d-60e3-c594-04697110afdc at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 4/10/2016 11:36 p.m., Antony Stone wrote:
> On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:
> 
>> Hello Antony;
>> I have double checked the current working configuration of my squid.conf
>> and it has the same settings which I posted earlier. Somehow it is working
>> for us.
> 
> I'm not saying the whole thing won't work; I'm saying there is no point in
> having a line "http_access allow ad_auth" following the line "http_access deny
> all".  The ad_auth line can never be invoked.

Not knowing why authentication works is dangerous. You might have been
allowing non-authenticated traffic and invalid user accounts through.

The only reason it does "work" is that the ACL called "USERS" is _not_
actually checking user logins. It is a group checking ACL which requires
authentication to happen before it can be checked.

In this specific case invalid logins cannot be a member of the group. So
they will not get through the proxy.

However, people who accidentally type the user/password wrong, or whose
machines automatically login with an account not a member of the group
will not be allowed any way to try again short of shutting down their
browser or maybe even logging out of the machine and trying from another
one.

That may or may not be a problem for you.

> 
>> below is the error from access.log file.
>>
>> 1475518342.279      0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
>> vseries-test.bottomline.com:443 - NONE/- text/html
> 
> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
> 
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?
> 
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?
> 

If that works, please list the output of the command:
  grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

Amos
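To make the ordering point above concrete, here is an added squid.conf fragment (not the poster's configuration, and not from the Squid project) showing the posted rule order beside a corrected one. It reuses the ACL names from the thread (ad_auth, USERS, IWCCP01, allowedsite) and the sitelist path; the helper paths, Kerberos principal, group name and the source address for IWCCP01 are placeholders.

```conf
# Added example, not the configuration discussed in the thread.
# Helper paths, principal, group and IWCCP01's address are placeholders.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy02.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl ad_auth proxy_auth REQUIRED      # "has this client presented valid credentials?"
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g internet-users@EXAMPLE.INTERNAL
acl USERS external ad_group          # group membership; auth must already have happened

acl IWCCP01 src 10.0.0.103/32        # placeholder address of the non-domain Linux host
acl allowedsite dstdomain "/etc/squid/sitelist/dbs_allowed_site"

## Ordering as posted (problem), kept commented out:
# http_access allow IWCCP01 allowedsite
# http_access allow USERS allowedsite
# http_access deny all
# http_access allow ad_auth          # unreachable: "deny all" matches every request first
# Here USERS is the only rule that triggers the 407 challenge, so a mistyped
# password or an account outside the group is denied with no chance to retry.

## Corrected ordering:
# 1. Match hosts that cannot do Kerberos by address before any authentication
#    ACL is consulted, so they are never challenged with a 407.
http_access allow IWCCP01 allowedsite
http_access deny IWCCP01

# 2. Check credentials explicitly. A request without valid credentials stops
#    here with a 407 challenge; a valid login falls through to the group check.
http_access deny !ad_auth

# 3. Only then evaluate group membership against the destination whitelist.
http_access allow USERS allowedsite
http_access deny all
```

Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, which is why the allow line after "deny all" is dead and why the address-based rules for IWCCP01 must precede any ACL that needs credentials.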

