<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 16.11.2015 14:29, Matej Kotras
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_quote">
          <div dir="ltr"><font color="#444444" face="tahoma, sans-serif">Hi

              guys</font>
            <div><font color="#444444" face="tahoma, sans-serif"><br>
              </font></div>
            <div><font color="#444444" face="tahoma, sans-serif">I've
                managed squid to work with AD, and authorize users based
                on what AD group they are in. I use Squid-Analyzer for
                doing reports from access.log. I've found
                2 anomalies with authorization so far. In access log, I
                see that user is authorized based on his PC name</font><span
style="color:rgb(68,68,68);font-family:tahoma,sans-serif">(not desired)</span><span
style="color:rgb(68,68,68);font-family:tahoma,sans-serif"> and not on
                the user account name. I've just enabled debugging on
                negotiate wrapper, so I will monitor these logs also.</span></div>
            <div><font color="#444444" face="tahoma, sans-serif"><br>
              </font></div>
            <div><font color="#444444" face="tahoma, sans-serif">But in
                the meantime, have you got any idea why could this
                happen ?</font></div>
            <div><font color="#444444" face="tahoma, sans-serif"><br>
              </font></div>
            <div><span
                style="color:rgb(68,68,68);font-family:tahoma,sans-serif"><b>PC

                  NAME AUTH:</b></span><br>
            </div>
            <div><font color="#444444">
                <div>
                  <div>
                    <div><font face="monospace, monospace">1447562119.348

                             0 10.13.34.31 TCP_DENIED/407 3834 CONNECT <a
                          moz-do-not-send="true"
                          href="http://clients2.google.com:443"
                          target="_blank">clients2.google.com:443</a> -
                                    HIER_NONE/- text/html</font></div>
                    <div><font face="monospace, monospace">1447562119.374

                             2 10.13.34.31 TCP_DENIED/407 4094 CONNECT <a
                          moz-do-not-send="true"
                          href="http://clients2.google.com:443"
                          target="_blank">clients2.google.com:443</a> -
                                    HIER_NONE/- text/html</font></div>
                  </div>
                  <div><font face="monospace, monospace">1447562239.350
                      119976 10.13.34.31 TCP_MISS/200   4200 CONNECT <a
                        moz-do-not-send="true"
                        href="http://clients2.google.com:443"
                        target="_blank">clients2.google.com:443</a>
                      icz800639-03$ HIER_DIRECT/<a
                        moz-do-not-send="true"
                        href="http://173.194.116.231" target="_blank">173.194.116.231</a>
                      -</font><br>
                  </div>
                </div>
                <div style="font-family:monospace,monospace"><br>
                </div>
                <div style="font-family:monospace,monospace"><b
                    style="font-family:tahoma,sans-serif">USER NAME
                    AUTH:</b><br>
                </div>
                <div><font face="monospace, monospace">
                    <div>1447562039.176      0 10.13.34.31
                      TCP_DENIED/407 3850 CONNECT <a
                        moz-do-not-send="true"
                        href="http://lyncwebext.inventec.com:443"
                        target="_blank">lyncwebext.inventec.com:443</a>
                      -         HIER_NONE/- text/html</div>
                    <div>1447562039.215     27 10.13.34.31
                      TCP_DENIED/407 4110 CONNECT <a
                        moz-do-not-send="true"
                        href="http://lyncwebext.inventec.com:443"
                        target="_blank">lyncwebext.inventec.com:443</a>
                      -         HIER_NONE/- text/html</div>
                  </font></div>
                <div><font face="monospace, monospace">1447562041.118  
                    2702 10.13.34.31 TCP_MISS/200   6213 CONNECT <a
                      moz-do-not-send="true"
                      href="http://lyncwebext.inventec.com:443"
                      target="_blank">lyncwebext.inventec.com:443</a>
                    icz800639 HIER_DIRECT/<a moz-do-not-send="true"
                      href="http://10.8.100.165" target="_blank">10.8.100.165</a>
                    -</font><br>
                </div>
              </font></div>
          </div>
        </div>
      </div>
    </blockquote>
    <font color="#444444"><font face="monospace, monospace">Doesn't seem
        like you have a working GSS-SPNEGO scheme. Unless you have
        username fields in the log with the realm set, which you didn't post
        here.<br>
        <br>
      </font></font>
    <blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_quote">
          <div dir="ltr">
            <div><font color="#444444">
                <div><font face="monospace, monospace"><br>
                  </font></div>
                <div><font face="monospace, monospace"><br>
                  </font></div>
                <div><span style="font-family:monospace,monospace"><b>Squid.conf</b></span><br>
                </div>
                <div><span style="font-family:monospace,monospace">#########################################</span><br>
                </div>
                <div>
                  <div><font face="monospace, monospace">#<span style="white-space:pre-wrap">     </span>Enable

                      KERBEROS authentication<span style="white-space:pre-wrap">        </span>#</font></div>
                  <div><font face="monospace, monospace">#########################################</font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">auth_param
                      negotiate program /usr/local/bin/negotiate_wrapper
                      -d --ntlm /usr/bin/ntlm_auth --diagnostics
                      --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
                      --kerberos
                      /usr/lib64/squid/negotiate_kerberos_auth -s
                      GSS_C_NO_NAME</font></div>
                  <div><font face="monospace, monospace">auth_param
                      negotiate children 20 startup=0 idle=1</font></div>
                  <div><font face="monospace, monospace">auth_param
                      negotiate keep_alive off</font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">#########################################</font></div>
                  <div><font face="monospace, monospace">#<span style="white-space:pre-wrap">     </span>Enable

                      NTLM authentication<span style="white-space:pre-wrap">    </span>#</font></div>
                  <div><font face="monospace, monospace">#########################################</font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">#auth_param
                      ntlm program /usr/bin/ntlm_auth --diagnostics
                      --helper-protocol=squid-2.5-ntlmssp --domain=ICZ</font></div>
                  <div><font face="monospace, monospace">#auth_param
                      ntlm children 10</font></div>
                  <div><font face="monospace, monospace">#auth_param
                      ntlm keep_alive off</font></div>
                </div>
              </font></div>
          </div>
        </div>
      </div>
    </blockquote>
    <font color="#444444"><font face="monospace, monospace">So you
        disable the explicit NTLM authentication. That's bad. This far
        you only have GSS-SPNEGO failover to NTLM.</font></font><br>
    <blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_quote">
          <div dir="ltr">
            <div><font color="#444444">
                <div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">#########################################</font></div>
                  <div><font face="monospace, monospace"># <span style="white-space:pre-wrap">    </span>ENABLE

                      LDAP AUTH<span style="white-space:pre-wrap">              </span>#</font></div>
                  <div><font face="monospace, monospace">#########################################</font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">auth_param
                      basic program /usr/lib64/squid/basic_ldap_auth -R
                      -b "dc=icz,dc=inventec" -D <a
                        class="moz-txt-link-abbreviated"
                        href="mailto:squid@icz.inventec">squid@icz.inventec</a>
                      -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h
                      icz-dc-1.icz.inventec</font></div>
                  <div><font face="monospace, monospace">auth_param
                      basic children 10</font></div>
                  <div><font face="monospace, monospace">auth_param
                      basic realm Please enter user name to access the
                      internet</font></div>
                  <div><font face="monospace, monospace">auth_param
                      basic credentialsttl 1 hour</font></div>
                </div>
              </font></div>
          </div>
        </div>
      </div>
    </blockquote>
    This is pure basic.<br>
    <blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_quote">
          <div dir="ltr">
            <div><font color="#444444">
                <div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                  <div><font face="monospace, monospace">external_acl_type

                      ldap_group ttl=3600 negative_ttl=0 children-max=50
                      children-startup=10  %LOGIN
                      /usr/lib64/squid/ext_wbinfo_group_acl</font></div>
                  <div><font face="monospace, monospace"><br>
                    </font></div>
                </div>
              </font></div>
          </div>
        </div>
      </div>
    </blockquote>
    The part with http_access is missing, so it's hard to tell why you have
    TCP_MISS for machine accounts.<br>
    <br>
    Eugene.<br>
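    <p>As an added example (not code from either poster or from the Squid project), the script below parses Squid native access.log lines in the format shown in the thread, reports which requests were allowed under a machine account (a username ending in <code>$</code>) rather than a user account, and counts how many usernames carry a realm, which is what Eugene says would indicate the GSS-SPNEGO/Kerberos path is actually working. The six log lines are the ones posted above; the seventh line with <code>jdoe@ICZ.INVENTEC</code> and a 192.0.2.x peer is constructed to show what a realm-qualified username looks like.</p>

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Squid native access.log layout (logformat "squid"):
#   time elapsed remotehost code/status bytes method URL user peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# First six lines are taken from the thread; the last one is constructed.
SAMPLE_LOG = """\
1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200   4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200   6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
1447562300.000    150 10.13.34.32 TCP_MISS/200   5000 CONNECT lyncwebext.inventec.com:443 jdoe@ICZ.INVENTEC HIER_DIRECT/192.0.2.10 -
"""


class Entry(NamedTuple):
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str
    user: str  # "-" when Squid accepted no credentials for this request
    hier: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["code"], int(m["status"]),
                 m["method"], m["url"], m["user"], m["hier"])


def classify_user(user: str) -> str:
    """anonymous: no credentials; machine: AD computer account; user: anything else."""
    if user == "-":
        return "anonymous"
    principal = user.split("@", 1)[0]  # drop a Kerberos realm, if present
    return "machine" if principal.endswith("$") else "user"


def audit(log_text: str) -> Dict[str, object]:
    """Summarise who got through: per-kind counts, machine-account hits, realm usage."""
    counts: Counter = Counter()
    machine_allowed: List[tuple] = []
    with_realm = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            counts["unparsed"] += 1
            continue
        kind = classify_user(e.user)
        counts[kind] += 1
        if kind != "anonymous" and "@" in e.user:
            with_realm += 1
        # A 407 is the challenge; anything else under a machine account means
        # the request was actually served with the computer's credentials.
        if kind == "machine" and e.status != 407:
            machine_allowed.append((e.client, e.user, e.url))
    return {"counts": dict(counts), "machine_allowed": machine_allowed,
            "with_realm": with_realm}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("counts:", result["counts"])
    print("usernames with realm:", result["with_realm"])
    for client, user, url in result["machine_allowed"]:
        print(f"machine account served: {client} {user} -> {url}")
```

<p>Run it over a real access.log (same native format) and a non-empty <code>machine_allowed</code> list tells you which clients are being authorised on their computer account via the NTLM fallback; a <code>with_realm</code> count of zero across a busy log is the symptom Eugene points at, since a working Kerberos path logs realm-qualified names.</p>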
  </body>
</html>