<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 16.11.2015 14:29, Matej Kotras
wrote:<br>
</div>
<blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr"><font color="#444444" face="tahoma, sans-serif">Hi
guys</font>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><font color="#444444" face="tahoma, sans-serif">I've
managed to get squid to work with AD, and authorize users based
on what AD group they are in. I use Squid-Analyzer for
doing reports from access.log. I've found
2 anomalies with authorization so far. In the access log, I
see that the user is authorized based on his PC name</font><span
style="color:rgb(68,68,68);font-family:tahoma,sans-serif"> (not desired)</span><span
style="color:rgb(68,68,68);font-family:tahoma,sans-serif"> and not on
the user account name. I've just enabled debugging on the
negotiate wrapper, so I will monitor these logs also.</span></div>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><font color="#444444" face="tahoma, sans-serif">But in
the meantime, have you got any idea why this could
happen?</font></div>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><span
style="color:rgb(68,68,68);font-family:tahoma,sans-serif"><b>PC
NAME AUTH:</b></span><br>
</div>
<div><font color="#444444">
<div>
<div>
<div><font face="monospace, monospace">1447562119.348
0 10.13.34.31 TCP_DENIED/407 3834 CONNECT <a
moz-do-not-send="true"
href="http://clients2.google.com:443"
target="_blank">clients2.google.com:443</a> -
HIER_NONE/- text/html</font></div>
<div><font face="monospace, monospace">1447562119.374
2 10.13.34.31 TCP_DENIED/407 4094 CONNECT <a
moz-do-not-send="true"
href="http://clients2.google.com:443"
target="_blank">clients2.google.com:443</a> -
HIER_NONE/- text/html</font></div>
</div>
<div><font face="monospace, monospace">1447562239.350
119976 10.13.34.31 TCP_MISS/200 4200 CONNECT <a
moz-do-not-send="true"
href="http://clients2.google.com:443"
target="_blank">clients2.google.com:443</a>
icz800639-03$ HIER_DIRECT/<a
moz-do-not-send="true"
href="http://173.194.116.231" target="_blank">173.194.116.231</a>
-</font><br>
</div>
</div>
<div style="font-family:monospace,monospace"><br>
</div>
<div style="font-family:monospace,monospace"><b
style="font-family:tahoma,sans-serif">USER NAME
AUTH:</b><br>
</div>
<div><font face="monospace, monospace">
<div>1447562039.176 0 10.13.34.31
TCP_DENIED/407 3850 CONNECT <a
moz-do-not-send="true"
href="http://lyncwebext.inventec.com:443"
target="_blank">lyncwebext.inventec.com:443</a>
- HIER_NONE/- text/html</div>
<div>1447562039.215 27 10.13.34.31
TCP_DENIED/407 4110 CONNECT <a
moz-do-not-send="true"
href="http://lyncwebext.inventec.com:443"
target="_blank">lyncwebext.inventec.com:443</a>
- HIER_NONE/- text/html</div>
</font></div>
<div><font face="monospace, monospace">1447562041.118
2702 10.13.34.31 TCP_MISS/200 6213 CONNECT <a
moz-do-not-send="true"
href="http://lyncwebext.inventec.com:443"
target="_blank">lyncwebext.inventec.com:443</a>
icz800639 HIER_DIRECT/<a moz-do-not-send="true"
href="http://10.8.100.165" target="_blank">10.8.100.165</a>
-</font><br>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
<font color="#444444"><font face="monospace, monospace">Doesn't seem
like you have a working GSS-SPNEGO scheme, unless you have
username fields in the log with realm set, which you didn't post
here.<br>
<br>
</font></font>
<blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><span style="font-family:monospace,monospace"><b>Squid.conf</b></span><br>
</div>
<div><span style="font-family:monospace,monospace">#########################################</span><br>
</div>
<div>
<div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable
KERBEROS authentication<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">auth_param
negotiate program /usr/local/bin/negotiate_wrapper
-d --ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ
--kerberos
/usr/lib64/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME</font></div>
<div><font face="monospace, monospace">auth_param
negotiate children 20 startup=0 idle=1</font></div>
<div><font face="monospace, monospace">auth_param
negotiate keep_alive off</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable
NTLM authentication<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm children 10</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm keep_alive off</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
<font color="#444444"><font face="monospace, monospace">So you
disabled explicit NTLM authentication. That's bad. So far
you only have GSS-SPNEGO failover to NTLM.</font></font><br>
<blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"># <span style="white-space:pre-wrap"> </span>ENABLE
LDAP AUTH<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">auth_param
basic program /usr/lib64/squid/basic_ldap_auth -R
-b "dc=icz,dc=inventec" -D <a
class="moz-txt-link-abbreviated"
href="mailto:squid@icz.inventec">squid@icz.inventec</a>
-W /etc/squid/ldappass.txt -f sAMAccountName=%s -h
icz-dc-1.icz.inventec</font></div>
<div><font face="monospace, monospace">auth_param
basic children 10</font></div>
<div><font face="monospace, monospace">auth_param
basic realm Please enter user name to access the
internet</font></div>
<div><font face="monospace, monospace">auth_param
basic credentialsttl 1 hour</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
This is pure basic.<br>
<blockquote
cite="mid:CAO_BajSb5MYAA8ZEiAU1W-TTcFnu67sqPm3UrK6+ZLpRbP2K=g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">external_acl_type
ldap_group ttl=3600 negative_ttl=0 children-max=50
children-startup=10 %LOGIN
/usr/lib64/squid/ext_wbinfo_group_acl</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
The part with http_access is missing, so it's hard to tell why you have
TCP_MISS for machine accounts.<br>
<br>
Eugene.<br>
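<br>
The check below is an added example, not code from either poster: a small Python audit over Squid's native access.log format that separates 407 challenges from served requests and classifies the username field the way the thread discusses it. An AD computer account is logged with a trailing <code>$</code> (the <code>icz800639-03$</code> line above), a Kerberos/GSS-SPNEGO login normally carries a realm (<code>user@REALM</code>), and a bare short name is what an NTLM fallback leaves behind. The sample lines are constructed from the ones quoted in the thread plus one invented <code>user@REALM</code> entry (<code>jdoe@ICZ.INVENTEC</code>, <code>example.invalid</code>, <code>192.0.2.10</code>); running it over a real access.log tells you which traffic a per-user report such as Squid-Analyzer would attribute to a PC name instead of a person.<br>

```python
from collections import Counter, namedtuple

# Constructed sample, modelled on the access.log lines quoted in the thread.
# The last line (jdoe@ICZ.INVENTEC, example.invalid, 192.0.2.10) is invented
# to show what a realm-qualified Kerberos login would look like.
SAMPLE_LOG = """\
1447562119.348      0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562119.374      2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html
1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
1447562039.176      0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562039.215     27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html
1447562041.118   2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
1447562050.001    310 10.13.34.31 TCP_MISS/200 5120 CONNECT example.invalid:443 jdoe@ICZ.INVENTEC HIER_DIRECT/192.0.2.10 -
"""

# Squid native log format: time elapsed client code/status bytes method URL user hierarchy/peer type
LogEntry = namedtuple("LogEntry", "ts elapsed client status bytes method url user hier mime")


def parse_native_line(line):
    """Parse one line of Squid's native access.log format (10 whitespace-separated fields).
    Returns None for blank or malformed lines instead of raising."""
    fields = line.split()
    if len(fields) != 10:
        return None
    return LogEntry(*fields)


def classify_user(user):
    """Classify the username field of an access.log entry.

    'anonymous'  - '-': no credentials on this request (typical of the 407 challenge)
    'machine'    - sAMAccountName ending in '$', i.e. an AD computer account
    'user_realm' - user@REALM, what a Kerberos (GSS-SPNEGO) login normally logs
    'user_short' - bare short name, what an NTLM fallback normally logs
    """
    if user == "-":
        return "anonymous"
    name = user.split("@", 1)[0]
    if name.endswith("$"):
        return "machine"
    if "@" in user:
        return "user_realm"
    return "user_short"


def audit(log_text):
    """Summarise who actually got authenticated in a chunk of access.log.

    Returns (counts, machine_hits). counts is a Counter over the classes above
    for served (non-407) requests plus a 'challenge_407' bucket; machine_hits
    lists (client, user, url) for requests served under a computer account,
    which is exactly what shows up as a 'PC name' in a per-user report.
    """
    counts = Counter()
    machine_hits = []
    for raw in log_text.splitlines():
        entry = parse_native_line(raw)
        if entry is None:
            continue
        # status looks like TCP_DENIED/407 or TCP_MISS/200; the 407 is the
        # challenge itself, not an authenticated request, so count it apart
        code = entry.status.rsplit("/", 1)[-1]
        if code == "407":
            counts["challenge_407"] += 1
            continue
        kind = classify_user(entry.user)
        counts[kind] += 1
        if kind == "machine":
            machine_hits.append((entry.client, entry.user, entry.url))
    return counts, machine_hits


if __name__ == "__main__":
    counts, hits = audit(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:14s} {n}")
    for client, user, url in hits:
        print(f"machine account {user} from {client} served for {url}")
```

On real data, feed the output of something like <code>tail -n 10000 /var/log/squid/access.log</code> to <code>audit()</code>; a non-empty <code>machine_hits</code> list with no <code>user_realm</code> entries at all is the pattern Eugene describes, where the negotiate helper is handing out NTLM-style names and some sessions are being authenticated by the workstation's own account rather than the logged-on user.<br>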
</body>
</html>