<div dir="ltr">Thank you for your response, as this is my first try with Squid, and I am fairly new to Linux.<div>I do not understand at all the differences between basic/ntlm/gss-spnego auths, so I will do my homework and read about them. I've managed to get this working after a few weeks of the "trial and error" method (I know, I know, but I gotta start somewhere, right) following multiple guides.</div><div><br></div><div>The commented lines are not supposed to be here, sorry. I've been testing log outputs and functionality of auth helpers when commenting some. I attach my squid.conf to this email.</div><div><br></div><div>Thank you</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 16, 2015 at 3:19 PM, Eugene M. Zheganin <span dir="ltr"><<a href="mailto:emz@norma.perm.ru" target="_blank">emz@norma.perm.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 16.11.2015 14:29, Matej Kotras
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr"><font color="#444444" face="tahoma, sans-serif">Hi
guys</font>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><font color="#444444" face="tahoma, sans-serif">I've
managed squid to work with AD, and authorize users based
on what AD group they are in. I use Squid-Analyzer for
doing reports from access.log. I've found
2 anomalies with authorization so far. In access log, I
see that user is authorized based on his PC name</font><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif">(not desired)</span><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif"> and not on
the user account name. I've just enabled debugging on
negotiate wrapper, so I will monitor these logs also.</span></div>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><font color="#444444" face="tahoma, sans-serif">But in
the meantime, have you got any idea why could this
happen ?</font></div>
<div><font color="#444444" face="tahoma, sans-serif"><br>
</font></div>
<div><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif"><b>PC
NAME AUTH:</b></span><br>
</div>
<div><font color="#444444">
<div>
<div>
<div><font face="monospace, monospace">1447562119.348
0 10.13.34.31 TCP_DENIED/407 3834 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a> -
HIER_NONE/- text/html</font></div>
<div><font face="monospace, monospace">1447562119.374
2 10.13.34.31 TCP_DENIED/407 4094 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a> -
HIER_NONE/- text/html</font></div>
</div>
<div><font face="monospace, monospace">1447562239.350
119976 10.13.34.31 TCP_MISS/200 4200 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a>
icz800639-03$ HIER_DIRECT/<a href="http://173.194.116.231" target="_blank">173.194.116.231</a>
-</font><br>
</div>
</div>
<div style="font-family:monospace,monospace"><br>
</div>
<div style="font-family:monospace,monospace"><b style="font-family:tahoma,sans-serif">USER NAME
AUTH:</b><br>
</div>
<div><font face="monospace, monospace">
<div>1447562039.176 0 10.13.34.31
TCP_DENIED/407 3850 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a>
- HIER_NONE/- text/html</div>
<div>1447562039.215 27 10.13.34.31
TCP_DENIED/407 4110 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a>
- HIER_NONE/- text/html</div>
</font></div>
<div><font face="monospace, monospace">1447562041.118
2702 10.13.34.31 TCP_MISS/200 6213 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a>
icz800639 HIER_DIRECT/<a href="http://10.8.100.165" target="_blank">10.8.100.165</a>
-</font><br>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
</span><font color="#444444"><font face="monospace, monospace">Doesn't seem
like you have a working GSS-SPNEGO scheme. Unless you have
username fields in the log with the realm set, which you didn't post
here.<br>
<br>
</font></font><span class="">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><span style="font-family:monospace,monospace"><b>Squid.conf</b></span><br>
</div>
<div><span style="font-family:monospace,monospace">#########################################</span><br>
</div>
<div>
<div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable
KERBEROS authentication<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">auth_param
negotiate program /usr/local/bin/negotiate_wrapper
-d --ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ
--kerberos
/usr/lib64/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME</font></div>
<div><font face="monospace, monospace">auth_param
negotiate children 20 startup=0 idle=1</font></div>
<div><font face="monospace, monospace">auth_param
negotiate keep_alive off</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable
NTLM authentication<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=ICZ</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm children 10</font></div>
<div><font face="monospace, monospace">#auth_param
ntlm keep_alive off</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote>
</span><font color="#444444"><font face="monospace, monospace">So you
disable the explicit NTLM authentication. That's bad. So far
you only have GSS-SPNEGO failover to NTLM.</font></font><span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"># <span style="white-space:pre-wrap"> </span>ENABLE
LDAP AUTH<span style="white-space:pre-wrap"> </span>#</font></div>
<div><font face="monospace, monospace">#########################################</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">auth_param
basic program /usr/lib64/squid/basic_ldap_auth -R
-b "dc=icz,dc=inventec" -D <a href="mailto:squid@icz.inventec" target="_blank"></a><a href="mailto:squid@icz.inventec" target="_blank">squid@icz.inventec</a>
-W /etc/squid/ldappass.txt -f sAMAccountName=%s -h
icz-dc-1.icz.inventec</font></div>
<div><font face="monospace, monospace">auth_param
basic children 10</font></div>
<div><font face="monospace, monospace">auth_param
basic realm Please enter user name to access the
internet</font></div>
<div><font face="monospace, monospace">auth_param
basic credentialsttl 1 hour</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote></span>
This is pure basic.<span class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">
<div><font color="#444444">
<div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">external_acl_type
ldap_group ttl=3600 negative_ttl=0 children-max=50
children-startup=10 %LOGIN
/usr/lib64/squid/ext_wbinfo_group_acl</font></div>
<div><font face="monospace, monospace"><br>
</font></div>
</div>
</font></div>
</div>
</div>
</div>
</blockquote></span>
The part with http_access is missing, so it's hard to tell why you have
TCP_MISS for machine accounts.<span class="HOEnZb"><font color="#888888"><br>
<br>
Eugene.<br>
</font></span></div>
<br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div>
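<div dir="ltr"><br>A small classifier for the access.log lines quoted in this thread, added here as an example; it is not Squid's code and not from either poster. It parses the default native log format the posted lines use and buckets the user field the way Eugene's reply distinguishes the cases: "-" for the 407 challenge rounds, a trailing "$" for an AD computer account (the "PC NAME AUTH" anomaly), a "user@REALM" form for a working Kerberos login, and a bare name for NTLM or basic auth. Those bucketing rules, the function names, and the "@EXAMPLE.REALM" value used in comments are assumptions made for the example; the six sample lines are the ones quoted above, re-spaced.</div>

```python
"""Classify the username field of Squid native access.log lines.

Added example for the squid-users thread above (not Squid's code, not
from either poster). Parses the default native log format that the
quoted lines use; the classification rules are assumptions stated in
the comments, not behaviour the thread itself confirms.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Default Squid native access.log line (assumed layout, matches the quoted lines):
#   timestamp elapsed client code/status bytes method URL user hierarchy/peer mimetype
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    code: str
    status: int
    url: str
    user: str
    kind: str  # "none", "machine", "kerberos", "plain"


def classify_user(user: str) -> str:
    """Bucket the log's user field.

    Assumed conventions (taken from the thread, not verified against Squid):
    - "-"            : no credentials accepted yet (the 407 challenge rounds)
    - trailing "$"   : an AD computer account, i.e. the PC authenticated, not the person
    - contains "@"   : user@REALM, e.g. someone@EXAMPLE.REALM, what a Kerberos login logs
    - anything else  : a bare account name, typical of NTLM or basic LDAP auth
    """
    if user == "-":
        return "none"
    if user.endswith("$"):
        return "machine"
    if "@" in user:
        return "kerberos"
    return "plain"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    user = m.group("user")
    return Entry(
        ts=float(m.group("ts")),
        client=m.group("client"),
        code=m.group("code"),
        status=int(m.group("status")),
        url=m.group("url"),
        user=user,
        kind=classify_user(user),
    )


def summarize(lines: List[str]) -> Counter:
    """Count parsed entries per user-field kind (unparseable lines are skipped)."""
    return Counter(e.kind for e in map(parse_line, lines) if e is not None)


def machine_account_hits(lines: List[str]) -> List[Entry]:
    """Requests let through (status below 400) on a machine-account identity.

    These are the 'PC NAME AUTH' entries the original poster flagged: the
    report attributes traffic to a computer, so per-user reporting and
    per-group ACLs are operating on the wrong principal.
    """
    return [
        e for e in map(parse_line, lines)
        if e is not None and e.kind == "machine" and e.status < 400
    ]


# The six lines quoted in the thread, re-spaced to single spaces.
SAMPLE_LOG = [
    "1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT clients2.google.com:443 - HIER_NONE/- text/html",
    "1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT clients2.google.com:443 - HIER_NONE/- text/html",
    "1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -",
    "1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html",
    "1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT lyncwebext.inventec.com:443 - HIER_NONE/- text/html",
    "1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for e in machine_account_hits(SAMPLE_LOG):
        print(f"{e.ts:.0f} {e.client} {e.user} {e.url}")
```

<div dir="ltr">Run against the quoted lines it reports four challenge rounds, one plain-name login and one machine-account login, and lists only the 200 on clients2.google.com:443 as a machine-account hit. Seeing no "kerberos" bucket at all is the same observation Eugene makes from the raw lines: nothing in the log carries a realm, so the Kerberos leg of the negotiate helper is not the one producing these entries.</div>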