<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><font face="tahoma, sans-serif" color="#444444">Hi guys</font><div><font face="tahoma, sans-serif" color="#444444"><br></font></div><div><font color="#444444" face="tahoma, sans-serif">I've managed squid to work with AD, and authorize users based on what AD group they are in. I use Squid-Analyzer for doing reports from access.log. I've found 2 anomalies with authorization so far. In access log, I see that user is authorized based on his PC name</font><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif">(not desired)</span><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif"> and not on the user account name. I've just enabled debugging on negotiate wrapper, so I will monitor these logs also.</span></div><div><font color="#444444" face="tahoma, sans-serif"><br></font></div><div><font color="#444444" face="tahoma, sans-serif">But in the meantime, have you got any idea why could this happen ?</font></div><div><font face="tahoma, sans-serif" color="#444444"><br></font></div><div><span style="color:rgb(68,68,68);font-family:tahoma,sans-serif"><b>PC NAME AUTH:</b></span><br></div><div><font color="#444444"><div><div><div><font face="monospace, monospace">1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a> - HIER_NONE/- text/html</font></div><div><font face="monospace, monospace">1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a> - HIER_NONE/- text/html</font></div></div><div><font face="monospace, monospace">1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT <a href="http://clients2.google.com:443" target="_blank">clients2.google.com:443</a> icz800639-03$ HIER_DIRECT/<a href="http://173.194.116.231" target="_blank">173.194.116.231</a> -</font><br></div></div><div style="font-family:monospace,monospace"><br></div><div style="font-family:monospace,monospace"><b style="font-family:tahoma,sans-serif">USER NAME AUTH:</b><br></div><div><font face="monospace, monospace"><div>1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a> - HIER_NONE/- text/html</div><div>1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a> - HIER_NONE/- text/html</div></font></div><div><font face="monospace, monospace">1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT <a href="http://lyncwebext.inventec.com:443" target="_blank">lyncwebext.inventec.com:443</a> icz800639 HIER_DIRECT/<a href="http://10.8.100.165" target="_blank">10.8.100.165</a> -</font><br></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><span style="font-family:monospace,monospace"><b>Squid.conf</b></span><br></div><div><span style="font-family:monospace,monospace">#########################################</span><br></div><div><div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable KERBEROS authentication<span style="white-space:pre-wrap"> </span>#</font></div><div><font face="monospace, monospace">#########################################</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME</font></div><div><font face="monospace, monospace">auth_param negotiate children 20 startup=0 idle=1</font></div><div><font face="monospace, monospace">auth_param negotiate keep_alive off</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">#########################################</font></div><div><font face="monospace, monospace">#<span style="white-space:pre-wrap"> </span>Enable NTLM authentication<span style="white-space:pre-wrap"> </span>#</font></div><div><font face="monospace, monospace">#########################################</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ICZ</font></div><div><font face="monospace, monospace">#auth_param ntlm children 10</font></div><div><font face="monospace, monospace">#auth_param ntlm keep_alive off</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">#########################################</font></div><div><font face="monospace, monospace"># <span style="white-space:pre-wrap"> </span>ENABLE LDAP AUTH<span style="white-space:pre-wrap"> </span>#</font></div><div><font face="monospace, monospace">#########################################</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=icz,dc=inventec" -D squid@icz.inventec -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec</font></div><div><font face="monospace, monospace">auth_param basic children 10</font></div><div><font face="monospace, monospace">auth_param basic realm Please enter user name to access the internet</font></div><div><font face="monospace, monospace">auth_param basic credentialsttl 1 hour</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50 children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="tahoma, sans-serif">Thank you</font></div></div></font></div></div>
</div><br></div>