<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hello everyone </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I'm a newbie regarding SQUID and in general on Linux. </p><p class=MsoNormal>I have an Active Directory environment (Windows Server 2012 R2) and a Linux Debian 8 Jessie configured in the same network. </p><p class=MsoNormal>My goal is to install SQUID on Debian, integrate with Active Directory using Kerberos and autohise users to use SQUID based on Active Directory asecurity group membership lookup. </p><p class=MsoNormal>Long story short, I followed the instructions here </p><p class=MsoNormal>http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#Configure_Squid</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>My test environment:<o:p></o:p></b></p><p class=MsoNormal>Active Directory domain: KIDANEMEHRET.LOCAL </p><p class=MsoNormal>test user: KIDANEMEHRET\test-full </p><p class=MsoNormal>Security groups which is member of: "Internet Users Full", "Internet Users Standard" </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Test done<o:p></o:p></b></p><p class=MsoNormal>After having properly configured my test client (Windows 7 joined to the domain), logged on with the test user KIDANEMEHRET\test-full, configured internet explorer to use the proxy, what I get everytime I try to browse the internet is a SQUID page telling me Access Denied. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Quick Analisys<o:p></o:p></b></p><p class=MsoNormal>Having a look at access.log and cache.log (see attached), I understand that user is properly authenticated (I see KIDANEMEHRET\test-full properly written in each log). </p><p class=MsoNormal>For this reason I suspect the problem is in the authorisation part. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I try then to run from terminal the program used in SQUID.CONF to check authorisation (based on the wiki too); note that I'm running with sudo otherwise with standard use I get no access to password file: </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>sudo /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "dc=kidanemehret,dc=local" -D squid@kidanemehret.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,ou=Service Accounts,ou=USR,dc=kidanemehret,dc=local))" -h domcon.kidanemehret.local test-full Internet%20Users%20Full </p><p class=MsoNormal>Do not get any result: waiting for minutes... </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Try to use KIDANEMEHRET\test-full instead of test-full without success. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Most likely the problem is here. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Do you have any suggestion on how to proceed next? </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=IT>Here you can find ACCESS.LOG, CACHE.LOG, KRB5.CONF and SQUID.CONF<o:p></o:p></span></p><p class=MsoNormal><span lang=IT><o:p> </o:p></span></p><p class=MsoNormal><a href="http://1drv.ms/1nHDRXH"><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>http://1drv.ms/1nHDRXH</span></a><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal><span lang=IT style='font-size:12.0pt;font-family:"Times New Roman",serif'>Thanks in advance</span><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div></body></html>