<div dir="ltr"><p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black">Dear all,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">I have the following setup :<u></u><u></u></span></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"># ../sbin/squid -v /usr/local/squid/etc<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">Squid Cache: Version 5.0.0-VCS<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">Service Name: squid<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">configure options: '--with-logdir=/var/log/squid' '--enable-auth-basic=LDAP,PAM,SMB,RADIUS' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-digest=LDAP,eDirectory' '--with-default-user=proxy'<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"># /usr/local/squid/etc<u></u><u></u></span></i></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">I
have a huge range in terms of network, but awkwardly, the
authentication/ACL and everything works well in one given subnet but not
on the others. The
users in the other subnets are not able to surf the internet, and this
without any specific logs from the proxy side ( the most significant
part of the config could be seen below). Any request from these users
just times out. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">#debug_options 29,9<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">#dns_nameservers 192.168.0.9 192.168.0.4<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">#connect_timeout 1 minute<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">debug_options ALL,9 11,3 20,3<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">### negotiate kerberos and ntlm authentication<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm /usr/local/samba/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=BCM --kerberos /usr/local/squid/libexec/ext_kerberos_sid_group_acl -d -s GSS_C_NO_NAME<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param negotiate children 60<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param negotiate keep_alive off<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">### pure ntlm authentication<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param ntlm program /usr/local/samba/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=KATANA<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param ntlm children 60<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param ntlm keep_alive off<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"># warning: basic authentication sends passwords plaintext<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"># a network sniffer can and will discover passwords<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic children 60<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic credentialsttl 4 hours<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">##<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=KATANA,dc=LOCAL" -D simpleuser@katana.local -W /usr/local/squid/etc/pass.txt
-f sAMAccountName=%s -h 192.168.111.4<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic children 60<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic realm Banky Foibe<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">auth_param basic credentialsttl 1 minute<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">acl local0 dst <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a><u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">acl local1 dst <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">http_access allow local0 all<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">http_access allow local1 all<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">cache deny local1<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">cache deny local0<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">redirector_access deny local0<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">redirector_access deny local1<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US"><u></u> <u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">http_access deny !auth<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">http_access allow auth<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">#http_access deny all<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">http_port 8080</span></i><i><span style="font-family:"Courier New";color:black" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">I can’t really understand the issue, from the affected networks:<u></u><u></u></span></p>
<p class="gmail-m_4079294827417114915MsoListParagraph"><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">-<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">The user is able to ping the proxy and access its port 8080 (through telnet / netcat)
<u></u><u></u></span></p>
<p class="gmail-m_4079294827417114915MsoListParagraph"><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">-<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">The request is able to reach the proxy but the in the access_log the
</span><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">“user”
</span></i><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">is missing
<u></u><u></u></span></p>
<p class="MsoNormal"><i><span style="font-family:"Courier New";color:black;background:silver" lang="EN-US">1563455060.396 1 192.168.230.195 TCP_DENIED/407 4714 GET <a href="http://api.bing.com/qsml.aspx" target="_blank">http://api.bing.com/qsml.aspx</a>? - HIER_NONE/- text/html<u></u><u></u></span></i></p>
<p class="gmail-m_4079294827417114915MsoListParagraph"><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">-<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><u></u><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">TCP_DENIED/407,
requesting the user to go through the authentication phase is presented
by the proxy to the user’s browser but nothing happens.
I thought that if the timer set to Kerberos, NTLM expires, a pop up
should appear but nothing (from wireshark)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)" lang="EN-US">GET <a href="http://www.bing.com/favicon.ico" target="_blank">http://www.bing.com/favicon.ico</a> HTTP/1.1</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)">Accept: */*</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)">UA-CPU: AMD64</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)">Accept-Encoding: gzip, deflate</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)" lang="EN-US">User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)">Host: <a href="http://www.bing.com" target="_blank">www.bing.com</a></span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0);background:rgb(251,237,237)">Proxy-Connection: Keep-Alive</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(127,0,0)"><u></u> <u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">HTTP/1.1 407 Proxy Authentication Required</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Server: squid/5.0.0-VCS</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Mime-Version: 1.0</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Date: Thu, 18 Jul 2019 10:01:53 GMT</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Content-Type: text/html;charset=utf-8</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Content-Length: 3733</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">Vary: Accept-Language</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">Content-Language: en</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">Proxy-Authenticate: Negotiate</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">Proxy-Authenticate: NTLM</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">Proxy-Authenticate: Basic realm="KATANA - PERIMETER"</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)" lang="EN-US">X-Cache: MISS from katana_proxy</span></i><i><span style="font-family:"Courier New"" lang="EN-US"><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Via: 1.1 lichtquanta (squid/5.0.0-VCS)</span></i><i><span style="font-family:"Courier New""><u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><i><span style="font-family:"Courier New";color:rgb(0,0,127);background:rgb(237,237,251)">Connection: close<u></u><u></u></span></i></p>
<p class="MsoNormal" style="margin-left:18pt"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US"><u></u> <u></u></span></p>
<p class="gmail-m_4079294827417114915MsoListParagraph"><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">-<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span style="font-size:13pt;font-family:Garamond,serif;color:black" lang="EN-US">On
cache.log there is nothing that could mean something, just a bunch of
ARP error. Tried to debug the section 29 for authentication … but
nothing.
Checked the IE internet options, just in case the windows
authentication profile is no ticked … but it is there.</span></p><p class="gmail-m_4079294827417114915MsoListParagraph">I am lost so any help would really be appreciated.</p></div>