[squid-users] Squid + AD + Kerb auth question

Markus Moeller huaraz at moeller.plus.com
Wed Mar 18 23:46:42 UTC 2015


Hi Joao

Then you hit

http_access allow localnet


and not

http_access allow ad_auth

Comment out the following line in squid.conf 

http_access allow localnet


and try again.

Markus

From: Joao Paulo Monticelli Gaspar 
Sent: Wednesday, March 18, 2015 11:38 PM
To: Markus Moeller 
Subject: Re: [squid-users] Squid + AD + Kerb auth question

yes, I'm using localnet, this is a virtual test lab enviorment, here are some log entries 

1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 -
1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 -
1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

when I looked at the access.log manual pages I saw that if squid cant get user info, he uses the - sign on the access, and we can see it there, but why he cant get the user info?


2015-03-18 20:20 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

  Hi,

    From which network do you surf ?  From localnet ? 

    Can you send sample log entries ?

  Markus

  From: Joao Paulo Monticelli Gaspar 
  Sent: Wednesday, March 18, 2015 9:18 PM
  To: Markus Moeller 
  Subject: Re: [squid-users] Squid + AD + Kerb auth question

  squid.conf 

  visible_hostname proxy.joznet.local

  auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
  auth_param negotiate children 10
  auth_param negotiate keep_alive on
  auth_param basic credentialsttl 2 hours

  acl ad_auth proxy_auth REQUIRED

  acl manager proto cache_object
  acl localhost src 127.0.0.1/32 ::1
  acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

  acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
  acl localnet src fc00::/7       # RFC 4193 local private network range
  acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT

  http_access allow manager localhost
  http_access deny manager

  http_access deny !Safe_ports


  http_access deny CONNECT !SSL_ports


  http_access allow localnet

  http_access allow localhost
  http_access allow ad_auth
  http_access deny all


  http_port 3128

  hierarchy_stoplist cgi-bin ?


  coredump_dir /var/spool/squid


  refresh_pattern ^ftp: 1440 20% 10080

  refresh_pattern ^gopher: 1440 0% 1440
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  refresh_pattern . 0 20% 4320

  ****************************************************************************************
  krb5.conf

  [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
  default_realm = JOZNET.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

  ; for Windows 2008 with AES

  ;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  ;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  ;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

  ; for MIT/Heimdal kdc no need to restrict encryption type

  [realms]
  JOZNET.LOCAL = {
    kdc = srvjoznt.joznet.local:88
    admin_server = srvjoznt.joznet.local:749
    default_domain = joznet.local 
  }

  [domain_realm]
  .joznet.local= JOZNET.LOCAL
  joznet.local= JOZNET.LOCAL

  [pam]
  debuf = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false


  2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

    How does the config file look like ?  

    Markus

    "Joao Paulo Monticelli Gaspar" <jaumshock at gmail.com> wrote in message news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg at mail.gmail.com...
    Hey people 

    I have a doubt and couldn't find the answer anywhere yet, I'm using SQUID integrate to a W2K8 AD server with kerb auth, and everything works fine, the main reason of chosing this setup is for the SingleSignOn capabilities of the configuration, but on my ACCESS.LOG I cant see the users that are visitating the sites...

    is possible to show that info with this setup, or by any other setup use maintain the SOO?

    Thx in advance.

----------------------------------------------------------------------------
    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users


    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users




  _______________________________________________
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150318/4dc37201/attachment-0001.html>


More information about the squid-users mailing list