[squid-users] Fwd: NTLM LDAP authentication problem
Matej Kotras
matejkotras at gmail.com
Mon Nov 16 14:51:23 UTC 2015
Thank you for your response, as this is my first try with Squid, and fairly
newb in Linux.
I do not understand at all differences between basic/ntlm/gss-spnego auths
so I will do my homework and read about them. I've managed to get this
working after few weeks of "trial and error" method (I know, I know, but I
gotta start somewhere rite) following multiple guides.
The commented lines are not supposed to be here, sorry. I've been testing
log outputs and functionality of auth helpers when commenting some. I
attach my squid.conf in email.
Thank you
On Mon, Nov 16, 2015 at 3:19 PM, Eugene M. Zheganin <emz at norma.perm.ru>
wrote:
> On 16.11.2015 14:29, Matej Kotras wrote:
>
> Hi guys
>
> I've managed squid to work with AD, and authorize users based on what AD
> group they are in. I use Squid-Analyzer for doing reports from access.log.
> I've found 2 anomalies with authorization so far. In access log, I see that
> user is authorized based on his PC name(not desired) and not on the user
> account name. I've just enabled debugging on negotiate wrapper, so I will
> monitor these logs also.
>
> But in the meantime, have you got any idea why could this happen ?
>
> *PC NAME AUTH:*
> 1447562119.348 0 10.13.34.31 TCP_DENIED/407 3834 CONNECT
> clients2.google.com:443 - HIER_NONE/- text/html
> 1447562119.374 2 10.13.34.31 TCP_DENIED/407 4094 CONNECT
> clients2.google.com:443 - HIER_NONE/- text/html
> 1447562239.350 119976 10.13.34.31 TCP_MISS/200 4200 CONNECT
> clients2.google.com:443 icz800639-03$ HIER_DIRECT/173.194.116.231 -
>
> *USER NAME AUTH:*
> 1447562039.176 0 10.13.34.31 TCP_DENIED/407 3850 CONNECT
> lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562039.215 27 10.13.34.31 TCP_DENIED/407 4110 CONNECT
> lyncwebext.inventec.com:443 - HIER_NONE/- text/html
> 1447562041.118 2702 10.13.34.31 TCP_MISS/200 6213 CONNECT
> lyncwebext.inventec.com:443 icz800639 HIER_DIRECT/10.8.100.165 -
>
> Does't seem like you have working GSS-SPNEGO scheme. Unless you have
> username fields in log with realm set which yyou didn't post here.
>
>
>
> *Squid.conf*
> #########################################
> # Enable KERBEROS authentication #
> #########################################
>
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=ICZ --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s
> GSS_C_NO_NAME
> auth_param negotiate children 20 startup=0 idle=1
> auth_param negotiate keep_alive off
>
>
> #########################################
> # Enable NTLM authentication #
> #########################################
>
> #auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ICZ
> #auth_param ntlm children 10
> #auth_param ntlm keep_alive off
>
> So you disable the explicit NTLM authentication. That's bad. This far you
> only have GSS-SPNEGO failover to NTLM.
>
>
>
> #########################################
> # ENABLE LDAP AUTH #
> #########################################
>
> auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
> "dc=icz,dc=inventec" -D <squid at icz.inventec>squid at icz.inventec -W
> /etc/squid/ldappass.txt -f sAMAccountName=%s -h icz-dc-1.icz.inventec
> auth_param basic children 10
> auth_param basic realm Please enter user name to access the internet
> auth_param basic credentialsttl 1 hour
>
> This is pure basic.
>
>
> external_acl_type ldap_group ttl=3600 negative_ttl=0 children-max=50
> children-startup=10 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
>
> The part with http_access is missing, it's hard to tell why you have
> TCP_MISS for machine accounts.
>
> Eugene.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151116/6532372d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid.conf
Type: application/octet-stream
Size: 6218 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151116/6532372d/attachment-0001.obj>
More information about the squid-users
mailing list