[squid-users] Active Directory Authentication failing at the browser

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 17 21:14:41 UTC 2015


On 18/11/2015 9:36 a.m., dolson at ihcrc.org wrote:
> Thank you for your help Amos,
> 
> I think I am a little further, but I'm still having some issues.
> 
> I updated my proxy address from the IP to the FQDN and this removed the login page that I previously mentioned, but I still could not get to any external websites.  Internal sites were working correctly.  I have attached the screen shot of the message.
> 
> I have followed the new links that you provided and changed the permissions on the /var/lib/samba/winbindd_privileged file as directed, and tested winbind using the instructions and everything is working.
> 
> Per your suggestion, I upgraded Firefox to 4.2.  What was really interesting is, when I used the link from the About Firefox window, I was able to access the Mozilla website, and download the file with no errors on the webpage in the browser, but continue to get it if I now go to the site by entering the address in the address bar.
> 
> I have included below excerpts from the access.log and cache.log files from the last attempts to see if you or someone else can help me understand the information in the files so I can see where the problem may be.
> 
> Access.log:
> 
> 1447788372.600      7 10.1.3.56 TCP_DENIED/407 3826 GET http://srv-joomla/portal/ - HIER_NONE/- text/html
> 1447788372.812     63 10.1.3.56 TCP_MISS/500 6727 GET http://srv-joomla/portal/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788372.903      0 10.1.3.56 TCP_MISS/500 4085 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788373.059      0 10.1.3.56 TCP_MISS/500 4025 GET http://srv-joomla/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788373.106      0 10.1.3.56 TCP_MISS/500 4025 GET http://srv-joomla/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788377.958      0 10.1.3.56 TCP_DENIED/407 3903 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
> 1447788378.163     45 10.1.3.56 TCP_MISS/500 6792 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788378.207      0 10.1.3.56 TCP_MISS/500 4110 POST http://clients1.google.com/ocsp dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788378.786      0 10.1.3.56 TCP_MISS/500 4004 GET http://www.google.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788378.832      0 10.1.3.56 TCP_MISS/500 4080 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788378.894      0 10.1.3.56 TCP_MISS/500 4037 GET http://www.google.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788379.051      0 10.1.3.56 TCP_MISS/500 4037 GET http://www.google.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788381.219      0 10.1.3.56 TCP_MISS/500 4092 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788383.357      0 10.1.3.56 TCP_MISS/500 3995 GET http://www.cnn.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788383.516      0 10.1.3.56 TCP_MISS/500 4077 GET http://www.squid-cache.org/Artwork/SN.png dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788383.577      0 10.1.3.56 TCP_MISS/500 4028 GET http://www.cnn.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788383.749     15 10.1.3.56 TCP_MISS/500 4028 GET http://www.cnn.com/favicon.ico dolson at IHCRC.ORG HIER_NONE/- text/html
> 1447788432.030      0 10.1.3.56 TCP_MISS/500 4092 POST http://ocsp.digicert.com/ dolson at IHCRC.ORG HIER_NONE/- text/html
> 

The above and the cache.log show the authentication apparently working
fine. The problem is elsewhere.

The "some possible problems" section of the error message lists the
things you need to look at fixing.

The access.log lines with "TCP_MISS/500" and "HIER_NONE/-" indicate that
Squid is not able to connect to any external server to fetch the objects
it is being asked for. Something is broken at the TCP layer; firewall
settings? DNS resolution? NAT from 10/8 to public Internet?


Amos
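
The reading of the access.log given in the reply above, as an added example that is not part of the original message: it separates 407 authentication challenges from requests where a user was identified but Squid contacted no upstream server (5xx with HIER_NONE). The sample lines are constructed, with placeholder hosts and user name, and the category labels are names chosen for this example.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format, modelled on the
# excerpt quoted above (hosts and user name are placeholders).
SAMPLE_LOG = """\
1447788372.600      7 10.1.3.56 TCP_DENIED/407 3826 GET http://intranet.example/portal/ - HIER_NONE/- text/html
1447788372.812     63 10.1.3.56 TCP_MISS/500 6727 GET http://intranet.example/portal/ user@EXAMPLE.ORG HIER_NONE/- text/html
1447788378.786      0 10.1.3.56 TCP_MISS/500 4004 GET http://www.example.com/ user@EXAMPLE.ORG HIER_NONE/- text/html
1447788379.100    120 10.1.3.56 TCP_MISS/200 9120 GET http://www.example.net/ user@EXAMPLE.ORG HIER_DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format line. The user field is taken from the middle so
    that a name containing spaces (an archive's "user at REALM") still parses."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    hier, _, peer = parts[-2].partition("/")
    return {
        "client": parts[2], "code": code, "status": int(status),
        "method": parts[5], "url": parts[6],
        "user": " ".join(parts[7:-2]), "hier": hier, "peer": peer,
    }

def classify(entry):
    """Label an entry the way the reply above reads the log."""
    if entry["status"] == 407:
        return "auth-challenge"        # proxy asked the client for credentials
    authed = entry["user"] != "-"
    if authed and entry["status"] >= 500 and entry["hier"] == "HIER_NONE":
        return "authed-no-upstream"    # user identified, no server contacted
    if authed:
        return "authed-other"
    return "other"

def summarize(text):
    """Count entries per label across a block of log text."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return Counter(classify(e) for e in entries)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

A log dominated by "authed-no-upstream" matches the situation in this thread: credentials are accepted, so the checks belong at the network layer rather than in the authentication helpers.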

