[squid-users] Squid - AD integration Issue
Amos Jeffries
squid3 at treenet.co.nz
Fri Jul 22 05:16:56 UTC 2016
On 22/07/2016 2:09 a.m., Nilesh Gavali wrote:
> Hi All;
>
> Squid integration with AD Kerberos auth was working properly for me. Today I
> faced an issue, as users are getting a login prompt while accessing the proxy.
> Not sure what went wrong. Here is my configuration and also the cache.log output.
> Need urgent help.
>
> ==============================================================
> #
> # Recommended minimum configuration:
> #### AD SSO Integration #####
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy02.ABCD.gov.eu@ABCD.GOV.EU -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> #auth_param basic credentialsttl 2 hours
> acl ad_auth proxy_auth REQUIRED
>
> #### AD Group membership ####
>
> external_acl_type AD_Group ttl=300 negative_ttl=0 %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=EU" -D svcproxy -W /etc/squid/pswd/pswd -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))" -h ABCD.GOV.EU -s sub -v 3 -d
>
> acl AVWSUS external AD_Group lgOnlineUpdate
> acl windowsupdate dstdomain "/etc/squid/sitelist/infra_update_site"
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl AVSRVR src xx.xx.8.123 # Cloud SEPM Server
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
>
> http_access allow AVSRVR windowsupdate
> http_access allow AVWSUS windowsupdate
> http_access deny all
If the "deny all" above is actually what you want, then remove all the
following http_access rules.
If the "allow ad_auth" below is what you want, then remove the above
"allow ... windowsupdate" and "deny all" lines - checking groups is
pointless if any authenticated client is allowed.
> http_access allow ad_auth
>
> # And finally deny all other access to this proxy
> http_access deny all
> Cache.log-
> ====================================
> 2016/07/21 14:52:53| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: Unspecified GSS failure. Minor code may provide more information.
> 2016/07/21 14:52:53| authenticateNegotiateHandleReply: Error validating
> user via Negotiate. Error returned 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information. '
> ===================================
Perhaps your keytab entry expired or got updated in AD without the one on
the Squid machine being updated?
>
> Also observed Squid_ldap_group helper throwing ERR when checking user
> group membership. but user is part of the said group in AD.
If the user account credentials are not being identified as valid by the
auth_param helper, there is no "user" to be part of any group check by
the external ACL helper.
>
> ========================================================================
> #/usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=EU" -D svcproxy -W /etc/squid/pswd/pswd -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))" -h ABCD.GOV.EU -s sub -v 3 -d
> 853438 lgOnlineUpdate
> Connected OK
> group filter '(&(objectclass=person)(userPrincipalName=853438)(memberof=cn=lgOnlineUpdate,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=EU))', searchbase 'DC=ABCD,DC=GOV,DC=EU'
> ERR
> ==========================================
>
Have you tried any recent version of Squid and/or the helper? Yours seem to be
many years outdated.
Amos
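Amos's point about http_access ordering, as an added example that is not part of the thread or of Squid itself: a small Python model of Squid's first-match http_access evaluation over the ACL names from the posted config, showing that the `allow ad_auth` line after `deny all` can never be reached and contrasting the two orderings he suggests. The IP and group values are constructed, and the model ignores the 407 challenge that proxy_auth and %LOGIN ACLs trigger.

```python
"""Model of Squid's first-match http_access evaluation, restricted to the ACL
types used in the posted squid.conf. Added example, not Squid's own code: it
skips the 407 challenge that proxy_auth / %LOGIN ACLs trigger and treats a
request simply as authenticated (user set) or not (user is None)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    src: str                     # client IP
    dstdomain: str               # requested host
    user: Optional[str] = None   # login from the negotiate helper, None if unauthenticated
    groups: frozenset = field(default_factory=frozenset)  # AD groups (constructed)

# ACL names from the posted config; the values they match are constructed.
ACLS = {
    "AVSRVR": lambda r: r.src == "10.0.8.123",          # stands in for xx.xx.8.123
    "windowsupdate": lambda r: r.dstdomain.endswith(".windowsupdate.com"),
    "AVWSUS": lambda r: r.user is not None and "lgOnlineUpdate" in r.groups,
    "ad_auth": lambda r: r.user is not None,
    "all": lambda r: True,
}

def http_access(rules, req):
    """Return 'allow' or 'deny'. The first line whose ACLs all match wins;
    if no line matches, Squid uses the opposite of the last line's action."""
    for action, *acls in rules:
        if all(ACLS[a](req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def unreachable(rules):
    """Indexes of lines that can never be reached because an earlier line
    matches every request (e.g. 'deny all' placed above 'allow ad_auth')."""
    for i, (_, *acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []

# The http_access order exactly as posted in the thread.
POSTED = [("allow", "AVSRVR", "windowsupdate"), ("allow", "AVWSUS", "windowsupdate"),
          ("deny", "all"), ("allow", "ad_auth"), ("deny", "all")]
# The two alternatives Amos describes: group-restricted only, or any authenticated user.
GROUPS_ONLY = POSTED[:3]
ANY_AUTH = [("allow", "ad_auth"), ("deny", "all")]
if __name__ == "__main__":
    alice = Request("10.1.2.3", "www.example.org", user="alice")  # authenticated, no group
    for name, rules in [("posted", POSTED), ("groups_only", GROUPS_ONLY), ("any_auth", ANY_AUTH)]:
        print(f"{name:12} alice -> {http_access(rules, alice)}; dead lines: {unreachable(rules)}")
```

With the posted order an authenticated user outside lgOnlineUpdate is denied and lines 3 and 4 are dead; only after choosing one of the two orderings does the auth rule or the group rule decide.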