[squid-users] Squid - AD kerberos auth and Linux Server proxy access not working

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 4 11:11:08 UTC 2016


On 4/10/2016 11:36 p.m., Antony Stone wrote:
> On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:
> 
>> Hello Antony;
>> I have double checked the current working configuration of my squid.conf
>> and it has same settings which I posted earlier. somehow it is working for
>> us.
> 
> I'm not saying the whole thing won't work; I'm saying there is no point in 
> having a line "http_access allow ad_auth" following the line "http_access deny 
> all".  The ad_auth line can never be invoked.

Not knowing why authentication works is dangerous. You might have been
allowing non-authenticated traffic and invalid user accounts through.

The only reason it does "work" is that the ACL called "USERS" is _not_
actually checking user logins. It is a group checking ACL which requires
authentication to happen before it can be checked.

In this specific case invalid logins cannot be a member of the group. So
they will not get through the proxy.

However, people who accidentally type the user/password wrong, or whose
machines automatically login with an account not a member of the group
will not be allowed any way to try again short of shutting down their
browser or maybe even logging out of the machine and trying from another
one.

That may or may not be a problem for you.

> 
>> below is the error from access.log file.
>>
>> 1475518342.279      0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
>> vseries-test.bottomline.com:443 - NONE/- text/html
> 
> Error 407 is "proxy auth required", so the proxy is expecting authentication 
> for some reason.
> 
> Can you confirm that the hostname vseries-test.bottomline.com is contained in 
> your site file /etc/squid/sitelist/dbs_allowed_site ?
> 
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to 
> "http_access allow IWCCP01" and see whether the machine then gets access?
> 

If that works, please list the output of the command:
  grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site

Amos
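As an added example (not code from the thread or from the Squid project), the following script flags the kind of dead rule Antony describes: any http_access line that comes after a terminal "allow all" or "deny all", which Squid can never evaluate because it stops at the first matching http_access line. The ACL definitions in the embedded sample are constructed to match the names mentioned in the thread; only the http_access ordering is taken from the discussion.

```shell
#!/bin/sh
# Constructed squid.conf fragment: ACL definitions are assumed, the
# http_access ordering reproduces the one discussed in the thread.
SAMPLE_CONF=$(cat <<'EOF'
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
acl ad_auth proxy_auth REQUIRED
acl USERS external ad_group internet_users
acl IWCCP01 src 10.0.0.0/24
acl allowedsite dstdomain "/etc/squid/sitelist/dbs_allowed_site"
http_access allow IWCCP01 allowedsite
http_access allow USERS
http_access deny all
http_access allow ad_auth
EOF
)

# Same fragment with the authentication rule moved before "deny all",
# so every http_access line is reachable.
FIXED_CONF=$(cat <<'EOF'
acl ad_auth proxy_auth REQUIRED
acl USERS external ad_group internet_users
http_access allow ad_auth
http_access allow USERS
http_access deny all
EOF
)

# Print each http_access line that follows a terminal "allow all" or
# "deny all" rule. Squid evaluates http_access top to bottom and stops at
# the first line that matches, so such lines are unreachable.
unreachable_http_access() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*http_access[ \t]/ {
            if (terminal) { printf "line %d unreachable: %s\n", NR, $0 }
            if (($2 == "allow" || $2 == "deny") && NF == 3 && $3 == "all") {
                terminal = 1
            }
        }'
}

unreachable_http_access "$SAMPLE_CONF"
# prints: line 9 unreachable: http_access allow ad_auth
unreachable_http_access "$FIXED_CONF"
# prints nothing
```

Run it against a real squid.conf with `unreachable_http_access "$(cat /etc/squid/squid.conf)"`; the check is deliberately narrow and does not model ACLs that are logically unreachable for other reasons.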


