[squid-users] Squid - AD kerberos auth and Linux Server proxy access not working
Nilesh Gavali
nilesh.gavali at tcs.com
Tue Oct 4 13:49:51 UTC 2016
Hi Amos;
OK, we can discuss the issue in two parts: 1. Windows AD authentication & SSO, and 2. Linux server unable to access via squid proxy.
For the first point:
The requirement is to have SSO for accessing the internet via the squid proxy and, based on the user's AD group membership, to allow access to specific sites only. I believe the current configuration of squid is working as expected.
For the second point:
The point I would like to highlight here is that the Linux server IWCCP01 is not part of the domain at all, hence the below error, as squid is configured for AD_auth. So how can we allow the Linux server or a non-domain machine to access specific sites?
> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
====================================
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?
YES, we have the entry .bottomline.com, which works fine when accessed via a Windows machine with the proxy enabled for that user.
==============================
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?
I will test this and update the results.
========================================
> If that works, please list the output of the command:
> grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
Output of the above command as below:
[root at Proxy02 ~]# grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
.bottomline.com
[root at Proxy02 ~]#
=======================================
Thanks & Regards
Nilesh Suresh Gavali
Message: 2
Date: Wed, 5 Oct 2016 00:11:08 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid - AD kerberos auth and Linux Server
proxy access not working
Message-ID: <d35ad0ca-761d-60e3-c594-04697110afdc at treenet.co.nz>
Content-Type: text/plain; charset=utf-8
On 4/10/2016 11:36 p.m., Antony Stone wrote:
> On Tuesday 04 October 2016 at 12:28:44, Nilesh Gavali wrote:
>
>> Hello Antony;
>> I have double checked the current working configuration of my squid.conf
>> and it has the same settings which I posted earlier. Somehow it is working
>> for us.
>
> I'm not saying the whole thing won't work; I'm saying there is no point in
> having a line "http_access allow ad_auth" following the line "http_access deny
> all". The ad_auth line can never be invoked.
Not knowing why authentication works is dangerous. You might have been
allowing non-authenticated traffic and invalid user accounts through.
The only reason it does "work" is that the ACL called "USERS" is _not_
actually checking user logins. It is a group checking ACL which requires
authentication to happen before it can be checked.
In this specific case invalid logins cannot be a member of the group. So
they will not get through the proxy.
However, people who accidentally type the user/password wrong, or whose
machines automatically login with an account not a member of the group
will not be allowed any way to try again short of shutting down their
browser or maybe even logging out of the machine and trying from another
one.
That may or may not be a problem for you.
>
>> below is the error from access.log file.
>>
>> 1475518342.279 0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT
>> vseries-test.bottomline.com:443 - NONE/- text/html
>
> Error 407 is "proxy auth required", so the proxy is expecting authentication
> for some reason.
>
> Can you confirm that the hostname vseries-test.bottomline.com is contained in
> your site file /etc/squid/sitelist/dbs_allowed_site ?
>
> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
> "http_access allow IWCCP01" and see whether the machine then gets access?
>
If that works, please list the output of the command:
grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
Amos
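The rule-ordering behaviour that both replies above reason about (a line behind "deny all" never being reached, a group ACL forcing authentication before a non-domain host's src line is ever consulted, and a mistyped password ending in a dead 403 rather than a fresh challenge) can be made concrete with a small model of how Squid walks http_access. The following is an added example for this thread, not Squid code and not the poster's configuration. The ACL names (ad_auth, USERS, IWCCP01, allowedsite) are the ones used in the thread; their definitions, the client address, the AD group name and both rule orderings are constructed assumptions, since the full squid.conf is not shown. AS_POSTED is one plausible ordering that reproduces the TCP_DENIED/407 seen in the log; FIXED puts the non-domain host's exemption first and uses the usual "deny !ad_auth" idiom so that failed logins get re-challenged.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Lines are evaluated top to bottom; the ACLs on one line are ANDed and checked
left to right, and the first line whose ACLs all match decides the request.
An ACL that needs credentials (proxy_auth, or an external group helper keyed
on %LOGIN) checked against a request carrying none makes Squid answer 407.
A deny line that ends on a failed authentication ACL also yields 407, which
is what lets a user retry a mistyped password instead of getting a 403.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    src: str
    host: str
    user: Optional[str] = None                # None: no Proxy-Authorization sent
    auth_ok: bool = False                     # the auth helper accepted the credentials
    groups: set = field(default_factory=set)  # AD groups the user belongs to


# ACL names are the thread's; address and group name are constructed here.
ACLS = {
    "IWCCP01":     ("src", "10.20.15.103"),
    "allowedsite": ("dstdomain", ".bottomline.com"),
    "ad_auth":     ("proxy_auth", "REQUIRED"),
    "USERS":       ("ext_group", "InternetUsers"),
    "all":         ("src", "0.0.0.0/0"),
}
AUTH_KINDS = ("proxy_auth", "ext_group")


class Challenge(Exception):
    """Raised when an authentication ACL is reached with no credentials."""


def dstdomain_match(pattern: str, host: str) -> bool:
    # A leading dot matches the domain itself and every subdomain of it.
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(token: str, req: Request) -> bool:
    negate = token.startswith("!")
    kind, arg = ACLS[token.lstrip("!")]
    if kind == "src":
        hit = arg == "0.0.0.0/0" or req.src == arg
    elif kind == "dstdomain":
        hit = dstdomain_match(arg, req.host)
    elif kind in AUTH_KINDS:
        if req.user is None:
            raise Challenge(token)
        hit = req.auth_ok and (kind == "proxy_auth" or arg in req.groups)
    else:
        raise ValueError(kind)
    return not hit if negate else hit


def evaluate(rules, req: Request) -> int:
    """Return the status Squid would produce for req: 200, 403 or 407."""
    for action, tokens in rules:
        try:
            if not all(acl_match(t, req) for t in tokens):  # short-circuits like Squid
                continue
        except Challenge:
            return 407
        if action == "allow":
            return 200
        last_kind = ACLS[tokens[-1].lstrip("!")][0]
        # "deny !ad_auth" with bad credentials re-challenges rather than 403s
        return 407 if last_kind in AUTH_KINDS and not req.auth_ok else 403
    # No line matched: Squid applies the opposite of the last line's action.
    return 403 if rules[-1][0] == "allow" else 200


def unreachable(rules):
    """Indexes of lines sitting behind an unconditional 'all' line; never run."""
    for i, (_, tokens) in enumerate(rules):
        if tokens == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


# Constructed ordering consistent with the thread: a group ACL is the first
# thing every request hits, and "allow ad_auth" sits behind "deny all".
AS_POSTED = [
    ("allow", ["USERS"]),
    ("allow", ["IWCCP01", "allowedsite"]),
    ("deny",  ["all"]),
    ("allow", ["ad_auth"]),
]

# Corrected ordering: exempt the non-domain host first, then force
# authentication with a re-challenging deny line, then check the group.
FIXED = [
    ("allow", ["IWCCP01", "allowedsite"]),
    ("deny",  ["!ad_auth"]),
    ("allow", ["USERS"]),
    ("deny",  ["all"]),
]

if __name__ == "__main__":
    linux_box = Request(src="10.20.15.103", host="vseries-test.bottomline.com")
    print(evaluate(AS_POSTED, linux_box), evaluate(FIXED, linux_box))  # 407 200
    print(unreachable(AS_POSTED))  # [3]
```

The model keeps only the pieces the thread turns on: src and dstdomain ACLs, credential-requiring ACLs, negation, and the "opposite of the last line" default. Running it shows the non-domain host getting 407 under AS_POSTED because the USERS line is consulted before its own src line, getting 200 under FIXED, and a user with a wrong password getting 403 under AS_POSTED but a fresh 407 under FIXED.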