[squid-users] Squid - AD kerberos auth and Linux Server proxy access not working
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 5 13:23:23 UTC 2016
On 5/10/2016 7:00 a.m., Nilesh Gavali wrote:
> Hi Amos;
> OK, we can discuss the issue in two parts: 1. For Windows AD
> Authentication & SSO and 2. Linux server unable to access via squid proxy.
>
> For First point-
> Requirement to have SSO for accessing internet via squid proxy and based
> on user's AD group membership allow access to specific sites only. I
> believe current configuration of squid is working as expected.
>
> For Second point -
> Point I would like to highlight here is, the Linux server IWCCP01 is not
> part of domain at all. Hence the below error as squid configured for
> AD_auth. So how can we allow Linux server or non domain machine to access
> specific sites?
>
>> Error 407 is "proxy auth required", so the proxy is expecting authentication
>> for some reason.
> ====================================
>> Can you confirm that the hostname vseries-test.bottomline.com is contained in
>> your site file /etc/squid/sitelist/dbs_allowed_site ?
>
> YES, we have an entry as .bottomline.com, which works fine when accessed via
> a Windows machine having proxy enabled for that user.
> ==============================
>> Can you temporarily change the line "http_access allow IWCCP01 allowedsite" to
>> "http_access allow IWCCP01" and see whether the machine then gets access?
>
> I made the changes as suggested but still it is giving same Error 407.
Meaning that is the ACL which is broken.
> ========================================
> If that works, please list the output of the command:
> grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
>
> o/p of above command as below -
>
> [root@Proxy02 ~]# grep "bottomline.com" /etc/squid/sitelist/dbs_allowed_site
> .bottomline.com
> [root@Proxy02 ~]#
Okay great. Your allowedsite has a correct entry to match the test request.
Since IWCCP01 contains exactly one IP address for the server
> acl IWCCP01 src 10.xx.15.103
it means your server is not using that IP address when it contacts Squid.
BUT that IP is what gets logged as the client/src IP.
> 1475518342.279 0 10.xx.15.103 TCP_DENIED/407 3589 CONNECT vseries-test.bottomline.com:443 - NONE/- text/html
Strange. Unless:
* those 'xx' are different numbers, or
* the line was logged by another Squid process (with different config), or
* the config file you think is being used actually is not.
I notice that this config tells your Squid to listen on port 8080 and
pass all its traffic through a peer at 10.xx.xx.108 which also listens
on port 8080.
Is that log being produced by that other peer?
Is there anything, any non-# lines at all, in your config besides what
your first post contained? Even if you don't think it's relevant.
Amos
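
The mismatch discussed in this message (a client IP that matches a `src` ACL yet is logged with TCP_DENIED/407) can be checked mechanically against a config and an access.log. This is an added example, not part of the original message or of Squid; the config and log lines are constructed, and 192.0.2.103 stands in for the redacted client address.

```python
import ipaddress

# Constructed sample data: 192.0.2.103 stands in for the redacted client address.
SAMPLE_CONF = """\
# comment lines are ignored
acl IWCCP01 src 192.0.2.103
acl allowedsite dstdomain "/etc/squid/sitelist/dbs_allowed_site"
http_access allow IWCCP01 allowedsite
"""
SAMPLE_LOG = """\
1475518342.279      0 192.0.2.103 TCP_DENIED/407 3589 CONNECT vseries-test.bottomline.com:443 - NONE/- text/html
1475518350.101     12 192.0.2.50 TCP_DENIED/407 3589 CONNECT vseries-test.bottomline.com:443 - NONE/- text/html
1475518360.500    140 192.0.2.103 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/198.51.100.7 -
"""

def src_acls(conf_text):
    """Map ACL name -> list of networks from 'acl NAME src ADDR...' lines."""
    acls = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            for addr in parts[3:]:
                try:
                    net = ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    continue  # address ranges and file includes are out of scope here
                acls.setdefault(parts[1], []).append(net)
    return acls

def contradictions(conf_text, log_text):
    """Return (client, url, acl_name) for 407 denials whose client matches a src ACL."""
    acls = src_acls(conf_text)
    hits = []
    for line in log_text.splitlines():
        f = line.split()  # native log format: time elapsed client action/code size method URL ...
        if len(f) < 7 or f[3] != "TCP_DENIED/407":
            continue
        try:
            client = ipaddress.ip_address(f[2])
        except ValueError:
            continue  # client field is not a plain IP address
        for name, nets in acls.items():
            if any(client in n for n in nets):
                hits.append((f[2], f[6], name))
    return hits

if __name__ == "__main__":
    for client, url, name in contradictions(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{client} matches src ACL {name} but got 407 for {url}")
```

A hit only shows that the log line and the config disagree; which of the explanations listed in the message applies still has to be checked on the proxy itself.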