Hi!
I've configured squid 3.1.10-1 (latest available for CentOS 6.2) with NTLM authentication, but squid keeps asking for username and password. And sometimes more than once...
Users are authenticated in the domain, using IE6/7/9, but squid keeps asking for username/password.
For those with other browsers and Linux it's normal, but in Windows it isn't. I don't know if Firefox in Windows is supposed to ask for a password or not, but it asks.
I have everything working with samba and winbind.
Samba recognizes the user and winbind too.
Wbinfo authentication:
wbinfo -a teste%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded
Squid ntlm_auth is also working OK:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
teste 12345
OK
I noticed something in the logs: there are also a lot of TCP_DENIED before TCP_MISS (and squid didn't ask for a password).
An example of accessing a website:
111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.469 9 111.111.11.11 TCP_DENIED/407 4766 GET http://www.venezuelatuya.com/tour/minicentro.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minilosroques.jpg - NONE/- text/html
1341573268.472 11 111.111.11.11 TCP_DENIED/407 4774 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minicaracas.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4762 GET http://www.venezuelatuya.com/tour/miniandes.jpg - NONE/- text/html
1341573268.474 10 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minimargarita.jpg - NONE/- text/html
1341573268.549 275 111.111.11.11 TCP_MISS/200 2186 GET http://www.venezuelatuya.com/scripts/mapapaginaprincipal.js teste DIRECT/207.58.139.197 application/javascript
1341573268.576 139 111.111.11.11 TCP_MISS/200 444 GET http://www.venezuelatuya.com/principal.css teste DIRECT/207.58.139.197 text/css
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.699 399 111.111.11.11 TCP_MISS/200 3817 GET http://www.venezuelatuya.com/scripts/barrabusqueda.js teste DIRECT/207.58.139.197 application/javascript
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.753 274 111.111.11.11 TCP_MISS/200 2062 GET http://www.venezuelatuya.com/tour/minilosroques.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.755 276 111.111.11.11 TCP_MISS/200 2725 GET http://www.venezuelatuya.com/tour/miniandes.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.867 400 111.111.11.11 TCP_MISS/200 4137 GET http://www.venezuelatuya.com/tour/minitour.JPG teste DIRECT/207.58.139.197 image/jpeg
1341573268.869 396 111.111.11.11 TCP_MISS/200 3447 GET http://www.venezuelatuya.com/tour/minicentro.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.877 400 111.111.11.11 TCP_MISS/200 3310 GET http://www.venezuelatuya.com/tour/minimorrocoy.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.880 403 111.111.11.11 TCP_MISS/200 3829 GET http://www.venezuelatuya.com/tour/minimargarita.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.882 404 111.111.11.11 TCP_MISS/200 3452 GET http://www.venezuelatuya.com/tour/minicaracas.jpg teste DIRECT/207.58.139.197 image/jpeg
Here is my samba config:
-------------------------------------------------------------
[global]
workgroup = <workgroup>
server string = Squid Server Version %v
netbios name = Dakota
hosts allow = 127. <list_of_ips_allowed>
log file = /var/log/samba/log.%m
max log size = 50
security = domain
realm = HAL.MIN-SAUDE.PT
password server = dc.domain.com dc1.domain.com
acl compatibility = win2k
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
-------------------------------------------------------------
And here is my squid config:
-------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl HomeNetworks src "/etc/squid/Networks.squid"
acl OtherNetworks src "/etc/squid/OtherNetworks.squid"
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Por favor autentique-se!
auth_param basic credentialsttl 2 hours
acl ntlmAuth proxy_auth REQUIRED
acl SSL_ports port 443
acl SSL_ports port 631
acl CONNECT method CONNECT
acl POST method POST
acl AutorizedSites dstdomain "/etc/squid/AutorizedSitesGlobal.squid"
acl Nonet src "/etc/squid/Nonet.squid"
acl Bypass src "/etc/squid/Bypass.squid"
acl Deny dstdom_regex "/etc/squid/Deny.squid"
acl DenyUsers proxy_auth -i src "/etc/squid/DenyUsers.squid"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !HomeNetworks
http_access allow localhost
http_access deny Nonet
http_access allow AutorizedSites
http_access allow Bypass
http_access deny DenyUsers
http_access allow OtherNetworks
http_access allow ntlmAuth
http_access deny all
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
follow_x_forwarded_for allow localhost
cache_dir aufs /cache 96000 16 256
cache_mem 1276 MB
maximum_object_size 4096 KB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
maximum_object_size 4096 KB
access_log /var/log/squid/access.log squid
cache_mgr squid_at_domain.com
mail_from squid_at_domain.com
cache_effective_user squid
visible_hostname proxy.domain.com
error_directory /usr/share/squid/errors/pt-pt
dns_nameservers dnsip1 dnsip2
-------------------------------------------------------------
and my krb5.conf
-------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des-cbc-md5; or des-cbc-crc
default_tkt_enctypes = des-cbc-md5; or des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = yes
#ticket_lifetime = 24h
ticket_lifetime = 24000
clock_skew = 300
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
kdc = dc1.domain.com:88
admin_server = dc1.domain.com:88
default_domain = domain.com
kdc = dc1
kdc = dc2
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.kerberos.server = DOMAIN.COM
DOMAIN.COM = {
}
[kdc]
profile = /etc/krb5kdc/kdc.conf
-------------------------------------------------------------
Any clue why it's happening?
squid is also a member of the group wbpriv:
id squid
uid=23(squid) gid=23(squid) groups=88(wbpriv),23(squid)
I also have dansguardian listening on port 8080.
Thank you all!
--
Use Open Source Software
Human knowledge belongs to the world
Bruno Santos
bvsantos_at_ulscb.min-saude.pt
http://www.twitter.com/feiticeir0
Tel: +351 962 753 053
Divisão de Informática
informatica_at_ulscb.min-saude.pt
Tel: +351 272 000 155
Fax: +351 272 000 257
Unidade Local de Saúde de Castelo Branco, E.P.E.
geral_at_ulscb.min-saude.pt
Tel: +351 272 000 272
Fax: +351 272 000 257
Linux registered user #349448
LPIC-1 Certification
Received on Fri Jul 06 2012 - 11:42:23 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 06 2012 - 12:00:01 MDT
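The access.log excerpt in the post is the kind of thing worth reading mechanically before concluding that NTLM is broken: a proxy NTLM negotiation legitimately produces two TCP_DENIED/407 replies (the bare challenge, then the one carrying the Type-2 challenge) before the 200 that finally shows the username, so pairs of 407s per URL are the handshake, not a failure. The script below is an added example, not part of the original post or of Squid; it parses Squid's native "squid" log format, counts the 407 challenges per client+URL before the first authenticated reply, and flags only URLs that exceed that two-round budget or never get an authenticated reply. The two-round threshold is an assumption drawn from the NTLM exchange, the sample is constructed from lines quoted in the post (the first of which lost its timestamp and elapsed fields in the mail and is skipped as malformed) plus three constructed lines for http://example.invalid/loop.gif.

```python
"""Added example (not from the original post): classify the TCP_DENIED/407
pattern of an NTLM-authenticating Squid from native-format access.log lines.

Format assumed (Squid "squid" logformat):
  time elapsed client code/status bytes method URL user peer/host type
Per client+URL the script counts the 407 challenges seen before the first
reply that carries a username. A clean NTLM handshake is two 407s followed
by a 200, so the threshold below is an assumption based on that exchange.
"""

NTLM_HANDSHAKE_407S = 2  # assumed ceiling: 407 rounds a clean NTLM negotiation needs

# Constructed sample: lines copied from the post (the first one lost its
# timestamp and elapsed fields in the mail), plus three constructed lines for
# http://example.invalid/loop.gif that never reach an authenticated reply.
SAMPLE_LOG = """\
111.111.11.11 TCP_DENIED/407 4758 GET http://www.venezuelatuya.com/tour/minitour.JPG - NONE/- text/html
1341573268.467 8 111.111.11.11 TCP_DENIED/407 4778 GET http://www.venezuelatuya.com/tour/minioccidente.jpg - NONE/- text/html
1341573268.602 1 111.111.11.11 TCP_DENIED/407 4467 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.606 1 111.111.11.11 TCP_DENIED/407 4770 GET http://www.venezuelatuya.com/tour/minioriente.jpg - NONE/- text/html
1341573268.608 1 111.111.11.11 TCP_DENIED/407 4907 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.617 1 111.111.11.11 TCP_DENIED/407 5186 GET http://googleads.g.doubleclick.net/pagead/ads ? - NONE/- text/html
1341573268.741 272 111.111.11.11 TCP_MISS/200 2801 GET http://www.venezuelatuya.com/tour/minioccidente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573268.745 137 111.111.11.11 TCP_MISS/200 3520 GET http://www.venezuelatuya.com/tour/minioriente.jpg teste DIRECT/207.58.139.197 image/jpeg
1341573269.001 1 111.111.11.11 TCP_DENIED/407 4800 GET http://example.invalid/loop.gif - NONE/- text/html
1341573269.010 1 111.111.11.11 TCP_DENIED/407 4800 GET http://example.invalid/loop.gif - NONE/- text/html
1341573269.020 1 111.111.11.11 TCP_DENIED/407 4800 GET http://example.invalid/loop.gif - NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format line into a dict, or return None if malformed.

    The URL is taken as everything between the method and the last three
    fields, so a URL rendered with an embedded space ("/ads ?") still parses.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, elapsed, client, code_status, size, method = fields[:6]
    user, peer, mime = fields[-3:]
    try:
        float(ts)
        int(elapsed)
        code, status = code_status.split("/")
        status = int(status)
    except ValueError:
        return None
    return {
        "time": float(ts), "client": client, "code": code, "status": status,
        "method": method, "url": " ".join(fields[6:-3]), "user": user,
        "peer": peer, "mime": mime,
    }


def classify(lines, max_407=NTLM_HANDSHAKE_407S):
    """Return ({(client, url): summary}, malformed_count), keys in log order.

    summary = {"challenges": n, "authenticated_as": user or None, "flags": [...]}
    """
    stats = {}
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        entry = stats.setdefault(
            (rec["client"], rec["url"]),
            {"challenges": 0, "authenticated_as": None, "flags": []},
        )
        if rec["status"] == 407:
            # Only count challenges issued before the client managed to authenticate.
            if entry["authenticated_as"] is None:
                entry["challenges"] += 1
        elif rec["user"] != "-" and entry["authenticated_as"] is None:
            entry["authenticated_as"] = rec["user"]
    for entry in stats.values():
        if entry["challenges"] > max_407:
            entry["flags"].append("more 407s than an NTLM handshake")
        if entry["authenticated_as"] is None:
            entry["flags"].append("no authenticated reply")
    return stats, malformed


def flagged(stats):
    """List (url, flags) for every client+URL with at least one flag."""
    return [(url, e["flags"]) for (_, url), e in stats.items() if e["flags"]]


if __name__ == "__main__":
    stats, malformed = classify(SAMPLE_LOG.splitlines())
    print(f"{malformed} malformed line(s) skipped")
    for (client, url), entry in stats.items():
        print(f"{client} {url}: {entry['challenges']} x 407, "
              f"user={entry['authenticated_as']}, flags={entry['flags']}")
```

Run against a real log with `classify(open("/var/log/squid/access.log"))`. On the post's own lines every venezuelatuya.com URL resolves to one or two 407s followed by a 200 for user teste, which is the handshake working; the doubleclick URL is flagged only because the excerpt ends before its authenticated reply. A URL that accumulates three or more 407s without a username is the pattern that corresponds to the browser re-prompting, and that is where to look at cache.log and the helper rather than at the 407 pairs themselves.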