[squid-users] Re: Re: Re: Squid + Kerberos + Active Directory

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 6 Jun 2009 21:32:42 +0100

><truth_seeker_3535_at_yahoo.com> wrote in message
>news:549528.19551.qm_at_web43413.mail.sp1.yahoo.com...
>
>Dear Markus,
>
>First of all I disabled the "debug_options ALL,1 33,2 28,9" in squid.conf.
>Then when I reloaded the squid service, I looked in all the log files for
>anything that mentions squid_kerb_auth. I found this information in two
>places. Please have a look at it;
>
>in /var/log/messages;
>Jun 6 11:49:30 linuxproxy squid[8577]: Squid Parent: child process 8579
>started
>
>and in /var/log/squid/cache.log;
>2009/06/06 18:15:28| Reconfiguring Squid Cache (version 3.0.STABLE13)...
>2009/06/06 18:15:28| FD 21 Closing HTTP connection
>2009/06/06 18:15:28| FD 23 Closing ICP connection
>2009/06/06 18:15:28| Processing Configuration File: /etc/squid/squid.conf
>(depth 0)
>2009/06/06 18:15:28| Initializing https proxy context
>2009/06/06 18:15:28| User-Agent logging is disabled.
>2009/06/06 18:15:28| Referer logging is disabled.
>2009/06/06 18:15:28| DNS Socket created at 0.0.0.0, port 32776, FD 9
>2009/06/06 18:15:28| Adding nameserver 192.168.0.111 from /etc/resolv.conf
>2009/06/06 18:15:28| Adding nameserver 192.168.0.12 from /etc/resolv.conf
>2009/06/06 18:15:28| helperStatefulOpenServers: Starting 10
>'squid_kerb_auth' processes

good

>2009/06/06 18:15:28| Accepting HTTP connections at 0.0.0.0, port 8080, FD
>21.
>2009/06/06 18:15:28| Accepting ICP messages at 0.0.0.0, port 3130, FD 23.
>2009/06/06 18:15:28| HTCP Disabled.
>2009/06/06 18:15:28| Loaded Icons.
>2009/06/06 18:15:28| Ready to serve requests.
>
>
>Then the output of ps is;
>[root_at_linuxproxy ~]# ps -ef | grep squid_kerb_auth
>squid 9474 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9475 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9476 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9477 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9478 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9479 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9480 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9481 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9482 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>squid 9483 8579 0 18:15 ? 00:00:00 (squid_kerb_auth) -d
>root 9485 7946 0 18:15 pts/1 00:00:00 grep squid_kerb_auth
>[root_at_linuxproxy ~]#
>

looks very good

>So I think we can say that squid_kerb_auth is working in the system.
>
>
>the following is my squid.conf;
>
>acl manager proto cache_object
>acl localhost src 127.0.0.1/32
>acl to_localhost dst 127.0.0.0/8
>acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>acl SSL_ports port 443
>acl Safe_ports port 80 # http
>acl Safe_ports port 21 # ftp
>acl Safe_ports port 443 # https
>acl Safe_ports port 70 # gopher
>acl Safe_ports port 210 # wais
>acl Safe_ports port 1025-65535 # unregistered ports
>acl Safe_ports port 280 # http-mgmt
>acl Safe_ports port 488 # gss-http
>acl Safe_ports port 591 # filemaker
>acl Safe_ports port 777 # multiling http
>acl CONNECT method CONNECT
>http_access allow manager localhost
>http_access deny manager
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
>auth_param negotiate children 10
>auth_param negotiate keep_alive on
>acl auth proxy_auth REQUIRED
>http_access deny !auth
>http_access allow auth
>http_access allow localhost
>http_access deny all
>icp_access allow localnet
>icp_access deny all
>htcp_access allow localnet
>htcp_access deny all
>http_port 8080
>hierarchy_stoplist cgi-bin ?
>access_log /var/log/squid/access.log squid
>refresh_pattern ^ftp: 1440 20% 10080
>refresh_pattern ^gopher: 1440 0% 1440
>refresh_pattern (cgi-bin|\?) 0 0% 0
>refresh_pattern . 0 20% 4320
>icp_port 3130
>coredump_dir /var/spool/squid
>
>
>Still if I browse, I will get the error "cache access denied" and the
>following are the details in the log files;
>
>in squid/access.log;
>1244303002.590 0 192.168.4.139 TCP_DENIED/407 2866 GET
>http://google.com/ - NONE/- text/html
>1244303021.209 0 192.168.4.222 TCP_DENIED/407 2175 CONNECT
>mail.google.com:443 - NONE/- text/html
>1244303021.222 0 192.168.4.222 TCP_DENIED/407 2175 CONNECT
>mail.google.com:443 - NONE/- text/html
>
>in squid/store.log;
>1244303002.590 RELEASE -1 FFFFFFFF 893DDA4586FEA28E3D7CC6A9AF02FF06 407
>1244303002 0 -1 text/html 2393/2393 GET http://google.com/
>1244303021.209 RELEASE -1 FFFFFFFF 4860F9392E667CA248F079F4475457A6 407
>1244303021 0 -1 text/html 1702/1702 CONNECT
>mail.google.com:443
>1244303021.222 RELEASE -1 FFFFFFFF DB4AC6E80A21A7065675FE615D788ED2 407
>1244303021 0 -1 text/html 1702/1702 CONNECT
>mail.google.com:443
>
>
>in squid/cache.log;
>NOTHING. As you asked, I didn't play with anything in the cache options in
>squid.conf (you can also see my squid.conf above)
>
>

That looks like the browser doesn't use negotiate. Can you capture the
traffic between the client and squid? Can you also check if the browser has
linuxproxy.panasonic.com as proxy configured (e.g. NOT linuxproxy only)?

>Kindly advise...
>

Regards
Markus
Received on Sat Jun 06 2009 - 20:33:06 MDT

This archive was generated by hypermail 2.2.0 : Sun Jun 07 2009 - 12:00:02 MDT
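The two checks Markus asks for (is the client answering the Negotiate challenge at all, and is it asking for the right SPN) can be done from the artefacts already in the thread plus one captured request header. The script below is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines like the ones posted, decodes the Proxy-Authorization token a browser sends on its retry (from a packet capture or `curl -v`) to tell Kerberos/SPNEGO from an NTLM fallback, and derives the SPN a client will request from the proxy name configured in the browser. The healthy client 192.168.4.50, the user jdoe@EXAMPLE.COM and the SPNEGO token are constructed for the example; the OID constants are the standard GSS-API/SPNEGO values.

```python
"""Triage helpers for a Squid Negotiate/Kerberos TCP_DENIED/407 loop.
Added example; sample log lines, client 192.168.4.50 and the SPNEGO token
below are constructed, not taken from the thread."""
import base64
from collections import defaultdict

# ---- 1. access.log: does any client ever get past the 407 challenge? ----

def parse_access_line(line):
    """Native format: time elapsed client code/status bytes method url user peer type."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "user": f[7]}

def summarize_clients(lines):
    """Per client: 407 challenges issued, and requests carrying a user name
    (the user field stays '-' until the helper accepts a token)."""
    out = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in lines:
        r = parse_access_line(line)
        if r is None:
            continue
        c = out[r["client"]]
        if r["status"] == 407:
            c["challenges"] += 1
        elif r["user"] != "-":
            c["authenticated"] += 1
            c["users"].add(r["user"])
    return dict(out)

def diagnose(summary):
    """One-line verdict per client from the counts above."""
    verdicts = {}
    for client, c in summary.items():
        if c["challenges"] and not c["authenticated"]:
            verdicts[client] = "never presented accepted credentials: not answering the Negotiate challenge"
        elif c["authenticated"]:
            verdicts[client] = "Negotiate working (users: %s)" % ", ".join(sorted(c["users"]))
        else:
            verdicts[client] = "no challenge seen"
    return verdicts

# ---- 2. the token the browser sends: Kerberos, or an NTLM fallback? ----

SPNEGO_OID  = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                  # 1.3.6.1.5.5.2
KRB5_OID    = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"      # 1.2.840.113554.1.2.2
MSKRB5_OID  = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"      # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10

def classify_token(proxy_authorization):
    """Classify a 'Proxy-Authorization: Negotiate <b64>' header value into
    (kind, mechs). Mechanism detection is a byte-substring search for the
    OIDs above, not a full DER parse: good enough for triage only."""
    scheme, _, b64 = proxy_authorization.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate:" + scheme.lower(), [])
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return ("undecodable", [])
    if raw.startswith(b"NTLMSSP\x00"):
        return ("raw-ntlm", ["ntlmssp"])       # browser fell back to plain NTLM
    if raw[:1] != b"\x60":                     # GSS-API InitialContextToken tag
        return ("unknown", [])
    if SPNEGO_OID in raw[:16]:
        mechs = [n for n, oid in (("krb5", KRB5_OID), ("ms-krb5", MSKRB5_OID),
                                  ("ntlmssp", NTLMSSP_OID)) if oid in raw]
        return ("spnego", mechs)
    if KRB5_OID in raw[:16] or MSKRB5_OID in raw[:16]:
        return ("raw-kerberos", ["krb5"])
    return ("unknown", [])

def expected_spn(proxy_setting):
    """SPN a Kerberos client asks the KDC for, built from the proxy name as
    configured in the browser; the helper's keytab must hold that exact name."""
    host = proxy_setting.split(":")[0].lower()
    spn = "HTTP/" + host
    warning = None if "." in host else "short hostname: a non-canonicalising client requests " + spn
    return spn, warning

# ---- constructed sample data ----

def der(tag, body):
    """Minimal DER TLV encoder (lengths below 64 KiB), used only to build samples."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                           else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def sample_spnego(mech_oids):
    """NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mech_types = der(0x30, b"".join(mech_oids))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, der(0xA0, mech_types))))

def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

SAMPLE_ACCESS_LOG = [
    # the three lines from the post: every request ends in a 407 with user '-'
    "1244303002.590 0 192.168.4.139 TCP_DENIED/407 2866 GET http://google.com/ - NONE/- text/html",
    "1244303021.209 0 192.168.4.222 TCP_DENIED/407 2175 CONNECT mail.google.com:443 - NONE/- text/html",
    "1244303021.222 0 192.168.4.222 TCP_DENIED/407 2175 CONNECT mail.google.com:443 - NONE/- text/html",
    # constructed healthy client for contrast: one challenge, then an authenticated hit
    "1244303100.001 0 192.168.4.50 TCP_DENIED/407 2866 GET http://google.com/ - NONE/- text/html",
    "1244303100.120 85 192.168.4.50 TCP_MISS/200 6210 GET http://google.com/ jdoe@EXAMPLE.COM DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for client, verdict in diagnose(summarize_clients(SAMPLE_ACCESS_LOG)).items():
        print(client, "->", verdict)
    print(classify_token(negotiate_header(sample_spnego([KRB5_OID, NTLMSSP_OID]))))
    print(classify_token(negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00")))
    print(expected_spn("linuxproxy:8080"))
```

A client whose every line is `TCP_DENIED/407` with user `-`, as in the posted log, has never returned a token the helper accepted; the next step is to look at the retry's `Proxy-Authorization` header. A token that decodes to `NTLMSSP` means the browser chose NTLM, which `squid_kerb_auth` cannot handle, and a short proxy name in the browser settings is one common reason for that, which is why the proxy should be configured as `linuxproxy.panasonic.com` rather than `linuxproxy`.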