2009/7/29 Amos Jeffries <squid3_at_treenet.co.nz>:
> Harley Jackson Willmott wrote:
>>
>> 2009/7/28 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>> Harley Jackson Willmott wrote:
>>>>
>>>> 2009/7/27 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>>
>>>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>>>> <open.harley_at_gmail.com> wrote:
>>>>>>
>>>>>> Hey all.
>>>>>>
>>>>>> I've done lots of searching and haven't been able to find examples of
>>>>>> this particular scenario so I'm putting it to you guys for help.
>>>>>>
>>>>>> Basically, my boss has me setting up a Squid server for our company's
>>>>>> primarily Microsoft-based network (We use Active Directory). We've
>>>>>> already got a proxy server set up running Webmarshal. Webmarshal takes
>>>>>> care of all the filtering stuff based on Active Directory membership.
>>>>>>
>>>>>> I'm implementing a Squid server to both cache (obviously) and to
>>>>>> throttle certain users using delay pools.
>>>>>>
>>>>>> The original plan was to have Squid in front of Webmarshal, which
>>>>>> means Squid needs to be able to pass the AD credentials to Webmarshal.
>>>>>> The server itself is running Ubuntu 9.04 Server with
>>>>>> Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
>>>>>> AD domain through Likewise-Open. I'd like to create ACLs based on
>>>>>> user/group membership in AD, but IPs are fine if that isn't possible.
>>>>>> The main thing is that I -need- the credentials passed to Webmarshal
>>>>>> so that the user isn't prompted to enter their username and password
>>>>>> into their browser (this is how it acts prior to pointing it to
>>>>>> Squid).
>>>>>>
>>>>>> Is this possible with my version of Squid? I've been trying to follow
>>>>>> examples and documentation on the web, but frequently run into
>>>>>> conflicting and/or outdated information. If so, can someone help me
>>>>>> out with an example or something? If not, should I just be putting
>>>>>> Squid behind Webmarshal?
>>>>>
>>>>> Behind would be the quickest fix.
>>>>>
>>>>> Or you could go the whole way and configure Squid AD authentication
>>>>> with
>>>>> groups access control to completely replace WebMarshall. Squid bundles
>>>>> a
>>>>> few external ACL helpers that check group access. The rest is up to how
>>>>> you
>>>>> set what access controls.
>>>>>
>>>>> Amos
>>>>>
>>>>>
>>>> Thanks, Amos, I mulled it over a bit and talked to the boss and we've
>>>> put Squid in front of Webmarshal
>>>>
>>>> I got Squid up and running but was getting a massive headache trying
>>>> to make it pass credentials to Webmarshal. The problem was revealed to
>>>> me by another thread on this mailing list that mentioned this would
>>>> only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
>>>> and it passes credentials to Webmarshal fine now! Delay pools are
>>>> working great too (it's funny being happy about seeing the internet
>>>> moving slowly)
>>>> However, I'm faced with another problem. I still need to set up ACLs
>>>> in Squid that are based on Active Directory groups. The box is in our
>>>> domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
>>>> ntlm_auth all work flawlessly.
>>>> Unfortunately, after I add the lines for ntlm authentication, my
>>>> browser (even IE) prompts me for username and password a few times and
>>>> then sends me to a Cache Access Denied page. My access.log also does
>>>> not show any usernames/groups.
>>>>
>>>> I've played around with the lines a bit but here is how they stand at
>>>> the moment:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp
>>>> auth_param ntlm children 30
>>>> auth_param ntlm keep_alive on
>>>>
>>>> auth_param basic program /usr/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-basic
>>>> auth_param basic children 5
>>>> auth_param basic realm mushmusic
>>>> auth_param basic credentialsttl 2 hours
>>>> auth_param basic casesensitive off
>>>>
>>>> acl authedusers proxy_auth REQUIRED
>>>> http_access allow authedusers
>>>>
>>>> Any advice?
>>>> Cheers :)
>>>
>>> You also need persistent connections enabled, and connection-auth= flags
>>> on
>>> any cache_peer lines.
>>>
>>> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
>>> See these settings:
>>> * client_persistent_connections
>>> * server_persistent_connections
>>> * persistent_connection_after_error
>>> * detect_broken_pconn
>>>
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>>> Current Beta Squid 3.1.0.12
>>>
>>
>> Thanks again! I managed to get ntlm_auth working, with ACLs based on
>> the user's AD groups to decide different bucket sizes and speeds
>> without the browser prompting.
>> I had disabled the passing of credentials to Webmarshal beforehand to
>> isolate what I was working on and now that I've gotten ntlm_auth
>> working, I re-enabled it. Unfortunately, I am prompted for credentials
>> again. This time, however, entering the credentials seem to work (as
>> opposed to just prompting me over and over again before).
>>
>> If I'm _only_ passing credentials or _only_ authenticating for Squid,
>> then everything works swimmingly. However, having both at once causes
>> it to prompt the user at the browser. Can I only have one or the other
>> or is there a solution that allows Squid to authenticate as well as
>> pass creds to Webmarshal?
>>
>> Cheers
>> Harley
>
> At a guess I'd say the Webmarshal is not finding the NTLM token passed back
> enough and kicking off its own challenge sequence.
>
> Maybe the all-hack will work here....
>
> Setting "all" ACL as the last on each authentication line causes Squid to
> not send the auth chellenge. This breaks any deny lines, but if the auth is
> only on "allow" stuff it can work.
>
> NP: You will also have to create a category for non-authenticated requests.
> Which are prior to the Webmarshal challenge but MUST still go through to get
> the auth challenge happening.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
> Current Beta Squid 3.1.0.12
>
I have to admit I'm a little confused. Still very new to Squid and I'm
not entirely sure what you mean :P Particularly the category part and
what goes where.
This is how my current config stands, if that helps:
--- access_log /opt/squid/var/logs/access.log squid http_port 3128 client_persistent_connections on server_persistent_connections on persistent_connection_after_error on detect_broken_pconn on icp_port 3130 visible_hostname tmg04 acl CONNECT method CONNECT acl all src 0/0 auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp all auth_param ntlm children 30 all auth_param ntlm keep_alive on all auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic all auth_param basic children 5 all auth_param basic realm mushmusic all auth_param basic credentialsttl 2 hours all auth_param basic casesensitive off all external_acl_type ad_group %LOGIN /opt/squid/libexec/wbinfo_group.pl acl girly external ad_group girl http_access allow girly http_access allow all cache_effective_user squid delay_pools 1 delay_class 1 2 delay_parameters 1 8000/128000 8000/128000 cache_peer 192.168.5.11 parent 8085 0 no-query default login=PASS never_direct allow all --- There's obvious stuff not in to do with caching, etc, but I'm worrying about that later as it's trivial (IMO) compared to getting it working with Microsoft's crazy old systems. HarleyReceived on Wed Jul 29 2009 - 07:33:55 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 29 2009 - 12:00:05 MDT