How to configure squid so that it does not prohibit access to the Internet for groups entered in the AD config?
Good day! The essence of the problem: a test machine in the (Windows) domain does not get to the Internet. On the test machine, a proxy server 10.47.143.178 (also a test one) is configured, running FreeBSD 12.1. An authorization window is first displayed in the browser; I enter the account data into it, try to log in, and the following message appears: Error. Cache access denied. Screenshots of this error are attached to the post.
It seems to me that the whole problem is with squid version 4.10, or rather with the squid config. Here is the config:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm TESTPROXY
auth_param basic credentialsttl 2 hours
external_acl_type nt_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
acl testgroup external nt_group testgroup
acl LimitedInternet external nt_group LimitedInternet
acl http_proto port 80
acl SiteAllow dstdomain .mail.ru .yandex.ru
#http_access allow test http_proto
http_access allow testgroup SiteAllow
http_access deny all
http_port 3128
#hierarchy_stoplist cgi-bin
coredump_dir /usr/local/etc/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
I must say right away that this config was copied from an older squid 3.x version, I don't remember exactly which one. I tried to google a similar config for squid version 4.10, but didn't find anything. As can be seen from the config, authentication is carried out using the NTLM network protocol.
Viewed squid logs. Here is what is displayed in access.log when trying to access Yandex from the client's test machine:
.ru - HIER_NONE/- text/html
1587222517.236 61 10.47.143.211 TCP_DENIED/407 5205 GET yandex.ru testsquid HIER_NONE/- text/html
1587222519.614 12 10.47.143.211 TCP_DENIED/407 4665 GET yandex.ru testsquid HIER_NONE/- text/html
1587222521.731 24 10.47.143.211 TCP_DENIED/407 4665 GET yandex.ru testsquid HIER_NONE/- text/html
1587222523.063 25 10.47.143.211 TCP_DENIED/407 4665 GET yandex.ru testsquid HIER_NONE/- text/html
1587222523.142 17 10.47.143.211 TCP_DENIED/407 4667 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html
1587222523.166 17 10.47.143.211 TCP_DENIED/407 4765 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html
1587222524.046 17 10.47.143.211 TCP_DENIED/407 4765 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html
1587222525.363 23 10.47.143.211 TCP_DENIED/407 4765 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html
1587222526.252 18 10.47.143.211 TCP_DENIED/407 4765 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html
1587222527.089 28 10.47.143.211 TCP_DENIED/407 4765 GET testproxy.fkp47.local:3128/squid-internal-static/i... testsquid HIER_NONE/- text/html

2020/04/19 19:39:18 kid1| Starting new helpers
2020/04/19 19:39:18 kid1| helperOpenServers: Starting 1/5 'wbinfo_group.pl' processes
2020/04/19 19:39:18 kid1| ipcCreate: /usr/local/libexec/squid/wbinfo_group.pl: (2) No such file or directory
2020/04/19 19:39:18 kid1| WARNING: nt_group #Hlpr4527164 exited
2020/04/19 19:39:18 kid1| Too few nt_group processes are running (need 1/5)
2020/04/19 19:39:18 kid1| Starting new helpers
2020/04/19 19:39:18 kid1| helperOpenServers: Starting 1/5 'wbinfo_group.pl' processes
2020/04/19 19:39:18 kid1| ipcCreate: /usr/local/libexec/squid/wbinfo_group.pl: (2) No such file or directory
2020/04/19 19:39:18 kid1| WARNING: nt_group #Hlpr4527165 exited
2020/04/19 19:39:18 kid1| Too few nt_group processes are running (need 1/5)
2020/04/19 19:39:18 kid1| Starting new helpers
2020/04/19 19:39:18 kid1| helperOpenServers: Starting 1/5 'wbinfo_group.pl' processes
2020/04/19 19:39:18 kid1| ipcCreate: /usr/local/libexec/squid/wbinfo_group.pl: (2) No such file or directory
2020/04/19 19:39:18 kid1| WARNING: nt_group #Hlpr4527166 exited
2020/04/19 19:39:18 kid1| Too few nt_group processes are running (need 1/5)
Accordingly, the question is: what is wrong with the squid config syntax, where did the error creep in? And is it worth using squid 4.10 at all, or should an earlier version be used?
The problem is right on the surface:
/usr/local/libexec/squid/wbinfo_group.pl: (2) No such file or directory
Sorry, but this is a classic example of what happens when, instead of understanding the essence, we limit ourselves to copy-paste :)
Authorization in squid is a separate topic worth a dozen articles :) It can be done in at least three ways, but currently only one is relevant: through negotiate_kerberos_auth. There is a rather long procedure; I don't remember it well. There was an article in "System Administrator" a long time ago, back in 2012, called "Squid + AD - samba".
An account is created in AD. A principal is attached to it via ktpass (this is a Windows command).
This principal is specified in the squid config, and something like this is obtained:
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/proxy.keytab -s HTTP/[email protected]
auth_param negotiate children 30 startup=0 idle=1
auth_param negotiate keep_alive on
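As an added check, not code from the question or the answer: a small script that reads a squid.conf, collects every helper program squid will try to exec (auth_param ... program and external_acl_type ... <path>) and reports those that are absent or not executable, which is exactly the ipcCreate failure shown in the cache.log above. SAMPLE_CONF reproduces the poster's helper lines; check_fixture() is a constructed demo that builds a temp dir with one present helper and one absent helper.

```python
import os
import shlex
import tempfile

# Constructed sample: the poster's helper directives, including the
# wbinfo_group.pl path that cache.log reported as "No such file or directory".
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
external_acl_type nt_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
acl testgroup external nt_group testgroup
"""

def helper_paths(conf_text):
    """Return (directive, path) for every helper program squid.conf would exec."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tok = line.split()
        if tok[0] == "auth_param" and len(tok) >= 4 and tok[2] == "program":
            found.append((f"auth_param {tok[1]}", tok[3]))
        elif tok[0] == "external_acl_type" and len(tok) >= 3:
            # external_acl_type <name> [options] <format> <path> [args]: the helper
            # is the first absolute path after the ACL name.
            path = next((t for t in tok[2:] if t.startswith("/")), None)
            if path:
                found.append((f"external_acl_type {tok[1]}", path))
    return found

def missing_helpers(conf_text):
    """Helpers squid's ipcCreate would fail on: absent or not executable."""
    return [(d, p) for d, p in helper_paths(conf_text) if not os.access(p, os.X_OK)]

def check_fixture():
    """Constructed demo: one helper present, one absent, in a temp dir."""
    d = tempfile.mkdtemp()
    present = os.path.join(d, "ntlm_auth")
    with open(present, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(present, 0o755)
    conf = SAMPLE_CONF.replace("/usr/local/bin", d).replace("/usr/local/libexec/squid", d)
    return missing_helpers(conf)  # only the wbinfo_group.pl entry is reported
```

Run missing_helpers() on the real squid.conf before `squid -k reconfigure`; squid's own parse step does not verify that helper binaries exist.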