*nix Thread, Dansguardian on windows 2003 domain in Technical
  1. #31

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Dansguardian on windows 2003 domain

    That is a Squid ACL problem. Verify your http_access and acl lines are correct and ordered appropriately.

  2. #32

    Join Date
    Dec 2006
    Location
    US
    Posts
    300
    Thank Post
    64
    Thanked 17 Times in 16 Posts
    Rep Power
    18

    Re: Dansguardian on windows 2003 domain

    Hmm... they look correct to me, but that does not mean much, plus it still does not work.

    Do I have to define another ACL variable somewhere?

  3. #33

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    Enabling NTLM keep alive is probably a good idea.
    Code:
    auth_param ntlm keep_alive on
    I don't see anything obviously wrong with your http_access lines. I shall post mine tomorrow though so you can compare.

  4. #34

    Re: Dansguardian on windows 2003 domain

    Thank you, Geoff, I'd appreciate that if you would post your settings.

    I did notice one more thing, not sure if it's related - check the attachment to see the warning I get anytime squid starts or stops.

  5. #35

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    I am using the following version of squid

    Code:
    root@titan:/etc/squid# squid -v
    Squid Cache: Version 2.5.STABLE12
    configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null --enable-linux-netfilter --enable-arp-acl --enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools --enable-htcp --enable-poll --enable-cache-digests --enable-underscores --enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm --enable-carp --with-large-files i386-debian-linux
    With the following configuration

    Code:
    #IP/Port squid listens for connections on
    
    #for testing
    #http_port 8080
    
    #for dansguardian
    http_port localhost:3128
    
    # What we call ourselves
    
    visible_hostname proxy.carrhill.lancs.sch.uk
    
    #don't cache urls with these in them
    
    hierarchy_stoplist cgi-bin ?
    
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    
    # how much ram to use
    
    cache_mem 256 MB
    
    # largest file to cache
    
    maximum_object_size  200 MB
    
    #where the cache is on disk, how large it is (50Gb)
    
    cache_dir ufs /var/spool/squid 50000 16 256
    
    #Define upstream proxy
    
    cache_peer proxy.lancsngfl.ac.uk        parent  8080    7       no-query default
    
    #Authentication methods
    
    #NTLM
    
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 10
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    
    #Basic Auth (Just in case)
    
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 5 hours
    
    #define some acls
    
    # basic stuff
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    
    #Localhost
    acl localhost src 127.0.0.1/255.255.255.255
    
    #Local LEA
    acl local_external dstdomain lancsngfl.ac.uk
    
    #Local domain
    acl local_servers dstdomain carrhill.lancs.ac.uk
    
    #LAN IP Range
    acl local_ip_range dst 10.73.24.0/255.255.252.0
    acl local_lan_ip src 10.73.24.0/255.255.252.0
    
    #Software that doesn't support user authentication
    
    #For windows updates
    acl windowsupdates dstdomain .microsoft.com .windowsupdate.com
    
    #For food software
    acl food dstdomain .cls-bfh.co.uk
    
    #Standard ACLs
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 777         # multiling http
    acl purge method PURGE
    acl CONNECT method CONNECT
    
    #Authentication ACL
    acl AuthorizedUsers proxy_auth REQUIRED
    
    # Allow manager from Localhost
    http_access allow manager localhost
    http_access allow manager local_lan_ip
    http_access deny manager
    
    # Only allow purge requests from localhost
    http_access allow purge localhost
    http_access deny purge
    
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    
    #Allow without authentication
    #http_access allow localhost
    
    #Allow software  with no authentication
    http_access allow windowsupdates
    http_access allow food
    
    #allow authenticated users
    http_access allow AuthorizedUsers
    
    # Don't go via another proxy for these addresses
    always_direct allow local_external
    always_direct allow local_servers
    always_direct allow local_ip_range
    never_direct allow all
    
    # And finally deny all other access to this proxy
    http_access deny all
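
Added example, not part of the thread and not Geoff's own tooling: a small Python audit of the http_access ordering discussed in posts #31 and #35. Squid evaluates http_access lines top to bottom and stops at the first match, so the script lists allow rules that grant access without a proxy_auth ACL, rules placed after a catch-all, and ACL names used but never defined. The function name `audit` and the report keys are hypothetical; the sample lines are an excerpt of the configuration above.

```python
# Constructed input: acl/http_access lines copied from the squid.conf in post #35.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl local_lan_ip src 10.73.24.0/255.255.252.0
acl windowsupdates dstdomain .microsoft.com .windowsupdate.com
acl food dstdomain .cls-bfh.co.uk
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow manager localhost
http_access allow manager local_lan_ip
http_access deny manager
http_access deny !Safe_ports
http_access allow windowsupdates
http_access allow food
http_access allow AuthorizedUsers
http_access deny all
"""

def audit(conf):
    """Walk http_access rules in file order, the order Squid evaluates them."""
    acl_type, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()       # drop comments
        if len(tok) >= 3 and tok[0] == "acl":
            acl_type.setdefault(tok[1], tok[2])  # name -> type (src, proxy_auth, ...)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    report = {"undefined": [], "no_auth_allow": [], "unreachable": []}
    catch_all_seen = False
    for action, names in rules:
        text = "http_access %s %s" % (action, " ".join(names))
        for n in (name.lstrip("!") for name in names):
            if n not in acl_type and n not in report["undefined"]:
                report["undefined"].append(n)
        if catch_all_seen:
            report["unreachable"].append(text)   # an earlier rule already matched everything
            continue
        # ACLs on one line are ANDed: the rule demands credentials only if one
        # of its non-negated ACLs is of type proxy_auth.
        needs_auth = any(acl_type.get(n) == "proxy_auth" for n in names)
        if action == "allow" and not needs_auth:
            report["no_auth_allow"].append(text)
        # Assumption: the ACL named "all" matches every client, as defined in the post.
        catch_all_seen = names == ["all"]
    return report
```

Calling `audit(SAMPLE)` reports four allow rules that pass traffic before any credentials are requested (the two cache-manager rules plus `windowsupdates` and `food`), which is the list to review when deciding what may bypass authentication.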

  6. #36

    Re: Dansguardian on windows 2003 domain

    Thank you, Geoff. That's very helpful.
    I am now trying to install Squid version 2.5, like on your system, so the configuration file will be more similar, and hopefully, easier for me to find the problem.

    One odd problem occurred after I reinstalled it and edited the config file. The attached error message appears anytime squid starts/stops.

    This appeared a few minutes after Squid "terminated abnormally" and said warning: Squid killed!

    Have you seen this message before?

  7. #37

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    The init script for squid probably isn't doing the right thing for the new version.

  8. #38

    Re: Dansguardian on windows 2003 domain

    ^It turns out I had accidentally copied the Squid 2.6 init script. A quick squid reinstall fixed that problem and I now get the authentication dialog.

    However, I am still getting 6+ dialogs and it is not accepting the username and password. I have updated the config file to be very similar to yours.

    I do not know if I missed something in the config file, or what.

    Do you have any more ideas? (I can get any file that might be helpful).

    Thanks again.

  9. #39

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    You have a broken acl. You wrote
    Code:
    http_access allow all AuthorizedUsers
    It should read as
    Code:
    http_access allow AuthorizedUsers

  10. #40

    Re: Dansguardian on windows 2003 domain

    I now fixed the broken ACL.

    However, it is still not accepting the username/password.
    I did notice something odd: the first few login prompts just say
    Enter username and password for proxy "" at 192.168.0.2:3128.
    then the last few login prompts say
    Enter username and password for proxy "Squid proxy-caching web server" at 192.168.0.2:3128.
    The username is only recorded in the log for the second style of login prompt.

    Does this mean something is still not configured correctly, and could cause it to not accept any username/password? Thanks.

  11. #41

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    NTLM authentication is failing. This is most likely a problem with Samba/Winbind.

  12. #42

    Re: Dansguardian on windows 2003 domain

    I checked the Samba and Winbind logs and found a few interesting events that might be related to the NTLM problem. Screenshots are attached. These events occur after every system restart.

    Any thoughts on whether these are a likely cause, and tips on how to correct these? Thanks.

  13. #43

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    What's the result of 'wbinfo -t'?

  14. #44

    Re: Dansguardian on windows 2003 domain

    wbinfo -t produces the following result:

    Code:
    checking the trust secret via RPC calls succeeded
    Is this a good response?


    In addition, wbinfo -g lists all domain user groups (not sure if that helps any).

  15. #45

    Geoff's Avatar

    Re: Dansguardian on windows 2003 domain

    Do
    Code:
    net ads status -U <username>
    and
    Code:
    ntlm_auth --username=<username> --domain=<domain> -d10 --diagnostics
    work?
