TCP_DENIED/407 AD auth


TCP_DENIED/407 AD auth

stancfg
Hello everyone, I'm facing a problem with Squid.
The Squid proxy is working, but access.log is showing TCP_DENIED/407 for most
of the connections.
If I remove the authentication configuration from squid.conf, this error is
missing in access.log.

CentOS Linux release 8.0.1905
4.18.0-147.6.el8.x86_64
Squid Cache: Version 4.4
wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded

Any assistance in this matter would be greatly appreciated
Regards
Stan

*squid.conf*


*smb.conf*

*nsswitch.conf*


*access.log*



*cache.log*




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: TCP_DENIED/407 AD auth

Schroeffu
As I understand it, with (NTLM) authentication every request needs to be authenticated. Therefore you will see TCP_DENIED/407 every time before TCP_***/200, because the request needs to be authenticated again each time.

Anybody else correct me if I am wrong ;-)

Schroeffu



December 4, 2019 15:09, "stancfg" <[hidden email]> wrote:

> Hello everyone, I'm facing a problem with Squid.
> The Squid proxy is working, but access.log is showing TCP_DENIED/407 for most
> of the connections.
> If I remove the authentication configuration from squid.conf, this error is
> missing in access.log.
>
> CentOS Linux release 8.0.1905
> 4.18.0-147.6.el8.x86_64
> Squid Cache: Version 4.4
> wbinfo -t
> checking the trust secret for domain AD via RPC calls succeeded
>
> Any assistance in this matter would be greatly appreciated
> Regards
> Stan
>
> *squid.conf*
>
> *smb.conf*
>
> *nsswitch.conf*
>
> *access.log*
>
> *cache.log*
>

Re: TCP_DENIED/407 AD auth

stancfg
Hello Schroeffu

I fully agree with you, but why are some of the requests authenticated and some
are not?
Is this normal behavior?
Thank you for your help.

Stan




Re: TCP_DENIED/407 AD auth

Schroeffu
Hi Stan,

When you are using NTLM, according to the last sentence in https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm (very bottom):

"Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM."

So usually any request from an end user through an NTLM auth proxy should log a TCP_DENIED/407. If you have websites allowed without authentication in squid.conf before the authentication configuration, then of course these do not log a 407. Maybe somebody else can explain the real challenge-response thing better to you, or link to documentation.

For example, I'm running a whitelist configured before the authentication configuration, so I can add domains to allow without NTLM (apple.com domains etc.):

acl white_domain dstdomain "/etc/squid/ka/domains_noauth.acl"
http_access allow white_domain

acl white_regexp url_regex -i "/etc/squid/ka/domains_noauth_regex.acl"
http_access allow white_regexp

#Allow fetch intermediate certs before required authentication, guess this is required for SSL BUMP + NTLM
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
http_access allow fetched_certificate

# NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
(...)(ntlm configuration, check required ldap groups, blablah)
(...)
(...)
(...)

# Allow based on group membership
# Authentication required, otherwise Pop-Up to Basic Auth
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users



December 4, 2019 15:25, "stancfg" <[hidden email]> wrote:

> Hello Schroeffu
>
> I fully agree with you, but why are some of the requests authenticated and some
> are not?
> Is this normal behavior?
> Thank you for your help.
>
> Stan
>
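Added example (not part of any post in this thread): a log check that separates the 407 entries explained above as NTLM challenge-response steps from 407s that are never followed by an authenticated request. It assumes Squid's native access.log format; the sample lines, the WINDOW value and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1575468540.123      0 10.0.0.15 TCP_DENIED/407 4035 CONNECT example.com:443 - HIER_NONE/- text/html
1575468540.130      1 10.0.0.15 TCP_DENIED/407 4320 CONNECT example.com:443 - HIER_NONE/- text/html
1575468540.250    110 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT example.com:443 stan HIER_DIRECT/192.0.2.10 -
1575468541.000      0 10.0.0.22 TCP_DENIED/407 4035 GET http://example.org/ - HIER_NONE/- text/html
1575468541.010      0 10.0.0.22 TCP_DENIED/407 4035 GET http://example.org/ - HIER_NONE/- text/html
1575468541.020      0 10.0.0.22 TCP_DENIED/407 4035 GET http://example.org/ - HIER_NONE/- text/html
1575468542.500     45 10.0.0.15 TCP_MISS/200 900 GET http://apple.com/ - HIER_DIRECT/192.0.2.20 text/html
"""

WINDOW = 5.0  # assumption: seconds within which a handshake should complete


def parse(line):
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "code": code,
            "status": int(status), "method": f[5], "url": f[6], "user": f[7]}


def classify_407(log_text, window=WINDOW):
    """Return (handshake, unresolved): 407s followed by an authenticated
    request for the same client/method/URL, and 407s that never were."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    pending = defaultdict(list)
    handshake, unresolved = [], []
    for e in sorted(entries, key=lambda e: e["ts"]):
        key = (e["client"], e["method"], e["url"])
        if e["status"] == 407:
            pending[key].append(e)
        elif e["user"] != "-":  # a logged username means auth completed
            for p in pending.pop(key, []):
                ok = e["ts"] - p["ts"] <= window
                (handshake if ok else unresolved).append(p)
    for left in pending.values():  # 407s with no authenticated follow-up
        unresolved.extend(left)
    return handshake, unresolved


if __name__ == "__main__":
    hs, bad = classify_407(SAMPLE_LOG)
    print(f"handshake 407s: {len(hs)}, unresolved 407s: {len(bad)}")
    for e in bad:
        print("investigate:", e["client"], e["method"], e["url"])
```

Clients that only ever appear in the unresolved list are the ones worth checking for missing credentials or an application that cannot do proxy authentication.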

Re: TCP_DENIED/407 AD auth

stancfg
Hello Schroeffu,
Somehow I've managed to miss this last sentence.
I have another proxy in production that is working with ACLs like this, but
showing the same error "TCP_DENIED/407".
That is why I decided to build a new one and find the "problem".
I will probably try a new one with Kerberos.
Thank you very much Schroeffu.

Regards
Stan


