kerberos authentication with kerberos groups

kerberos authentication with kerberos groups

Jeroen Ruijter

I'm trying to replace my basic ldap authentication by kerberos single sign on.

The user can successfully login with single sign on, but I have restriction on groups and that is where it goes wrong.

I would like to use -r to trim the domain name, but when I do so it seems to work even less.

Anyone any ideas what to try? I believe the system is looking wrong in active directory but adding -b OU=Users,DC=yyy,DC=local does not help me further

 

=======

auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email] -d
external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email] -d

acl XXX_InternetAllowed external XXX_InternetAllowed
acl XXX_Adult external XXX_Adult

acl XXX_AdultX dstdomain .alternate.com .brood.nl .broodnodig.nl

acl localnet src xxx.xxx.xxx.0/24
acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny auth !XXX_InternetAllowed
http_access deny XXX_Adult XXX_AdultX
http_access allow localnet
http_access allow localhost
http_access deny all

========

 

support_member.cc(63): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: User domain loop: group@domain [hidden email]
support_member.cc(65): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found group@domain [hidden email]
support_ldap.cc(898): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_7612
support_krb5.cc(138): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: hosts/[hidden email]
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name hosts/[hidden email]
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'hosts/[hidden email]' not found in Kerberos database
support_krb5.cc(169): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YYY.LOCAL
support_krb5.cc(189): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found principal  name: HTTP/[hidden email]
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name HTTP/[hidden email]
support_krb5.cc(269): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YYY.LOCAL
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad02.yyy.local
support_resolv.cc(379): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YYY.LOCAL record to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 1 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 2 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 3 of YYY.LOCAL to ad01.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 4 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 5 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(207): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Resolved address 6 of YYY.LOCAL to ad02.yyy.local
support_resolv.cc(407): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Adding YYY.LOCAL to list
support_resolv.cc(443): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YYY.LOCAL:
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad01.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: ad02.yyy.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Host: YYY.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ad01.yyy.local:389
support_ldap.cc(953): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server ad01.yyy.local:389
support_ldap.cc(333): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain [hidden email]
support_member.cc(91): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default domain loop: group@domain [hidden email]
support_member.cc(119): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Default group loop: group@domain [hidden email]
kerberos_ldap_group.cc(416): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: ERR

 

Regards, Jeroen Ruijter

 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
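Reading helper dumps like the one above by hand is slow. The following is an added example, not code from this thread or from Squid, of a small Python reader for the ext_kerberos_ldap_group_acl line format shown above: it groups lines by helper pid and pulls out the events that decide the outcome (keytab principals tried, ERROR lines, the LDAP server bound to, the membership verdict). The sample lines are constructed in that format with placeholder principal and group names.

```python
# Added example, not part of the thread or of the Squid helper: a small
# reader for ext_kerberos_ldap_group_acl debug output. It groups lines by
# helper pid and pulls out the events that decide the outcome (keytab
# principals tried, ERROR lines, the LDAP server bound to, the membership
# verdict), so they are not buried in the DEBUG noise.
import re
from collections import defaultdict

# Format of the helper's lines as they appear in this thread:
#   <source file>(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <message>
LINE_RE = re.compile(
    r"^(?P<src>[\w.]+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| kerberos_ldap_group: "
    r"(?P<level>DEBUG|INFO|ERROR): (?P<msg>.*)$"
)
PRINCIPAL_RE = re.compile(r"Got principal name (\S+)")
SERVER_RE = re.compile(r"Successfully initialised connection to ldap server (\S+)")
MEMBER_RE = re.compile(r"User (\S+) is (not )?member of group@domain (\S+)")


def parse_line(line):
    """Split one helper log line into its fields; None for any other output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Per helper pid: principals tried, errors, LDAP servers, verdicts."""
    per_pid = defaultdict(lambda: {"principals": [], "errors": [],
                                   "ldap_servers": [], "verdicts": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                      # e.g. Squid's own "kid1|" lines
        entry, msg = per_pid[rec["pid"]], rec["msg"]
        if rec["level"] == "ERROR":
            entry["errors"].append(msg)
        if (m := PRINCIPAL_RE.search(msg)):
            entry["principals"].append(m.group(1))
        if (m := SERVER_RE.search(msg)):
            entry["ldap_servers"].append(m.group(1))
        if (m := MEMBER_RE.search(msg)):
            # (user, group@domain, is_member)
            entry["verdicts"].append((m.group(1), m.group(3), m.group(2) is None))
    return dict(per_pid)


def report(summary):
    """One line per finding, in the order a reviewer would want to read them."""
    out = []
    for pid, s in sorted(summary.items()):
        out.append(f"pid {pid}: principals tried {s['principals']}")
        for err in s["errors"]:
            out.append(f"pid {pid}: ERROR {err}")
        for user, group, member in s["verdicts"]:
            out.append(f"pid {pid}: {user} {'is' if member else 'is NOT'} a member of {group}")
    return out


# Constructed sample in the thread's line format; the principal and group
# names are placeholders, not values taken from the thread.
SAMPLE = """\
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name hosts/proxy.yyy.local@YYY.LOCAL
support_krb5.cc(64): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'hosts/proxy.yyy.local@YYY.LOCAL' not found in Kerberos database
support_krb5.cc(205): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.yyy.local@YYY.LOCAL
support_ldap.cc(967): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server ad01.yyy.local:389
support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(76): pid=7612 :2018/02/16 11:50:07| kerberos_ldap_group: INFO: User Administrator is not member of group@domain ADGroupRaamregeling@YYY.LOCAL
2018/02/20 17:02:21 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE))))
```

Feed it the helper's stderr (the lines Squid writes to cache.log when the helper runs with -d) and read the report instead of the full dump.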

Re: kerberos authentication with kerberos groups

Amos Jeffries
Administrator
On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>

NP: Despite what some claim, SSO is not unique to NTLM and Kerberos
authentication. It is a behaviour of the tools used. As such it can be
done with *any* authentication type if the tools used perform the
necessary behaviour.



> The user can succesfully login with single sign on, but I have
> restriction on groups and that is where it goes wrong.

What exactly does this "going wrong" look like?

Also, what version of Squid are you working with?
 (the "squid -v" output please)

>
> I would like to use -r to trim the domain name, but when I do so it
> seems to work even less.
>
> Someone any ideas what to try, I believe the system is loking wrong in
> active directory but adding -b OU=Users,DC=yyy,DC=local does not help me
> further

You have some things looking for ".local" and others for ".LOCAL". I'm
not sure if case insensitivity exists in all those places they are being
used, so that is one potential cause of problems.


> =======
>
>  
>
> auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d --ntlm
> /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s
> GSS_C_NO_NAME
>
> auth_param negotiate children 20 startup=0 idle=1
>
> auth_param negotiate keep_alive off
>
>  
>
> external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600 %LOGIN
> /usr/sbin/ext_kerberos_ldap_group_acl -b
> OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email] -d
>
> external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN
> /usr/sbin/ext_kerberos_ldap_group_acl -b
> OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email] -d
>
>  
>
> acl XXX_InternetAllowed external XXX_InternetAllowed
>
> acl XXX_Adult external XXX_Adult
>

...
>
> http_access deny auth !XXX_InternetAllowed

The above says the user's entire login is to be rejected if they are not
a member of the XXX_InternetAllowed group.

That should work but it is better to reject failed logins fully first,
then do the group checks separately.

Like this:

 http_access deny !auth
 http_access deny !XXX_InternetAllowed all

>
> http_access deny XXX_Adult XXX_AdultX
>

You could gain a fair bit of performance back by making that check the
dstdomain before the slow external lookup:

  http_access deny XXX_AdultX XXX_Adult all


> http_access allow localnet
>
> http_access allow localhost
>
> http_access deny all
>
>  
>
> ========
>


...

>
> support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Search ldap server with bind path
> CN=Schema,CN=Configuration,DC=bnh,DC=local and filter:
> (ldapdisplayname=samaccountname)
>
> support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Found 0 ldap entries
>
> support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Determined ldap server not as an Active
> Directory server
>
> support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: ERROR: Error determining ldap server type:
> Operations error
>
> support_member.cc(76): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: INFO: User Administrator is not member of
> group@domain [hidden email]
>

Looks like it is working to me.

The helper tries several methods of locating a server, two fail but the
third seems to work and produces the above result.


Amos

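As an added illustration of the reordering Amos suggests (example code written for this page, not Squid's own evaluator), the toy model below walks http_access lines the way his advice relies on: the ACLs on a line are checked left to right and stop at the first one that fails, the first matching line wins, and the opposite of the last line applies when nothing matches. It counts each consultation of the external group ACLs as a helper call, and it reduces Squid's challenge logic to one assumed rule, that a credential-needing ACL evaluated for a request without credentials ends the check with a 407 only when it is the last ACL on its line. The users, group memberships and destinations are constructed.

```python
# Added example, not Squid's code: a toy model of how Squid walks http_access
# lines, used to compare the ordering posted in this thread with the one Amos
# suggests. Everything below is an assumption of the model, not a quote:
#  - a line matches only if every ACL on it matches, checked left to right
#    and stopping at the first ACL that fails;
#  - the first matching line decides; if none matches, the opposite of the
#    last line applies;
#  - XXX_InternetAllowed and XXX_Adult are external (slow) ACLs, so each
#    time one is consulted we count a helper call instead of doing LDAP;
#  - an ACL that needs credentials, evaluated for a request that has none,
#    ends the check with a 407 challenge when it is the last ACL on its
#    line and otherwise just fails the line (a simplification of Squid).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: Optional[str]     # None = no Proxy-Authorization credentials sent
    dstdomain: str
    src_local: bool = True  # stands in for the localnet src ACL


# Constructed directory data (group names as logged later in this thread).
DIRECTORY = {
    "alice": {"ADGroupRaamregeling"},
    "bob": {"ADGroupRaamregeling", "ADGroupRestrictedAdult"},
    "carol": set(),
}
ADULT_DOMAINS = (".alternate.com", ".brood.nl", ".broodnodig.nl")


def in_group(group):
    return lambda r: r.user is not None and group in DIRECTORY.get(r.user, ())


# acl name -> (kind, needs credentials, predicate)
ACLS = {
    "auth": ("fast", True, lambda r: r.user is not None),
    "XXX_InternetAllowed": ("external", True, in_group("ADGroupRaamregeling")),
    "XXX_Adult": ("external", True, in_group("ADGroupRestrictedAdult")),
    "XXX_AdultX": ("fast", False, lambda r: r.dstdomain.endswith(ADULT_DOMAINS)),
    "localnet": ("fast", False, lambda r: r.src_local),
    "all": ("fast", False, lambda r: True),
}

# The group/adult part of the posted config, and Amos's reordering of it.
ORIGINAL = [
    "deny auth !XXX_InternetAllowed",
    "deny XXX_Adult XXX_AdultX",
    "allow localnet",
    "deny all",
]
ADVISED = [
    "deny !auth",
    "deny !XXX_InternetAllowed all",
    "deny XXX_AdultX XXX_Adult all",
    "allow localnet",
    "deny all",
]


def evaluate(rules, req):
    """Return (verdict, number of external helper calls) for one request."""
    helper_calls = 0
    for line in rules:
        action, *tokens = line.split()
        line_matched = True
        for i, token in enumerate(tokens):
            negated = token.startswith("!")
            kind, needs_creds, pred = ACLS[token.lstrip("!")]
            if needs_creds and req.user is None:
                if i == len(tokens) - 1:
                    return "407 challenge", helper_calls
                line_matched = False
                break
            if kind == "external":
                helper_calls += 1           # the slow LDAP group lookup
            if pred(req) == negated:        # this ACL did not match
                line_matched = False
                break
        if line_matched:
            return action, helper_calls
    fallback = "allow" if rules[-1].split()[0] == "deny" else "deny"
    return fallback, helper_calls


def compare(req):
    """Same request through both orderings: {name: (verdict, helper_calls)}."""
    return {"original": evaluate(ORIGINAL, req), "advised": evaluate(ADVISED, req)}


if __name__ == "__main__":
    for req in (Request("alice", "www.example.org"),
                Request("bob", "www.brood.nl"),
                Request("carol", "www.example.org")):
        print(req.user, req.dstdomain, compare(req))
    # A request without credentials is challenged on the first line, before
    # any group lookup, under the advised ordering.
    print("no credentials", evaluate(ADVISED, Request(None, "www.example.org")))
```

The verdicts are the same under both orderings; the difference is that a member browsing a non-adult site costs one helper call instead of two once the dstdomain ACL comes first.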

Re: kerberos authentication with kerberos groups

Jeroen Ruijter

support_member.cc(91): pid=2166 :2018/02/19 08:23:59| kerberos_ldap_group: DEBUG: Default domain loop: group@domain [hidden email]
support_member.cc(119): pid=2166 :2018/02/19 08:23:59| kerberos_ldap_group: DEBUG: Default group loop: group@domain [hidden email]
support_member.cc(63): pid=2166 :2018/02/19 09:54:21| kerberos_ldap_group: DEBUG: User domain loop: group@domain [hidden email]
support_member.cc(65): pid=2166 :2018/02/19 09:54:21| kerberos_ldap_group: DEBUG: Found group@domain [hidden email]
support_member.cc(76): pid=2166 :2018/02/19 09:54:21| kerberos_ldap_group: INFO: User Jeroen.Ruijter is not member of group@domain [hidden email]

 

So the user is authenticated for the proxy and the group is found, but the user is not a member, though I'm certainly a member.

Squid info

bhlnx03:~ # squid -v

Squid Cache: Version 3.5.21

Service Name: squid

configure options:  '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-strict-error-checking' '--sysconfdir=/etc/squid' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--sharedstatedir=/var/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--with-dl' '--enable-disk-io' '--enable-storeio' '--enable-removal-policies=heap,lru' '--enable-icmp' '--enable-delay-pools' '--enable-esi' '--enable-icap-client' '--enable-useragent-log' '--enable-referer-log' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-ssl-crtd' '--with-openssl' '--enable-forw-via-db' '--enable-cache-digests' '--enable-linux-netfilter' '--with-large-files' '--enable-underscores' '--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm' '--enable-auth-negotiate' '--enable-auth-digest' '--enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group' '--enable-stacktraces' '--enable-x-accelerator-vary' '--with-default-user=squid' '--disable-ident-lookups' '--enable-follow-x-forwarded-for' '--disable-arch-native' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 'LDFLAGS=-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro,-z,now -pie' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fPIE -fPIC -DOPENSSL_LOAD_CONF' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

-----Original message-----
From: squid-users [mailto:[hidden email]] On behalf of Amos Jeffries
Sent: Friday 16 February 2018 18:58
To: [hidden email]
Subject: Re: [squid-users] kerberos authentication with kerberos groups


Re: kerberos authentication with kerberos groups

Jeroen Ruijter
In reply to this post by Amos Jeffries
Do you advise to use capitals or small characters for the domain name?


-----Original message-----
From: squid-users [mailto:[hidden email]] On behalf of Amos Jeffries
Sent: Friday 16 February 2018 18:58
To: [hidden email]
Subject: Re: [squid-users] kerberos authentication with kerberos groups


Re: kerberos authentication with kerberos groups

Jeroen Ruijter
I believe this has to be the problem, but how do I solve it? It's almost at the end of the whole listing

support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)




kerberos_ldap_group.cc(283): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
2018/02/20 17:02:21 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
kerberos_ldap_group.cc(283): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult  Domain
support_netbios.cc(83): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2956 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult  Domain
support_netbios.cc(83): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2957 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult  Domain
support_netbios.cc(83): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2958 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult  Domain
support_netbios.cc(83): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2959 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRestrictedAdult@
support_group.cc(447): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRestrictedAdult  Domain
support_netbios.cc(83): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2960 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(381): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: INFO: Got User: Jeroen.Ruijter Domain: BNH.LOCAL
support_member.cc(63): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: User domain loop: group@domain ADGroupRaamregeling@
support_member.cc(91): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Default domain loop: group@domain ADGroupRaamregeling@
support_member.cc(93): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found group@domain ADGroupRaamregeling@
support_ldap.cc(898): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_2951
support_krb5.cc(138): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/krb5.keytab
support_krb5.cc(158): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/krb5.keytab
support_krb5.cc(169): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Keytab entry has realm name: BNH.LOCAL
support_krb5.cc(189): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found principal  name: HTTP/[hidden email]
support_krb5.cc(205): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Got principal name HTTP/[hidden email]
support_krb5.cc(269): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain BNH.LOCAL
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to BHAD02.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to BHAD01.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to bhad02.bnh.local
support_resolv.cc(379): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.BNH.LOCAL record to bhad01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 1 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 2 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 3 of BNH.LOCAL to BHAD02.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 4 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 5 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(207): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Resolved address 6 of BNH.LOCAL to BHAD01.bnh.local
support_resolv.cc(407): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Adding BNH.LOCAL to list
support_resolv.cc(443): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain BNH.LOCAL:
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BHAD01.bnh.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BHAD02.bnh.local Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Host: BNH.LOCAL Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Setting up connection to ldap server BHAD01.bnh.local:389
support_ldap.cc(953): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(967): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server BHAD01.bnh.local:389
support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server
support_ldap.cc(1061): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: ERROR: Error determining ldap server type: Operations error
support_member.cc(104): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: INFO: User Jeroen.Ruijter is not member of group@domain ADGroupRaamregeling@
support_member.cc(119): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Default group loop: group@domain ADGroupRaamregeling@
kerberos_ldap_group.cc(416): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: ERR

-----Original Message-----
From: Jeroen Ruijter
Sent: Monday 19 February 2018 11:19
To: 'Amos Jeffries'; [hidden email]
Subject: RE: [squid-users] kerberos authentication with kerberos groups

Do you advise to use capitals or small characters for the domain name?


-----Original Message-----
From: squid-users [mailto:[hidden email]] On behalf of Amos Jeffries
Sent: Friday 16 February 2018 18:58
To: [hidden email]
Subject: Re: [squid-users] kerberos authentication with kerberos groups

On 17/02/18 02:02, Jeroen Ruijter wrote:
> I'm trying to replace my basic ldap authentication by kerberos single
> sign on.
>

NP: Despite what some claim, SSO is not unique to NTLM and Kerberos authentication. It is a behaviour of the tools used. As such it can be done with *any* authentication type if the tools used perform the necessary behaviour.



> The user can successfully login with single sign on, but I have
> restriction on groups and that is where it goes wrong.

What exactly does this "going wrong" look like?

Also, what version of Squid are you working with?
 (the "squid -v" output please)

>
> I would like to use -r to trim the domain name, but when I do so it
> seems to work even less.
>
> Someone any ideas what to try, I believe the system is looking wrong in
> active directory but adding -b OU=Users,DC=yyy,DC=local does not help
> me further

You have some things looking for ".local" and others for ".LOCAL". I'm not sure if case insensitivity exists in all those places they are being used, so that is one potential cause of problems.


> =======
>
>  
>
> auth_param negotiate program /usr/sbin/negotiate_wrapper_auth -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp
> --domain=yyy --kerberos /usr/sbin/negotiate_kerberos_auth -d -s
> GSS_C_NO_NAME
>
> auth_param negotiate children 20 startup=0 idle=1
>
> auth_param negotiate keep_alive off
>
>  
>
> external_acl_type XXX_InternetAllowed ttl=3600 negative_ttl=3600
> %LOGIN /usr/sbin/ext_kerberos_ldap_group_acl -b
> OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email]
> -d
>
> external_acl_type RestrictedAdult ttl=3600 negative_ttl=3600 %LOGIN
> /usr/sbin/ext_kerberos_ldap_group_acl -b
> OU=Users,OU=BenH,DC=yyy,DC=local -g [hidden email]
> -d
>
>  
>
> acl XXX_InternetAllowed external XXX_InternetAllowed
>
> acl XXX_Adult external XXX_Adult
>

...
>
> http_access deny auth !XXX_InternetAllowed

The above says the user's entire login is to be rejected if they are not a member of the XXX_InternetAllowed group.

That should work but it is better to reject failed logins fully first, then do the group checks separately.

Like this:

 http_access deny !auth
 http_access deny !XXX_InternetAllowed all

>
> http_access deny XXX_Adult XXX_AdultX
>

You could gain a fair bit of performance back by making that check the dstdomain before the slow external lookup:

  http_access deny XXX_AdultX XXX_Adult all


> http_access allow localnet
>
> http_access allow localhost
>
> http_access deny all
>
>  
>
> ========
>


...

>
> support_ldap.cc(342): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Search ldap server with bind path
> CN=Schema,CN=Configuration,DC=bnh,DC=local and filter:
> (ldapdisplayname=samaccountname)
>
> support_ldap.cc(345): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Found 0 ldap entries
>
> support_ldap.cc(350): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: DEBUG: Determined ldap server not as an Active
> Directory server
>
> support_ldap.cc(1061): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: ERROR: Error determining ldap server type:
> Operations error
>
> support_member.cc(76): pid=7612 :2018/02/16 11:50:07|
> kerberos_ldap_group: INFO: User Administrator is not member of
> group@domain [hidden email]
>

Looks like it is working to me.

The helper tries several methods of locating a server, two fail but the third seems to work and produces the above result.


Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
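To make Amos's two ordering suggestions in the quoted reply above concrete, here is an added simulator (not code from the thread or from Squid) of Squid's first-match http_access evaluation using the thread's own ACL names; it counts how often the slow external group helper is consulted under each ordering. Assumptions, also labelled in the code: the group memberships and hostnames are constructed, every sample request is treated as coming from localnet, and Squid's 407 challenge handling is not modelled.

```python
"""First-match simulation of the http_access lines discussed in the thread.

Models ACL matching and external-lookup cost only; the 407 authentication
challenge that Squid sends for missing credentials is not modelled.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the memberships the external helper would report,
# and the dstdomain list from the thread's configuration.
GROUP_MEMBERS = {
    "XXX_InternetAllowed": {"alice", "bob"},
    "XXX_Adult": {"bob"},
}
ADULT_DOMAINS = [".alternate.com", ".brood.nl", ".broodnodig.nl"]


@dataclass
class Request:
    user: Optional[str]   # None means the request carries no credentials
    dsthost: str


class AccessList:
    """Evaluate (action, [acl, ...]) lines top to bottom, first match wins."""

    def __init__(self, rules):
        self.rules = rules
        self.external_lookups = 0   # how many times a slow helper was consulted

    def _match(self, name: str, req: Request) -> bool:
        if name == "all":
            return True
        if name == "auth":            # proxy_auth REQUIRED
            return req.user is not None
        if name == "localnet":        # assumption: every sample request is local
            return True
        if name == "XXX_AdultX":      # dstdomain: leading dot matches subdomains
            host = req.dsthost.lower()
            return any(host == d[1:] or host.endswith(d) for d in ADULT_DOMAINS)
        if name in GROUP_MEMBERS:     # external acl type: the slow lookup
            self.external_lookups += 1
            return req.user in GROUP_MEMBERS[name]
        raise KeyError(f"unknown acl {name}")

    def evaluate(self, req: Request) -> str:
        for action, acls in self.rules:
            matched = True
            for acl in acls:          # left to right, stop at the first non-match
                negate = acl.startswith("!")
                if self._match(acl.lstrip("!"), req) == negate:
                    matched = False
                    break
            if matched:
                return action
        # Squid's default is the opposite of the last line's action
        return "allow" if self.rules[-1][0] == "deny" else "deny"


# The relevant lines from Jeroen's config, and Amos's reordering.
ORIGINAL = [
    ("deny", ["auth", "!XXX_InternetAllowed"]),
    ("deny", ["XXX_Adult", "XXX_AdultX"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]
SUGGESTED = [
    ("deny", ["!auth"]),
    ("deny", ["!XXX_InternetAllowed", "all"]),
    ("deny", ["XXX_AdultX", "XXX_Adult", "all"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def run(rules, req: Request):
    """Return (decision, number of external helper lookups) for one request."""
    acl = AccessList(rules)
    return acl.evaluate(req), acl.external_lookups


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "bob -> www.example.org", run(rules, Request("bob", "www.example.org")))
        print(name, "bob -> www.brood.nl  ", run(rules, Request("bob", "www.brood.nl")))
        print(name, "carol -> www.example.org", run(rules, Request("carol", "www.example.org")))
```

For a member browsing a non-restricted site the original order consults the helper twice, the suggested order once; the decision is the same in both.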
Re: kerberos authentication with kerberos groups

Markus Moeller
Hi Jeroen,

  Do you use Active Directory as ldap server? My automated test says it is
not. I use this check to determine the group attribute check.


support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group:
DEBUG: Search ldap server with bind path
CN=Schema,CN=Configuration,DC=bnh,DC=local and filter:
(ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group:
DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group:
DEBUG: Determined ldap server not as an Active Directory server

Markus

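An added reproduction (not the helper's own code) of the server-type probe Markus describes: read schemaNamingContext from the rootDSE, then search that naming context for ldapDisplayName=sAMAccountName, and treat zero hits as "not Active Directory". The LDAP search is injected as a callable using python-ldap's (base, scope, filter, attrs) argument order, so the example runs offline against constructed in-memory directories; the schema DN is the one from the log above, and the in-memory directories are constructed for illustration.

```python
"""Reproduce the Active Directory detection probe of ext_kerberos_ldap_group_acl.

The probe is expressed against an injected `search` callable so it can be run
against a constructed directory here, or against a real server by wrapping
your LDAP client (an assumption about your client, not the helper's API).
"""
import re
from typing import Callable, Dict, List, Tuple

# Scope values as used by python-ldap (ldap.SCOPE_BASE, ldap.SCOPE_SUBTREE).
SCOPE_BASE, SCOPE_SUBTREE = 0, 2

Entry = Tuple[str, Dict[str, List[str]]]              # (dn, {attr: [values]})
Search = Callable[[str, int, str, List[str]], List[Entry]]


def detect_active_directory(search: Search) -> Tuple[bool, str]:
    """Return (is_ad, reason) using the same two-step probe the helper logs."""
    # Step 1: bind path "" (the rootDSE), filter (objectclass=*), and read
    # schemaNamingContext; AD-style servers publish this attribute.
    root = search("", SCOPE_BASE, "(objectclass=*)", ["schemaNamingContext"])
    contexts = [v for _, a in root for v in a.get("schemaNamingContext", [])]
    if not contexts:
        return False, "rootDSE publishes no schemaNamingContext"
    schema_dn = contexts[0]
    # Step 2: an AD schema holds an attributeSchema object whose
    # ldapDisplayName is sAMAccountName; zero hits is what the log above
    # reports as "not as an Active Directory server".
    hits = search(schema_dn, SCOPE_SUBTREE, "(ldapdisplayname=samaccountname)", ["cn"])
    if not hits:
        return False, f"0 entries for ldapDisplayName=sAMAccountName under {schema_dn}"
    return True, f"schema entry {hits[0][0]} found"


class FakeDirectory:
    """Constructed in-memory directory; understands only (attr=value) filters."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}

    def search(self, base: str, scope: int, filt: str, attrs: List[str]) -> List[Entry]:
        m = re.fullmatch(r"\((\w+)=(.+)\)", filt)
        if not m:
            raise ValueError(f"unsupported filter {filt}")
        want_attr, want_val = m.group(1).lower(), m.group(2).lower()
        wanted = {x.lower() for x in attrs}
        base_l, out = base.lower(), []
        for dn_l, (dn, a) in self.entries.items():
            in_scope = dn_l == base_l if scope == SCOPE_BASE else dn_l.endswith(base_l)
            if not in_scope:
                continue
            # Attribute names and AD's ldapDisplayName values compare
            # case-insensitively, which is what the helper's lowercase filter relies on.
            vals = {k.lower(): [v.lower() for v in vs] for k, vs in a.items()}
            present = want_attr in vals
            if (want_val == "*" and present) or want_val in vals.get(want_attr, []):
                out.append((dn, {k: v for k, v in a.items() if k.lower() in wanted}))
        return out


SCHEMA_DN = "CN=Schema,CN=Configuration,DC=bnh,DC=local"   # from the helper log

# Constructed directories: how an AD domain controller looks to the probe,
# how a non-AD server looks, and an AD whose schema search returns nothing
# (the outcome shown in the log above).
AD_LIKE = FakeDirectory({
    "": {"objectClass": ["top"], "schemaNamingContext": [SCHEMA_DN]},
    "CN=SAM-Account-Name," + SCHEMA_DN: {
        "objectClass": ["attributeSchema"],
        "cn": ["SAM-Account-Name"],
        "ldapDisplayName": ["sAMAccountName"],
    },
})
NOT_AD = FakeDirectory({
    "": {"objectClass": ["top"], "subschemaSubentry": ["cn=Subschema"]},
})
AD_EMPTY_SCHEMA_RESULT = FakeDirectory({
    "": {"objectClass": ["top"], "schemaNamingContext": [SCHEMA_DN]},
})

if __name__ == "__main__":
    for name, d in (("AD", AD_LIKE), ("not AD", NOT_AD),
                    ("AD, empty schema result", AD_EMPTY_SCHEMA_RESULT)):
        print(name, "->", detect_active_directory(d.search))
```

Running the same two searches by hand against the domain controller with the bind the helper uses (SASL/GSSAPI) shows which of the two steps returns nothing.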