[squid-users] Re: Squid_kerb_ldap intermittently failing auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 17 Aug 2010 20:39:19 +0100

Can you run both squid_kerb_ldap and squid_kerb_auth with -d? It should give
a lot more details to find out why it happens.

Markus

"Mark deJong" <dejongm_at_gmail.com> wrote in message
news:AANLkTikvdJu6+ysyWkDN7VxYzYTS4RtDJGF7ccNzmqyb_at_mail.gmail.com...
> Hello,
> I'm having an issue with squid_kerb_auth. It seems not all proxy
> requests are getting serviced. When falling back on NTLM the requests
> come through fine.
>
> My guess is subsequent GET requests made over Proxy_KeepAlive sessions
> are not getting serviced. I confirmed this on a trace using Wireshark
> where the client requests a page but Squid doesn't come back with an
> answer. Is this a known issue?
>
> I'm currently running squid3-3.1.6 and have seen this behavior both
> with the included squid_kerb_auth and a separately compiled binary.
>
> squid.conf follows:
>
>
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>
> access_log /var/log/squid/access.log combined
>
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d -s
> HTTP/dc32-wgw01.nix.DOM.LOCAL_at_USHS.DOM.LOCAL
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
>
> auth_param ntlm program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate on
>
> external_acl_type AD_US_TEMPS ttl=3600 negative_ttl=3600 %LOGIN
> /usr/bin/squid_kerb_ldap -d -g temps_at_US.DOM.LOCAL
> external_acl_type AD_US_ITDEPT ttl=3600 negative_ttl=3600 %LOGIN
> /usr/bin/squid_kerb_ldap -d -g ITDept_at_US.DOM.LOCAL
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl firefox_browser browser Firefox
>
> acl UnrestrictedUsers external AD_US_ITDEPT
> acl TempUsers external AD_US_TEMPS
> acl AuthorizedUsers proxy_auth REQUIRED
>
>
> acl hq-dmz src 10.50.192.0/24
> acl hq-servers src 10.50.64.0/23 10.50.4.0/24
> acl hq-services src 10.50.8.0/24 10.50.2.0/24
> acl hq-dev src 10.50.66.0/24
>
> acl ie_urls dstdomain "/etc/squid/ie_urls.allow"
>
> acl service_urls dstdomain "/etc/squid/service_urls.allow"
> acl dev_urls dstdomain "/etc/squid/dev_urls.allow"
> acl hq-servers_urls dstdomain "/etc/squid/servers_urls.allow"
> acl temp_urls dstdomain "/etc/squid/temp_urls.allow"
>
> acl SSL_ports port 443
> acl CONNECT method CONNECT
>
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
>
> http_access allow hq-servers hq-servers_urls
> http_access deny hq-servers
>
> http_access allow hq-services service_urls
> http_access deny hq-services
>
> http_access allow hq-dev dev_urls
> http_access deny hq-dev
>
>
> http_access allow TempUsers temp_urls
> http_access deny TempUsers all
>
> http_access allow UnrestrictedUsers
> http_access deny UnrestrictedUsers all
>
> http_access deny !AuthorizedUsers
> http_access allow all
> http_access deny all
>
>
> http_reply_access allow all
> icp_access allow all
> cache_mgr support_at_DOM.LOCAL
> coredump_dir /var/spool/squid
>
> Thanks,
> M. de Jong
>
Received on Tue Aug 17 2010 - 19:39:36 MDT
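One check a reader can run against the access.log produced by the `combined` logformat in the quoted squid.conf (an added example, not code from the thread or from Squid): it parses that exact field order and lists clients that keep receiving 407 challenges on requests after they have already authenticated, which is the keep-alive symptom the original post describes. The sample log lines, addresses, user names and URLs are constructed for the example.

```python
import re
from collections import defaultdict

# Field order follows the "combined" logformat in the squid.conf above:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<squid_status>[^:\s]+):(?P<hier>\S+)$'
)

def parse_line(line):
    """One access.log line -> dict of fields, or None if it is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Per client address: 407 challenges vs. requests served with an authenticated user."""
    stats = defaultdict(lambda: {"challenged": 0, "authenticated": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unknown format: skip rather than guess
        s = stats[rec["client"]]
        if rec["status"] == "407":
            s["challenged"] += 1        # Proxy-Authenticate sent, no token accepted yet
        elif rec["user"] != "-":
            s["authenticated"] += 1     # helper returned a user name for this request
            s["users"].add(rec["user"])
    return stats

def suspicious_clients(stats, max_ratio=1.0):
    """Clients that authenticated at least once but are challenged more often than served.

    One 407 per new connection is normal for Negotiate; a client that keeps getting
    challenged on a connection it already authenticated is the symptom in the thread.
    """
    return [(c, s["challenged"], s["authenticated"]) for c, s in sorted(stats.items())
            if s["authenticated"] and s["challenged"] > max_ratio * s["authenticated"]]

# Constructed sample lines (not from the poster's log), in the logformat above.
SAMPLE_LOG = """\
10.50.66.15 - - [17/Aug/2010:14:02:11 +0100] "GET http://example.com/ HTTP/1.1" 407 2410 "-" "Mozilla/5.0" TCP_DENIED:NONE
10.50.66.15 - jdoe@US.DOM.LOCAL [17/Aug/2010:14:02:11 +0100] "GET http://example.com/ HTTP/1.1" 200 4523 "-" "Mozilla/5.0" TCP_MISS:DIRECT
10.50.66.15 - - [17/Aug/2010:14:02:12 +0100] "GET http://example.com/a.css HTTP/1.1" 407 2410 "http://example.com/" "Mozilla/5.0" TCP_DENIED:NONE
10.50.66.15 - - [17/Aug/2010:14:02:12 +0100] "GET http://example.com/b.js HTTP/1.1" 407 2410 "http://example.com/" "Mozilla/5.0" TCP_DENIED:NONE
10.50.64.8 - - [17/Aug/2010:14:03:01 +0100] "GET http://example.org/ HTTP/1.1" 407 2410 "-" "Mozilla/5.0" TCP_DENIED:NONE
10.50.64.8 - asmith@US.DOM.LOCAL [17/Aug/2010:14:03:01 +0100] "GET http://example.org/ HTTP/1.1" 200 812 "-" "Mozilla/5.0" TCP_MISS:DIRECT
10.50.64.8 - asmith@US.DOM.LOCAL [17/Aug/2010:14:03:02 +0100] "GET http://example.org/x.png HTTP/1.1" 200 3100 "http://example.org/" "Mozilla/5.0" TCP_HIT:NONE
"""
```

Feed `summarize(open("/var/log/squid/access.log"))` to `suspicious_clients` to get the clients worth tracing with Wireshark or the helpers' -d output; a request Squid never answers at all produces no log line, so this only narrows down which clients to trace.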

This archive was generated by hypermail 2.2.0 : Wed Aug 18 2010 - 12:00:03 MDT