Enhancement #3178
SquidGuard profiles not working when proxy authenticated with AD
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
  Scenario:
	
- domain controller
- NethServer acts as an AD member
- Squid authenticated (with AD users, via NTLM or Kerberos)
Setting different profiles on squidGuard using AD users does not work, because the username provided by squid is different from the one checked by squidGuard:
- squid puts the realm after the real username (e.g. bob@domain)
- squidGuard uses only the real username (e.g. bob)
Associated revisions
AD auth: strip domain name. Refs #3178
History
#1
     Updated by Giacomo Sanchietti about 6 years ago
    - Description updated (diff)
#2
     Updated by Davide Marini about 6 years ago
    Proposed fix:
[root@proxy ~]# /usr/lib64/squid/negotiate_kerberos_auth -h
Usage:
.
.
-r remove realm from username
.
proposed template
[root@proxy ~]# diff -u /etc/e-smith/templates/etc/squid/squid.conf/20acl_10_auth /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_10_auth
--- /etc/e-smith/templates/etc/squid/squid.conf/20acl_10_auth   2015-05-19 09:32:21.000000000 +0200
+++ /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_10_auth    2015-05-22 09:46:17.769444696 +0200
@@ -10,7 +10,7 @@
        # Samba 
        if(defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'ADS') {
        $OUT .= "\n# GSSAPI auth in ADS mode\n";
-           $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth\n";
+           $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r \n";
            $OUT .= "auth_param negotiate children 10\n";
            $OUT .= "auth_param negotiate keep_alive on\n";
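Review bot: On the changed `auth_param negotiate program` line, `-r` removes the realm for every authenticated user, so accounts with the same name in different realms become indistinguishable both to squidGuard and in access.log; a comment in the template stating that a single realm is assumed would document that trade-off. The added string also carries a trailing space before the newline (`-r \n`) that can be dropped. The hunk only touches the Kerberos helper under the "GSSAPI auth in ADS mode" branch, while the issue also names NTLM, so it is worth confirming that any NTLM helper configured elsewhere in this template hands squidGuard the bare username as well.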
#3
     Updated by Giacomo Sanchietti about 6 years ago
    - Category set to nethserver-squid
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#4
     Updated by Giacomo Sanchietti about 6 years ago
    - Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5
     Updated by Giacomo Sanchietti about 6 years ago
    - Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6
     Updated by Giacomo Sanchietti about 6 years ago
    - Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
nethserver-squid-1.3.5-1.1.g77d2287.ns6.noarch.rpm
nethserver-squid-1.3.5-1.2.g521093f.ns6.noarch.rpm
- Join the machine to the Active Directory
- Enable authenticated mode
- Try to open a site with a client
- Check the user doesn't contain the realm inside /var/log/squid/access.log
- Create a profile for the user inside SquidGuard
- Check the user is filtered
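The access.log check in the test steps above can be scripted; this is an added example, not part of the original ticket or of nethserver-squid. It assumes Squid's native access.log format (user name in field 8); the function names, the sample log lines and the exact-match comparison against profile user names are assumptions of the example.

```sh
#!/bin/sh
# Added example: verify that Squid logs bare user names (no realm), so that
# they can match the user names used in squidGuard profiles.

# realm_users FILE: print "user count" for each logged user containing '@'.
realm_users() {
    awk 'NF >= 8 && $8 != "-" && index($8, "@") { n[$8]++ }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# unmatched_users FILE NAME...: print logged users equal to none of the given
# profile names (exact string comparison, an assumption of this example).
unmatched_users() {
    f=$1; shift
    awk -v names="$*" '
        BEGIN { split(names, a, " "); for (i in a) want[a[i]] = 1 }
        NF >= 8 && $8 != "-" && !($8 in want) { seen[$8] = 1 }
        END { for (u in seen) print u }' "$f" | sort
}

# Constructed sample (not real traffic): requests logged with the realm,
# an unauthenticated 407, and requests logged with bare user names.
sample_log() {
    cat <<'EOF'
1432280000.101    120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ bob@DOMAIN DIRECT/192.0.2.10 text/html
1432280001.220     15 192.168.1.10 TCP_DENIED/407 3900 GET http://example.com/a - NONE/- text/html
1432280002.330     98 192.168.1.11 TCP_MISS/200 2048 GET http://example.org/ alice DIRECT/192.0.2.11 text/html
1432280003.440     77 192.168.1.10 TCP_MISS/200 1024 GET http://example.com/b bob@DOMAIN DIRECT/192.0.2.10 text/html
1432280004.550     64 192.168.1.10 TCP_MISS/200 1024 GET http://example.com/c bob DIRECT/192.0.2.10 text/html
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
echo "Users still logged with a realm:"
realm_users "$tmp"
echo "Logged users matching none of the profile names (bob alice):"
unmatched_users "$tmp" bob alice
rm -f "$tmp"
```

On a proxy, pass `/var/log/squid/access.log` and the user names from the squidGuard profile instead of the sample; empty output from both functions means every authenticated request carried a name the profile can match.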
#7
     Updated by Davide Principi about 6 years ago
    - Assignee set to Davide Principi
#8
     Updated by Davide Principi about 6 years ago
    - Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
#9
     Updated by Davide Principi about 6 years ago
    - Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-squid-1.3.6-1.ns6.noarch.rpm