Enhancement #3178

SquidGuard profiles not working when proxy authenticated with AD

Added by Davide Marini about 6 years ago. Updated about 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.6
Resolution:
NEEDINFO: No

Description

Scenario:
  • domain controller
  • NethServer acts as an AD member
  • Squid authenticated (with AD users, via NTLM or Kerberos)

Setting different profiles on squidGuard using AD users does not work, because the username provided by squid is different from the one checked by squidGuard:

  • squid puts the realm after the real username (e.g. bob@domain)
  • squidGuard uses only the real username (e.g. bob)

Associated revisions

Revision 77d2287d
Added by Giacomo Sanchietti about 6 years ago

AD auth: strip domain name. Refs #3178

History

#1 Updated by Giacomo Sanchietti about 6 years ago

  • Description updated (diff)

#2 Updated by Davide Marini about 6 years ago

Proposed fix:

[root@proxy ~]# /usr/lib64/squid/negotiate_kerberos_auth -h
Usage: 
.
.
-r remove realm from username
.

Proposed template:

[root@proxy ~]# diff -u /etc/e-smith/templates/etc/squid/squid.conf/20acl_10_auth /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_10_auth
--- /etc/e-smith/templates/etc/squid/squid.conf/20acl_10_auth   2015-05-19 09:32:21.000000000 +0200
+++ /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_10_auth    2015-05-22 09:46:17.769444696 +0200
@@ -10,7 +10,7 @@
        # Samba 
        if(defined $smb && $smb{'status'} eq 'enabled' && $smb{'ServerRole'} eq 'ADS') {
        $OUT .= "\n# GSSAPI auth in ADS mode\n";
-           $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth\n";
+           $OUT .= "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r \n";
            $OUT .= "auth_param negotiate children 10\n";
            $OUT .= "auth_param negotiate keep_alive on\n";
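
Review bot: the changed "auth_param negotiate program" line now ends in "-r \n", which leaves a trailing space in the generated squid.conf; drop the space before "\n". More important, with -r every Kerberos user reaches the ACLs, squidGuard and access.log as a bare name, so where more than one realm can authenticate, bob@A and bob@B become the same user for filtering and for log attribution; a comment above this line stating that a single realm is assumed would make that explicit. The ticket also lists NTLM as an authentication path, but this hunk only changes the negotiate helper, so the username form produced by the NTLM helper should be checked separately.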

#3 Updated by Giacomo Sanchietti about 6 years ago

  • Category set to nethserver-squid
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
nethserver-squid-1.3.5-1.1.g77d2287.ns6.noarch.rpm
nethserver-squid-1.3.5-1.2.g521093f.ns6.noarch.rpm

Test case
  • Join the machine to the Active Directory
  • Enable authenticated mode
  • Try to open a site with a client
  • Check the user doesn't contain the realm inside /var/log/squid/access.log
  • Create a profile for the user inside SquidGuard
  • Check the user is filtered
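
The access.log step of the test case above can be scripted. This is an added example, not part of the ticket or of nethserver-squid. It assumes Squid's native access.log format (user in field 8); the function names are hypothetical and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example. Assumes Squid's native access.log format, where field 8 is
# the authenticated user ("-" when the request carried no credentials).

# Print "count user" for each distinct user that still carries a realm.
realm_users() {
    awk 'NF >= 10 && $8 ~ /@/ { n[$8]++ }
         END { for (u in n) print n[u], u }' "$1" | sort -k2
}

# Number of requests that were logged with an authenticated user.
auth_requests() {
    awk 'NF >= 10 && $8 != "-" { c++ } END { print c + 0 }' "$1"
}

# 0: users logged without realm; 1: realm still present;
# 2: no authenticated request in the log, so nothing was actually tested.
check_access_log() {
    if [ "$(auth_requests "$1")" -eq 0 ]; then
        echo "no authenticated requests in $1" >&2
        return 2
    fi
    bad=$(realm_users "$1")
    [ -z "$bad" ] && return 0
    printf 'realm still present in user field:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample lines (hosts, users and realm are made up).
write_samples() {
    cat > "$1/before.log" <<'EOF'
1432280777.123    210 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ bob@EXAMPLE.LOCAL DIRECT/93.184.216.34 text/html
1432280778.456      0 192.168.1.20 TCP_DENIED/407 3900 GET http://www.example.com/ - NONE/- text/html
1432280779.001    180 192.168.1.21 TCP_MISS/200 2048 GET http://www.example.org/ alice@EXAMPLE.LOCAL DIRECT/93.184.216.34 text/html
EOF
    cat > "$1/after.log" <<'EOF'
1432281777.123    205 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ bob DIRECT/93.184.216.34 text/html
1432281778.456      0 192.168.1.20 TCP_DENIED/407 3900 GET http://www.example.com/ - NONE/- text/html
EOF
    cat > "$1/noauth.log" <<'EOF'
1432281778.456      0 192.168.1.20 TCP_DENIED/407 3900 GET http://www.example.com/ - NONE/- text/html
EOF
}

# Stand-alone use: pass the log file to check as the first argument.
if [ $# -gt 0 ]; then check_access_log "$1"; fi
```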

#7 Updated by Davide Principi about 6 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#9 Updated by Davide Principi about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-squid-1.3.6-1.ns6.noarch.rpm
