My Debian+Squid 2.5+winbind squid box is acting strangely. I must deny 
Internet access to one of my users named "teszt". The NTLM helper 
authenticates through a Debian Samba server. I think I have the correct 
ACLs and http_access rules, but the user can reach the Internet through 
the proxy without problem.

My config is:

It's a Debian Woody box, with 2.4.28 kernel. I downloaded squid 2.5 
stable 3 source from www.squid-cache.org, "debianized" it with the deb-make 
command. My debian/rules file is:

#!/usr/bin/make -f
# Made with the aid of debmake, by Christoph Lameter,
# based on the sample debian/rules file for GNU hello by Ian Jackson.

package=squid

build:
	$(checkdir)
	./configure --prefix=/usr --enable-auth="ntlm,basic" \
	    --enable-basic-auth-helpers="winbind" \
	    --enable-ntlm-auth-helpers="winbind"
	$(MAKE) CFLAGS="-O2 -g -Wall"
	touch build
clean:
	$(checkdir)
	-rm -f build
	-$(MAKE) distclean
	-rm -f `find . -name "*~"`
	-rm -rf debian/tmp debian/files* core debian/substvars
binary-indep: checkroot build
	$(checkdir)
# There are no architecture-independent files to be uploaded
# generated by this package.  If there were any they would be
# made here.
binary-arch: checkroot build
	$(checkdir)
	-rm -rf debian/tmp
	install -d debian/tmp
	cd debian/tmp && install -d `cat ../dirs`
	$(MAKE) install prefix=`pwd`/debian/tmp/usr
# Must have debmake installed for this to work. Otherwise please copy
# /usr/bin/debstd into the debian directory and change debstd to debian/debstd
	debstd ChangeLog README
	dpkg-gencontrol -isp
	chown -R root.root debian/tmp
	chmod -R go=rX debian/tmp
	dpkg --build debian/tmp ..
define checkdir
	test -f debian/rules
endef
binary: binary-indep binary-arch
checkroot:
	$(checkdir)
	test root = "`whoami`"
.PHONY: binary binary-arch binary-indep clean checkroot

After this I compiled the program with 
dpkg-buildpackage debian/rules binary
and installed it with
dpkg -i squid_2.5.deb

I needed NTLM auth, so I installed winbindd and Samba 2.2.8a following the 
squid howto, and tested it without problem. After that I edited 
squid.conf:

<snip>
auth_param ntlm program /usr/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
<snip>
acl badusers proxy_auth DOM\teszt DOM\guest
acl AuthorizedUsers proxy_auth REQUIRED
acl our_networks src 192.168.10.0/24
<snip>
http_access deny badusers
http_access allow AuthorizedUsers
http_access allow our_networks
http_access deny all

I tested the config with squid -k parse, it says OK. The cache.log:

2003/09/26 13:09:54| storeDirWriteCleanLogs: Starting...
2003/09/26 13:09:55|   Finished.  Wrote 8370 entries.
2003/09/26 13:09:55|   Took 0.0 seconds (939499.4 entries/sec).
2003/09/26 13:09:55| logfileRotate: /var/log/squid/store.log
2003/09/26 13:09:55| logfileRotate: /var/log/squid/access.log
2003/09/26 13:09:55| helperStatefulOpenServers: Starting 5 'wb_ntlmauth' processes
(wb_ntlmauth)[10918](wb_ntlm_auth.c:355): target domain is DOM
(wb_ntlmauth)[10919](wb_ntlm_auth.c:355): target domain is DOM
(wb_ntlmauth)[10920](wb_ntlm_auth.c:355): target domain is DOM
(wb_ntlmauth)[10921](wb_ntlm_auth.c:355): target domain is DOM
2003/09/26 13:09:55| helperOpenServers: Starting 5 'wb_auth' processes
(wb_ntlmauth)[10922](wb_ntlm_auth.c:355): target domain is DOM
2003/09/26 13:11:54| The request GET http://www.debianplanet.org/ is DENIED, because it matched 'badusers'
2003/09/26 13:11:54| The reply for GET http://www.debianplanet.org/ is ALLOWED, because it matched 'all'
2003/09/26 13:11:54| The request GET http://www.debianplanet.org/ is DENIED, because it matched 'badusers'
2003/09/26 13:11:54| The reply for GET http://www.debianplanet.org/ is ALLOWED, because it matched 'all'
2003/09/26 13:11:54| The request GET http://www.debianplanet.org/ is ALLOWED, because it matched 'AuthorizedUsers'
2003/09/26 13:11:54| The reply for GET http://www.debianplanet.org/ is ALLOWED, because it matched 'all'
2003/09/26 13:11:55| The request GET http://www.debianplanet.org/themes/traditional/style.css is DENIED, because it matched 'badusers'

etc. etc. etc...

The access.log:

<snip>
1064574714.812     71 192.168.10.225 TCP_DENIED/407 1742 GET http://www.debianplanet.org/ - NONE/- text/html
1064574714.851      3 192.168.10.225 TCP_DENIED/407 1750 GET http://www.debianplanet.org/ - NONE/- text/html
1064574715.434     20 192.168.10.225 TCP_DENIED/407 1826 GET http://www.debianplanet.org/themes/traditional/style.css - NONE/- text/html
1064574715.456      0 192.168.10.225 TCP_DENIED/407 1834 GET http://www.debianplanet.org/themes/traditional/style.css - NONE/- text/html
<snip>
1064574715.689    231 192.168.10.225 TCP_MISS/200 880 GET http://www.debianplanet.org/themes/traditional/style.css dom\teszt DIRECT/212.111.35.118 text/css
1064574715.848    307 192.168.10.225 TCP_MISS/200 828 GET http://www.debianplanet.org/misc/xml.gif dom\teszt DIRECT/212.111.35.118 image/gif
1064574715.865    176 192.168.10.225 TCP_MISS/200 1514 GET http://www.debianplanet.org/images/debian.png dom\teszt DIRECT/212.111.35.118 image/png
etc. etc. etc.

I'm a little confused now. It doesn't seem to be an authenticator problem: 
I think the winbind helper works fine, but squid doesn't. The FAQ 
says:

"Access list rules are checked in the order they are written. List 
searching terminates as soon as one of the rules is a match."

But in this case it seems (to me) that squid doesn't terminate searching 
the access list after the first match. It is really strange. 

Please can anybody help me with this? What is wrong? Where did I make a 
mistake?

Thank you

Katalin
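An added example (editor's note, not part of the original post and not Squid's code): a small Python model of how Squid walks the http_access list, using the ACL names, rules and usernames exactly as they appear in the posted squid.conf and access.log. It shows the two things the logs above illustrate. First, a proxy_auth ACL evaluated for a request that carries no credentials yet makes Squid answer 407, which is the NTLM handshake and is why the first access.log lines are TCP_DENIED/407 logged against 'badusers' even though the user is not really being refused. Second, a proxy_auth username list is compared case-sensitively unless the acl line carries the -i flag, so a helper that reports the user as `dom\teszt` never matches `DOM\teszt`, and the request falls through to `allow AuthorizedUsers`, which is what the cache.log shows. The Request and Acl classes, `evaluate()` and `fixed_acls()` are this example's own constructions.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Models three behaviours: rules are checked in order and the first matching
rule wins; a proxy_auth ACL evaluated for a request with no credentials yet
yields a 407 challenge (the NTLM handshake); and a proxy_auth username list
is compared case-sensitively unless the ACL is declared with -i.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Acl:
    name: str
    kind: str                       # "proxy_auth", "src" or "all"
    values: Tuple[str, ...] = ()
    case_insensitive: bool = False  # models the -i flag on the acl line


@dataclass(frozen=True)
class Request:
    src: str
    user: Optional[str]             # None: no Proxy-Authorization header yet


def acl_matches(acl: Acl, req: Request):
    """Return True/False, or 'NEED_AUTH' when Squid would challenge instead."""
    if acl.kind == "all":
        return True
    if acl.kind == "src":
        addr = ipaddress.ip_address(req.src)
        return any(addr in ipaddress.ip_network(v) for v in acl.values)
    if acl.kind == "proxy_auth":
        if req.user is None:
            return "NEED_AUTH"
        if acl.values == ("REQUIRED",):
            return True             # any successfully authenticated user
        if acl.case_insensitive:
            return req.user.lower() in {v.lower() for v in acl.values}
        return req.user in acl.values
    raise ValueError("unknown acl type: %s" % acl.kind)


def evaluate(acls, rules, req):
    """First match wins. Returns (verdict, acl name) with verdict one of
    'ALLOWED', 'DENIED' or '407'. If no rule matches, Squid applies the
    opposite of the last rule's action."""
    for action, aclname in rules:
        res = acl_matches(acls[aclname], req)
        if res == "NEED_AUTH":
            return ("407", aclname)
        if res:
            return ("ALLOWED" if action == "allow" else "DENIED", aclname)
    return ("DENIED" if rules[-1][0] == "allow" else "ALLOWED", None)


# The ACLs and http_access lines from the post, as written.
POSTED_ACLS = {
    "badusers": Acl("badusers", "proxy_auth", (r"DOM\teszt", r"DOM\guest")),
    "AuthorizedUsers": Acl("AuthorizedUsers", "proxy_auth", ("REQUIRED",)),
    "our_networks": Acl("our_networks", "src", ("192.168.10.0/24",)),
    "all": Acl("all", "all"),
}
RULES = [
    ("deny", "badusers"),
    ("allow", "AuthorizedUsers"),
    ("allow", "our_networks"),
    ("deny", "all"),
]


def fixed_acls():
    """Same ACLs, with badusers declared as `acl badusers proxy_auth -i ...`."""
    acls = dict(POSTED_ACLS)
    acls["badusers"] = Acl("badusers", "proxy_auth",
                           (r"DOM\teszt", r"DOM\guest"), case_insensitive=True)
    return acls


if __name__ == "__main__":
    # Constructed requests from the client address seen in the posted access.log.
    handshake = Request("192.168.10.225", None)
    # winbind hands Squid the name in lowercase, as the access.log shows.
    teszt = Request("192.168.10.225", r"dom\teszt")
    print(evaluate(POSTED_ACLS, RULES, handshake))  # ('407', 'badusers')
    print(evaluate(POSTED_ACLS, RULES, teszt))      # ('ALLOWED', 'AuthorizedUsers')
    print(evaluate(fixed_acls(), RULES, teszt))     # ('DENIED', 'badusers')
```

The model reproduces the posted logs: the credential-less requests stop at 'badusers' with a 407, and the authenticated `dom\teszt` request is allowed by 'AuthorizedUsers' because the case-sensitive list never matched. With `-i` on the badusers line the same request is denied at the first rule, which is the behaviour the FAQ quote describes.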
