Thank you Amos, will upgrade to 3.1.19 auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib/squid3/squid_kerb_auth -d auth_param negotiate children 10 auth_param negotiate keep_alive off auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE auth_param ntlm children 10 auth_param ntlm keep_alive off auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h exch01.example.local auth_param basic children 10 auth_param basic realm Internet Proxy auth_param basic credentialsttl 1 minute acl password proxy_auth REQUIRED acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 192.168.0.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny !password http_access allow password http_access allow localhost http_access deny all icp_access deny all htcp_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? access_log /var/log/squid3/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_port 3130 coredump_dir /var/spool/squid3
-----Original Message----- From: Amos Jeffries [mailto:[email protected]] Sent: 08 March 2012 02:44 PM To: [email protected] Subject: Re: [squid-users] Kerberos TCP/DENIED 407 On 9/03/2012 1:07 a.m., JC Putter wrote: > Amos, > > Thank you for the reply. > > Sorry I meant 3.0 STABLE 19. Please at minimum upgrade to 3.0.STABLE26 then, if possible 3.1.19. There are a handful of major security vulnerabilities in between. > The Zimbra Desktop client connects via port 443 and I have the > standard ACL; > > http_access deny !Safe_ports > http_access deny !SSL_ports > > however when I change the ACL to (very insecure) > > http_access allow CONNECT (without the exception of !SSL_ports) the zimbra > client connects... > > no too sure if my ACL is incorrect or if a need to add additional ports in > the ACL however according to Zimbra 443 is the only one required. The ACL you list above is not the defaults. The correct default is: http_access deny CONNECT !SSL_ports SSL_Ports should only contain the HTTPS ports you permit requests to. > I ran wireshark trace I can confirm that the proxy offers all configured > authentication schemes and the client responds with a Kerberos ticket. Okay. It would seem to be some other part of the configuration. If you want a proper analysis please post your whole config (without the comments and empty lines though). Amos
