Author Topic: Proxy (Squid)  (Read 2488 times)

peterpugh

  • Guest
Proxy (Squid)
« on: March 10, 2014, 08:01:20 pm »
Dunno as haven't had a good ride with the proxy in previous versions.

Maybe it is just me doing something daft.

I have two users zenadmin domain admin and test just a user.
create two filters "all" with threshold disabled but just a test
"medium" with the medium threshold.
then access profiles
first when I searched for domain admins strangely it wasn't there but administrators is which local administrators are a member of domain admins so I went for that one,
so I have administrators on the "all" filter

then for users the are on the "medium" filter

sso enabled.

Its been a while so just going to do a little check on setting and the zentyal docs.

Prob me at this stage.


Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
    • View Profile
Re: Proxy (Squid)
« Reply #1 on: March 10, 2014, 08:50:58 pm »
Default policy = filter?

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #2 on: March 10, 2014, 09:08:33 pm »
Dunno Escopiom,

It was purely to check some area's that have been a little grey in the past.

Suffering from monitor eyes. So maybe a more comphrehensive test later.

Just aimed at previous probs of mine but I don't understand the reply?
« Last Edit: March 10, 2014, 09:10:27 pm by peterpugh »

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
    • View Profile
Re: Proxy (Squid)
« Reply #3 on: March 10, 2014, 10:30:48 pm »
What I meant to say was, check your setting on the proxy tab.
Perhaps default policy has been set to "always deny" instead of "filter".
Seems obvious, but can happen.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #4 on: March 11, 2014, 12:26:31 am »
No apols, got confused slightly as I jumped straight in and was also applying filters.

The default of allow all, deny all, apply filter did make me think that actually OK drop the filters.

So I have two groups users and administrators and currently both are set to allow all.

Then something occurred to me that was strange and with myself jumping ahead.

At first I forgot to tick SSO and suddenly realised that I never got an authentication box before I ticked SSO.

I have just gone back and unticked SSO and yeah doesn't even revert to basic authentication never mind kerb.

So guess its time to roll out wireshark and have a look see.

Not sure what is happening with SSO ticked or unticked.

Its been a while since I was last playing with wire shark.

What I was expecting was first some kerb principles asking for the proxy
then ntlm doing the same if it failed
then basic authentication.

In the trace nada, nothing ... ??

Prob going to do what I did last time and have the proxy allow all with a medium filter.

In group polices set admins to not use the proxy with users with the proxy.
« Last Edit: March 11, 2014, 01:05:50 am by peterpugh »

peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #5 on: March 12, 2014, 08:49:39 am »
Think you still need to check group access with the proxy.

Get plain text auth now with sso turned off but still no access.
Then again Domain Admins which is the security group my user is a member of is missing?

peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #6 on: March 12, 2014, 05:34:27 pm »
I have been using the proxy with the settings of zent1.zentyal.lan and port 3128

I don't have SSO enabled

Created two access groups to allow all for domain admins (the domain admins account is missing so I choose administrators) allow all

my security group of sales deny all.

Couldn't get access at all

Changed things around so sales was allow all and domain admins was deny all

Sales can get access

So it would seem like another sogo port error where with basic authentication the domain admins account is missing and I happened to of choose that account to allow access.

So basic authentication on the proxy seems to work apart from that

Going to check SSO and kerb

 
« Last Edit: March 12, 2014, 05:36:15 pm by peterpugh »

peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #7 on: March 12, 2014, 06:07:30 pm »
Just tried SSO with internet exploder and my sales group works fine.

Applied a filter and porn blocked

so looking good.

Just domain admins group missing from group lists.

All users are in the domain user group and I thought administrators would be part of the domain admins but I guess it works the other way round.

Anyone got a good list of M$ group hierarchies as it has been a bit and my memory as usual is very foggy.

No need for wireshark just worked which is great.


peterpugh

  • Guest
Re: Proxy (Squid)
« Reply #8 on: March 14, 2014, 08:08:01 am »
3.4~145 Still missing domain admins group also list full of all the AD security groups that are usually hidden.

Not really bothered about them showing its the missing domain admins that is the problem.

Usually I run domain admins for a few users who don't use the proxy filter.