[squid-users] squid auth

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 8 09:03:12 UTC 2015


On 8/12/2015 7:44 p.m., Alex Samad wrote:
> Hi
> 
> Currently using 3.1 (from centos 6)
> I have setup squid to auth against MS AD
> 
> I have
> # #######
> # Negotiate
> # #######
> 
> # http://wiki.squid-cache.org/Features/Authentication
> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 10 startup=0 idle=3
> auth_param negotiate keep_alive on
> 
> # #######
> # NTLM AUTH
> # #######
> 
> # ntlm auth
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
> auth_param ntlm children 10
> #auth_param ntlm children 10 startup=0 idle=3
> #auth_param ntlm keep_alive
> 
> 
> # #######
> # NTLM over basic
> # #######
> 
> # warning: basic authentication sends passwords plaintext
> # a network sniffer can and will discover passwords
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> 
> 
> I want to move towards using Kerberos, came to this page
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
> 
> Worked through that, but I saw this
> 
> Do not use this method if you run winbindd or other samba services as
> samba will reset the machine password every x days and thereby makes
> the keytab invalid !!


As I understand it, that disclaimer applies only to the "OR with Samba"
instructions for keytab creation directly above it. The other two
methods should work.

Also, it is just a disclaimer about a known problem. There is always the
option to set up a script that re-builds the keytab and reloads Squid
every X days when it changes.

> 
> I have winbindd running for my users list in linux
> 
> Is there a way around this, and if not, how?
> 

The initial msktutil method of keytab creation is both a way around it
and the preferred method of keytab creation.

As you found elsewhere ...

> then found this one
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> 
> but I am not using msktutil, I do have Samba and krb5-workstation installed
> 

msktutil is just a tool to generate keytabs and link the machine to the
domain. I *think* it should still be usable even if you have Samba; the
problem is just that if you let Samba know about the keytab and account
it will do the periodic updates.

Amos
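As an added illustration of the "script that re-builds the keytab and reloads Squid" Amos suggests (this is example code written for this page, not code from the thread, the Squid wiki or the Squid project), the POSIX shell script below is meant to be run from cron. Rather than blindly rewriting the keytab every X days, it first checks whether the keytab is actually stale: it tries to obtain a TGT with the keytab (exactly what fails once the machine password has been reset behind the keytab's back), then compares the highest KVNO in the keytab with the KVNO the KDC currently reports, and only then runs msktutil and `squid -k reconfigure` (which restarts the negotiate helpers so they read the new keys). The keytab path /etc/squid/HTTP.keytab, the principal HTTP/proxy.example.com@EXAMPLE.COM and the computer account SQUID-K are assumptions modelled on the wiki example; kinit, klist and kvno come from krb5-workstation. Note that the script does not remove the conflict the wiki warns about: if winbindd manages the same machine account it will keep resetting its password, so give Squid its own computer account (as the wiki does with SQUID-K) that Samba does not touch.

```shell
#!/bin/sh
# Cron-driven keytab check/refresh for Squid negotiate auth.
# Added example, not from the thread. Assumed names and paths (adjust to your site):
KEYTAB=${KEYTAB:-/etc/squid/HTTP.keytab}             # keytab msktutil wrote for Squid
PRINC=${PRINC:-HTTP/proxy.example.com@EXAMPLE.COM}   # SPN the negotiate helper accepts tickets for
COMPUTER=${COMPUTER:-SQUID-K}                        # dedicated AD computer account for Squid

# Highest KVNO recorded for principal $1 in `klist -kt` output read on stdin.
# Prints nothing when the principal is not in the keytab at all.
highest_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 >= max) max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# KVNO the KDC currently hands out, parsed from `kvno` output ("princ: kvno = N") on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# True (exit 0) when the keytab must be rebuilt: the keytab has no key for the KVNO the
# KDC expects, or either side could not be determined (unknown is treated as stale).
needs_rebuild() {
    keytab_kvno=$1; kdc=$2
    [ -z "$keytab_kvno" ] || [ -z "$kdc" ] || [ "$keytab_kvno" -ne "$kdc" ]
}

# Let msktutil rotate the account password/keys and rewrite the keytab, then make Squid
# restart its negotiate helpers so they pick up the new keys.
rebuild() {
    msktutil --auto-update --keytab "$KEYTAB" --computer-name "$COMPUTER" --verbose || return 1
    chown squid:squid "$KEYTAB" && chmod 600 "$KEYTAB"
    squid -k reconfigure
}

main() {
    # The real test first: can this keytab still get a TGT from the KDC? This is what
    # breaks once winbindd has reset the machine password behind the keytab's back.
    if ! kinit -kt "$KEYTAB" "$PRINC" 2>/dev/null; then
        echo "kinit with $KEYTAB failed for $PRINC: keytab is stale, rebuilding" >&2
        rebuild
        return $?
    fi
    have=$(klist -kt "$KEYTAB" | highest_kvno "$PRINC")
    want=$(kvno "$PRINC" 2>/dev/null | kdc_kvno)
    kdestroy 2>/dev/null || true
    if needs_rebuild "$have" "$want"; then
        echo "keytab KVNO '${have:-none}' != KDC KVNO '${want:-unknown}': rebuilding" >&2
        rebuild
    else
        echo "keytab KVNO $have matches KDC; nothing to do"
    fi
}

# Offline self-check on constructed klist/kvno output (no KDC needed); returns 0 when the
# parsers and the rebuild decision behave as described above.
selftest() {
    sample='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/08/2015 09:03:12 HTTP/proxy.example.com@EXAMPLE.COM
   4 12/08/2015 09:03:12 HTTP/proxy.example.com@EXAMPLE.COM
   7 12/08/2015 09:03:12 host/other.example.com@EXAMPLE.COM'
    have=$(printf '%s\n' "$sample" | highest_kvno 'HTTP/proxy.example.com@EXAMPLE.COM')
    [ "$have" = 4 ] || return 1
    [ -z "$(printf '%s\n' "$sample" | highest_kvno 'HTTP/missing@EXAMPLE.COM')" ] || return 1
    want=$(echo 'HTTP/proxy.example.com@EXAMPLE.COM: kvno = 5' | kdc_kvno)
    [ "$want" = 5 ] || return 1
    needs_rebuild "$have" "$want" || return 1        # 4 != 5: rebuild
    needs_rebuild "" "$want" || return 1             # principal missing: rebuild
    if needs_rebuild 5 "$want"; then return 1; fi    # 5 == 5: nothing to do
}

case "${1-}" in
    rotate)   main ;;       # what cron runs, e.g. once a day
    selftest) selftest ;;
esac
```

Run it as `keytab-refresh.sh rotate` from cron; `keytab-refresh.sh selftest` exercises the parsers on the constructed sample output without contacting a KDC. Because the decision is based on the KDC's current KVNO rather than on a calendar, the script also copes with a reset that happens earlier than expected, which is the case the wiki's warning is about.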


