[squid-users] squid auth

Markus Moeller huaraz at moeller.plus.com
Tue Dec 8 20:20:51 UTC 2015


Hi,

   The issue appears if you use the same AD account for Samba and the 
Kerberos keytab creation, as Samba will reset the password of the AD 
account and thereby invalidate the extracted keytab.

Markus


"Alex Samad"  wrote in message 
news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qFNEwMMGA at mail.gmail.com...

Hi

So what you're saying is I should install msktutil and let it manage
the Squid Kerberos keytab file.


Could you possibly help with the changes to the squid.conf file? Do I
leave it as is and just add Kerberos first?


On 8 December 2015 at 20:03, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 8/12/2015 7:44 p.m., Alex Samad wrote:
>> Hi
>>
>> Currently using 3.1 (from CentOS 6)
>> I have setup squid to auth against MS AD
>>
>> I have
>> # #######
>> # Negotiate
>> # #######
>>
>> # http://wiki.squid-cache.org/Features/Authentication
>> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
>> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 10 startup=0 idle=3
>> auth_param negotiate keep_alive on
>>
>> # #######
>> # NTLM AUTH
>> # #######
>>
>> # ntlm auth
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
>> auth_param ntlm children 10
>> #auth_param ntlm children 10 startup=0 idle=3
>> #auth_param ntlm keep_alive
>>
>>
>> # #######
>> # NTLM over basic
>> # #######
>>
>> # warning: basic authentication sends passwords plaintext
>> # a network sniffer can and will discover passwords
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>> I want to move towards using Kerberos and came to this page
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> I worked through that, but I saw this
>>
>> Do not use this method if you run winbindd or other samba services as
>> samba will reset the machine password every x days and thereby makes
>> the keytab invalid !!
>
>
> As I understand it that disclaimer applies only to the "OR with Samba"
> instructions for keytab creation directly above it. The other two
> methods should work.
>
> Also, it is just a disclaimer about a known problem. There is always the
> option to setup a script that re-builds the keytab and reloads Squid
> every X days when it changes.
>
>>
>> I have winbindd running for my users list in Linux
>>
>> Is there a way around this, and if not, how?
>>
>
> The initial msktutil method of keytab creation is both a way around it
> and the preferred method of keytab creation.
>
> As you found elsewhere ...
>
>> then found this one
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>
>> but I am not using msktutil; I do have Samba and krb5-workstation 
>> installed
>>
>
> msktutil is just a tool to generate keytabs and link the machine to the
> domain. I *think* it should still be usable even if you have Samba; the
> problem is just that if you let Samba know about the keytab and account
> it will do the periodic updates.
>
> Amos
>
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
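The thread's practical advice is twofold: give the Squid HTTP/ service its own AD computer account via msktutil, so the password Samba rotates for the host account is not the one in Squid's keytab, and run a periodic job that re-keys the keytab and reloads Squid when it changes. The script below is an added example written for this page, not code from the squid wiki or from anyone in the thread. Everything it assumes is made up for illustration: the proxy is proxy.example.com in realm EXAMPLE.COM, the keytab lives at /etc/squid/HTTP.keytab, the msktutil-managed account is proxy-http, and the domain controller is dc1.example.com. It detects a stale keytab the way a password reset actually shows up, as the KDC's key version number (kvno) for the principal moving past the kvno stored in the keytab, and only then re-keys and reloads. The top-level demo parses constructed klist/kvno output so it runs without a domain.

```shell
#!/bin/sh
# Added example (not from the thread or the squid wiki): refresh the Squid
# HTTP/ keytab from cron without touching the Samba host account.
# Assumed names: proxy.example.com, EXAMPLE.COM, /etc/squid/HTTP.keytab,
# computer account proxy-http, DC dc1.example.com (all hypothetical).

KEYTAB=${KEYTAB:-/etc/squid/HTTP.keytab}
PRINC=${PRINC:-HTTP/proxy.example.com@EXAMPLE.COM}

# Highest kvno stored for principal $1, parsed from `klist -kt` on stdin.
# Rows look like "   3 12/08/2015 20:20:51 HTTP/...@REALM"; header and
# separator rows are skipped because their first field is not a number.
keytab_kvno() {
  awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1+0 > m) m = $1+0 }
                 END { print m+0 }'
}

# kvno the KDC currently holds for principal $1, parsed from `kvno` on stdin.
# MIT kvno prints "HTTP/...@REALM: kvno = 4".
kdc_kvno() {
  awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $NF+0 }'
}

# 0 (true) when the KDC has a newer key than the keytab, i.e. the account
# password was reset behind our back; 1 when the keytab is current.
needs_refresh() {   # $1 = keytab kvno, $2 = KDC kvno
  [ "$2" -gt "$1" ]
}

# Live check against AD. Uses a private credential cache so it never
# clobbers the caller's tickets. If kinit with the keytab already fails the
# key is useless regardless of kvno, so report "stale".
keytab_stale() {
  kt=$(klist -kt "$KEYTAB" | keytab_kvno "$PRINC")
  KRB5CCNAME=FILE:/run/squid-keytab-check.cc; export KRB5CCNAME
  kinit -kt "$KEYTAB" "$PRINC" || return 0
  kdc=$(kvno "$PRINC" | kdc_kvno "$PRINC")
  kdestroy
  needs_refresh "$kt" "$kdc"
}

# Re-key the proxy's own account and rewrite the keytab. msktutil only
# changes the password when it is older than msktutil's own 30-day default,
# and it updates the account it created, not the Samba host account.
# Then prove the new keytab works before telling Squid to reload (Amos's
# "re-builds the keytab and reloads Squid" step).
refresh_keytab() {
  msktutil --auto-update --keytab "$KEYTAB" --computer-name proxy-http \
           --server dc1.example.com || return 1
  chown squid "$KEYTAB" && chmod 600 "$KEYTAB"
  kinit -kt "$KEYTAB" "$PRINC" && kdestroy || return 1
  squid -k reconfigure
}

# Constructed sample output (not captured from a real domain) for an
# offline demonstration: the keytab holds kvno 3, the KDC is already at 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 12/01/2015 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 12/08/2015 20:20:51 HTTP/proxy.example.com@EXAMPLE.COM
   3 12/08/2015 20:20:51 host/proxy.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'

if [ "${1:-demo}" = demo ]; then
  kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
  kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$PRINC")
  if needs_refresh "$kt" "$kdc"; then
    echo "keytab kvno $kt < KDC kvno $kdc: password was reset, refresh needed"
  else
    echo "keytab kvno $kt is current"
  fi
else
  # cron mode: `script live` from a daily job
  if keytab_stale; then refresh_keytab; fi
fi
```

Run it with no argument to see the offline demo; install it as a daily cron job invoked with `live` on the proxy. The kvno comparison is the check worth having even if you never automate the refresh: when Negotiate suddenly stops working after a Samba machine-password rotation, a keytab kvno lower than the KDC's is the immediate tell that the wrong account was used to create the keytab. Keep the keytab readable only by the Squid user; anyone who can read it can impersonate the proxy to every browser that trusts it.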