[squid-users] squid auth

Alex Samad alex at samad.com.au
Tue Dec 8 23:21:25 UTC 2015


So when I do kinit I should use a different account to the Samba one.

I'm lost, sorry.

When I attach with winbind, I kinit with my personal admin account and
also do a net ads join -U <admin account>.

The password on the <admin account> doesn't / hasn't changed.

Are you talking about the computer account password?

If so, then I set up a different computer account for the squid
Kerberos application!


On 9 December 2015 at 07:20, Markus Moeller <huaraz at moeller.plus.com> wrote:
> Hi,
>
>   The issue appears if you use the same AD account for Samba and the
> Kerberos keytab creation, as Samba will reset the password of the AD
> account and thereby invalidate the extracted keytab.
>
> Markus
>
>
> "Alex Samad"  wrote in message
> news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qFNEwMMGA at mail.gmail.com...
>
>
> Hi
>
> So what you're saying is I should install msktutil and let it manage
> the squid krb keytab file.
>
>
> Could you possibly help with the changes to the squid.conf file? Do I
> leave it as is and just add Kerberos first?
>
>
> On 8 December 2015 at 20:03, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 8/12/2015 7:44 p.m., Alex Samad wrote:
>>>
>>> Hi
>>>
>>> Currently using 3.1 (from CentOS 6).
>>> I have set up squid to auth against MS AD.
>>>
>>> I have
>>> # #######
>>> # Negotiate
>>> # #######
>>>
>>> # http://wiki.squid-cache.org/Features/Authentication
>>> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
>>> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>>> auth_param negotiate children 10 startup=0 idle=3
>>> auth_param negotiate keep_alive on
>>>
>>> # #######
>>> # NTLM AUTH
>>> # #######
>>>
>>> # ntlm auth
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
>>> auth_param ntlm children 10
>>> #auth_param ntlm children 10 startup=0 idle=3
>>> #auth_param ntlm keep_alive
>>>
>>>
>>> # #######
>>> # NTLM over basic
>>> # #######
>>>
>>> # warning: basic authentication sends passwords plaintext
>>> # a network sniffer can and will discover passwords
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>>
>>> I want to move towards using Kerberos and came to this page:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> I worked through that, but I saw this:
>>>
>>> Do not use this method if you run winbindd or other samba services as
>>> samba will reset the machine password every x days and thereby makes
>>> the keytab invalid !!
>>
>>
>>
>> As I understand it that disclaimer applies only to the "OR with Samba"
>> instructions for keytab creation directly above it. The other two
>> methods should work.
>>
>> Also, it is just a disclaimer about a known problem. There is always the
>> option to set up a script that re-builds the keytab and reloads Squid
>> every X days when it changes.
>>
>>>
>>> I have winbindd running for my users list in Linux.
>>>
>>> Is there a way around this, and if not, how?
>>>
>>
>> The initial msktutil method of keytab creation is both a way around it
>> and the preferred method of keytab creation.
>>
>> As you found elsewhere ...
>>
>>> then found this one
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>
>>> but I am not using msktutil; I do have samba and the krb-workstation
>>> installed.
>>>
>>
>> msktutil is just a tool to generate keytabs and link the machine to the
>> domain. I *think* it should still be usable even if you have Samba; the
>> problem is just that if you let Samba know about the keytab and account
>> it will do the periodic updates.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
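Amos's suggestion above of a script that re-builds the keytab and reloads Squid when it changes, written out as an added example that is not part of this thread: a daily cron job that lets msktutil renew the keytab of the dedicated Squid computer account, reloads Squid only when the keytab's key version number actually changed, and exits non-zero (so cron mails) if the keytab can no longer obtain a ticket. It assumes MIT Kerberos (as on CentOS), msktutil, and a computer account that Samba/winbind does not also use; the keytab path, principal and computer-account name are placeholders.

```sh
#!/bin/sh
# Cron job for a Squid HTTP/ keytab held by a dedicated AD computer account
# (not the one Samba/winbind uses): let msktutil renew it, reload Squid only
# when the keytab actually changed, and fail loudly if it no longer works.
# Paths, principal and computer-account name below are assumed placeholders.
KEYTAB=${KEYTAB:-/etc/squid/HTTP.keytab}
PRINCIPAL=${PRINCIPAL:-HTTP/proxy.example.com@EXAMPLE.COM}
COMPUTER_NAME=${COMPUTER_NAME:-PROXY-K}

# Print the highest key version number listed for principal $1 in the
# `klist -kt` output read from stdin (0 if the principal is absent).
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p && $1+0 > m { m = $1+0 }
                   END { print m+0 }'
}

# Return 0 if the keytab still obtains a TGT for the principal, 2 if the
# file is unreadable, 1 if the KDC rejects the key (a reset AD password).
keytab_usable() {
    [ -r "$1" ] || return 2
    cc=$(mktemp) || return 2
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2" >/dev/null 2>&1; then
        KRB5CCNAME="FILE:$cc" kdestroy >/dev/null 2>&1
        rm -f "$cc"; return 0
    fi
    rm -f "$cc"; return 1
}

main() {
    before=$(klist -kt "$KEYTAB" 2>/dev/null | keytab_kvno "$PRINCIPAL")
    # --auto-update changes the account password (and rewrites the keytab)
    # only when msktutil decides it is due, so this is safe to run daily.
    msktutil --auto-update --computer-name "$COMPUTER_NAME" --keytab "$KEYTAB" \
        || { echo "msktutil --auto-update failed" >&2; return 1; }
    after=$(klist -kt "$KEYTAB" 2>/dev/null | keytab_kvno "$PRINCIPAL")
    if [ "$before" != "$after" ]; then
        echo "keytab kvno $before -> $after, reloading squid"
        squid -k reconfigure || { echo "squid reload failed" >&2; return 1; }
    fi
    if ! keytab_usable "$KEYTAB" "$PRINCIPAL"; then
        echo "keytab $KEYTAB no longer authenticates $PRINCIPAL" >&2
        return 1        # non-zero exit so cron mails the failure
    fi
}

# Run only when installed under this name, e.g. /etc/cron.daily/squid-keytab,
# so the functions can also be sourced for testing.
case "${0##*/}" in squid-keytab*) main "$@" ;; esac
```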