[squid-users] squid 3.5.10 samba4 kerberos few questions (debain Jessie)

L.P.H. van Belle belle at bazuin.nl
Wed Dec 16 10:48:30 UTC 2015


Hi,

I'm having the following running.

Debian Jessie, squid 3.5.10 (recompiled from sid) with icap and authorisation against a Samba 4 AD DC.

I begin with: this works great! So now my questions and the conf part for this.

I am using the following authentications.

First Kerberos:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

And this works also:

#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I use basic auth as fallback.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h samba4-dc2.internal.domain.tld \
    -h samba4-dc1.internal.domain.tld

I know the following:

## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
##    Fallback to LDAP for NON WINDOWS, NON DOMAIN JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up in a user popup for auth,
##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

When people access websites I see a lot of: TCP_DENIED/407
Sometimes about 10-12 times the TCP_DENIED/407, even when the user already accessed the website and was authenticated.
Is this because of PC auth, or user auth, or by design, as I read here:

http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html

acl AuthRequest http_status 407
access_log ... !AuthRequest ...

Is this the only solution to reduce the 407s, or am I missing some setting here?

If you need more info, just ask..

Greetz,

Louis
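
An added example (not from the post above and not a Squid tool) that helps answer the 407 question from the log side. Negotiate and NTLM authentication in Squid are connection-oriented, so every new TCP connection a browser opens starts with a TCP_DENIED/407 challenge even for an already authenticated user; the script counts, per client, the challenges against the requests that afterwards carried a username, and flags clients that only ever get challenged (the "popup forever" case the post describes). All log lines, IPs and the realm are constructed placeholders.

```python
import re
from collections import defaultdict

# Squid native access.log: timestamp elapsed client action/status bytes method url user hier/peer type
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/"
                    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s")

# Constructed sample lines (not from a real proxy). Client 10.0.0.11 is a domain-joined PC:
# each new connection is challenged once, then its requests carry the Kerberos principal.
# Client 10.0.0.22 only ever receives challenges, the failure loop the question describes.
SAMPLE_LOG = """\
1450259310.101      0 10.0.0.11 TCP_DENIED/407 3904 GET http://www.example.com/ - HIER_NONE/- text/html
1450259310.102      0 10.0.0.11 TCP_DENIED/407 3904 GET http://www.example.com/style.css - HIER_NONE/- text/html
1450259310.250     45 10.0.0.11 TCP_MISS/200 1234 GET http://www.example.com/ alice@KERB.REALM HIER_DIRECT/203.0.113.5 text/html
1450259310.260     30 10.0.0.11 TCP_MISS/200 512 GET http://www.example.com/style.css alice@KERB.REALM HIER_DIRECT/203.0.113.5 text/css
1450259311.001      0 10.0.0.22 TCP_DENIED/407 3904 GET http://www.example.com/ - HIER_NONE/- text/html
1450259311.002      0 10.0.0.22 TCP_DENIED/407 3904 GET http://www.example.com/ - HIER_NONE/- text/html
this line is not a squid record and must be skipped
"""


def parse_line(line):
    """Fields of one native-format line, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_clients(log_text):
    """Per client: count 407 challenges and requests that carried a username, then label it.
    'expected' = challenges followed by authenticated requests (normal per-connection behaviour);
    'auth-failing' = nothing but challenges; 'unauthenticated' = traffic without any auth at all."""
    stats = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines instead of aborting the whole run
        s = stats[rec["client"]]
        if rec["status"] == 407:
            s["challenges"] += 1
        elif rec["user"] != "-":
            s["authenticated"] += 1
            s["users"].add(rec["user"])
    for s in stats.values():
        s["verdict"] = ("expected" if s["authenticated"] else
                        "auth-failing" if s["challenges"] else "unauthenticated")
        s["users"] = sorted(s["users"])
    return dict(stats)
```

Run `classify_clients()` over the text of a real access.log to see which clients produce the 407 bursts by design and which never get past the challenge.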

 

 

 
