[squid-users] squid 3.5.10 samba4 kerberos few questions (debain Jessie)

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 16 13:14:18 UTC 2015


On 16/12/2015 11:48 p.m., L.P.H. van Belle wrote:
> Hai,
>
> I'm having the following running.
>
> Debian Jessie, squid 3.5.10 (recompiled from sid) with icap and authorisation against a samba 4 AD DC.
>
> I begin with, this works great!.. so now my questions and the conf part for this.
>
> I am using the following authentications.
>
> First Kerberos:
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
> And this works also
>
> #auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> #    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
> #    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
>
> I use as fallback basic auth.
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
>     -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
>     -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
>     -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>     -h samba4-dc2.internal.domain.tld \
>     -h samba4-dc1.internal.domain.tld
>
> I know the following:
>
> ## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
> ##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
> ##    NO NTLM. AKA, a windows pc, NOT JOINED in the domain, will end up in always user popup for auth.
> ##    Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
> ## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.
>

AFAIK #2 is incorrect. Negotiate still needs the *joined* part to be
true. They just do not have to have current connectivity to the DC
provided the secret-token part of credentials that comes from the DC is
still current on the client machine.


> When people access websites I see a lot of: TCP_DENIED/407
>
> Sometimes about 10-12 times the TCP_DENIED/407, even when the user already accessed the website and it authenticated.
>
> Is this because of PC's auth, or user auth, or by design as I did read here:
>
> http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html
>
> acl AuthRequest http_status 407
> access_log ... !AuthRequest ...
>
> is this the only solution to reduce the 407, or am I missing some setting here?

It just hides them from the logging. They still happen.

Another workaround is suggested in that thread: to bypass and not
require authentication for some popular domains. That has the added
benefit of letting HTTP performance optimizations work - most HTTP
features actually have to be disabled in the presence of NTLM or Negotiate.

The solution is for clients to actually make use of the connection
persistence that NTLM and Negotiate *require* Squid to set up just to
perform those auth types. Tearing it all down after just one HTTP level
transaction is very wasteful.

Amos
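One way to tell the expected 407 (one challenge per new connection) from the wasteful pattern Amos describes (a challenge on nearly every request because the client drops the persistent connection) is to count TCP_DENIED/407 per client in access.log. The script below is an added illustration, not code from the thread or the Squid project; the log lines are constructed in Squid's default "squid" log format and the 0.34 ratio threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's default "squid" access_log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1450271658.101      0 10.0.0.5 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1450271658.150     45 10.0.0.5 TCP_MISS/200 12345 GET http://example.com/ jdoe@KERB.REALM HIER_DIRECT/93.184.216.34 text/html
1450271658.201      0 10.0.0.5 TCP_DENIED/407 3912 GET http://example.com/a.css - HIER_NONE/- text/html
1450271658.250     12 10.0.0.5 TCP_HIT/200 2211 GET http://example.com/a.css jdoe@KERB.REALM HIER_NONE/- text/css
1450271658.301      0 10.0.0.5 TCP_DENIED/407 3912 GET http://example.com/b.js - HIER_NONE/- text/html
1450271658.350     10 10.0.0.5 TCP_HIT/200 5120 GET http://example.com/b.js jdoe@KERB.REALM HIER_NONE/- application/javascript
1450271659.001      0 10.0.0.9 TCP_DENIED/407 3912 GET http://example.org/ - HIER_NONE/- text/html
1450271659.050     40 10.0.0.9 TCP_MISS/200 9000 GET http://example.org/ asmith@KERB.REALM HIER_DIRECT/93.184.216.34 text/html
1450271659.101     11 10.0.0.9 TCP_HIT/200 2211 GET http://example.org/a.css asmith@KERB.REALM HIER_NONE/- text/css
1450271659.150      9 10.0.0.9 TCP_HIT/200 5120 GET http://example.org/b.js asmith@KERB.REALM HIER_NONE/- application/javascript
"""

# Only the leading fields matter here: timestamp, elapsed, client, result code/status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s"
)

def summarize_407(log_text):
    """Return {client: (count_of_407_challenges, total_requests)} from squid-format log text."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entry = stats[m.group("client")]
        entry[1] += 1
        if m.group("status") == "407":
            entry[0] += 1
    return {client: tuple(counts) for client, counts in stats.items()}

def renegotiating_clients(log_text, max_ratio=0.34, min_requests=4):
    """Clients whose share of 407 challenges suggests they re-authenticate on every
    request instead of reusing the persistent connection NTLM/Negotiate rely on.
    The ratio threshold is an assumed tuning value, not something from the thread."""
    flagged = {}
    for client, (challenges, total) in summarize_407(log_text).items():
        if total >= min_requests and challenges / total > max_ratio:
            flagged[client] = round(challenges / total, 2)
    return flagged

if __name__ == "__main__":
    print(renegotiating_clients(SAMPLE_LOG))  # prints {'10.0.0.5': 0.5}
```

In the sample, 10.0.0.5 is challenged before every request (half its log lines are 407s) while 10.0.0.9 is challenged once and then reuses the authenticated connection.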
