[squid-users] Active Directory Authentication failing at the browser
squid3 at treenet.co.nz
Mon Nov 16 21:15:56 UTC 2015
On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> On 16.11.2015 18:46, dolson wrote:
>>> Squid Version: Squid 3.4.8
>>> OS Version: Debian 8 (8.2)
>>> I have installed Squid on a server using Debian 8 and seem to have the basics
>>> operating, at least when I start the squid service, I am no longer
>>> getting any error messages. At this time, the goal is to authenticate users
>>> from Active Directory and log the user and the websites they are accessing.
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
>>> workstation to use the Squid proxy, I am getting the log in page (image below).
>>> I have tried entering my user name in various forms (EXAMPLE/USERID, USERID,
>>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR) and the password, and I have not been
>>> successful at this time.
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files for
>>> review. If you would like to see the cache.log file, please contact me as the
>>> file is too large to include in this post.
>> I suggest you first get Basic and NTLM working with Active Directory, and only
>> then, having these 2 schemes working, move to the GSS-SPNEGO scheme. This is
>> because the GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it uses
>> lots of components and can fall apart easily at any stage.
> I suggest also using a current Firefox release. I am finding the 4x's
> series work a lot better than the earlier 3x's did on Windows 7.
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
> Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
Also, since you are using what looks to be an outdated copy-n-paste of
the Squid official wiki article on Windows AD integration, not the
living-document original itself, you missed seeing one critical detail
about winbind bugs on Debian that have come to light a few months back.