[squid-users] NTLM Authentication Failing

Alex Samad alex at samad.com.au
Wed Oct 21 21:33:45 UTC 2015


Would it be fair to say best practice is to get Kerberos working in favour
of NTLM?
On 21/10/2015 3:18 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

> On 2015-10-21 15:38, Ilias Clifton wrote:
>
>>
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> > Hi All,
>>> > I've been following the guide at this location for Active Directory
>>> integration
>>> >
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>>> >
>>> > First, some versions for sanity..
>>> > Ubuntu : 14.04.3 LTS
>>> > Squid : 3.3.8 (from ubuntu repositories)
>>> > Samba : 4.1.6-Ubuntu
>>> > DC : Windows Server 2012 R2
>>> >
>>> > I am currently testing the authentication, negotiate kerberos and
>>> basic ldap are
>>> > both working correctly. However NTLM is not and I don't seem to be making
>>> any
>>> > progress on debugging further.
>>>
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries <squid3 at treenet.co.nz>
>>>
>>>
>>>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>>>
>>>
>>> Amos
>>>
>>>
>>>
>>>
>> Hi Amos,
>>
>> Thank you for your detailed answer.
>>
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>>
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
>>
>
> I believe that's at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>
>
>
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
>>
>
> And that's the way to do it IIRC. Someone more familiar may know a better
> way.
>
>
>
>> My config now looks like..
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>>
>> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>>
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
>>
>>
>> Does that look ok?
>>
>
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
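The configuration quoted above declares the Negotiate and Basic authenticators and the ext_ldap_group_acl helper, but stops short of the acl and http_access lines that actually use them, and of the helper-pool tuning Amos hints at when he mentions queue warnings. The block below is an added example written for this page; it is not from the thread, from Squid's documentation or from the bitbinary guide. The helper paths, bind account, password file, search base and DC hostname are the ones posted; the acl names, the group name InternetUsers, the startup=/idle=/ttl= numbers and the comments are assumptions for illustration. The -d debug flag on the Kerberos helper is left out, since it writes verbose per-request detail to cache.log and is only useful while troubleshooting.

```conf
# Added example: complete authentication/authorisation section built around
# the helpers from the posted config. acl names, the group "InternetUsers"
# and the pool-size numbers are assumptions, not values from the thread.

### 1. Negotiate (Kerberos) first. Squid offers schemes to the client in the
###    order they are declared, so domain-joined browsers take this path and
###    everything else falls through to Basic below.
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive off

### 2. Basic over LDAP for clients that cannot do Kerberos (non-domain PCs,
###    mobiles). Basic carries the password base64-encoded, so it is only
###    acceptable where the client-to-proxy network is trusted. credentialsttl
###    caches a validated login so each request does not hit the DC again.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 20 startup=5 idle=2
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### 3. Group lookup. -K strips the Kerberos realm (user@REALM) and -S the NT
###    domain (DOMAIN\user) from %LOGIN, so both authentication paths hand the
###    helper a bare sAMAccountName. %v is that login, %g the group named in
###    the acl line below. ttl= caches positive answers, negative_ttl= denials.
external_acl_type memberof ttl=300 negative_ttl=60 children-max=10 children-startup=2 children-idle=1 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

### 4. Tie it together. "deny !authenticated" is what makes Squid send the
###    407 challenge; the external acl is only consulted once a login exists,
###    and the final deny catches authenticated users outside the group.
acl authenticated proxy_auth REQUIRED
acl internet_users external memberof InternetUsers

http_access deny !authenticated
http_access allow internet_users
http_access deny all
```

Check the file with `squid3 -k parse` before `squid3 -k reconfigure` (the binary is named squid3 on Ubuntu 14.04). Two operational points worth checking alongside: /etc/squid3/ldappass.txt holds the bind account's password in clear text and should be readable only by the account the helpers run under (the proxy user on Ubuntu's squid3 package), and the proxyuser account itself needs no rights beyond reading directory attributes. If cache.log starts reporting that all helper processes are busy and asks for more, the children / children-max values above are the ones to raise, which is the adjustment Amos describes.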