[squid-users] NTLM Authentication Failing
alex at samad.com.au
Wed Oct 21 21:33:45 UTC 2015
Would it be fair to say best practice is to get Kerberos working in favour
of NTLM?
On 21/10/2015 3:18 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
> On 2015-10-21 15:38, Ilias Clifton wrote:
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> > Hi All,
>>> > I've been following the guide at this location for Active Directory
>>> > First, some versions for sanity..
>>> > Ubuntu : 14.04.3 LTS
>>> > Squid : 3.3.8 (from ubuntu repositories)
>>> > Samba : 4.1.6-Ubuntu
>>> > DC : Windows Server 2012 R2
>>> > I am currently testing the authentication, negotiate kerberos and
>>> basic ldap are
>>> > both working correctly. However ntlm is not and I don't seem to be making
>>> > progress on debugging further.
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries <squid3 at treenet.co.nz>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>> Hi Amos,
>> Thank you for your detailed answer.
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
> I believe that's at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
> And that's the way to do it IIRC. Someone more familiar may know a better
>> My config now looks like..
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser at domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
>> -R -K -S -b "DC=domain,DC=local" -D proxyuser at domain.local -W
>> /etc/squid3/ldappass.txt -f
>> -h dc1.domain.local
>> Does that look ok?
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
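An added check for the client-side change Amos describes (my code, not from the thread or the Squid project): it decodes the token from a captured "Proxy-Authorization: Negotiate ..." header (from a packet capture or Squid debug output) and reports whether the client sends raw NTLM, lists NTLM first, or only lists it behind Kerberos, so you can verify that IE has really stopped trying NTLM over the Negotiate scheme. The sample tokens are constructed inline.

```python
import base64
OID_SPNEGO  = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (DER contents octets, RFC 4178)
OID_KRB5    = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (MS-SPNG)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}

def der_read(buf, pos=0):
    """Read one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(b64):
    """Classify a 'Proxy-Authorization: Negotiate <b64>' token: (kind, mechTypes in client preference order)."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):            # bare NTLM message sent under the Negotiate scheme
        return "ntlm-raw", ["ntlmssp"]
    tag, body, _ = der_read(tok)                  # [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit | [1] NegTokenResp }
    oid_tag, oid, pos = der_read(body) if tag == 0x60 and body else (None, None, 0)
    if (oid_tag, oid) != (0x06, OID_SPNEGO):
        return "unknown", []
    ctx_tag, negtoken, _ = der_read(body, pos)
    if ctx_tag != 0xa0:                           # NegTokenResp carries no mechTypes list
        return "spnego-resp", []
    _, seq, _ = der_read(negtoken)                # NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    mt_tag, mechtypes, _ = der_read(seq)
    oids = der_read(mechtypes)[1] if mt_tag == 0xa0 else b""
    mechs, pos = [], 0
    while pos < len(oids):                        # walk the SEQUENCE OF OID
        _, v, pos = der_read(oids, pos)
        mechs.append(MECH_NAMES.get(v, v.hex()))
    return "spnego-init", mechs

def ntlm_status(b64):
    """'preferred': client tries NTLM first (raw NTLMSSP or NTLMSSP heads mechTypes); 'fallback': listed behind Kerberos; 'none'."""
    kind, mechs = classify_negotiate_token(b64)
    if kind == "ntlm-raw" or (mechs and mechs[0] == "ntlmssp"):
        return "preferred"
    return "fallback" if "ntlmssp" in mechs else "none"

def der(tag, payload):                            # short-form DER encoder, only for the constructed samples
    return bytes([tag, len(payload)]) + payload
def sample_negtokeninit(oids):                    # constructed NegTokenInit offering the given mechTypes, base64
    mechtypes = der(0xa0, der(0x30, b"".join(der(0x06, o) for o in oids)))
    return base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + der(0xa0, der(0x30, mechtypes)))).decode()
SAMPLE_KRB_FIRST = sample_negtokeninit([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])   # constructed: domain-joined client
SAMPLE_NTLM_ONLY = sample_negtokeninit([OID_NTLMSSP])                          # constructed: no Kerberos available
SAMPLE_RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()  # constructed: raw NTLM
```

Feed each client's first Negotiate token to ntlm_status(); anything other than "none" means that client still has NTLM enabled and needs the Integrated Windows Authentication setting changed.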