[squid-users] ldap authentication with encrypted credentials

L.P.H. van Belle belle at bazuin.nl
Wed May 4 12:46:01 UTC 2016


In addition, due to the last Samba and Windows security fixes there was a behavior change. 

So beware with squid and samba/winbind/ldap/windows auth. 
Read : https://www.samba.org/samba/history/samba-4.4.2.html 
This had a big impact. 

But beware: use Samba 4.2.12, 4.3.9 or 4.4.3.
All versions of that bug release (4.4.2, 4.3.8, 4.2.11) had some nasty bugs. 

I had to reconfigure my squid auth. 
I've tested with the latest Squid 3.5.17 on my Debian jessie, all fine again. 

And to Sampei: add a Samba 4 AD (preferred 4.4.3) to your domain, 
move the FSMO roles to Samba, and drop your unsupported Windows AD. 
I dropped all my Windows servers, only Samba now. 


Greetz, 

Louis



> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 4 May 2016 14:23
> To: Sampei; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ldap authentication with encrypted
> credentials
> 
> On 4/05/2016 11:56 p.m., Sampei wrote:
> > I'll explain better:
> > Squid is running on Debian 5 older server and every Windows (XP/7/10)
> > client uses it to surf on web.
> > Clients are configured in an out-of-date Microsoft domain where the Domain
> > Controllers are based on Windows 2000 Server.
> > So far I permit Internet access to clients by specifying the IP address of
> > computers in the squid.conf file, but now I'd like to manage Internet access
> > by asking the user for their AD credentials.
> > Right now I'm not able to update systems, so I have to schedule the upgrade for
> > next year.
> 
> I've been in those shoes myself, and recommend you may want to keep the
> IP-based authorization until you can get a better AD system.
> 
> >
> >>>> Look into Negotiate/Kerberos authentication. You will need that for
> >>>> the Win7 and Win10 clients anyway
> > For Windows 7/10 clients, will Basic authentication (Squid 2.7) with the LDAP
> > helper not be able to work?
> > While Kerberos will work with both older clients and newer ones?
> >
> 
> Yes they all still support Basic, but you said that was not desirable.
> 
> The secure methods that leaves you with are NTLMv2 (definitely *not*
> NTLMv1) or Negotiate/Kerberos.
> 
> NTLM was deprecated by MS in 2006. All software produced by MS since
> then is increasingly hostile to NTLM being used and prefers Kerberos.
> XP can handle Kerberos with maybe a little config. And it is both more
> secure and faster so a double-win once you get over the learning curve
> for its management tools.
> 
> I'm not sure if or how the Win2k server can handle Kerberos. You will
> need to find that out.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
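The choice Amos lays out above (Basic with the LDAP helper versus Negotiate/Kerberos), shown as a Squid 3.5 squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the realm, hostnames, bind DN, keytab and helper paths are assumptions.

```conf
# Added example (not from the thread): Squid 3.5 auth fragment contrasting the
# Basic/LDAP helper with Negotiate/Kerberos against an AD domain.
# Assumed values: realm EXAMPLE.LOCAL, proxy host proxy.example.local,
# DC dc1.example.local, helper paths under /usr/lib/squid
# (Debian's squid3 package installs them under /usr/lib/squid3).

# --- Preferred: Negotiate/Kerberos for domain-joined Win7/Win10 clients ---
# Requires the HTTP/proxy.example.local@EXAMPLE.LOCAL principal exported
# into the keytab referenced by -k.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth \
    -s HTTP/proxy.example.local@EXAMPLE.LOCAL -k /etc/squid/proxy.keytab
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

# --- Fallback: Basic with the LDAP helper (legacy XP clients, scripts) ---
# The weak form the thread warns about: the browser sends the password
# base64-encoded on every request, so keep it only for clients that
# cannot do Negotiate. -ZZ requires StartTLS to the DC so at least the
# bind and search between Squid and AD are not in cleartext.
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -b "dc=example,dc=local" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=local" -W /etc/squid/ldap.pw \
    -f "(&(objectClass=user)(sAMAccountName=%s))" -v 3 -ZZ -h dc1.example.local
auth_param basic children 5 startup=2 idle=1
auth_param basic realm Proxy (AD credentials)
auth_param basic credentialsttl 5 minutes

# Squid offers schemes in the order the auth_param lines appear, so listing
# negotiate first makes domain browsers choose Kerberos over Basic.

# Require a successful login; deny everything else.
acl ad_users proxy_auth REQUIRED
http_access deny !ad_users
http_access allow ad_users
http_access deny all
```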


