[squid-users] Squid and AD => That' s don't work !

L.P.H. van Belle belle at bazuin.nl
Wed May 11 12:02:26 UTC 2016


Ok, well. It's not only the squid conf you need, so here is what you need in total.

https, yes, works too, but I don't use sslbump etc.

Below is all based on Debian packages; 0 source installs are used.

(if you need squid 3.5.19 on Debian Jessie amd64 I can share them too, SSL is enabled in my build)

Read through it, see what you can use, and mail if you don't get it.

Below works as of debian 3.4.8 up to 3.5.19 (tested)

Squid:

This is what I have in the auth lines:

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@internal.domain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://ad-dc2.internal.domain.tld \
    -H ldaps://ad-dc1.internal.domain.tld

auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Auth
auth_param basic credentialsttl 2 hours

 

 

The samba smb.conf I'm using with it.
About samba: the last update is a complex one, you must configure this correctly for samba and ldap.
I'll explain that below.

 

[global]
    workgroup = NTDOMAIN
    security = ads
    realm = REALM

    netbios name = PROXY
    preferred master = no
    domain master = no
    host msdfs = no

    dns proxy = yes

    server signing = mandatory
    ntlm auth = no

    # Add and update TLS key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/proxy.key.pem
    tls certfile = /etc/ssl/local/certs/proxy.cert.pem
    tls cafile = /etc/ssl/certs/personal-ca.pem

    ## map ids from outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes

    winbind enum users  = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; slows down your samba if groups are nested too deep
    winbind expand groups = 4

    # disable usershare creation; when set empty, no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

 

the krb5.conf for this:

[libdefaults]
    default_realm = REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

 

 

For /etc/ldap/ldap.conf (client conf)

A correctly set up CA root and client certs. Needed for samba and ldap clients.

Add in /etc/ldap/ldap.conf (minimal)

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

 

Set up your own "rootCA" like this.

(if not done, apt-get install ca-certificates)

mkdir -p /usr/local/share/ca-certificates/yourCArootFolder
copy your root CA cert (.crt or it won't be detected) into /usr/local/share/ca-certificates/yourCArootFolder
run: update-ca-certificates

! MUST BE /usr/local/share/ca-certificates else it's not picked up by the update-ca-certificates command.

you should see:

update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Now, after the above is done, your CA cert is hashed in /etc/ssl/certs
and it's added in /etc/ssl/certs/ca-certificates.crt

 

For Windows, now set up a GPO to deploy the root CA to your PCs and you're good to go.
How:
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx

This folder, /etc/ssl/local, is advised for your personal certificates.
Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.

So create the folders
/etc/ssl/local/certs
/etc/ssl/local/private
Much easier to maintain this way.

Some advice on samba/winbind.

The above only needs winbind installed and I do advise 4.4.3; recompile it from Debian SID.
Or, if you're on Debian Jessie amd64, you can use my deb files.
Found here: http://downloads.van-belle.nl/samba4/
Please do read the README.txt

 

 

Greetz, 

 

Louis
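The negotiate_wrapper_auth line in the squid.conf above hands each client token either to negotiate_kerberos_auth or to ntlm_auth. The following is an added example, not Squid's code and not from the author of this mail: it reproduces a simplified form of that routing decision (raw NTLMSSP blob goes to ntlm_auth, a GSS-API/SPNEGO DER token goes to the Kerberos helper; the real wrapper has more cases) on helper-protocol lines, so you can tell from a captured helper conversation how many clients are actually falling back to NTLM. The sample lines are constructed, not a real capture.

```python
import base64
import binascii
from collections import Counter

# Squid's negotiate helper protocol: "YR <token>" opens an auth exchange,
# "KK <token>" continues one; <token> is the base64 blob the client sent in
# its Proxy-Authorization: Negotiate header.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_token(b64_token: str) -> str:
    """Return 'ntlm', 'kerberos' or 'invalid' for one base64 negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"        # raw NTLMSSP blob: ntlm_auth handles it
    if raw[:1] in (b"\x60", b"\xa1"):
        return "kerberos"    # GSS-API/SPNEGO DER token: negotiate_kerberos_auth
    return "invalid"


def route_helper_line(line: str) -> tuple:
    """Parse one helper line and return (command, helper) for it."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return (parts[0], "invalid")
    return (parts[0], classify_token(parts[1]))


def mechanism_summary(lines) -> dict:
    """Count where each new exchange (YR line) would be routed; a growing
    'ntlm' share means clients are falling back from Kerberos."""
    return dict(Counter(route_helper_line(l)[1] for l in lines
                        if l.strip().startswith("YR ")))


# Constructed sample helper input (not a real capture): two SPNEGO openings,
# one raw NTLM type 1 message, one continuation and one garbage line.
SAMPLE_LINES = [
    "YR " + base64.b64encode(b"\x60\x82\x04\x00" + b"\x00" * 8).decode(),
    "KK " + base64.b64encode(b"\xa1\x81\x80" + b"\x00" * 8).decode(),
    "YR " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "YR " + base64.b64encode(b"\x60\x82\x04\x00" + b"\x00" * 8).decode(),
    "YR not-base64!!",
]

if __name__ == "__main__":
    print(mechanism_summary(SAMPLE_LINES))   # {'kerberos': 2, 'ntlm': 1, 'invalid': 1}
```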

 

 
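The root CA procedure above (drop a .crt under /usr/local/share/ca-certificates, run update-ca-certificates, find it in /etc/ssl/certs/ca-certificates.crt) is easy to get subtly wrong, and then ldaps to the DCs fails with TLS_REQCERT set to anything stricter than allow. This added example (my own check, not part of the mail) verifies all three conditions for a given CA file: the location and extension update-ca-certificates requires, and whether the certificate body actually ended up in the bundle. The comparison is textual over the PEM body, the fake PEM strings are constructed and not real certificates, and the script path in the usage comment is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

CA_DIR = "/usr/local/share/ca-certificates/"   # the only tree update-ca-certificates scans
BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # where the hashed CAs are concatenated

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text: str) -> set:
    """SHA-256 of the base64 body of each certificate in a PEM text.

    Bodies are compared with all whitespace removed, so a different line
    wrapping in the bundle does not produce a false mismatch."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        normalized = "".join(body.split())
        fps.add(hashlib.sha256(normalized.encode()).hexdigest())
    return fps


def check_local_ca(ca_path: str, ca_text: str, bundle_text: str) -> list:
    """Return the problems found; an empty list means the CA is installed."""
    problems = []
    if not ca_path.startswith(CA_DIR):
        problems.append("CA file is outside " + CA_DIR)
    if Path(ca_path).suffix != ".crt":
        problems.append("CA file does not end in .crt")
    ca_fps = pem_fingerprints(ca_text)
    if not ca_fps:
        problems.append("no PEM certificate found in CA file")
    elif not ca_fps <= pem_fingerprints(bundle_text):
        problems.append("CA certificate missing from " + BUNDLE)
    return problems


# Constructed stand-in PEM data (not real certificates; the check is textual).
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
FAKE_BUNDLE = ("-----BEGIN CERTIFICATE-----\nWFla\n-----END CERTIFICATE-----\n"
               "-----BEGIN CERTIFICATE-----\nQUJDREVG\nR0g=\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # usage (assumed name): python3 check_ca.py /usr/local/share/ca-certificates/yourCArootFolder/root.crt
    ca = sys.argv[1]
    print(check_local_ca(ca, Path(ca).read_text(), Path(BUNDLE).read_text()) or ["ok"])
```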


From: Olivier CALVANO [mailto:o.calvano at gmail.com]
Sent: Wednesday 11 May 2016 13:34
To: L.P.H. van Belle
Subject: Re: [squid-users] Squid and AD => That' s don't work !


 

Hi

thanks for your answer.

Https works too?

because before we used 3.3.8 but NTLM/Kerberos was working randomly; it worked very well for 1 or 2 days but after that
a lot of users couldn't connect.

We updated to 3.5.x and now all https doesn't work :<

can you help me? if you have a sample of your squid.conf

regards

olivier



 

2016-05-11 10:23 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:

Yes and it works great.

My setup: Debian Jessie,
Squid tested: 3.4.8 up to 3.5.19
I use kerberos and ntlm and ldap auth in that order.

Samba 4.4.3 AD DC

So what do you want to know?

Greetz,

Louis

 

 


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Olivier CALVANO
Sent: Wednesday 11 May 2016 10:08
To: Squid Users
Subject: [squid-users] Squid and AD => That' s don't work !


 

Hi

Has someone actually used squid with NTLM AD authentication?
because it doesn't work really well and there is no one who responds to problems, it's a shame.

Is there commercial support for squid?

Regards

Olivier

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users