[squid-users] Squid and AD => That' s don't work !

L.P.H. van Belle belle at bazuin.nl
Wed May 11 12:02:26 UTC 2016

Ok, well. It's not only the squid conf you need, so here is what you need in total.

HTTPS, yes, works too, but I don't use sslbump etc.


Below is all based on Debian packages; 0 source installs are used.

(if you need squid 3.5.19 on Debian Jessie amd64 I can share them too; SSL is enabled in my build)

Read through it, see what you can use, and mail if you don't get it.


Below works as of Debian 3.4.8 up to 3.5.19 (tested).



This is what I have in the auth lines:


# Negotiate: the wrapper hands SPNEGO/Kerberos tokens to the Kerberos helper
# and NTLMSSP tokens to winbind's ntlm_auth (the SPN must match the proxy hostname clients use)
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN


auth_param negotiate children 50 startup=10 idle=1

auth_param negotiate keep_alive on 


# Basic: LDAP bind fallback for clients that cannot do Negotiate; bind only over ldaps://
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@internal.domain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://ad-dc2.internal.domain.tld \
    -H ldaps://ad-dc1.internal.domain.tld


auth_param basic children 5 startup=5 idle=1

auth_param basic realm Internet Proxy Auth

auth_param basic credentialsttl 2 hours



The samba smb.conf I'm using with it.

About samba: the last update is a complex one, you must configure this correctly for samba and ldap.

I'll explain that below.



[global]
    workgroup = NTDOMAIN
    security = ads
    realm = REALM

    netbios name = PROXY
    preferred master = no
    domain master = no
    host msdfs = no

    dns proxy = yes

    server signing = mandatory
    ntlm auth = no

    # Add and update TLS key
    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/proxy.key.pem
    tls certfile = /etc/ssl/local/certs/proxy.cert.pem
    tls cafile = /etc/ssl/certs/personal-ca.pem

    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes

    winbind enum users  = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; slows down your samba if the group depth is too large
    winbind expand groups = 4

    # disable usershare creation; when set empty there are no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


The krb5.conf for this:


[libdefaults]
    default_realm = REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
; (note: des-cbc-* is single DES; MIT Kerberos drops it from these lists unless allow_weak_crypto = true)
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5



For /etc/ldap/ldap.conf (client conf)


A "correct" CA root and client certs setup. Needed for samba and ldap clients.


Add in /etc/ldap/ldap.conf (minimal)

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt



Set up your own "rootCA" like this.


(if not done, apt-get install ca-certificates)




mkdir -p /usr/local/share/ca-certificates/yourCArootFolder

copy your root CA cert (.crt or it won't be detected) into /usr/local/share/ca-certificates/yourCArootFolder

run: update-ca-certificates


! MUST BE /usr/local/share/ca-certificates or else it's not picked up by the update-ca-certificates command.


you should see:


Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.

Running hooks in /etc/ca-certificates/update.d....done.



Now, after the above is done, your CA cert is hashed in /etc/ssl/certs

And it's added to /etc/ssl/certs/ca-certificates.crt


For Windows, now set up a GPO to deploy the root CA to your PCs and you're good to go.

How:



This folder: /etc/ssl/local is advised for your personal certificates.

Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.


So create folders



Much easier to maintain this way. 



Some advice on samba/winbind. 


The above only needs winbind installed, and I do advise 4.4.3; recompile it from Debian SID.

Or, if you're on Debian Jessie amd64, you can use my deb files.

Found here: http://downloads.van-belle.nl/samba4/

Please do read the README.txt 








From: Olivier CALVANO [mailto:o.calvano at gmail.com]
Sent: Wednesday 11 May 2016 13:34
To: L.P.H. van Belle
Subject: Re: [squid-users] Squid and AD => That' s don't work !




Thanks for your answer.

HTTPS works too?


Because before we used 3.3.8, but NTLM/Kerberos was working randomly: it worked very well for 1 or 2 days but after that

a lot of users couldn't connect.


We updated to 3.5.x and now all HTTPS doesn't work :<


Can you help me? If you have a sample of your squid.conf.





2016-05-11 10:23 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:

Yes and it works great. 


My setup Debian Jessie,

Squid tested: 3.4.8 up to 3.5.19

I use Kerberos, NTLM and LDAP auth in that order.


Samba 4.4.3 AD DC


So what do you want to know? 







From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Olivier CALVANO
Sent: Wednesday 11 May 2016 10:08
To: Squid Users
Subject: [squid-users] Squid and AD => That' s don't work !




Has someone actually used squid with NTLM AD authentication?

Because it doesn't work really well, and no, there is no one who responds to problems; it's a shame.


Is there commercial support for squid?




squid-users mailing list
squid-users at lists.squid-cache.org
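The Negotiate auth line in the configuration above chains negotiate_wrapper_auth in front of the Kerberos helper and ntlm_auth: the wrapper looks at the token the browser sent and routes it to one or the other. What follows is an added example, my own code and not the post's nor Squid's negotiate_wrapper_auth. It takes a "YR"/"KK" line in the helper protocol Squid speaks to the helper, classifies the base64 token as Kerberos or NTLM by reading the GSS-API/SPNEGO mechanism list, and for a bare NTLMSSP AUTHENTICATE message extracts user, domain, workstation and whether the response is NTLMv1 or NTLMv2. That is the first thing to check when Kerberos "randomly" stops working and clients quietly fall back to NTLM. The function names (route_helper_line, classify_token, ...) are mine; the sample tokens are constructed in the block, not captured traffic, and carry no real cryptographic responses.

```python
"""Classify the token Squid hands a negotiate helper: Kerberos or NTLM, and which NTLM.
Added example, not code from the post or from Squid. Sample tokens are constructed."""
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MSKRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def _tlv(buf, pos=0):
    """Read one DER TLV (single-byte tag) at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, body):
    """Encode one DER TLV (short form is enough for the constructed samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def classify_token(token):
    """Return 'ntlm', 'kerberos' or 'unknown' for a base64-decoded Negotiate token."""
    if token.startswith(NTLMSSP_SIG):  # bare NTLMSSP, no GSS-API framing
        return "ntlm"
    if not token or token[0] != 0x60:  # GSS-API InitialContextToken = [APPLICATION 0]
        return "unknown"
    _, body, _ = _tlv(token)
    _, oid, pos = _tlv(body)           # thisMech OID comes first
    if oid in MECH_NAMES:              # raw krb5 AP-REQ without SPNEGO wrapping
        return MECH_NAMES[oid]
    if oid != OID_SPNEGO:
        return "unknown"
    tag, init, _ = _tlv(body, pos)     # [0] NegTokenInit (what a client sends first)
    if tag != 0xA0:
        return "unknown"
    _, seq, _ = _tlv(init)             # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    _, mech_ctx, _ = _tlv(seq)         # [0] mechTypes
    _, mech_list, _ = _tlv(mech_ctx)   # SEQUENCE OF OID, preferred mechanism first
    _, first_mech, _ = _tlv(mech_list)
    return MECH_NAMES.get(first_mech, "unknown")


def parse_ntlm_authenticate(msg):
    """Decode the security buffers of an NTLMSSP AUTHENTICATE (type 3) message."""
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype != 3:
        return {"type": mtype}

    def field(off):                    # security buffer: Len, MaxLen, BufferOffset
        ln, _, o = struct.unpack_from("<HHI", msg, off)
        return msg[o:o + ln]

    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "ascii"   # NTLMSSP_NEGOTIATE_UNICODE
    nt_resp = field(20)
    return {
        "type": 3,
        "domain": field(28).decode(enc),
        "user": field(36).decode(enc),
        "workstation": field(44).decode(enc),
        # a 24-byte NtChallengeResponse is NTLMv1; NTLMv2 is NTProofStr + client blob (>24)
        "ntlm_version": 2 if len(nt_resp) > 24 else 1,
    }


def encode_helper_line(cmd, token):
    """Build a helper-protocol line as Squid sends it: 'YR <b64>' (first) or 'KK <b64>'."""
    return cmd + " " + base64.b64encode(token).decode("ascii")


def route_helper_line(line):
    """Decide which helper a 'YR'/'KK' line belongs to and what the token reveals."""
    cmd, _, b64 = line.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"cmd": cmd, "mech": classify_token(token)}
    if token.startswith(NTLMSSP_SIG):
        result.update(parse_ntlm_authenticate(token))
    return result


def build_ntlm_authenticate(domain, user, workstation, nt_response):
    """Construct a minimal NTLMSSP type 3 message (demo only: LM response zeroed, no MIC)."""
    blobs = [bytes(24), nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    hdr_len, fields, payload = 88, b"", b""   # 12 + 6*8 + flags(4) + version(8) + MIC(16)
    for data in blobs:
        fields += struct.pack("<HHI", len(data), len(data), hdr_len + len(payload))
        payload += data
    flags = 0x00088201                        # UNICODE | NTLM | ALWAYS_SIGN | EXT_SESSIONSECURITY
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + bytes(24) + payload


def build_spnego_init(mech_oids, mech_token):
    """Construct a SPNEGO NegTokenInit offering mech_oids in preference order (demo only)."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    body = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, body))


if __name__ == "__main__":
    krb = build_spnego_init([OID_KRB5, OID_MSKRB5, OID_NTLMSSP], b"\x60\x00")
    ntlm = build_ntlm_authenticate("NTDOMAIN", "alice", "PC1", b"\x11" * 48)
    for line in (encode_helper_line("YR", krb), encode_helper_line("KK", ntlm)):
        print(route_helper_line(line))
```

Run as a script it prints the routing decision for the two constructed samples. To use it on a real proxy, feed it the base64 blobs from the Proxy-Authorization: Negotiate headers seen at the proxy; a client whose first token lists the NTLMSSP OID first, or sends bare NTLMSSP, never obtained a Kerberos service ticket for the proxy SPN, which usually means a wrong or missing HTTP/proxy-hostname SPN, a clock skew, or a non-FQDN proxy name in the browser settings.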
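Two points in the smb.conf and krb5.conf above deserve a mechanical check rather than a comment: the idmap ranges for "*" and for the domain must not overlap, and the commented-out enctype lines still list single DES and RC4. The following is an added example, my own code and not from the post, Samba or MIT Kerberos: a small linter that parses the post's own settings (embedded here as constructed strings, with the "Windows 2008 with AES" enctype lines uncommented so there is something to flag) and reports overlapping idmap ranges and broken or deprecated enctypes. The function names and the weak-enctype lists are mine.

```python
"""Lint idmap ranges in an smb.conf and enctype lists in a krb5.conf.
Added example, not from the post or from Samba/MIT Kerberos. Sample inputs are
the post's own settings, embedded here as constructed strings."""
import re

SMB_CONF = """\
[global]
    workgroup = NTDOMAIN
    security = ads
    realm = REALM
    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-3999999
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = REALM
    dns_lookup_kdc = true
; for Windows 2003 (still commented out, as in the post, so not active)
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES (uncommented here for the demo)
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

# single DES is broken; RC4 and 3DES are deprecated (RFC 8429). Lists are mine, not exhaustive.
BROKEN_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des"}
DEPRECATED_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-md5",
                       "des3-cbc-sha1", "des3"}

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)
# only active lines match: a line starting with ';' or '#' never satisfies ^\s*<key>
ENCTYPE_RE = re.compile(
    r"^\s*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in IDMAP_RANGE_RE.finditer(text)}


def overlapping_idmap_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (the post's rule: they may not)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def weak_enctypes(text):
    """Return [(key, [weak enctypes in the order listed])] for active enctype lists."""
    out = []
    for m in ENCTYPE_RE.finditer(text):
        weak = [e for e in m.group(2).split() if e in BROKEN_ENCTYPES | DEPRECATED_ENCTYPES]
        if weak:
            out.append((m.group(1), weak))
    return out


def lint(smb_text, krb5_text):
    """Human-readable findings for both files."""
    findings = []
    ranges = parse_idmap_ranges(smb_text)
    for a, b in overlapping_idmap_ranges(ranges):
        findings.append(f"smb.conf: idmap ranges for '{a}' {ranges[a]} and '{b}' {ranges[b]} overlap")
    for key, weak in weak_enctypes(krb5_text):
        kind = "broken" if any(e in BROKEN_ENCTYPES for e in weak) else "deprecated"
        findings.append(f"krb5.conf: {key} lists {kind} enctypes: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for line in lint(SMB_CONF, KRB5_CONF) or ["no findings"]:
        print(line)
```

Commented lines (";" or "#") are ignored, so the krb5.conf exactly as posted produces no enctype finding; only once those lines are enabled does the linter flag rc4-hmac and des-cbc-*. MIT Kerberos 1.8 and later filters the DES types out of these lists anyway unless allow_weak_crypto = true, so the practical fix is to keep only aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 in the enctype lists (or to leave the lists out and rely on the library defaults).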

