[squid-users] Has anyone seen v3.5.x.x authentication work in an all windows environment?

Dijxie dijxie at gmail.com
Mon Jul 3 11:33:31 UTC 2017


On 03.07.2017 at 09:43, Todd Pearson wrote:
>
> I have spent the past few days working to get the latest version 
> working in an all windows environment.  I am unable to get kerberos 
> authentication to work.  I am struggling with getting the keytab file 
> correct.
> Wondering if there is anyone who has seen it actually work in an all 
> windows environment.  I have had earlier version (v2.X stable) with 
> NTLM authentication, but unfortunately I do not have the binaries to 
> implement in v3.5.x.x.
>
> I continue to struggle to find the secret formula for SPN and keytab.
>
> Thanks,
> Todd
>


Hi,

I have 4 squid servers, 3 of them are 3.5.9 @centos 7.x. Everything is 
working fine, both pure NTLM and NEGOTIATE helpers are working 
flawlessly. I've created local group on squid servers like 
keytab-readers, then:
chown root:keytab-readers /etc/krb5.keytab
chmod 740 /etc/krb5.keytab
and added squid to keytab-readers.

Squid clients are windows workstations, mostly 8.1 and 10.

Why do you need to have Squid on Windows server so badly? Less 
documentation, less support. And nowadays, my guess is almost every MS 
security update can break things down.

My guess is when you're using squid on Windows server, you have to, 
alternatively:
1. Run squid on NT AUTHORITY/SYSTEM or NT AUTHORITY/NETWORK SERVICE 
account and put SPN squid_accessible_name to AD machine account. So, if 
your squid DNS name is squidproxy.corpo.local and your server name is 
srvSquid01.corpo.local, machine account srvSquid01$ has to have 
HOST/squidproxy SPN also.
2. Run squid on dedicated domain account (user account). Create user 
like "squid01", give it all necessary permissions on squid server and 
then give this user SPN. And there's the problem: what kind of SPN in 
this configuration... I would say that HTTP/squidproxy, and then in DNS 
you'll have to have presumably CNAME (not A) pointing squidproxy to 
srvSquid01.corpo.local. And domain user squid01 will have to have read access 
to keytab, as well as keytab will have to have appropriate content (it 
should be a user, not machine keytab).

https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on 


-- 
Greets, Dijx
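Two things the reply above leaves the reader to verify by hand are whether the keytab actually contains the SPN that Squid's Negotiate helper will look for, and whether the keytab's permission bits match the root/keytab-readers layout described. The following pre-flight script is an added example written for this thread; it is not code from the post or from the Squid project. It assumes the MIT Kerberos `klist -kt` output format (KVNO, timestamp, principal per line), and the sample `klist` output, the names `squidproxy.corpo.local` / `srvsquid01.corpo.local` and the realm `CORPO.LOCAL` are constructed from the hostnames used in the reply.

```python
"""Pre-flight checks for a Squid Kerberos keytab (added example, not from the post).

Assumptions: MIT Kerberos `klist -kt` output format, and the reply's layout of
root:keytab-readers ownership with mode 740, squid reading via the group.
"""
import os
import stat
import subprocess

# Constructed sample of `klist -kt /etc/krb5.keytab` output; the host and
# realm names are taken from the reply and are not a real environment.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/03/2017 09:43:00 host/srvsquid01.corpo.local@CORPO.LOCAL
   3 07/03/2017 09:43:00 HTTP/squidproxy.corpo.local@CORPO.LOCAL
"""


def parse_klist(output):
    """Parse `klist -kt` output into a list of (kvno, principal) tuples.

    Entry lines start with a numeric KVNO; the header and separator lines do not.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            entries.append((int(parts[0]), parts[-1]))
    return entries


def find_principal(entries, service, host, realm):
    """Return the keytab principal matching service/host@realm, or None.

    The comparison is exact: Kerberos principal names are case-sensitive, so
    HTTP/squidproxy.corpo.local and http/squidproxy.corpo.local are different
    keys. A case or hostname mismatch between the SPN registered in AD, the
    keytab entry and the name clients resolve is a common reason Negotiate
    authentication silently falls back or fails.
    """
    wanted = f"{service}/{host}@{realm}"
    for _kvno, principal in entries:
        if principal == wanted:
            return principal
    return None


def mode_problems(mode):
    """Return a list of problems with a keytab's permission bits.

    Follows the reply's model: owner root, a group of readers, no access for
    'other'; a non-root squid process reads the file through group membership.
    """
    problems = []
    if mode & stat.S_IRWXO:
        problems.append(f"mode {oct(mode)}: world-accessible (clear the 'other' bits)")
    if mode & stat.S_IWGRP:
        problems.append(f"mode {oct(mode)}: group-writable (readers could replace the keys)")
    if not mode & stat.S_IRGRP:
        problems.append(f"mode {oct(mode)}: group cannot read (a non-root squid cannot open it)")
    return problems


def keytab_mode_problems(path):
    """Stat a real keytab file and report its permission problems."""
    return mode_problems(stat.S_IMODE(os.stat(path).st_mode))


def live_klist(path="/etc/krb5.keytab"):
    """Run the real `klist -kt` on a keytab and parse it (needs the krb5 client tools)."""
    out = subprocess.run(["klist", "-kt", path], capture_output=True, text=True, check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST_OUTPUT)
    print("principals in sample keytab:", [p for _, p in entries])
    print("HTTP SPN present:", find_principal(entries, "HTTP", "squidproxy.corpo.local", "CORPO.LOCAL"))
    print("problems with mode 740:", mode_problems(0o740))
    print("problems with mode 644:", mode_problems(0o644))
    if os.path.exists("/etc/krb5.keytab"):
        for problem in keytab_mode_problems("/etc/krb5.keytab"):
            print("keytab permissions:", problem)
```

On a real server, replace the constructed sample with `live_klist()` and point `keytab_mode_problems` at the keytab Squid is configured to use; the principal you pass to `find_principal` should be the `HTTP/<name clients connect to>` SPN, which is why the reply stresses that the DNS name and the SPN have to line up.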
