[squid-users] Problem with Squid3 Authentication (after samba upgrades)

L.P.H. van Belle belle at bazuin.nl
Tue May 23 07:09:46 UTC 2017


Hi Amos and others. 

It's not a "samba" thing or a squid thing.
Maybe in the end yes, but this is a configuration thing.

For you guys to know, a Samba AD DC sets this parameter as default:
 ldap server require strong auth = yes 
Which obligates the use of TLS. 

Next, users don't configure /etc/ldap/ldap.conf when they use TLS.
Squid and samba may need the CA root if you use TLS.
Which should go in ldap.conf
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

Samba sets these days:
ntlm auth = no
lanman auth = no

Which disables NTLMv1. And last, users don't know Kerberos and the need for A/PTR records.

For others, I've posted an example auth setup and smb.conf setup for squid on Debian Jessie.
Tested as of squid 3.4.8 up to 3.5.24 (with and without ssl bumping).
Google for : Problems with Samba 4.6.3 Authentication  
Post date 23-may 2017

When upgrading samba/winbind as of 4.2 up to 4.5 or 4.6,
you MUST read the change logs at least for every samba 4.X.0 version.
At least 4.2.0 4.3.0 4.4.0 4.5.0 and 4.6.0

https://www.samba.org/samba/history/ 
Look at the smb.conf changes.
Like this one for 4.5:
smb.conf changes
================

  Parameter Name                Description             Default
  --------------                -----------             -------
  kccsrv:samba_kcc              Changed default         yes
  ntlm auth                     Changed default         no
  only user                     Removed
  password hash gpg key ids     New
  shadow:snapprefix             New
  shadow:delimiter              New                     _GMT
  smb2 leases                   Changed default         yes
  username                      Removed



Greetz, 

Louis



 

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
> Sent: Monday 22 May 2017 22:46
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Squid3 Authentication
> 
> On 23/05/17 02:15, Marcio Demetrio Bacci wrote:
> > I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid
> > authentication doesn't work.
> >
> > In Samba 4.2.1 it is working properly.
> >
> > This is my authentication block:
> >
> >
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored
> > auth_param basic credentialsttl 8 hours
> > auth_param basic casesensitive off
> >
> > I'm using Squid 3.4.8
> >
> > Can anybody help me ?
> 
> If the only thing that changed was Samba it's clearly an issue 
> with that end of the system.
> 
> I suggest you compare those LDAP parameters with what the new 
> Samba version needs, and if there is no issue there please 
> contact your vendor or the Samba help channels.
> 
> Amos
> 
> 
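
Added example, not part of the original messages and not Squid or Samba project code: a small Python check that parses an `auth_param basic program` line for `basic_ldap_auth` and reports why a DC running with `ldap server require strong auth = yes` would refuse the bind. It also flags the bind password given with `-w`, which goes slightly beyond the thread; the hardened line and the secret-file path are constructed assumptions.

```python
import shlex

# basic_ldap_auth switches that take no value (per the helper's man page).
BOOLEAN_FLAGS = {"-R", "-P", "-O", "-Z", "-d"}

def parse_helper_args(line):
    """Split an 'auth_param basic program' line into (helper, {flag: value})."""
    tokens = shlex.split(line)
    if tokens[:3] != ["auth_param", "basic", "program"]:
        raise ValueError("not an 'auth_param basic program' line")
    helper, args, opts, i = tokens[3], tokens[4:], {}, 0
    while i < len(args):
        if args[i] in BOOLEAN_FLAGS or i + 1 >= len(args):
            opts[args[i]] = True
            i += 1
        else:
            opts[args[i]] = args[i + 1]
            i += 2
    return helper, opts

def audit(line):
    """Return findings: TLS problems a strong-auth DC rejects, plus password exposure."""
    _, opts = parse_helper_args(line)
    findings = []
    encrypted = "-Z" in opts or str(opts.get("-H", "")).lower().startswith("ldaps://")
    if "-D" in opts and not encrypted:
        findings.append("simple bind without TLS: add -Z (StartTLS) or -H ldaps://...")
    if "-Z" in opts and opts.get("-v") != "3":
        findings.append("-Z requires LDAP protocol version 3 (-v 3)")
    if "-w" in opts:
        findings.append("bind password on the command line: use -W <secretfile>")
    return findings

# The helper line from the quoted question (plain bind on port 389).
WEAK = ('auth_param basic program /usr/lib/squid3/basic_ldap_auth -R '
        '-b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br '
        '-w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"')
# Constructed variant: StartTLS plus a secret file (the path is an assumption).
HARDENED = WEAK.replace("-R ", "-R -Z ").replace("-w password", "-W /etc/squid3/ldap.secret")

if __name__ == "__main__":
    for name, line in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(line) or "no findings")
```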


