[squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 21 09:17:55 UTC 2021
What i showed used kerberos, if that fails it used ntlm.. and you can add.. if that fails use LDAP (basic auth) ..
This way, you support all of them.
if you going only for kerberos, that make sure you setup your krb5.conf correctly..
A + PTR records, SPN/UPNs and yes, then you can run it fully without samba ( if your not haveing PTR, set rdns = no in krb5.conf )
Also, if you dont want the NTLM part, just remove the line :
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM
on firefox, did you set this In Firefox, you have to go to the about:config page and set the parameters
network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris
As far i can tell, what i see, is you didnt configure the browsers to use kerberos.
Greetz,
Louis
Van: David Touzeau [mailto:david at articatech.com]
Verzonden: dinsdag 21 september 2021 10:18
Aan: L.P.H. van Belle; squid-users at lists.squid-cache.org
Onderwerp: Re: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
Thanks Louis for this tips but we did not want to use NTLM as it is an old way.
It requires a samba on the Squid Box
As Amos said, this is most a browser (that using Microsoft API ) issue
The best way is to make these browsers replicating the correct Firefox behavior.
Means swith to basic auth instead of trying this stupid NTLM method
Le 21/09/2021 à 09:38, L.P.H. van Belle a écrit :
in your smb.conf add # Added to enforced NTLM 2, must be set on all Samba AD-DC's and the needed members. # This is used in combination with ntlm_auth --allow-mschapv2 ntlm auth = mschapv2-and-ntlmv2-only In squid use: auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP.keytab \ -s HTTP/proxy.fq.dn.tld at MY.REALM.TLD \ --ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM If you connecting for ldap.. Dont use -h 192.168.90.10 Uses -H ldaps://host.name.fq.dn Also push the root-CA off the domain to pc's with GPO for example And in that GPO you can set the parts you need to enable for the users/pcs to make it all work. But your close, your almost there.. On thing i have not looked at myself yet, ext_kerberos_ldap_group_acl https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 Thats one i'll be using with squid 5.1, im still compiling everyting i need, but then im setting It up, i'll document it and make and howto of it. Greetz, Louis ________________________________ Van: squid-users [ MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.squid-cache.org" mailto:squid-users-bounces at lists.squid-cache.org] Namens David Touzeau Verzonden: dinsdag 21 september 2021 1:49 Aan: squid-users at lists.squid-cache.org Onderwerp: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome Hi all i have setup Kerberos authentication with Windows 2019 domain using Squid 5.1 ( The Squid version did not fix the issue - Tested 4.x and 5.x) In some cases, some computers are not joined to the domain and ween need to allow authenticate on Squid To allow this, Basic Authentication is defined in Squid and we expect that browsers prompt a login to be authenticated and access to Internet But the behavior is strange. On a computer outside the windows domain: Firefox is be able to be successfully authenticated to squid using basic auth. Edge, Chrome and IE still try ujsing NTLM method and are allways rejected with a 407 When edge, chrome and IE try to establish a session, Squid claim 2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }} This let us understanding that these 3 browsers try NTLM instead of a Basic Authentication. I did not know why these browsers using NTLM as they did not connected to the Windows domain Why squid never get the Basic Authentication credentials. ? Did i miss something ? Here it is my configuration. auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR auth_param negotiate keep_alive on auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administrator at articatech.int" <mailto:administrator at articatech.int> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10 auth_param basic children 3 auth_param basic realm Active Directory articatech.int auth_param basic credentialsttl 7200 seconds authenticate_ttl 3600 seconds authenticate_ip_ttl 1 seconds authenticate_cache_garbage_interval 3600 seconds acl AUTHENTICATED proxy_auth REQUIRED _______________________________________________ squid-users mailing list squid-users at lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210921/fdcf06eb/attachment.htm>
More information about the squid-users
mailing list