<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001">
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.tlid-translation
{mso-style-name:tlid-translation;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-ID vLink=#954f72 link=#0563c1>
<DIV dir=ltr align=left><FONT color=#0000ff size=2
face=Arial></FONT> </DIV><FONT color=#0000ff size=2 face=Arial></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=401055506-23082019><FONT color=#0000ff
size=2 face=Arial>The simplest way to add SSO. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=401055506-23082019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=401055506-23082019><FONT color=#0000ff
size=2 face=Arial>Install winbind and krb5-user, then update your smb.conf
with this config: </FONT></SPAN></DIV>
<DIV dir=ltr align=left><PRE><FONT color=#0000ff size=2>[global]
   # Auth-only setup with winbind (no shares).
   log level = 1
   workgroup = NTDOM
   security = ADS
   realm = YOUR-REALM
   netbios name = HOSTNAME

   preferred master = no
   domain master = no
   host msdfs = no
   dns proxy = yes

   interfaces = eth0 lo
   bind interfaces only = yes

   # Add and update the TLS key.
   # Add the root cert and client certs here; push the root CA to the PCs with a GPO.
   tls enabled = yes
   tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
   tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
   tls cafile = /etc/ssl/certs/ROOT-ca.crt

   ## Map ids from outside the domain to tdb files.
   idmap config *: backend = tdb
   idmap config *: range = 2000-9999

   ## Map ids from the domain; this range and the (*) range may not overlap!
   idmap config NTDOM : backend = rid
   idmap config NTDOM : schema_mode = rfc2307
   idmap config NTDOM : range = 10000-3999999

   # Samba 4.6+ (get primary group from AD) (Samba AD backend)
   #idmap config NTDOM : unix_nss_info = yes
   # Samba 4.6+ (get primary group from the unix primary group)
   #idmap config NTDOM : unix_primary_group = yes
   ###########

   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab

   # Renew the Kerberos ticket.
   winbind refresh tickets = yes

   # Strip the domain (NTDOM\username) to username.
   winbind use default domain = yes

   # Enable offline logins.
   winbind offline logon = yes

   # Depth of nested group expansion; slows down your Samba if the group depth is too large.
   # Not needed on the VPN server.
   #winbind expand groups = 2

   # User Administrator workaround; without it you are unable to set privileges.
   username map = /etc/samba/samba_usermapping

   # Disable usershare creation.
   usershare path =

   # Disable printing completely.
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   # For ACL support on member servers with shares (required).
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

######## SHARE DEFINITIONS ################
</FONT></PRE></DIV>
<DIV dir=ltr align=left><SPAN class=401055506-23082019><FONT color=#0000ff
size=2 face=Arial># Next TODO: join the AD-DC domain. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><PRE><FONT color=#0000ff size=2>kinit Administrator
net ads join

# Set up the keytab for squid.
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
# Check the keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# Set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
</FONT></PRE></DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2 face=Arial>and
use this for auth in squid: </FONT></SPAN></DIV>
<DIV><PRE><FONT color=#0000ff size=2>### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
        -s HTTP/hostname.fqdn@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
# At most 30 helpers, 5 started at boot, 5 kept idle.
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
</FONT></PRE></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial>If you serve multiple Kerberos
realms, add a HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with
negotiate_kerberos_auth.</FONT></DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial>Greetz, </FONT></SPAN></DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial>Louis</FONT></SPAN></DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=401055506-23082019><FONT color=#0000ff size=2
face=Arial> </FONT></SPAN></DIV>
<DIV><BR></DIV>
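<DIV><FONT color=#0000ff size=2 face=Arial>A small checker for two of the pitfalls the reply above calls out: idmap ranges that overlap (or no default "*" domain), and a squid keytab that does not contain the HTTP/fqdn@REALM principal named by -s. This is an added example, not code from the reply or from Samba or Squid; the smb.conf excerpt and the klist -ke output are constructed inline, and the host proxy.example.com, the realm EXAMPLE.COM and the function names are assumptions.</FONT></DIV>

```python
import re
from itertools import combinations

# Constructed smb.conf excerpt modelled on the reply above; not a live file.
SMB_CONF = """
   idmap config *: backend = tdb
   idmap config *: range = 2000-9999
   idmap config NTDOM : backend = rid
   idmap config NTDOM : range = 10000-3999999
"""

# Constructed `klist -ke` output for the squid keytab; host and realm are placeholders.
KLIST_OUT = """Keytab name: FILE:/etc/squid/HTTP-proxy.keytab
KVNO Principal
   2 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)
PRINC_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\(", re.M)

def idmap_ranges(conf):
    """Map each idmap domain ('*' or NTDOM) to its (low, high) id range."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            lo, hi = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges

def idmap_problems(conf):
    """Report the idmap mistakes the reply warns about: no default domain, overlapping ranges."""
    ranges = idmap_ranges(conf)
    problems = [] if "*" in ranges else ["no 'idmap config *' default domain"]
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            problems.append(f"ranges of {a} and {b} overlap")
    return problems

def keytab_principals(klist_output):
    """Principals listed by `klist -ke`; the keytab file itself is never read here."""
    return set(PRINC_RE.findall(klist_output))

def squid_principal_ok(klist_output, fqdn, realm):
    """True when the keytab holds the HTTP/fqdn@REALM key that squid's -s option names."""
    return f"HTTP/{fqdn}@{realm}" in keytab_principals(klist_output)
```

On a real host, feed it the output of testparm -s and of klist -ke on the squid keytab instead of the constructed strings.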
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>On behalf of </B>Randi
Indrawan<BR><B>Sent:</B> Friday, 23 August 2019 3:28<BR><B>To:</B>
squid-users@lists.squid-cache.org<BR><B>Subject:</B> [squid-users] AD user
Login + Squid Proxy + Automatic Authentication<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=WordSection1>
<P>So I have set up a squid proxy on a CentOS 7 server and now the
authentication system uses LDAP and it works; I can set which groups get
access through the proxy.<o:p></o:p></P>
<P>The problem is ... can we set up the proxy to read the domain ID that is
logged in, so the proxy no longer asks for a username and password? All the
tutorials I've seen show pop-up messages asking for the username and
password. I would like this to happen automatically, so when the user logs
in they are automatically authenticated.<o:p></o:p></P>
<P class=MsoNormal>Best Regards<o:p></o:p></P>
<P class=MsoNormal>Randi Indrawan<o:p></o:p></P></DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>