<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001"></HEAD>
<BODY text=#464646 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=189330309-21092021><SPAN lang=N>
<P><FONT face=Arial><FONT color=#0000ff><FONT size=2>What i showed used
kerberos, if that fails it used ntlm.. and you can add.. if that fails use LDAP
(basic auth) .. <BR><SPAN class=189330309-21092021>T</SPAN>his way, you
support all of them<SPAN class=189330309-21092021>.
</SPAN></FONT></FONT></FONT></P>
<P><FONT face=Arial><FONT color=#0000ff size=2>if you going only for kerberos,
that make sure you setup your krb5.conf correctly.. <BR>A + PTR records,
SPN/UPNs and yes, then you can run it fully without samba<SPAN
class=189330309-21092021> </SPAN>( if your not haveing PTR, set rdns = no
in krb5.conf ) </FONT></FONT></P>
<P><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=189330309-21092021>A</SPAN>lso, if you dont want the NTLM part, just
remove the line : <BR>--ntlm /usr/bin/ntlm_auth --allow-mschapv2
--helper-protocol=gss-spnego --domain=ADDOM</FONT></FONT></FONT></P>
<P><BR><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=189330309-21092021>on firefox,</SPAN> did you set this
</FONT></FONT></FONT><FONT color=#0000ff size=2 face=Arial>In Firefox<SPAN
class=189330309-21092021>,</SPAN> you have to go to the about:config page and
set the parameters<BR></FONT><FONT face=Arial><FONT color=#0000ff
size=2>network.negotiate-auth.trusted-uris<BR></FONT><FONT color=#0000ff
size=2>network.automatic-ntlm-auth.trusted-uris</FONT></FONT></P>
<P><FONT color=#0000ff size=2 face=Arial><SPAN class=189330309-21092021>As far i
can tell, what i see, is you didnt configure the browsers to use kerberos.
<BR></SPAN></FONT></P>
<P><FONT color=#0000ff size=2 face=Arial><SPAN
class=189330309-21092021>Greetz,<BR><BR>Louis</SPAN></FONT></P>
<P><FONT color=#0000ff size=2 face=Arial><SPAN
class=189330309-21092021></SPAN></FONT> </P></SPAN></DIV></SPAN>
<DIV dir=ltr align=left><SPAN class=189330309-21092021><FONT color=#0000ff
size=2 face=Arial> </DIV></FONT></SPAN><FONT color=#0000ff size=2
face=Arial></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>Van:</B> David Touzeau
[mailto:david@articatech.com] <BR><B>Verzonden:</B> dinsdag 21 september 2021
10:18<BR><B>Aan:</B> L.P.H. van Belle;
squid-users@lists.squid-cache.org<BR><B>Onderwerp:</B> Re: [squid-users] squid
5.1: Kerberos: Unable to switch to basic auth with Edge - IE -
Chrome<BR></FONT><BR></DIV>
<DIV></DIV><FONT face=Arial>Thanks Louis for this tips but we did not want to
use NTLM as it is an old way.<BR>It requires a samba on the Squid Box
<BR><BR>As Amos said, this is most a browser (that using Microsoft API ) issue
<BR><BR>The best way is to make these browsers replicating the correct Firefox
behavior. <BR>Means swith to basic auth instead of trying this stupid NTLM
method<BR><BR></FONT>
<DIV class=moz-cite-prefix>Le 21/09/2021 à 09:38, L.P.H. van Belle a
écrit :<BR></DIV>
<BLOCKQUOTE
cite=mid:vmime.61498c03.38c3.221b82153bf930b3@ms249-lin-003.rotterdam.bazuin.nl
type="cite"><PRE class=moz-quote-pre wrap="">
in your smb.conf add
# Added to enforced NTLM 2, must be set on all Samba AD-DC's and the needed members.
# This is used in combination with ntlm_auth --allow-mschapv2
ntlm auth = mschapv2-and-ntlmv2-only
In squid use:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP.keytab \
-s <A class=moz-txt-link-abbreviated href="mailto:HTTP/proxy.fq.dn.tld@MY.REALM.TLD">HTTP/proxy.fq.dn.tld@MY.REALM.TLD</A> \
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM
If you connecting for ldap.. Dont use -h 192.168.90.10
Uses -H <A class=moz-txt-link-freetext href="ldaps://host.name.fq.dn">ldaps://host.name.fq.dn</A>
Also push the root-CA off the domain to pc's with GPO for example
And in that GPO you can set the parts you need to enable for the users/pcs to make it all work.
But your close, your almost there..
On thing i have not looked at myself yet, ext_kerberos_ldap_group_acl
<A class=moz-txt-link-freetext href="https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8">https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8</A>
Thats one i'll be using with squid 5.1, im still compiling everyting i need, but then im setting
It up, i'll document it and make and howto of it.
Greetz,
Louis
________________________________
Van: squid-users [<A class=moz-txt-link-freetext href="mailto:squid-users-bounces@lists.squid-cache.org"><font color="red"><b> MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.squid-cache.org" </b></font> <FONT color=red><B> MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.squid-cache.org" </B></FONT> mailto:squid-users-bounces@lists.squid-cache.org</A>] Namens David Touzeau
Verzonden: dinsdag 21 september 2021 1:49
Aan: <A class=moz-txt-link-abbreviated href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A>
Onderwerp: [squid-users] squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
Hi all
i have setup Kerberos authentication with Windows 2019 domain using Squid 5.1 ( The Squid version did not fix the issue - Tested 4.x and 5.x)
In some cases, some computers are not joined to the domain and ween need to allow authenticate on Squid
To allow this, Basic Authentication is defined in Squid and we expect that browsers prompt a login to be authenticated and access to Internet
But the behavior is strange.
On a computer outside the windows domain:
Firefox is be able to be successfully authenticated to squid using basic auth.
Edge, Chrome and IE still try ujsing NTLM method and are allways rejected with a 407
When edge, chrome and IE try to establish a session, Squid claim
2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
This let us understanding that these 3 browsers try NTLM instead of a Basic Authentication.
I did not know why these browsers using NTLM as they did not connected to the Windows domain
Why squid never get the Basic Authentication credentials. ?
Did i miss something ?
Here it is my configuration.
auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
auth_param negotiate keep_alive on
auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D <A class=moz-txt-link-rfc2396E href="mailto:administrator@articatech.int">"administrator@articatech.int"</A> <A class=moz-txt-link-rfc2396E href="mailto:administrator@articatech.int"><mailto:administrator@articatech.int></A> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds
acl AUTHENTICATED proxy_auth REQUIRED
_______________________________________________
squid-users mailing list
<A class=moz-txt-link-abbreviated href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A>
<A class=moz-txt-link-freetext href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A>
</PRE></BLOCKQUOTE><BR></BLOCKQUOTE></BODY></HTML>