[squid-users] squid auth
Alex Samad
alex at samad.com.au
Tue Dec 8 19:32:53 UTC 2015
Hi
So what your saying is I should install the mskutil and let it manage
the squid krb keytab file.
Could you possible help with the changed to the squid.conf file do I
leave as is and just add kerberos first ?
On 8 December 2015 at 20:03, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 8/12/2015 7:44 p.m., Alex Samad wrote:
>> Hi
>>
>> Currently using 3.1 (from centos 6)
>> I have setup squid to auth against MS AD
>>
>> I have
>> # #######
>> # Negotiate
>> # #######
>>
>> # http://wiki.squid-cache.org/Features/Authentication
>> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
>> auth_param negotiate program /usr/bin/ntlm_auth
>> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 10 startup=0 idle=3
>> auth_param negotiate keep_alive on
>>
>> # #######
>> # NTLM AUTH
>> # #######
>>
>> # ntlm auth
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --configfile
>> /etc/samba/smb.conf-squid
>> auth_param ntlm children 10
>> #auth_param ntlm children 10 startup=0 idle=3
>> #auth_param ntlm keep_alive
>>
>>
>> # #######
>> # NTLM over basic
>> # #######
>>
>> # warning: basic authentication sends passwords plaintext
>> # a network sniffer can and will discover passwords
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic --configfile
>> /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>> I want to move towards using kerberos come to this page
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> worked through that, but i saw this
>>
>> Do not use this method if you run winbindd or other samba services as
>> samba will reset the machine password every x days and thereby makes
>> the keytab invalid !!
>
>
> As I understand it that disclaimer applies only to the "OR with Samba"
> instructions for keytab creation directly above it. The other two
> methods should work.
>
> Also, it is just a disclaimer about a known problem. There is always the
> option to setup a script that re-builds the keytab and reloads Squid
> every X days when it changes.
>
>>
>> I have winbindd running for my users list in linux
>>
>> is there a way around this and if not how
>>
>
> The initial mskutil method of keytab creation is both a way around it
> and the preferred method of keytab creation.
>
> As you found elsewhere ...
>
>> then found this one
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>
>> but I am not using msktutil, i do have samba and the krb-workstation installed
>>
>
> mskutil is just a tool to generate keytabs and link the machine to
> domain. I *think* it should still be usable even if you have Sambe, the
> probem is just that if you let Samba know about the keytab and account
> it will do the periodic updates.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list