[squid-users] Squid with NTLM auth behind netscaler
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 29 15:34:35 UTC 2015
Hi,
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independently services installed
That's good, but if you want fallback and make NTLM work
(for Kerberos only it's not needed)
you want something like:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
--ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
--domain=NTDOMAIN
Or
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid/negotiate_kerberos_auth \
-s HTTP/proxy.domain.tld@REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
For the --ntlm you MUST install samba, since it's supplied by samba.
And a basic fallback: if the above fails, this one will give a popup to auth.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
-b "ou=Users,dc=internal,dc=domain,dc=tld" \
-D bind2ad@User_domain -W /etc/squid/private/secretfile \
-f (sAMAccountName=%s) \
-h dc2.internal.domain.tld \
-h dc1.internal.domain.tld
Above is all tested and running in my production env.
A few very important pointers.
1) make sure your proxy has A and PTR records (needed for Kerberos)
2) make sure you have the HTTP/ SPN for the hostnames of your proxy servers
3) make sure your time is in sync on all servers and clients.
In samba 4 I did it like this. Login with ssh on a DC.
kinit Administrator
samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy
# export the keytab.
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld. /root/keytabs/proxy1.keytab
Check if your hostname has all the SPNs.
samba-tool spn list proxy1$
proxy1 is the name in smb.conf
you must have:
HOST/PROXY1
HOST/proxy1.internal.domain.tld.
And make sure you have:
/etc/default/squid
KRB5_KTNAME=/etc/squid/proxy1.keytab
export KRB5_KTNAME
Greetz,
Louis
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of
> Fabio Bucci
> Sent: Tuesday, 29 December 2015 16:21
> To: Eliezer Croitoru
> CC: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
>
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independently services installed
>
> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru <eliezer at ngtech.co.il>:
> > Hey Fabio,
> >
> > If you do want to use kerberos you do not need to use winbindd there are
> > other options.
> > (I have not tried them both yet)
> >
> > Eliezer
> >
> > On 29/12/2015 16:30, Fabio Bucci wrote:
> >>
> >> Hi Amos,
> >> I'm trying to implement kerberos as you suggested me. But following
> >> the guide i read "Do not use this method if you run winbindd or other
> >> samba services as samba will reset the machine password every x days
> >> and thereby makes the keytab invalid !!" and my system guy told me we
> >> use winbindd method.
> >>
> >> How can I implement so?
> >> Thanks
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users