[squid-users] Squid with NTLM auth behind netscaler
Fabio Bucci
fabietto82 at gmail.com
Wed Dec 30 14:42:36 UTC 2015
Could you help me in kerberos configuration only? I don't want a fallback
2015-12-29 16:34 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hai,
>
>> ok thanks. I think the system guys use samba and winbind to join linux
>> machines to domain independently of the services installed
>
> That's good, but if you want a fallback and to make NTLM work
> ( for Kerberos only it's not needed )
>
> You want something like :
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
> --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
> --domain=NTDOMAIN
> Or
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
> --kerberos /usr/lib/squid/negotiate_kerberos_auth \
> -s HTTP/proxy.domain.tld@REALM \
> --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
>
> For the --ntlm you MUST install Samba, since it's supplied by Samba.
>
> And a basic fallback: if the above fails, this one will give a popup to auth
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
> -b "ou=Users,dc=internal,dc=domain,dc=tld" \
> -D bind2ad@User_domain -W /etc/squid/private/secretfile \
> -f (sAMAccountName=%s) \
> -h dc2.internal.domain.tld \
> -h dc1.internal.domain.tld
>
> Above is all tested and running in my production env.
> Few very important pointers.
> 1) make sure your proxy has A and PTR records ( needed for Kerberos )
> 2) make sure you have the HTTP/ SPN for the hostnames of your proxy servers
> 3) make sure your time is in sync on all servers and clients.
>
>
> In Samba 4 I did it like this. Log in with ssh on a DC.
> kinit Administrator
>
> samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
> samba-tool user setexpiry squid-proxy --noexpiry
> samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
> samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy
>
> # export the keytab.
> samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld. /root/keytabs/proxy1.keytab
>
> Check if your hostname has all the SPNs.
> samba-tool spn list proxy1$
> proxy1 is the name in smb.conf
> you must have:
> HOST/PROXY1
> HOST/proxy1.internal.domain.tld.
>
> And make sure you have:
> /etc/default/squid
> KRB5_KTNAME=/etc/squid/proxy1.keytab
> export KRB5_KTNAME
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
>> Fabio Bucci
>> Sent: Tuesday 29 December 2015 16:21
>> To: Eliezer Croitoru
>> CC: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
>>
>> ok thanks. I think the system guys use samba and winbind to join linux
>> machines to domain independently of the services installed
>>
>> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru <eliezer at ngtech.co.il>:
>> > Hey Fabio,
>> >
>> > If you do want to use kerberos you do not need to use winbindd there are
>> > other options.
>> > (I have not tried them both yet)
>> >
>> > Eliezer
>> >
>> > On 29/12/2015 16:30, Fabio Bucci wrote:
>> >>
>> >> Hi Amos,
>> >> I'm trying to implement Kerberos as you suggested to me. But following
>> >> the guide I read "Do not use this method if you run winbindd or other
>> >> samba services as samba will reset the machine password every x days
>> >> and thereby makes the keytab invalid !!" and my system guy told me we
>> >> use the winbindd method.
>> >>
>> >> How can I implement this, then?
>> >> Thanks
>> >
>> >
>> > _______________________________________________
>> > squid-users mailing list
>> > squid-users at lists.squid-cache.org
>> > http://lists.squid-cache.org/listinfo/squid-users
>
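The keytab that Louis exports with samba-tool and points KRB5_KTNAME at can be checked offline before Squid is restarted. As an added example, not code from the thread or from Squid or Samba: a parser for the MIT keytab format (version 0x0502) that reports whether the HTTP/ SPN is present and at which kvno, skipping the key material itself. The sample keytab, the realm INTERNAL.DOMAIN.TLD (the thread only writes REALM) and the helper names are constructed assumptions.

```python
import struct

def _octets(buf, off):
    """Counted octet string: 16-bit big-endian length, then that many bytes."""
    n = struct.unpack(">H", buf[off:off + 2])[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...]; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                     # negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        realm, off = _octets(e, 2)       # e[0:2] is the component count
        comps = []
        for _ in range(struct.unpack(">H", e[:2])[0]):
            c, off = _octets(e, off)
            comps.append(c.decode())
        off += 8                         # name_type (4) + timestamp (4), not needed here
        vno8, enctype, klen = struct.unpack(">BHH", e[off:off + 5])
        off += 5 + klen                  # skip the key material itself
        tail = e[off:off + 4]            # optional 32-bit kvno wins when present and nonzero
        kvno = (struct.unpack(">I", tail)[0] if len(tail) == 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def check_keytab(data, spn, realm):
    """Sorted kvnos held for spn@realm; an empty list means Squid cannot decrypt its tickets."""
    return sorted({k for p, k, _ in parse_keytab(data) if p == f"{spn}@{realm}"})

def build_entry(principal, kvno, enctype, key):
    """Encode one entry; used only to construct the sample keytab below."""
    name, realm = principal.rsplit("@", 1)
    body = b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + name.split("/"))
    body = struct.pack(">H", name.count("/") + 1) + body
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the HTTP/ SPN at kvno 3 (aes256 + aes128), a deleted slot, and an unrelated
# host/ key at an older kvno. Realm INTERNAL.DOMAIN.TLD is an assumption; the thread writes REALM.
SPN, REALM = "HTTP/proxy1.internal.domain.tld", "INTERNAL.DOMAIN.TLD"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(f"{SPN}@{REALM}", 3, 18, b"\x11" * 32)
    + build_entry(f"{SPN}@{REALM}", 3, 17, b"\x22" * 16) + struct.pack(">i", -6) + b"\x00" * 6
    + build_entry(f"host/proxy1.internal.domain.tld@{REALM}", 2, 18, b"\x33" * 32))
```

Run `check_keytab` on the bytes of the exported file: a kvno lower than the one the DC currently holds for the squid-proxy account means the keytab is stale, which is what the password-reset warning quoted in the thread leads to.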