[squid-users] Active Directory Authentication failing at the browser

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 16 21:15:56 UTC 2015


On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version:  Squid 3.4.8
>>>
>>> OS Version:  Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have the basics 
>>> operating; at least when I start the squid service, I am no longer 
>>> getting any error messages.  At this time, the goal is to authenticate users 
>>> from Active Directory and log the user and the websites they are accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7 
>>> workstation to use the Squid proxy, I am getting the log in page (image below).
>>>
>>> [attached image: image001.png]
>>>
>>> I have tried entering my user name in various forms (EXAMPLE/USERID, USERID, 
>>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR) and the password, and I have not been 
>>> successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files for 
>>> review.  If you would like to see the cache.log file, please contact me as the 
>>> file is too large to include in this post.
>>>
>>>
>> I suggest you first get Basic and NTLM working with Active Directory, and only 
>> then, having these 2 schemes working, move on to the GSS-SPNEGO scheme. This is 
>> because the GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it uses 
>> lots of components and can fall apart easily at any stage.
>>
> 
> I suggest also using a current Firefox release. I am finding the 4x
> series works a lot better than the earlier 3x series did on Windows 7.
> 
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
> Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> 
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
> 

Also, since you are using what looks to be an outdated copy-and-paste of
the Squid official wiki article on Windows AD integration, not the
living-document original itself, you missed one critical detail
about winbind bugs on Debian that came to light a few months back.

<http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory?highlight=%28winbind%29#NTLM>
or
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

Amos
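
For readers following the staged approach discussed in this thread (get a simple scheme working against AD first, then add Negotiate/Kerberos, and keep NTLM out of the picture as Amos recommends), the following squid.conf fragment is an added example written for this archive page. It is not the configuration posted by the original reporter, nor text from the Squid wiki. The realm EXAMPLE.COM, the hosts proxy.example.com and dc1.example.com, the bind DN, the keytab and password-file paths, and the Debian 3.x helper directory /usr/lib/squid3 are all assumptions to be replaced with local values.

```conf
# Added example squid.conf fragment (Squid 3.4 on Debian 8). Hostnames,
# realm, DN, and file paths below are assumed placeholders, not from the thread.

# Stage 2: Negotiate (Kerberos via GSS-SPNEGO). Listed FIRST on purpose:
# Squid advertises schemes in the order the auth_param blocks appear, and
# browsers pick the first one they support. Comment this block out while
# getting the Basic scheme (below) working, then re-enable it.
# The helper hands Squid the Kerberos principal, i.e. USER@EXAMPLE.COM,
# which is the label form that ends up in access.log and in any ACLs.
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth \
    -s HTTP/proxy.example.com@EXAMPLE.COM \
    -k /etc/squid3/PROXY.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Stage 1: Basic, checked directly against AD over LDAP. No winbind, no
# NTLM, so none of the winbindd_privileged pipe permission problems apply.
# -R stops the helper chasing AD referrals, which otherwise hang or fail.
# The bind password lives in a root-readable file, never on the command line.
auth_param basic program /usr/lib/squid3/basic_ldap_auth \
    -R -v 3 \
    -b "dc=example,dc=com" \
    -D "cn=squid-proxy,cn=Users,dc=example,dc=com" \
    -W /etc/squid3/ldap_bind_pass \
    -f "(&(objectClass=user)(sAMAccountName=%s))" \
    -h dc1.example.com
auth_param basic children 5
auth_param basic realm EXAMPLE proxy (enter USERID only, no domain prefix)
auth_param basic credentialsttl 5 minutes

# Require a successful authentication for all proxied traffic.
acl authed proxy_auth REQUIRED
http_access deny !authed
http_access allow authed
```

Before pointing a browser at the proxy, each helper can be exercised on its own from a root shell, which isolates AD and helper problems from browser problems: the Basic helper reads lines of the form `username password` on stdin and answers `OK` or `ERR`, so `echo 'someuser secret' | /usr/lib/squid3/basic_ldap_auth -R -v 3 -b ... -D ... -W ... -f ... -h dc1.example.com` (same flags as above) should print `OK` for a valid AD account. Note that with Basic the user types the bare USERID that the `-f` filter matches on; a DOMAIN/USERID or USER@DOMAIN string will not match sAMAccountName and will be rejected, which is the label-format mismatch described earlier in this thread.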


