[squid-users] Testing Kerberos and LDAP connections

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 13 17:05:05 UTC 2016


On 14/01/2016 4:36 a.m., dolson at ihcrc.org wrote:
> Is there a way to test the following lines from my squid.conf file to make sure the connections are working correctly?
> 
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> 
> ### pure ntlm authentication
> auth_param ntlm program /usr/lib/squid3/ntlm_smb_lm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=IHCRC
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> 
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=ihcrc,dc=org" -D squid at ihcrc.org -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h srv-dataserver2.ihcrc.org
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> 
> When I run them at the command lines, minus the statements from Children down, I just get a huge print out of some man pages.  I'm trying to identify why I can't get AD authentication to work correctly on my Squid server, so I'm trying to test each area of the squid.conf file independently.
> 

They do not work. The --* parameters you are passing to ntlm_smb_lm_auth
are actually parameters for the Samba ntlm_auth helper. If you need NTLM
then you should install that Samba helper and use it instead.


FYI: ntlm_smb_lm_auth is the Squid bundled helepr for doing SMB LanMan
authentication. Thats a form of auth for Microsoft Network (circa
1970-1980's) with terrible encryption.
SMB LM crypto is so weak/bad that the Squid helper is actually
decrypting it in realtime to extract the user:password and translating
them into Basic auth queries against your AD servers. Ironically Basic
auth is more secure.
 *** Any software which works with this helper is *very* insecure.

Amos



More information about the squid-users mailing list