[squid-users] Squid and AD => That' s don't work !
L.P.H. van Belle
belle at bazuin.nl
Wed May 11 12:02:26 UTC 2016
Ok, well. Its not only the squid conf you need, so here is what you need in total.
https, yes works to, but im dont use sslbump etc.
below is all based on debian packages 0 source installs are used.
( if you need squid 3.5.19 in debian jessie amd64 i can share them to, ssl is enabled in my build )
Read through is, see what you can use, and mail if you dont get it.
Below works as of debian 3.4.8 up to 3.5.19 ( tested )
Squid:
This is what i have in the auth lines :
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld at REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=Company,dc=internal,dc=domain,dc=tld" \
-D ldap-bind at internal.domain.tld \
-W /etc/squid/private/ldap-bind \
-f sAMAccountName=%s \
-H ldaps://ad-dc2.internal.domain.tld \
-H ldaps://ad-dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Auth
auth_param basic credentialsttl 2 hours
The samba smb.conf im using with it.
About samba, last update is a complex one, you must configure this correctly for samba and ldap.
I’ll explain that below.
[global]
workgroup = NTDOMAIN
security = ads
realm = REALM
netbios name = PROXY
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
server signing = mandatory
ntlm auth = no
#Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/proxy.key.pem
tls certfile = /etc/ssl/local/certs/proxy.cert.pem
tls cafile = /etc/ssl/certs/personal-ca.pem
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the range may not overlap !
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# enable offline logins
winbind offline logon = yes
# check depth of nested groups, ! slows down you samba, if to much groups depth
winbind expand groups = 4
# disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
the krb5.conf for this:
[libdefaults]
default_realm = REALM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
For /etc/ldap/ldap.conf ( client conf )
A “correcty” ca-root and client certs setup. Needed for samba and ldap clients
Add in /etc/ldap/ldap.conf ( minimal )
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
Setup your own "rootCA" like this.
( if not done, apt-get install ca-certificates )
mkdir -p /usr/local/share/ca-certificates/yourCArootFolder
copy your root CA cert (.crt or it wont be detected) in /usr/local/share/ca-certificates/yourCArootFolder
run : update-ca-certificates
! MUST BE /usr/local/share/ca-certificates else its not picked up with the update-ca-certificates command.
you should see:
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Now after done above your CA Cert is hashed in /etc/ssl/certs
And its added in /etc/ssl/certs/ca-certificates.crt
For windows, now setup a GPO to deploy the rootCa to your pc's and your good to go.
How :
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx
This folder : /etc/ssl/local is adviced for your personal certificates.
Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.
So create a folders
/etc/ssl/local/certs
/etc/ssl/local/private
Much easier to maintain this way.
Some advice on samba/winbind.
Above only needs winbind installed and i do advice 4.4.3 recompile it from debian SID.
Of if your on debian jessie amd64, you can use my deb files.
Found here http://downloads.van-belle.nl/samba4/
Please do read the README.txt
Greetz,
Louis
Van: Olivier CALVANO [mailto:o.calvano at gmail.com]
Verzonden: woensdag 11 mei 2016 13:34
Aan: L.P.H. van Belle
Onderwerp: Re: [squid-users] Squid and AD => That' s don't work !
Hi
thanks for your answer.
Https work too ?
because before we use 3.3.8 but NTLM/Kerberos walking randomly, that's work very good 1 or 2 days but after
a lot of user can't connect.
We update in 3.5.x and now, all https don't work :<
can you help me ? if you have a sample of your squid.conf
regards
olivier
2016-05-11 10:23 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
Yes and it works great.
My setup Debian Jessie,
Squid tested : 3.4.8 upto 3.5.19
I use kerberos and ntlm and ldap auto in that order.
Samba 4.4.3 AD DC
So what do you want to know?
Greetz,
Louis
Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Olivier CALVANO
Verzonden: woensdag 11 mei 2016 10:08
Aan: Squid Users
Onderwerp: [squid-users] Squid and AD => That' s don't work !
Hi
is that someone has actually used squid with ntlm AD authentication?
because it don't works really well and no there is no one who reponds to problems, it's a shame.
there is commercial support a squid?
Regards
Olivier
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160511/9f84d7b8/attachment-0001.html>
More information about the squid-users
mailing list