[squid-users] Has anyone seen v3.5.x.x authentication work in an all windows environment?
Dijxie
dijxie at gmail.com
Mon Jul 3 11:33:31 UTC 2017
On 03.07.2017 at 09:43, Todd Pearson wrote:
>
> I have spent the past few days working to get the latest version
> working in an all windows environment. I am unable to get kerberos
> authentication to work. I am struggling with getting the keytab file
> correct.
> Wondering if there is anyone who has seen it actually work in an all
> windows environment. I have had earlier version (v2.X stable) with
> NTLM authentication, but unfortunately I do not have the binaries to
> implement in v3.5.x.x.
>
> I continue to struggle to find the secret formula for SPN and keytab.
>
> Thanks,
> Todd
Hi,
I have 4 squid servers, 3 of them are 3.5.9 @centos 7.x. Everything is
working fine, both pure NTLM and NEGOTIATE helpers are working
flawlessly. I've created a local group on the squid servers like
keytab-readers, then:
chown root:keytab-readers /etc/krb5.keytab
chmod 740 /etc/krb5.keytab
and added squid to keytab-readers.
Squid clients are windows workstations, mostly 8.1 and 10.
Why do you need to have Squid on Windows server so badly? Less
documentation, less support. And nowadays, my guess is almost every MS
security update can break things.
My guess is when you're using squid on Windows server, you have to,
alternatively:
1. Run squid on the NT AUTHORITY/SYSTEM or NT AUTHORITY/NETWORK SERVICE
account and put the SPN squid_accessible_name on the AD machine account. So, if
your squid DNS name is squidproxy.corpo.local and your server name is
srvSquid01.corpo.local, machine account srvSquid01$ has to have the
HOST/squidproxy SPN also.
2. Run squid on a dedicated domain account (user account). Create a user
like "squid01", give it all necessary permissions on the squid server and
then give this user the SPN. And there's the problem: what kind of SPN in
this configuration... I would say HTTP/squidproxy, and then in DNS
you'll have to have presumably a CNAME (not A) pointing squidproxy to
srvSquid01.corpo.local. And domain user squid01 will have to have read access
to the keytab, as well as the keytab will have to have appropriate content (it
should be a user, not machine keytab).
https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on
--
Greets, Dijx
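As an added example (not part of Dijx's reply or of the Squid project), here is option 2 from the reply above carried through on the Windows side: a dedicated domain user carrying the HTTP/ SPN for the proxy's DNS alias, with a user keytab produced by ktpass. The realm CORPO.LOCAL, the account squid01, the alias squidproxy.corpo.local and the host srvSquid01 are taken from the reply; the OU, the output path and the AES-only setting are assumptions. It is meant to be run as a Domain Admin on a domain-joined machine with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Creates the service account,
# registers the SPN and writes a *user* keytab for negotiate_kerberos_auth.
Import-Module ActiveDirectory

$Realm     = 'CORPO.LOCAL'                            # Kerberos realm = AD domain, upper case
$SvcUser   = 'squid01'                                # dedicated service account (from the reply)
$ProxyFqdn = 'squidproxy.corpo.local'                 # name clients type in the proxy settings (CNAME -> srvSquid01)
$Spn       = "HTTP/$ProxyFqdn"                        # browsers ask the KDC for HTTP/<proxy name as configured>
$Ou        = 'OU=ServiceAccounts,DC=corpo,DC=local'   # assumption
$Keytab    = 'C:\temp\squid01.keytab'                 # assumption

# 1. An SPN must be unique in the forest. A duplicate does not error out at
#    ticket time; the client just falls back to NTLM or gets an unusable ticket.
if ((setspn -Q $Spn) -match 'Existing SPN found') {
    throw "SPN $Spn is already registered on another account; fix that first"
}

# 2. Create the account. AES only (no RC4), password never expires, because a
#    password change invalidates every keytab cut for the account.
$pw = Read-Host -AsSecureString "Initial password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$($Realm.ToLower())" -Path $Ou `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# 3. Put the SPN on the user, not on srvSquid01$ (option 2 in the reply).
setspn -S $Spn "$env:USERDOMAIN\$SvcUser"
if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn" }

# 4. Cut the keytab. Note: ktpass RESETS the account password to /pass and
#    increments the kvno, so run it once and copy the result; rerunning it
#    silently invalidates the keytab already deployed on the proxy.
ktpass /princ "$Spn@$Realm" /mapuser "$Realm\$SvcUser" `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed" }

# 5. Verify: SPN is on the account, UPN was rewritten by ktpass, and note the
#    kvno; it must match what 'klist -kt /etc/krb5.keytab' shows on the proxy.
setspn -L $SvcUser
Get-ADUser $SvcUser -Properties ServicePrincipalNames, msDS-KeyVersionNumber, KerberosEncryptionType |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames,
                  msDS-KeyVersionNumber, KerberosEncryptionType
```

Copy the resulting file to the CentOS proxy as /etc/krb5.keytab with the chown/chmod from the reply, and pass the matching principal to the helper (auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/squidproxy.corpo.local@CORPO.LOCAL). Two checks worth doing before blaming Squid: klist -kt /etc/krb5.keytab must list exactly that principal with the kvno reported by step 5, and the proxy name the browsers use must be the one in the SPN (a CNAME to srvSquid01 is fine; an A record under a different name makes the client request a different SPN).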