[squid-users] Squid - using NTLM for SSO
Kevin Mühlparzer
kevinmuehlparzer at hotmail.de
Tue May 9 07:16:52 UTC 2017
Hello list,
I need your help with a Squid-Proxy (3.5) NTLM Auth, the aim is to use SSO for my windows clients.
My Windows-Clients are using Active-Directory running on a Samba4-PDC.
I set up ldap basic auth in a developer environment, now I want to achieve SSO. (using NTLM?)
The documentation on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm doesn't really help me enough (given my knowledge of squid and the forms of authentication/samba).
Tests:
-> testing Kerberos
I'm able to obtain (kinit) tickets and list them (klist)
root at xxx-testproxy01:~# kinit Administrator
Password for Administrator at X-XXX.LOCAL:
root at xxx-testproxy01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at X-XXX.LOCAL
Valid starting Expires Service principal
2017-05-09 08:43:25 2017-05-09 18:43:25 krbtgt/X-XXX.LOCAL at X-XXX.LOCAL
renew until 2017-05-10 08:43:21
-> testing Samba:
I joined my domain X-XXX.
Test support for ntlm:
root at xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
root at xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
root at xxx-testproxy01:~# wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded
root at xxx-testproxy01:~# wbinfo -g
X-XXX\cert publishers
...
X-XXX\webusers
-> Testing NTLM-helper:
Now here's my problem.
root at xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
SPNEGO request [testuser xxxxxxxxxxx] invalid prefix
BH SPNEGO request invalid prefix
root at xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
OK
What is ntlmssp? I read about both helpers in tutorials. If I need both, why do I need both?
My squid is starting how it should, logs are looking normal, the PopUp for authentication appears as well, but I can't log in. I shouldn't need to authenticate in the first place because it should use SSO.
What is missing/faulty?
The rest of squid is basic stuff:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=testuser --password=Passme123
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=Passme123
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
...
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
...
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localnet
http_access allow localhost manager
http_access deny !auth
http_access allow auth
http_access deny all
...
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
Does anyone know further? Thanks in advance.
- Kevin
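The following script is an added example, not code from the post or from the Squid or Samba projects. It drives the two line protocols that ntlm_auth speaks when started with --helper-protocol=squid-2.5-ntlmssp and --helper-protocol=squid-2.5-basic: the NTLMSSP helper expects Squid's YR (challenge request) and KK (client response) lines and answers TT/AF/NA/BH, while the Basic helper takes a single "user password" line and answers OK or ERR. It also reproduces what the NTLMSSP helper answers when it is handed a plain "user password" line instead of a YR/KK line. FAKE_HELPER is a constructed stand-in for /usr/bin/ntlm_auth so the script runs without Samba; the reply strings it emits mirror the real helper's codes but are not captured from it, and the Type 1/Type 3 blobs in the main block are placeholders, not real NTLMSSP messages.

```python
"""Drive the two Squid helper protocols that ntlm_auth speaks.

Added example, not code from the post or from Squid/Samba. FAKE_HELPER is a
constructed stand-in for /usr/bin/ntlm_auth; replace fake_cmd(...) with the
real helper's command line to exercise a live winbindd.
"""
import base64
import subprocess
import sys

# Constructed stand-in for ntlm_auth; argv[1] selects "ntlmssp" or "basic".
FAKE_HELPER = r'''
import sys
mode = sys.argv[1]
for raw in iter(sys.stdin.readline, ""):
    line = raw.rstrip("\n")
    if mode == "basic":                    # Basic protocol: "user password" -> OK / ERR
        user, _, pw = line.partition(" ")
        print("OK" if (user, pw) == ("testuser", "secret") else "ERR", flush=True)
    elif line.startswith("YR"):            # Squid asks for a challenge
        print("TT " + "Q0hBTExFTkdF", flush=True)   # base64 of b"CHALLENGE" (constructed)
    elif line.startswith("KK "):           # Squid relays the client's Type 3 response
        print("AF testuser", flush=True)
    else:                                  # anything else violates the protocol
        print("BH SPNEGO request invalid prefix", flush=True)
'''


def fake_cmd(mode):
    """Command line for the stand-in helper (swap in the real ntlm_auth to test live)."""
    return [sys.executable, "-c", FAKE_HELPER, mode]


def _talk(cmd, lines):
    """Send each line to the helper on stdin and collect one reply line per request."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    replies = []
    for line in lines:
        proc.stdin.write(line + "\n")
        proc.stdin.flush()
        replies.append(proc.stdout.readline().rstrip("\n"))
    proc.stdin.close()
    proc.wait()
    return replies


def parse_ntlm_reply(line):
    """Split an NTLMSSP helper reply into (code, payload).

    TT <base64 Type 2>  challenge for Squid to forward to the browser
    AF <user>           authenticated; the name the proxy_auth ACL sees
    NA <reason>         authentication failed
    BH <message>        helper-side error, e.g. a line it could not parse
    """
    code, _, payload = line.partition(" ")
    if code not in {"TT", "AF", "NA", "BH"}:
        raise ValueError(f"unexpected helper reply: {line!r}")
    return code, payload


def ntlm_handshake(cmd, type1_b64, type3_b64):
    """The per-connection exchange Squid performs: YR <Type1> -> TT, then KK <Type3> -> AF/NA."""
    replies = _talk(cmd, ["YR " + type1_b64, "KK " + type3_b64])
    challenge = parse_ntlm_reply(replies[0])
    if challenge[0] != "TT":
        return challenge          # helper refused to issue a challenge
    return parse_ntlm_reply(replies[1])


def probe_with_plain_credentials(cmd, user, password):
    """Hand an NTLMSSP helper a 'user password' line, as a manual shell test would."""
    return parse_ntlm_reply(_talk(cmd, [f"{user} {password}"])[0])


def basic_check(cmd, user, password):
    """Basic helper protocol: one 'user password' line in, OK or ERR back."""
    return _talk(cmd, [f"{user} {password}"])[0].split(" ", 1)[0] == "OK"


if __name__ == "__main__":
    ntlm, basic = fake_cmd("ntlmssp"), fake_cmd("basic")
    # Constructed placeholders standing in for the browser's NTLMSSP Type 1 / Type 3 blobs.
    t1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
    t3 = base64.b64encode(b"NTLMSSP\x00\x03\x00\x00\x00").decode()
    print("plain creds -> ntlmssp helper:", probe_with_plain_credentials(ntlm, "testuser", "secret"))
    print("YR/KK handshake             :", ntlm_handshake(ntlm, t1, t3))
    print("plain creds -> basic helper  :", basic_check(basic, "testuser", "secret"))
```

The point the script makes is that --username and --password are command-line test switches of ntlm_auth; under auth_param the helper receives its input from Squid on stdin, so an NTLMSSP helper given a bare "user password" line has nothing to parse as YR or KK and reports BH. Two defender-side checks worth running when the browser prompts instead of signing on silently: confirm the account Squid runs as can read winbindd's privileged pipe directory (Samba requires the helper to be in the winbindd_priv group for NTLMSSP), and watch cache.log for BH lines, which are helper-protocol errors rather than failed logins.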