[squid-users] Problem with Squid3 Authentication ( after sambaupgrades )
L.P.H. van Belle
belle at bazuin.nl
Tue May 23 07:09:46 UTC 2017
Hi Amos and others.
It's not a "samba" thing or a squid thing.
Maybe in the end yes, but this is a configuration thing.
For you guys to know, a Samba AD DC sets this parameter as default:
ldap server require strong auth = yes
Which obligates the use of TLS.
Next, users don't configure /etc/ldap/ldap.conf when they use TLS.
Squid and samba may need the CA root if you use TLS.
Which should go in ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
Samba sets these days:
ntlm auth = no
lanman auth = no
Which disables NTLMv1 and last, users don't know Kerberos and the need of A/PTR records.
For others, I've posted an example auth setup and smb.conf setup for squid on Debian Jessie.
Tested as of squid 3.4.8 up to 3.5.24. ( with and without ssl bumping )
Google for : Problems with Samba 4.6.3 Authentication
Post date 23-may 2017
When upgrading samba/winbind as of 4.2 up to 4.5 or 4.6,
you MUST read the change logs at least for every samba 4.X.0 version.
At least 4.2.0, 4.3.0, 4.4.0, 4.5.0 and 4.6.0.
https://www.samba.org/samba/history/
Look at the smb.conf changes.
Like this one for 4.5 :
smb.conf changes
================
  Parameter Name                Description             Default
  --------------                -----------             -------
  kccsrv:samba_kcc              Changed default         yes
  ntlm auth                     Changed default         no
  only user                     Removed
  password hash gpg key ids     New
  shadow:snapprefix             New
  shadow:delimiter              New                     _GMT
  smb2 leases                   Changed default         yes
  username                      Removed
Greetz,
Louis
> -----Original message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Monday 22 May 2017 22:46
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Squid3 Authentication
>
> On 23/05/17 02:15, Marcio Demetrio Bacci wrote:
> > I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my
> > Squid authentication doesn't work.
> >
> > In Samba 4.2.1 it is working properly.
> >
> > This is my authentication block:
> >
> >
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored
> > auth_param basic credentialsttl 8 hours
> > auth_param basic casesensitive off
> >
> > I'm using Squid 3.4.8
> >
> > Can anybody help me ?
>
> If the only thing that changed was Samba it's clearly an issue
> with that end of the system.
>
> I suggest you compare those LDAP parameters with what the new
> Samba version needs, and if there is no issue there please
> contact your vendor or the Samba help channels.
>
> Amos
>
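An added example (not part of the original post, and not Squid or Samba code): a small Python check that reads the three configurations discussed in this thread and flags the mismatch that breaks a plain port-389 simple bind against a DC that has `ldap server require strong auth = yes`. The sample inputs are constructed from the values quoted above, and the function names are hypothetical.

```python
import shlex

# Constructed sample inputs built from the settings quoted in this thread.
SMB_CONF = "[global]\nldap server require strong auth = yes\nntlm auth = no\n"
LDAP_CONF = "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT allow\n"
SQUID_LINE = ('auth_param basic program /usr/lib/squid3/basic_ldap_auth -R '
              '-b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br '
              '-w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"')

def smb_global(text):
    """Return the smb.conf [global] parameters as a dict, names lowercased."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def ldap_conf(text):
    """Return ldap.conf options as a dict, option names uppercased."""
    rows = (l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return {r[0].upper(): r[1].strip() for r in rows if len(r) == 2}

def audit(smb_text, ldap_text, squid_line):
    """List mismatches between the DC's LDAP policy and the Squid helper."""
    smb, ldap, args = smb_global(smb_text), ldap_conf(ldap_text), shlex.split(squid_line)
    findings = []
    # The Samba AD DC default is "yes" when the parameter is not set.
    strong = smb.get("ldap server require strong auth", "yes").lower()
    uri = args[args.index("-H") + 1] if "-H" in args[:-1] else ""
    encrypted = "-Z" in args or uri.lower().startswith("ldaps://")
    if strong != "no" and not encrypted:
        findings.append("helper does a simple bind without TLS, DC requires strong auth")
    if "TLS_CACERT" not in ldap:
        findings.append("ldap.conf has no TLS_CACERT for the DC's CA root")
    # OpenLDAP's default is "demand"; "allow" and "never" accept a bad certificate.
    if ldap.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT accepts an invalid server certificate")
    return findings

if __name__ == "__main__":
    for finding in audit(SMB_CONF, LDAP_CONF, SQUID_LINE):
        print("WARN:", finding)
```

Here `-Z` (StartTLS) and `-H ldaps://...` are the helper options that put the bind under TLS; the check only inspects configuration text and makes no LDAP connection.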