[squid-users] The issue NTLM_AUTH with --require-membership-of
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 21 10:14:11 UTC 2019
I think your problem has to do with NT1.
I assume you already tried the setting in smb.conf:
ntlm auth = ntlmv1-permitted
(which is the alias for yes)
And which samba/ntlm_auth version is this? Standard CentOS?
I must say I'm a noob in CentOS, so I'll show you what I know from Debian.
And it might be better to switch to kerberos auth.
I know there are problems with the groups in ntlm_auth and its detection.
If i recall right, a patch passed recently, so waiting for that on the next samba version.
I use the following.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/$(hostname -f)@MY_REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
With LDAP fallback:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=Office,dc=some,dc=domain,dc=tld" \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-f sAMAccountName=%s \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN
The ldap-bind account needs no pre-check on Kerberos auth and has password expiry disabled.
The group part, now I'm not using it myself, but as an example it should be something like this.
Basically it is:
Search for %LOGIN from this point: DC=office,DC=some,DC=domain,DC=tld, and get person %a from group Proxygroups.
external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
-f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld)) \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN
external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -b DC=office,DC=some,DC=domain,DC=tld \
-s sub \
-R -v3 \
-D ldap-bind@MY_REALM \
-W /etc/squid/private/ldap-bind \
-f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=Proxygroups,DC=office,DC=some,DC=domain,DC=tld))" \
-H ldaps://dc1.FQDN \
-H ldaps://dc2.FQDN
I hope this helps a bit.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] Namens
> Amos Jeffries
> Verzonden: donderdag 21 februari 2019 10:18
> Aan: squid-users at lists.squid-cache.org
> Onderwerp: Re: [squid-users] The issue NTLM_AUTH with
> --require-membership-of
>
> On 21/02/19 9:35 pm, WANG TOM wrote:
> >
> ----------------------------------------------------------------------------------------------
> > And I have tested run ntlm_auth directly, it looks successfully.
> > "ntlm_auth --require-membership-of='IBM\Domain Users'
> > --username=Administrators --password=123456
> > NT_STATUS_OK: The operation completed successfully. (0x0)"
> >
> ----------------------------------------------------------------------------------------------
> > I have no idea what I have missed or what mistake I made; could
> someone help?
> >
>
> Very likely that whitespace in the parameter string. Squid does not
> support double-quote encoding of most parameters.
>
> That means the helper will be passed two different environment
> arguments. One being "--require-membership-of='IBM\Domain".
> The second being "Users'"
>
> IIRC you can probably %-encode that (as "IBM\Domain%20Users").
>
>
> If not that then you are going to have to debug what the
> helper is doing.
>
>
> NP: This helper is provided by Samba, it is not part of Squid. So
> questions about its abilities and encodings supported are a
> question for
> their help channels. Someone here _might_ know, but do not
> count on that.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
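The tokenisation problem Amos describes, as an added example that is not part of the thread and not Squid's own parser: a naive whitespace split of a constructed auth_param line shows the quoted group name arriving at the helper as two argv entries, the %20 form arriving as one token (whether ntlm_auth then decodes it is not established in the thread, so the example only shows the token is intact), and a wrapper script that keeps the whitespace out of squid.conf altogether. The auth_param line and the wrapper path /usr/local/bin/ntlm_auth_wrapper are assumptions for illustration.

```python
"""Added example, not from the squid-users thread.

Models why a --require-membership-of value containing a space breaks on a
Squid auth_param line.  The splitter below is an assumption: it splits on
whitespace and treats quotes as ordinary characters, which is the behaviour
Amos describes, not a copy of Squid's ConfigParser.
"""
import shlex
from urllib.parse import unquote

# Constructed auth_param lines (the original poster did not show theirs).
QUOTED_LINE = (
    "auth_param ntlm program /usr/bin/ntlm_auth "
    "--helper-protocol=squid-2.5-ntlmssp "
    "--require-membership-of='IBM\\Domain Users'"
)
ENCODED_LINE = (
    "auth_param ntlm program /usr/bin/ntlm_auth "
    "--helper-protocol=squid-2.5-ntlmssp "
    "--require-membership-of=IBM\\Domain%20Users"
)

OPTION = "--require-membership-of="


def helper_argv(config_line):
    """Return the argv the helper would receive: every token after 'program'.

    Assumption: tokens are separated by unquoted whitespace only, so a quoted
    value with a space is cut in two exactly like any other token.
    """
    tokens = config_line.split()
    return tokens[tokens.index("program") + 1:]


def membership_option(argv):
    """Extract the --require-membership-of value and any stray trailing tokens.

    Returns (value, stray) where `stray` holds the fragments that followed the
    option; a non-empty `stray` is the symptom of the whitespace split.
    """
    for i, arg in enumerate(argv):
        if arg.startswith(OPTION):
            return arg[len(OPTION):], argv[i + 1:]
    return None, []


def decoded_group(argv):
    """Percent-decode the option value (what a helper that accepts %20 would see)."""
    value, _ = membership_option(argv)
    return unquote(value) if value is not None else None


def wrapper_script(group, helper="/usr/bin/ntlm_auth"):
    """Generate a wrapper that carries the quoting itself.

    squid.conf then references only the wrapper path (no whitespace), so the
    helper gets the group name as one argument regardless of how Squid splits.
    """
    return "\n".join([
        "#!/bin/sh",
        "# Wrapper so squid.conf carries no whitespace-bearing argument.",
        "exec {} --helper-protocol=squid-2.5-ntlmssp "
        "--require-membership-of={} \"$@\"".format(helper, shlex.quote(group)),
        "",
    ])


if __name__ == "__main__":
    for label, line in (("quoted", QUOTED_LINE), ("percent-encoded", ENCODED_LINE)):
        argv = helper_argv(line)
        value, stray = membership_option(argv)
        print(label, "-> value:", repr(value), "stray:", stray)
    print(wrapper_script("IBM\\Domain Users"))
    print("# squid.conf line (hypothetical wrapper path):")
    print("auth_param ntlm program /usr/local/bin/ntlm_auth_wrapper")
```

The wrapper is the approach that does not depend on the helper decoding anything: the shell inside the script does the quoting, and the only token Squid has to pass is the wrapper path.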