Hi,

we are running squid-3.0.STABLE9-1.el5 on CentOS 5.4 with Kerberos authentication against an Active Directory. It works fine, but IE6, some Java applets and some Linux workstations can't use the proxy. It seems that they don't support Kerberos SSO against the AD. Newer IEs and Firefox work well.

Is it possible to use NTLM authentication as a fallback? I've installed samba 3.4.5, and wbinfo -g works. I then added the lines with ntlm to the squid.conf:

    auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-kerberos.heidelberg.bw-online.de
    auth_param negotiate children 50
    auth_param negotiate keep_alive on

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=WWW
    auth_param ntlm children 5
    auth_param ntlm keep_alive on

    external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "DC=heidelberg,DC=bw-online,DC=de" -D "CN=USER,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=CN=%a,CN=Users,DC=heidelberg,DC=bw-online,DC=de))" -v 3 -h "10.141.1.57 10.141.1.55" -K

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 81-84       # building services StaBue
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    # City of Heidelberg configuration
    # All elements of an acl entry are OR'ed together.
    # All elements of an access entry are AND'ed together
    acl AD-AUTH proxy_auth REQUIRED
    http_access allow AD-AUTH

    # for Ziegelhausen, Linux, does no Kerberos passthrough or is no domain user
    acl amt62 src 10.141.20.245 10.141.20.26 10.141.20.24
    http_access allow amt62

    # Java application, cannot do Kerberos auth and no auto .pac
    acl teleteach url_regex lc-prod.teleteach.de
    http_access allow teleteach

    # ACL with LDAP
    acl ldapgroup-www external ldapgroup www
    acl ldapgroup-ebay external ldapgroup ebay
    acl blocklist dstdomain "/etc/squid/blocklist"
    acl ldapgroup-teamviewer external ldapgroup proxy_teamviewer
    acl blocklist-teamviewer dstdomain "/etc/squid/blocklist_teamviewer"
    acl ldapgroup-filesharing external ldapgroup proxy_filesharing
    acl blocklist-filesharing dstdomain "/etc/squid/blocklist_filesharing"
    acl ldapgroup-amt80 external ldapgroup proxy_amt80
    acl blocklist-amt80 dstdomain "/etc/squid/blocklist_amt80"

    http_access allow ldapgroup-ebay all
    #http_access allow schul340
    http_access deny blocklist
    http_access allow ldapgroup-filesharing
    http_access deny blocklist-filesharing
    http_access allow ldapgroup-teamviewer
    http_access deny blocklist-teamviewer
    http_access allow ldapgroup-amt80
    http_access deny blocklist-amt80
    http_access allow ldapgroup-www all

    # And finally deny all other access to this proxy
    #http_access allow localhost
    http_access deny all

www is the AD group that has access to the internet.

The browser then pops up for user credentials, but does not get authenticated. The access.log writes no user information with the DENIED entries.

Does anyone have an idea whether Kerberos with NTLM as a fallback should work?

Best Regards
Ralf Lutz
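A first thing to check in a setup like the one above is whether the proxy is actually offering both schemes to the client: Squid lists each configured auth scheme as its own Proxy-Authenticate header in the 407 reply, in the order the auth_param lines appear, and a client that cannot do Negotiate falls through to NTLM only if NTLM is advertised. The script below is an added diagnostic, not part of the original post or of Squid. It parses a squid.conf text for the declared schemes, parses a raw 407 reply for the advertised ones, and reports any mismatch. The squid.conf excerpt and the 407 reply embedded in it are constructed samples; the proxy host and port in the optional live probe are placeholders.

```python
"""Compare the auth schemes declared in squid.conf with those a proxy advertises in a 407 reply."""
import http.client
import re

# Constructed sample: the auth_param lines from the post above (paths as given there).
SAMPLE_CONF = """
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-kerberos.example.invalid
auth_param negotiate children 50
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=WWW
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl AD-AUTH proxy_auth REQUIRED   # not an auth_param line, must be ignored
"""

# Constructed sample 407 reply, one Proxy-Authenticate header per scheme as Squid emits them.
SAMPLE_407 = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Server: squid/3.0.STABLE9\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

_AUTH_PARAM_RE = re.compile(r"^auth_param\s+(\w+)\s+program\s+")


def declared_auth_schemes(conf_text):
    """Return the auth schemes given an 'auth_param <scheme> program' line, lower-cased, in file order."""
    schemes = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        match = _AUTH_PARAM_RE.match(line)
        if match:
            scheme = match.group(1).lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def advertised_auth_schemes(raw_response):
    """Return the scheme token of every Proxy-Authenticate header in a raw 407 reply, in wire order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    if " 407 " not in status_line:
        return []                                   # not an auth challenge at all
    schemes = []
    for header in header_lines:
        name, _, value = header.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(None, 1)[0])  # token before any realm/blob
    return schemes


def missing_schemes(conf_text, raw_response):
    """Schemes declared in the config that the proxy did not advertise (case-insensitive)."""
    advertised = {s.lower() for s in advertised_auth_schemes(raw_response)}
    return [s for s in declared_auth_schemes(conf_text) if s not in advertised]


def probe_proxy(proxy_host, proxy_port):
    """Live check (not run here): send an unauthenticated request through the proxy and
    return the schemes from its 407 reply. proxy_host/proxy_port are placeholders."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=10)
    conn.request("GET", "http://www.example.com/")
    resp = conn.getresponse()
    if resp.status != 407:
        return []
    return [v.split(None, 1)[0] for v in resp.headers.get_all("Proxy-Authenticate", [])]


if __name__ == "__main__":
    print("declared  :", declared_auth_schemes(SAMPLE_CONF))
    print("advertised:", advertised_auth_schemes(SAMPLE_407))
    print("missing   :", missing_schemes(SAMPLE_CONF, SAMPLE_407))
```

If the live probe shows both Negotiate and NTLM but NTLM clients still end up with DENIED entries and no user name, the failure is after the challenge, in the ntlm_auth helper or the group check, rather than in scheme negotiation; the helper can be exercised on its own from the shell before suspecting the http_access rules.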