Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

Hi Tom,

Which version do you use? The latest squid_kerb_ldap version has a -D
option to define a default Kerberos domain for usernames without domain
info.

 /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D
Kerberos-Domain

Regards
Markus

----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Thursday, July 08, 2010 1:54 PM
Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking


Hi Markus

I think that the output from the log with just the username instead
of "netbios-name\username" is because of the setting "winbind use
default domain = yes" in the smb.conf.

The debug-output is this:
2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain
Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: ERR



For my question:
Is it necessary to have winbindd running for authenticating our
IE6-clients with ntlm? Or can I handle this without a
winbind-domain-join, just with squid_kerb_ldap?

Thank you.
Regards
Tom


2010/7/8 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom,

Squid_kerb_ldap with -d will give more debug output. Could you send it to
me? What surprises me is that your username is only user1, not
NETBIOSNAME\user1.

Markus

----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Thursday, July 08, 2010 6:30 AM
Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking


Hi Markus

Thank you. I have tried it out, but this didn't work. In my
squid.conf I have the following entry:

external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users"
-N NETBIOSNAME@xxxxx
acl inetAccess external SQUID_KERB_LDAP

For the "NETBIOSNAME", I've entered this one, which I have defined in
the smb.conf in the string "workgroup".

The cache.log-output looks like this:
2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain
Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: ERR

Without the "-N"-Parameter, all clients >IE6 are successfully able to
authenticate with kerberos and squid_kerb_ldap.

In the smb.conf, I have set "winbind use default domain = yes". So the
"wbinfo -u" gives me back just the username without any domain-suffix.

For my understanding: Is it necessary to have winbindd running for
authenticating our IE6-clients with ntlm? Or can I handle this without
a winbind-domain-join, just with squid_kerb_ldap?

Thank you.

Regards,
Tom

2010/7/7 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Hi Tom

It should work if squid sends Negotiate and NTLM authentication requests
to the client. IE6 will ignore the Negotiate request and reply to NTLM,
whereas IE7 and IE8 will respond to Negotiate. With NTLM you will get a
username like Netbios-Domain\user in contrast to user@Kerberos-Realm.
squid_kerb_ldap can deal with this through the -N option, e.g.
-N Netbios-Domain@Kerberos-Realm, and if you have two domains use
-N Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.

Regards
Markus

"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5@xxxxxxxxxxxxxxxxx

Hi

I'm searching a way to authenticate IE6-clients with ntlm based on
group-membership and all other clients (IE7, IE8) with kerberos (also
group-membership-based).

I'm able to authenticate with kerberos AND group-membership
(squid_kerb_ldap), but the IE6-clients will then prompt for the
squid_kerb_ldap-authentication. If I leave the squid_kerb_ldap-helper
away, then all users are able to authenticate without checking the
group-membership.

How can I achieve to have a proper single-sign-on
kerberos-authentication (with squid_kerb_ldap) and a
fallback-ntlm-authentication for the IE6-browser (also with checking
group-membership) without prompting for username/password?

Thank you.
Regards
Tom
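The thread turns on how the helper derives a group@domain lookup key from the %LOGIN value Squid hands it: a NetBIOS-style NTLM login is rewritten through -N, a bare username (what "winbind use default domain = yes" produces) has no domain and ends up as "Domain: NULL" unless -D supplies one. The following is an added illustration of that mapping, written for this page; it is not squid_kerb_ldap's code and was not posted by anyone in the thread. The membership table, the realm EXAMPLE.LOCAL and the NetBIOS name NB are constructed placeholders, and the trace lines only imitate the shape of the -d debug output quoted above.

```python
# Constructed model (not squid_kerb_ldap's own code) of how a Squid %LOGIN
# value is turned into a group@domain membership lookup, following the
# -N and -D semantics described in this thread.  The membership table is a
# constructed stand-in for the LDAP query; EXAMPLE.LOCAL and NB are
# placeholder names, not values from the thread.
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for AD group membership, keyed by group@realm.
MEMBERSHIP: Dict[str, Set[str]] = {
    "Internet Users@EXAMPLE.LOCAL": {"user1", "user2"},
}


def parse_netbios_map(option: str) -> Dict[str, str]:
    """Parse a -N value such as 'NB@REALM:NB2@REALM2' into {'NB': 'REALM', ...}.

    NetBIOS names are case-insensitive, so keys are upper-cased for lookup.
    """
    mapping: Dict[str, str] = {}
    for pair in option.split(":"):
        if "@" not in pair:
            continue  # ignore empty or malformed entries
        netbios, _, realm = pair.partition("@")
        mapping[netbios.upper()] = realm
    return mapping


def parse_login(login: str) -> Tuple[str, Optional[str]]:
    """Split a %LOGIN value into (user, domain).

    NTLM logins (IE6) arrive as NETBIOS\\user, Kerberos logins as user@REALM.
    A bare username, which is what 'winbind use default domain = yes'
    produces, carries no domain at all: the 'Domain: NULL' case in the log.
    """
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain.upper()
    if "@" in login:
        user, _, realm = login.partition("@")
        return user, realm
    return login, None


def resolve_realm(domain: Optional[str], netbios_map: Dict[str, str],
                  default_domain: Optional[str]) -> Optional[str]:
    """Apply -N (NetBIOS -> realm) and -D (default for a missing domain)."""
    if domain is None:
        return default_domain                 # -D fills in a missing domain
    return netbios_map.get(domain, domain)    # -N rewrites a NetBIOS name


def check_membership(login: str, group: str,
                     membership: Dict[str, Set[str]] = MEMBERSHIP,
                     netbios_option: str = "",
                     default_domain: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return ('OK' | 'ERR', trace), the trace shaped like the helper's -d output."""
    trace: List[str] = []
    user, domain = parse_login(login)
    trace.append(f"Got User: {user} Domain: {domain or 'NULL'}")
    realm = resolve_realm(domain, parse_netbios_map(netbios_option), default_domain)
    key = f"{group}@{realm or 'NULL'}"
    trace.append(f"Default group loop: group@domain {key}")
    # With no realm the key can never match a real group@realm entry, which
    # is why a bare username without -D always ends in ERR.
    members = membership.get(key, set())
    if user in members:
        trace.append(f"User {user} is member of group@domain {key}")
        return "OK", trace
    trace.append(f"User {user} is not member of group@domain {key}")
    return "ERR", trace


if __name__ == "__main__":
    cases = [
        ("user1", {}),                                          # bare name, no -D: ERR
        ("user1", {"default_domain": "EXAMPLE.LOCAL"}),         # -D supplies realm: OK
        ("NB\\user1", {"netbios_option": "NB@EXAMPLE.LOCAL"}),  # -N maps NetBIOS: OK
        ("user1@EXAMPLE.LOCAL", {}),                            # Kerberos login: OK
    ]
    for login, opts in cases:
        verdict, trace = check_membership(login, "Internet Users", **opts)
        print(login, "->", verdict)
        for line in trace:
            print("   ", line)
```

Running the four cases shows the point of Markus's last reply: the first case reproduces the quoted "Got User: user1 Domain: NULL ... ERR" sequence, and -N cannot fix it because there is no NetBIOS name in the login to rewrite; only -D, which supplies a realm when the login has none, turns that case into OK.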