Hi Markus

I'm using squid_kerb_ldap-1.2.1a. I will try it with the "-D" option.
Is it possible to have a single-sign-on solution with IE6 without winbind?
Can I take "squid_kerb_ldap" for this purpose?

Thank you.
Regards,
Tom

2010/7/9 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
> Hi Tom,
>
> Which version do you use? The latest squid_kerb_ldap version has a -D
> option to define a default Kerberos domain for usernames without domain
> info.
>
> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D Kerberos-Domain
>
> Regards
> Markus
>
> ----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
> To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
> Sent: Thursday, July 08, 2010 1:54 PM
> Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking
>
>
>> Hi Markus
>>
>> I think that the output from the log with just the username instead
>> of "netbios-name\username" is because of the setting "winbind use
>> default domain = yes" in the smb.conf.
>>
>> The debug output is this:
>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>
>> For my question:
>> Is it necessary to have winbindd running for authenticating our
>> IE6 clients with ntlm? Or can I handle this without a
>> winbind domain join? Just with squid_kerb_ldap?
>>
>> Thank you.
>> Regards
>> Tom
>>
>>
>> 2010/7/8 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>
>>> Hi Tom,
>>>
>>> Squid_kerb_ldap with -d will give more debug output. Could you send it to
>>> me? What surprises me is that your username is only user1, not
>>> NETBIOSNAME\user1.
>>>
>>> Markus
>>>
>>> ----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
>>> To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
>>> Sent: Thursday, July 08, 2010 6:30 AM
>>> Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking
>>>
>>>
>>> Hi Markus
>>>
>>> Thank you. I have tried it out, but this didn't work. In my
>>> squid.conf I have the following entry:
>>>
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -N NETBIOSNAME@xxxxx
>>> acl inetAccess external SQUID_KERB_LDAP
>>>
>>> For the "NETBIOSNAME", I've entered the one which I have defined in
>>> the smb.conf in the string "workgroup".
>>>
>>> The cache.log output looks like this:
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>>
>>> Without the "-N" parameter, all clients >IE6 are successfully able to
>>> authenticate with kerberos and squid_kerb_ldap.
>>>
>>> In the smb.conf, I have set "winbind use default domain = yes". So
>>> "wbinfo -u" gives me back just the username without any domain suffix.
>>>
>>> For my understanding: Is it necessary to have winbindd running for
>>> authenticating our IE6 clients with ntlm? Or can I handle this without
>>> a winbind domain join? Just with squid_kerb_ldap?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Tom
>>>
>>> 2010/7/7 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>
>>>> Hi Tom
>>>>
>>>> It should work if squid sends Negotiate and NTLM authentication requests to
>>>> the client. IE6 will ignore the Negotiate request and reply to NTLM, whereas
>>>> IE7 and IE8 will respond to Negotiate. With NTLM you will get a username
>>>> like Netbios-Domain\user in contrast to user@Kerberos-Realm. squid_kerb_ldap
>>>> can deal with this through the -N option, e.g. -N Netbios-Domain@Kerberos-Realm,
>>>> and if you have two domains use -N Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
>>>> news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5@xxxxxxxxxxxxxxxxx
>>>>>
>>>>> Hi
>>>>>
>>>>> I'm searching for a way to authenticate IE6 clients with ntlm based on
>>>>> group membership and all other clients (IE7, IE8) with kerberos (also
>>>>> group-membership-based).
>>>>>
>>>>> I'm able to authenticate with kerberos AND group membership
>>>>> (squid_kerb_ldap), but the IE6 clients will then prompt for the
>>>>> squid_kerb_ldap authentication. If I leave the squid_kerb_ldap helper
>>>>> away, then all users are able to authenticate without checking the
>>>>> group membership.
>>>>>
>>>>> How can I achieve a proper single-sign-on
>>>>> kerberos authentication (with squid_kerb_ldap) and a
>>>>> fallback ntlm authentication for the IE6 browser (also with checking
>>>>> group membership) without prompting for username/password?
>>>>>
>>>>> Thank you.
>>>>> Regards
>>>>> Tom
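The thread turns on how the login name reaches the group check: IE7/IE8 send a Kerberos principal (user@REALM), IE6 sends an NTLM name (DOMAIN\user), and winbind with "winbind use default domain = yes" strips the domain entirely, which is why the log shows "Got User: user1 Domain: NULL" and the lookup fails. The following Python is an added illustration of that mapping, written for this page and not squid_kerb_ldap's own code: it parses a -N style "NetBIOS@Realm:NetBIOS2@Realm2" map, applies a -D style default realm to bare names, and shows which of the three login shapes end up with a usable realm before a group lookup. The realm names, the NetBIOS names, the members and the in-memory directory are all constructed placeholders; the real helper queries LDAP.

```python
"""Added illustration of the login-name mapping discussed in the thread.
Not squid_kerb_ldap's code: it only mirrors the behaviour described there
(-N NetBIOS-to-realm map, -D default realm, 'Domain: NULL' on bare names)."""

from typing import Dict, List, Optional, Set, Tuple

# Constructed sample values in the -N / -D syntax from the thread; the
# realm and NetBIOS names are placeholders, not taken from the page.
N_OPTION = "NETBIOSNAME@EXAMPLE.COM:CORP2@CORP2.EXAMPLE.COM"
DEFAULT_REALM = "EXAMPLE.COM"

# Constructed stand-in for the directory: realm -> group -> members.
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "EXAMPLE.COM": {"Internet Users": {"user1", "user2"}},
    "CORP2.EXAMPLE.COM": {"Internet Users": {"user9"}},
}


def parse_n_option(value: str) -> Dict[str, str]:
    """Parse 'NB1@REALM1:NB2@REALM2' (the -N syntax) into {NB1: REALM1, ...}."""
    mapping: Dict[str, str] = {}
    for pair in value.split(":"):
        if not pair:
            continue
        netbios, _, realm = pair.partition("@")
        if not netbios or not realm:
            raise ValueError(f"bad -N entry: {pair!r}")
        mapping[netbios.upper()] = realm.upper()
    return mapping


def split_login(login: str) -> Tuple[str, Optional[str], str]:
    """Return (user, domain token, form) for the three login shapes seen in
    the thread: 'DOMAIN\\user' (NTLM), 'user@REALM' (Kerberos), 'user' (bare)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain, "ntlm"
    if "@" in login:
        user, _, realm = login.partition("@")
        return user, realm, "kerberos"
    return login, None, "bare"


def resolve_realm(login: str, netbios_map: Dict[str, str],
                  default_realm: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Map a login to (user, Kerberos realm). NTLM names go through the -N map,
    bare names get the -D default; None is the 'Domain: NULL' case from the log."""
    user, token, form = split_login(login)
    if form == "kerberos":
        return user, token.upper()
    if form == "ntlm":
        return user, netbios_map.get(token.upper())
    return user, (default_realm.upper() if default_realm else None)


def check_group(login: str, group: str, netbios_map: Dict[str, str],
                default_realm: Optional[str] = None,
                directory: Dict[str, Dict[str, Set[str]]] = DIRECTORY) -> Tuple[str, List[str]]:
    """Emulate the helper's verdict: returns ('OK' | 'ERR', trace lines in the
    style of the cache.log output quoted in the thread)."""
    user, realm = resolve_realm(login, netbios_map, default_realm)
    trace = [f"Got User: {user} Domain: {realm or 'NULL'}"]
    if realm is None:
        # No realm to look the group up in: exactly the failing case in the log.
        trace.append(f"User {user} is not member of group@domain {group}@NULL")
        trace.append("ERR")
        return "ERR", trace
    members = directory.get(realm, {}).get(group, set())
    if user in members:
        trace.append("OK")
        return "OK", trace
    trace.append(f"User {user} is not member of group@domain {group}@{realm}")
    trace.append("ERR")
    return "ERR", trace


if __name__ == "__main__":
    nmap = parse_n_option(N_OPTION)
    for login in ["user1@EXAMPLE.COM", "NETBIOSNAME\\user1", "user1", "OTHERDOM\\user1"]:
        verdict, trace = check_group(login, "Internet Users", nmap)
        print(f"{login:22} -> {verdict:3}  ({trace[0]})")
    # Supplying a default realm (the -D option) is what rescues the bare form.
    print("user1 with -D        ->", check_group("user1", "Internet Users", nmap,
                                                 default_realm=DEFAULT_REALM)[0])
```

Run as-is, the bare "user1" line is the only one of the three valid forms that fails without a default realm, and an NTLM name whose NetBIOS domain is absent from the -N map fails the same way; both show up as "Domain: NULL" in the trace, which is the symptom to look for in cache.log before touching the group definition itself.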