Hi Tom,
I don't know all the functions of winbindd. If it is only used for group
memberships for squid then you don't need it.
Markus
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTim5IAZiQqa9tFQmbrSK9vaQ9rlkf-h7u-yTBL4c@xxxxxxxxxxxxxxxxx
Hi Markus
I'm using squid_kerb_ldap-1.2.1a. I will try it with the "-D"-Option.
Is it possible to have a Single-Sign-On-solution with IE6 without
winbind? Can I take "squid_kerb_ldap" for this purpose?
Thank you.
Regards,
Tom
2010/7/9 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom,
Which version do you use? The latest squid_kerb_ldap version has a -D
option to define a default Kerberos domain for usernames without domain
info.
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D Kerberos-Domain
Regards
Markus
----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Thursday, July 08, 2010 1:54 PM
Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking
Hi Markus
I think, that the output from the log with just the username instead
of "netbios-name\username" is because of the setting "winbind use
default domain = yes" in the smb.conf.
The debug-output is this:
2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: ERR
For my question:
Is it necessary to have winbindd running for authenticating our
IE6-clients with ntlm? Or can I handle this without a
winbind-domain-join? Just with squid_kerb_ldap?
Thank you.
Regards
Tom
2010/7/8 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom,
Squid_kerb_ldap with -d will give more debug output. Could you send it
to me. What surprises me is that your username is only user1 not
NETBIOSNAME\user1
Markus
----- Original Message ----- From: "Tom Tux" <tomtux80@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Thursday, July 08, 2010 6:30 AM
Subject: Re: Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking
Hi Markus
Thank you. I have tried it out, but this didn't work. In my
squid.conf I have the following entry:
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -N NETBIOSNAME@xxxxx
acl inetAccess external SQUID_KERB_LDAP
For the "NETBIOSNAME", I've entered this one, which I have defined in
the smb.conf in the string "workgroup".
The cache.log-output looks like this:
2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
2010/07/08 07:13:39| squid_kerb_ldap: ERR
Without the "-N"-Parameter, all clients >IE6 are successfully able to
authenticate with kerberos and squid_kerb_ldap.
In the smb.conf, I have set "winbind use default domain = yes". So the
"wbinfo -u" gives me back just the username without any domain-suffix.
For my understanding: Is it necessary to have winbindd running for
authenticating our IE6-clients with ntlm? Or can I handle this without
a winbind-domain-join? Just with squid_kerb_ldap?
Thank you.
Regards,
Tom
2010/7/7 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom
It should work if squid sends Negotiate and NTLM authentication requests
to the client. IE6 will ignore the Negotiate request and reply to NTLM,
whereas IE7 and IE8 will respond to Negotiate. With NTLM you will get a
username like Netbios-Domain\user in contrast to user@Kerberos-Realm.
squid_kerb_ldap can deal with this through the -N option e.g.
-N Netbios-Domain@Kerberos-Realm and if you have two domains use
-N Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.
Regards
Markus
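The username shapes Markus describes above (NTLM's Netbios-Domain\user versus Kerberos' user@Kerberos-Realm, the -N Netbios@Realm[:Netbios2@Realm2] mapping, and the -D default realm from his later reply) and the "Domain: NULL ... ERR" outcome in Tom's cache.log are easier to reason about with the mapping logic written out. The following is an added illustration, not squid_kerb_ldap's own code: the option semantics are modelled on the thread, the fail-closed behaviour on a missing realm is an assumption taken from the log lines, realm names are upper-cased as an assumption, and the LDAP group lookup is replaced by a constructed in-memory directory so it runs offline.

```python
"""
Illustration (not squid_kerb_ldap's own code) of the username normalisation
and group check discussed in the thread.  Assumed semantics, taken from the
thread: -N NETBIOS@REALM[:NETBIOS2@REALM2] maps NETBIOS\\user to user@REALM;
-D REALM supplies a realm for a bare username; a user whose realm cannot be
determined is reported with Domain: NULL and fails the group check (ERR).
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the AD group-membership lookup (hypothetical data).
DIRECTORY: Dict[str, Dict[str, set]] = {
    "EXAMPLE.COM": {"Internet Users": {"user1", "alice"}},
    "SUB.EXAMPLE.COM": {"Internet Users": {"bob"}},
}


def parse_netbios_map(spec: Optional[str]) -> Dict[str, str]:
    """Parse a '-N NETBIOS@REALM:NETBIOS2@REALM2' value into {NETBIOS: REALM}."""
    mapping: Dict[str, str] = {}
    if not spec:
        return mapping
    for entry in spec.split(":"):
        netbios, sep, realm = entry.partition("@")
        if not sep or not netbios or not realm:
            raise ValueError(f"bad -N entry: {entry!r}")
        # assumption: NetBIOS names and realms compared case-insensitively
        mapping[netbios.upper()] = realm.upper()
    return mapping


def split_login(login: str, netbios_map: Dict[str, str],
                default_realm: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (user, realm) for the three login shapes squid can pass with %LOGIN."""
    if "\\" in login:                      # NTLM form: NETBIOS\user
        netbios, user = login.split("\\", 1)
        # an unmapped NetBIOS name leaves the realm unknown (None)
        return user, netbios_map.get(netbios.upper())
    if "@" in login:                       # Kerberos form: user@REALM
        user, realm = login.rsplit("@", 1)
        return user, realm.upper()
    # bare username (e.g. winbind "use default domain = yes"): only -D can help
    return login, (default_realm.upper() if default_realm else None)


def check_group(login: str, group: str, netbios_spec: Optional[str] = None,
                default_realm: Optional[str] = None) -> Tuple[str, List[str]]:
    """Mimic the helper's verdict: 'OK' if user is in group@realm, else 'ERR'.

    Also returns the debug lines in the style of the thread's cache.log output.
    """
    user, realm = split_login(login, parse_netbios_map(netbios_spec), default_realm)
    log = [f"Got User: {user} Domain: {realm or 'NULL'}"]
    if realm is None:
        # no realm to resolve the group in: fail closed, as the thread's log shows
        log.append(f"User {user} is not member of group@domain {group}@NULL")
        return "ERR", log
    members = DIRECTORY.get(realm, {}).get(group, set())
    if user in members:
        log.append(f"User {user} is member of group@domain {group}@{realm}")
        return "OK", log
    log.append(f"User {user} is not member of group@domain {group}@{realm}")
    return "ERR", log


if __name__ == "__main__":
    for args in [("user1", "Internet Users"),
                 ("user1", "Internet Users", None, "EXAMPLE.COM"),
                 ("CORP\\user1", "Internet Users", "CORP@EXAMPLE.COM"),
                 ("CORP2\\bob", "Internet Users", "CORP@EXAMPLE.COM:CORP2@SUB.EXAMPLE.COM")]:
        verdict, lines = check_group(*args)
        print(args[0], "->", verdict, "|", " / ".join(lines))
```

The first case reproduces the situation in Tom's log: a bare "user1" with neither a NetBIOS mapping nor a default realm is logged with Domain: NULL and rejected, while the same user passes once -D supplies the realm, and the NTLM forms pass only when their NetBIOS name appears in the -N list.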
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5@xxxxxxxxxxxxxxxxx
Hi
I'm searching for a way to authenticate IE6-clients with ntlm based on
group-membership and all other clients (IE7, IE8) with kerberos (also
group-membership-based).
I'm able to authenticate with kerberos AND group-membership
(squid_kerb_ldap), but the IE6-clients will then prompt for the
squid_kerb_ldap-authentication. If I leave the squid_kerb_ldap-helper
away, then all users are able to authenticate without checking the
group-membership.
How can I achieve a proper single-sign-on
kerberos-authentication (with squid_kerb_ldap) and a
fallback-ntlm-authentication for the IE6-browser (also with checking
group-membership) without prompting for username/password?
Thank you.
Regards
Tom