Search squid archive

squid 3.3.8 kerberos and ldap auth

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all!

Please help me.

My problem is: I want to setup squid with two auth methods. The first method is: kerberos auth. The second is: BASIC ldap auth as a fail back method for users without a kerberos ticket.

I see that is don't work. When user wants to login without kerberos, browser (IE 8/9/10 ; FF 30/31 ; chrome) asks for a BASIC login and password, after insert a correct login and pass browser ask again for BASIC auth - and again and again. - In access.log I see only 407 code and nothing any and an error about NTLM auth. If I disable kerberos auth , I can use BASIC auth without any problem. Why Windows wants to use NTLM..?

I use samba 4.1.9 as a DC/kerberos server. Kerberos works fine in Windows client, but not good for linux - it get proxy refuse connection from time to time.


I use squid from ubuntu 14.04 repo:

# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

# cat krb5.conf
[libdefaults]
    default_realm = COMPANY.RU
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac



[realms]
        COMPANY.RU = {
        kdc = domainctrl.company.ru
        admin_server = domainctrl.company.ru
    default_domain = COMPANY.RU
}

[domain_realm]
domainctrl.company.ru = COMPANY.RU
.domainctrl.company.ru = COMPANY.RU

# egrep -v '^($|#)' /etc/squid3/squid.conf
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r
auth_param negotiate children  150 startup=20 idle=20
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/basic_pam_auth -n squid -t 300 -o
auth_param basic children 5 startup=5 idle=1
auth_param basic credentialsttl 10800 seconds
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access allow auth
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0      20%    2880
refresh_pattern .        0    20%    4320
# cat /etc/pam.d/squid
auth sufficient pam_krb5.so alt_auth_map=%s@xxxxxxxxxx
account required pam_krb5.so

I have played with BASIC ldap auth with the same result. I have played with krb5.conf without success.

Best regards,
Victor.




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux