> > On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> > Hi All,
> > I've been following the guide at this location for Active Directory integration
> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
> >
> > First, some versions for sanity..
> > Ubuntu : 14.04.3 LTS
> > Squid : 3.3.8 (from ubuntu repositories)
> > Samba : 4.1.6-Ubuntu
> > DC : Windows Server 2012 R2
> >
> > I am currently testing the authentication, negotiate kerberos and basic ldap are
> > both working correctly. However ntlm is not and I don't seem to be making any
> > progress on debugging further.
>
> Date: Tue, 20 Oct 2015 18:06:17 +1300
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>
> Your version of Squid has big problems with (4) and some with (2), and
> your DC server version has big problems with (1) and (3).
>
> Amos

Hi Amos,

Thank you for your detailed answer.

So what is the best way to authenticate users in a mixed environment? I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome - plus various mobile devices.

I've tried getting rid of ntlm and just using negotiate kerberos and ldap for basic, is that all I need?

On the non-domain joined PCs, if I disable 'Enable Integrated Windows Authentication', they now correctly use basic ldap.

My config now looks like..

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

Does that look ok?
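
A small offline check of the configuration posted above, added here as an example and not part of the original thread. It relies on two facts about Squid that the message does not state: authentication schemes are offered to clients in the order they first appear in squid.conf, and the LDAP helpers accept `-Z` (TLS) and `-H <ldapuri>`. The function names and the sample text, copied from the message, are constructed for illustration.

```python
import shlex

# Constructed sample: directives copied from the message above.
SAMPLE_CONF = r'''
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic realm Internet Proxy
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
'''
LDAP_HELPERS = ("basic_ldap_auth", "ext_ldap_group_acl")

def scheme_order(conf):
    """Schemes in order of first appearance, i.e. the order Squid offers them."""
    order = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth_param" and parts[1] not in order:
            order.append(parts[1])
    return order

def ldap_helpers(conf):
    """Yield (helper_name, helper_args) for each LDAP helper command line."""
    for line in conf.splitlines():
        if line.lstrip().startswith("#") or not any(h in line for h in LDAP_HELPERS):
            continue
        argv = shlex.split(line)
        for i, tok in enumerate(argv):
            if tok.endswith(LDAP_HELPERS):
                yield tok.rsplit("/", 1)[-1], argv[i + 1:]
                break

def audit(conf):
    """Return (scheme order, findings). Heuristic checks only."""
    findings = []
    order = scheme_order(conf)
    if "basic" in order and order.index("basic") != len(order) - 1:
        findings.append("basic is offered before a stronger scheme")
    if "ntlm" in order:
        findings.append("ntlm scheme is still configured")
    for name, args in ldap_helpers(conf):
        uri = args[args.index("-H") + 1] if "-H" in args[:-1] else ""
        if "-Z" not in args and not uri.startswith("ldaps://"):
            findings.append(f"{name}: LDAP bind without -Z or ldaps:// (cleartext)")
    return order, findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

On the posted configuration this reports the scheme order as negotiate then basic, and flags both LDAP helpers because they bind to `dc1.domain.local` with `-h` and neither `-Z` nor an `ldaps://` URI.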