On 2015-10-21 15:38, Ilias Clifton wrote:
On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> Hi All,
> I've been following the guide at this location for Active Directory integration
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> First, some versions for sanity..
> Ubuntu : 14.04.3 LTS
> Squid : 3.3.8 (from ubuntu repositories)
> Samba : 4.1.6-Ubuntu
> DC : Windows Server 2012 R2
>
> I am currently testing the authentication; negotiate kerberos and basic ldap are
> both working correctly. However ntlm is not, and I don't seem to be making any
> progress on debugging further.
Date: Tue, 20 Oct 2015 18:06:17 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Your version of Squid has big problems with (4) and some with (2), and
your DC server version has big problems with (1) and (3).
Amos
Hi Amos,
Thank you for your detailed answer.
So what is the best way to authenticate users in a mixed environment?
I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
plus various mobile devices.
I've tried getting rid of ntlm and just using negotiate kerberos and
ldap for basic, is that all I need?
I believe that's at least very close to the solution. Getting rid of
NTLM is something that needs to happen at the client end though, so IE
does not attempt to use it over the Negotiate scheme.
On the non-domain joined PCs, if I disable 'Enable Integrated Windows
Authentication', they now correctly use basic ldap.
And that's the way to do it IIRC. Someone more familiar may know a better
way.
My config now looks like..
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes
### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
Does that look ok?
Looks reasonable for a small installation. If you have a medium to large
network you may find Squid mentioning queue issues and requesting more
helper children be configured. Simply increasing the numbers there
should resolve that.
Amos
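As an added example that is not part of the thread, the Python below expands the group filter from the posted ext_ldap_group_acl template: %v and %g are the helper's login and group placeholders as used in the posted config, the OU and DC values are the posted ones, and the RFC 4515 escaping is the example's own addition, showing how a login containing filter metacharacters still yields a single well-formed query.

```python
# Added example (not from the squid-users thread): expand the ext_ldap_group_acl
# -f template posted above the way the helper substitutes %v (login) and %g
# (group), with RFC 4515 escaping of the substituted values. The template, OU
# and DC values are the posted ones; the escaping is this example's own and
# says nothing about what the helper itself does internally.

FILTER_TEMPLATE = (
    "(&(objectclass=person)(sAMAccountName=%v)"
    "(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))"
)

# RFC 4515 section 3: characters that must be encoded as \XX inside an
# assertion value so they are matched literally and cannot alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an LDAP filter assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_group_filter(login: str, group: str) -> str:
    """Substitute %v and %g into the posted template with escaped values."""
    return (FILTER_TEMPLATE
            .replace("%v", escape_filter_value(login))
            .replace("%g", escape_filter_value(group)))


def filter_is_balanced(ldap_filter: str) -> bool:
    """Sanity check: parentheses balance and depth never goes negative."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample logins: an ordinary one and one containing filter
    # metacharacters, which the escaping turns into literal matches.
    for login in ("jsmith", "smith)(*"):
        expanded = expand_group_filter(login, "Internet-Users")
        print(expanded, "balanced" if filter_is_balanced(expanded) else "UNBALANCED")
```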
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users