On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version: Squid 3.4.8
>>>
>>> OS Version: Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have the basics
>>> operating, at least when I start the squid service, I am no longer
>>> getting any error messages. At this time, the goal is to authenticate users
>>> from Active Directory and log the user and the websites they are accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
>>> workstation to use the Squid proxy, I am getting the log in page (image below).
>>>
>>> imap://emz@xxxxxxxxxxxxxxxxxx:143/fetch%3EUID%3E/INBOX/maillists/squid-users%3E58459?header=quotebody&part=1.1.2&filename=image001.png
>>>
>>> I have tried entering my user name in various forms EXAMPLE/USERID, USERID,
>>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR and the password and I have not been
>>> successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files for
>>> review. If you would like to see the cache.log file, please contact me as the
>>> file is too large to include in this post.
>>>
>>>
>> I suggest you first get Basic and NTLM working with Active Directory, and only
>> then, having these 2 schemes working, you move to the GSS-SPNEGO scheme. This is
>> because the GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it uses
>> lots of components and can fall apart easily at any stage.
>>
>
> I suggest also using a current Firefox release. I am finding the 4x's
> series work a lot better than the earlier 3x's did on Windows 7.
>
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
> Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
>
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
>

Also, since you are using what looks to be an outdated copy-n-paste of
the Squid official wiki article on Windows AD integration, not the
living-document original itself, you missed seeing one critical detail
about winbind bugs on Debian that came to light a few months back.

<http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory?highlight=%28winbind%29#NTLM>
or
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users