On 8/12/2015 7:44 p.m., Alex Samad wrote:
> Hi
>
> Currently using 3.1 (from centos 6)
> I have set up squid to auth against MS AD
>
> I have
> # #######
> # Negotiate
> # #######
>
> # http://wiki.squid-cache.org/Features/Authentication
> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 10 startup=0 idle=3
> auth_param negotiate keep_alive on
>
> # #######
> # NTLM AUTH
> # #######
>
> # ntlm auth
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
> auth_param ntlm children 10
> #auth_param ntlm children 10 startup=0 idle=3
> #auth_param ntlm keep_alive
>
>
> # #######
> # NTLM over basic
> # #######
>
> # warning: basic authentication sends passwords plaintext
> # a network sniffer can and will discover passwords
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
> I want to move towards using kerberos come to this page
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> worked through that, but I saw this
>
> Do not use this method if you run winbindd or other samba services as
> samba will reset the machine password every x days and thereby makes
> the keytab invalid !!

As I understand it that disclaimer applies only to the "OR with Samba" instructions for keytab creation directly above it. The other two methods should work.

Also, it is just a disclaimer about a known problem. There is always the option to set up a script that re-builds the keytab and reloads Squid every X days when it changes.
>
> I have winbindd running for my users list in linux
>
> is there a way around this and if not how
>

The initial msktutil method of keytab creation is both a way around it and the preferred method of keytab creation. As you found elsewhere ...

> then found this one
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> but I am not using msktutil, I do have samba and the krb-workstation installed
>

msktutil is just a tool to generate keytabs and link the machine to domain. I *think* it should still be usable even if you have Samba, the problem is just that if you let Samba know about the keytab and account it will do the periodic updates.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
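
The reply above mentions a script that re-builds the keytab and reloads Squid when it changes. The following is an added example of such a script, not code from the thread or from the Squid project. The file paths, the `REBUILD_CMD` hook, the return codes and the refusal to use a world-accessible keytab are all assumptions made for this example.

```sh
#!/bin/sh
# Added example: reload Squid only when the Kerberos keytab has changed.
# Assumed, not from the thread: the paths below and running this from cron.
KEYTAB="${KEYTAB:-/etc/squid/HTTP.keytab}"
STATE="${STATE:-/var/lib/squid/keytab.sha256}"
# Optional command that regenerates the keytab (site-specific, so empty here).
REBUILD_CMD="${REBUILD_CMD:-}"
RELOAD_CMD="${RELOAD_CMD:-squid -k reconfigure}"

# The "other" permission characters from ls -l, e.g. "---" for mode 0640.
keytab_other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Returns: 0 = changed and Squid reloaded, 1 = unchanged,
#          2 = keytab unusable or a command failed, 3 = keytab world-accessible.
sync_keytab() {
    kt=$1 st=$2
    if [ -n "$REBUILD_CMD" ]; then
        $REBUILD_CMD || return 2
    fi
    [ -s "$kt" ] && [ -r "$kt" ] || return 2
    # A keytab holds the service's long-term keys: refuse if "other" has access.
    [ "$(keytab_other_perms "$kt")" = "---" ] || return 3
    new=$(sha256sum "$kt" | cut -d' ' -f1)
    old=$(cat "$st" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    # Reload first; record the digest only once the reload succeeded,
    # so a failed reload is retried on the next run.
    $RELOAD_CMD || return 2
    printf '%s\n' "$new" > "$st"
    return 0
}

# Run only when asked to, e.g. from cron: keytab-sync.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_keytab "$KEYTAB" "$STATE"
    rc=$?
    [ "$rc" -le 1 ] || echo "keytab sync failed (code $rc)" >&2
    [ "$rc" -le 1 ]; exit $?
fi
```

Only a SHA-256 digest of the keytab is stored in the state file, never a copy of the keytab itself.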