Hi

So what you're saying is I should install msktutil and let it manage the squid krb keytab file.

Could you possibly help with the changes to the squid.conf file? Do I leave it as is and just add kerberos first?

On 8 December 2015 at 20:03, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 8/12/2015 7:44 p.m., Alex Samad wrote:
>> Hi
>>
>> Currently using 3.1 (from centos 6)
>> I have set up squid to auth against MS AD
>>
>> I have
>> # #######
>> # Negotiate
>> # #######
>>
>> # http://wiki.squid-cache.org/Features/Authentication
>> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
>> auth_param negotiate program /usr/bin/ntlm_auth
>> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>> auth_param negotiate children 10 startup=0 idle=3
>> auth_param negotiate keep_alive on
>>
>> # #######
>> # NTLM AUTH
>> # #######
>>
>> # ntlm auth
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp --configfile
>> /etc/samba/smb.conf-squid
>> auth_param ntlm children 10
>> #auth_param ntlm children 10 startup=0 idle=3
>> #auth_param ntlm keep_alive
>>
>>
>> # #######
>> # NTLM over basic
>> # #######
>>
>> # warning: basic authentication sends passwords plaintext
>> # a network sniffer can and will discover passwords
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic --configfile
>> /etc/samba/smb.conf-squid
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>> I want to move towards using kerberos, came to this page
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> worked through that, but I saw this
>>
>> Do not use this method if you run winbindd or other samba services as
>> samba will reset the machine password every x days and thereby makes
>> the keytab invalid !!
>>
>
> As I understand it that disclaimer applies only to the "OR with Samba"
> instructions for keytab creation directly above it. The other two
> methods should work.
>
> Also, it is just a disclaimer about a known problem. There is always the
> option to set up a script that re-builds the keytab and reloads Squid
> every X days when it changes.
>
>> I have winbindd running for my users list in linux
>>
>> is there a way around this and if not how
>>
>
> The initial msktutil method of keytab creation is both a way around it
> and the preferred method of keytab creation.
>
> As you found elsewhere ...
>
>> then found this one
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>
>> but I am not using msktutil, I do have samba and the krb-workstation installed
>>
>
> msktutil is just a tool to generate keytabs and link the machine to the
> domain. I *think* it should still be usable even if you have Samba, the
> problem is just that if you let Samba know about the keytab and account
> it will do the periodic updates.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
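A cron-style refresh script of the kind Amos describes above (rebuild the keytab and reload Squid before the AD machine password rotates), added here as an example and not taken from the thread, the Squid wiki, or the Squid project. It assumes msktutil owns a dedicated computer account for the proxy, that the keytab path is a placeholder you replace, and that Squid is reloaded with `squid -k reconfigure`:

```shell
#!/bin/sh
# Added example: refresh the Squid Kerberos keytab before the AD machine
# password ages out, then reload Squid so the helpers reopen the keytab.
# Assumptions (not from the thread): msktutil manages a separate computer
# account for the proxy; the keytab path is a placeholder; run daily from cron.

KEYTAB="${KEYTAB:-/etc/squid/HTTP.keytab}"   # placeholder path, adjust to your setup
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"           # matches msktutil's own --auto-update threshold

# Print the keytab's age in whole days, or -1 if the file is missing.
keytab_age_days() {
    [ -f "$1" ] || { echo -1; return 0; }
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")   # GNU stat, then BSD stat
    echo $(( (now - mtime) / 86400 ))
}

# Exit 0 (true) when a refresh is due: keytab missing, or at least MAX days old.
needs_refresh() {
    [ "$1" -lt 0 ] || [ "$1" -ge "$2" ]
}

# Rotate the machine password and rewrite the keytab, then reload Squid so the
# negotiate helpers are restarted with the new keys.
refresh_keytab() {
    msktutil --auto-update --keytab "$KEYTAB" || return 1
    squid -k reconfigure
}

main() {
    age=$(keytab_age_days "$KEYTAB")
    if needs_refresh "$age" "$MAX_AGE_DAYS"; then
        refresh_keytab
    fi
}

# Only act when invoked as "keytab-refresh.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keep the Squid account out of Samba's view, as Amos notes, so this script is the only thing rotating its password; otherwise the two will fight over the keytab.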