Re: squid auth

Hi Alex,

  Yes, I am talking about the AD computer account password.

Markus


"Alex Samad" wrote in message news:CAJ+Q1PVw1rrSvMUjzqbp_QNUAVwN=r7rqRg0Lt94hv3V3o9ekA@xxxxxxxxxxxxxx...

So when I do kinit I should use a different account to the Samba one.

I'm lost, sorry.

When I attach with winbind, I kinit with my personal admin account and
also do a net ads join -U <admin account>.

The password on the <admin account> doesn't / hasn't changed.

Are you talking about the computer account password?

If so, then I set up a different computer account for the Squid
Kerberos application!


On 9 December 2015 at 07:20, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi,

  The issue appears if you use the same AD account for Samba and the
Kerberos keytab creation, as Samba will reset the password of the AD
account and thereby invalidate the extracted keytab.

Markus


"Alex Samad"  wrote in message
news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qFNEwMMGA@xxxxxxxxxxxxxx...


Hi

So what you're saying is I should install msktutil and let it manage
the Squid krb keytab file.


Could you possibly help with the changes to the squid.conf file? Do I
leave it as is and just add Kerberos first?


On 8 December 2015 at 20:03, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 8/12/2015 7:44 p.m., Alex Samad wrote:

Hi

Currently using 3.1 (from CentOS 6).
I have set up Squid to auth against MS AD.

I have
# #######
# Negotiate
# #######

# http://wiki.squid-cache.org/Features/Authentication
# http://wiki.squid-cache.org/Features/NegotiateAuthentication
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 10 startup=0 idle=3
auth_param negotiate keep_alive on

# #######
# NTLM AUTH
# #######

# ntlm auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 10
#auth_param ntlm children 10 startup=0 idle=3
#auth_param ntlm keep_alive


# #######
# NTLM over basic
# #######

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


I want to move towards using Kerberos, so I came to this page:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Worked through that, but I saw this:

Do not use this method if you run winbindd or other samba services as
samba will reset the machine password every x days and thereby makes
the keytab invalid !!



As I understand it that disclaimer applies only to the "OR with Samba"
instructions for keytab creation directly above it. The other two
methods should work.

Also, it is just a disclaimer about a known problem. There is always the
option to setup a script that re-builds the keytab and reloads Squid
every X days when it changes.


I have winbindd running for my user list in Linux.

Is there a way around this, and if not, how?


The initial msktutil method of keytab creation is both a way around it
and the preferred method of keytab creation.

As you found elsewhere ...

then found this one

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

but I am not using msktutil; I do have Samba and krb5-workstation
installed.


msktutil is just a tool to generate keytabs and link the machine to the
domain. I *think* it should still be usable even if you have Samba; the
problem is just that if you let Samba know about the keytab and account
it will do the periodic updates.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



