squid 3.5.10 samba4 kerberos few questions (Debian Jessie)

Hi,

I'm running the following:

Debian Jessie, squid 3.5.10 (recompiled from sid) with ICAP and authorisation against a Samba 4 AD DC.

Let me begin by saying: this works great! So now my questions, and the conf part for this.

I am using the following authentication methods.

First Kerberos:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

And this also works:

#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I use basic auth as fallback.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h samba4-dc2.internal.domain.tld \
    -h samba4-dc1.internal.domain.tld

I know the following:

## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
##    Fallback to LDAP for NON WINDOWS, NON DOMAIN JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED to the domain will always end up with a user popup for auth,
##    which will always fail because of the NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticate Windows PCs that are not domain joined.

When people access websites I see a lot of TCP_DENIED/407, sometimes about 10-12 times, even when the user has already accessed the website and is authenticated.

Is this because of PC auth, or user auth, or by design, as I read here:

http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html

acl AuthRequest http_status 407
access_log ... !AuthRequest ...

Is this the only solution to reduce the 407s, or am I missing some setting here?

If you need more info, just ask.

Greetz,

Louis
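Added example (not part of Louis's post and not Squid's own code): a small Python script that parses squid native access.log lines and reports, per client, how many of its requests were TCP_DENIED/407 challenges and whether those challenges came in unbroken runs. The log lines embedded in it are constructed, and the field layout it assumes is the squid 3.x native format (timestamp, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, content type). It also implements, as a plain list filter, what the `acl AuthRequest http_status 407` / `access_log ... !AuthRequest` pair does at logging time, so the two views can be compared: a 407 followed by an authenticated request from the same client is the expected Negotiate/NTLM handshake on a fresh connection, whereas a run of 407s with nothing authenticated in between is the popup-and-fail loop described above for non-joined Windows PCs. The run length used to flag such a loop is an assumed cut-off, not a Squid setting.

```python
"""Per-client summary of TCP_DENIED/407 challenges in a squid native access.log.

Added example, not code from the original post or from Squid. The log lines
below are constructed; the field layout assumed is the squid 3.x native
access.log format.
"""
from collections import defaultdict
import re

# squid native log: time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: 192.0.2.10 (domain joined, Kerberos) gets one 407 per new
# connection and then succeeds; 192.0.2.20 (NTLM failing) loops on 407;
# 192.0.2.30 falls back to basic auth and succeeds.
SAMPLE_LOG = """\
1447170650.101      0 192.0.2.10 TCP_DENIED/407 3695 GET http://www.example.com/ - HIER_NONE/- text/html
1447170650.118     45 192.0.2.10 TCP_MISS/200 5123 GET http://www.example.com/ alice@KERB.REALM HIER_DIRECT/203.0.113.5 text/html
1447170651.201      0 192.0.2.10 TCP_DENIED/407 3695 GET http://www.example.com/style.css - HIER_NONE/- text/html
1447170651.230     12 192.0.2.10 TCP_MISS/200 812 GET http://www.example.com/style.css alice@KERB.REALM HIER_DIRECT/203.0.113.5 text/css
1447170660.004      0 192.0.2.20 TCP_DENIED/407 3695 GET http://www.example.net/ - HIER_NONE/- text/html
1447170660.050      0 192.0.2.20 TCP_DENIED/407 3695 GET http://www.example.net/ - HIER_NONE/- text/html
1447170660.091      0 192.0.2.20 TCP_DENIED/407 3695 GET http://www.example.net/ - HIER_NONE/- text/html
1447170660.133      0 192.0.2.20 TCP_DENIED/407 3695 GET http://www.example.net/ - HIER_NONE/- text/html
1447170670.300      0 192.0.2.30 TCP_DENIED/407 3695 GET http://www.example.org/ - HIER_NONE/- text/html
1447170670.340     30 192.0.2.30 TCP_MISS/200 2048 GET http://www.example.org/ bob HIER_DIRECT/203.0.113.7 text/html
"""


def parse_log(text):
    """Parse native-format lines in log order; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def drop_auth_challenges(entries):
    """Equivalent of `acl AuthRequest http_status 407` plus `access_log ... !AuthRequest`:
    the challenges disappear from the log, the authenticated requests remain."""
    return [e for e in entries if e["status"] != 407]


def summarize(entries, loop_threshold=3):
    """Per client: requests, 407 challenges, authenticated replies and the longest
    run of consecutive 407s. A client whose longest run reaches loop_threshold
    (an assumed cut-off) is flagged as stuck in a challenge loop."""
    per_client = defaultdict(lambda: {"requests": 0, "challenges": 0,
                                      "authenticated": 0, "longest_challenge_run": 0})
    current_run = defaultdict(int)
    for e in entries:
        stats = per_client[e["client"]]
        stats["requests"] += 1
        if e["status"] == 407:
            stats["challenges"] += 1
            current_run[e["client"]] += 1
            stats["longest_challenge_run"] = max(stats["longest_challenge_run"],
                                                 current_run[e["client"]])
        else:
            # any non-407 reply ends the run; a user name means the helper accepted it
            current_run[e["client"]] = 0
            if e["user"] != "-":
                stats["authenticated"] += 1
    for stats in per_client.values():
        stats["challenge_loop"] = stats["longest_challenge_run"] >= loop_threshold
    return dict(per_client)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("lines: %d, without 407s: %d" % (len(log), len(drop_auth_challenges(log))))
    for client, stats in summarize(log).items():
        print(client, stats)
```

Run it against a real log with `parse_log(open("/var/log/squid/access.log").read())`; a domain-joined client that authenticates cleanly shows a challenge count close to its number of new connections and a longest run of 1, while a client that only ever shows a growing run of 407s and zero authenticated replies is the one to look at in cache.log with the helper's `-d` debugging enabled.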
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
