Could you help me with the Kerberos configuration only? I don't want a fallback.

2015-12-29 16:34 GMT+01:00 L.P.H. van Belle <belle@xxxxxxxxx>:
> Hai,
>
>> ok thanks. I think the system guys use samba and winbind to join linux
>> machines to the domain independently of the services installed
>
> That's good, but if you want fallback and make NTLM work
> ( for only kerberos it's not needed )
>
> You want something like :
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
>   --domain=NTDOMAIN
>
> Or
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth \
>   -s HTTP/proxy.domain.tld@REALM \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
>
> For the --ntlm you MUST install samba, since it's supplied by samba.
>
> And a basic fallback: if the above fails, then this one will give a popup to auth.
>
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
>   -b "ou=Users,dc=internal,dc=domain,dc=tld" \
>   -D bind2ad@User_domain -W /etc/squid/private/secretfile \
>   -f (sAMAccountName=%s) \
>   -h dc2.internal.domain.tld \
>   -h dc1.internal.domain.tld
>
> Above is all tested and running in my production env.
> A few very important pointers.
> 1) make sure your proxy has A and PTR record ( needed for kerberos )
> 2) make sure you have the HTTP/ spn for the hostnames of your proxy servers
> 3) make sure your time is in sync on all servers and clients.
>
> In Samba 4 I did it like this. Login with ssh on a DC.
> kinit Administrator
>
> samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
> samba-tool user setexpiry squid-proxy --noexpiry
> samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
> samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy
>
> # export the keytab.
> samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld. /root/keytabs/proxy1.keytab
>
> check if your hostname has all the SPNs.
> samba-tool spn list proxy1$
> proxy1 is the name in smb.conf
> you must have:
> HOST/PROXY1
> HOST/proxy1.internal.domain.tld.
>
> And make sure you have :
> /etc/default/squid
> KRB5_KTNAME=/etc/squid/proxy1.keytab
> export KRB5_KTNAME
>
> Greetz,
>
> Louis
>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
>> Fabio Bucci
>> Sent: Tuesday, 29 December 2015 16:21
>> To: Eliezer Croitoru
>> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Squid with NTLM auth behind netscaler
>>
>> ok thanks. I think the system guys use samba and winbind to join linux
>> machines to the domain independently of the services installed
>>
>> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
>> > Hey Fabio,
>> >
>> > If you do want to use kerberos you do not need to use winbindd; there are
>> > other options.
>> > (I have not tried them both yet)
>> >
>> > Eliezer
>> >
>> > On 29/12/2015 16:30, Fabio Bucci wrote:
>> >>
>> >> Hi Amos,
>> >> I'm trying to implement kerberos as you suggested me. But following
>> >> the guide I read "Do not use this method if you run winbindd or other
>> >> samba services as samba will reset the machine password every x days
>> >> and thereby makes the keytab invalid !!" and my system guy told me we
>> >> use the winbindd method.
>> >>
>> >> How can I implement it then?
>> >> Thanks
>> >
>> >
>> > _______________________________________________
>> > squid-users mailing list
>> > squid-users@xxxxxxxxxxxxxxxxxxxxx
>> > http://lists.squid-cache.org/listinfo/squid-users
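Louis's three pointers (A and PTR record, HTTP/ SPN, time in sync) plus the exported keytab are exactly what breaks when winbind rotates the machine password behind the keytab's back, and they apply unchanged to a Kerberos-only setup without the NTLM or LDAP fallback. The preflight script below is an added example, not from this thread and not part of Squid or Samba. It assumes MIT Kerberos client tools (klist, kinit, kvno) and glibc getent; the host proxy1.internal.domain.tld, the keytab path /etc/squid/proxy1.keytab and the realm INTERNAL.DOMAIN.TLD are placeholders, and the embedded klist listing is constructed sample data for the offline helpers.

```shell
#!/bin/sh
# squid-krb5-preflight.sh (added example, not from the thread)
# Checks before negotiate_kerberos_auth goes live: (1) A and PTR agree,
# (2) the HTTP/ SPN is in the keytab with a KVNO the KDC still uses,
# (3) the keytab works against the KDC; kinit also fails with
# "Clock skew too great", so it doubles as the time-sync check.
# Assumes MIT krb5 tools (klist, kinit, kvno) and glibc getent.

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Parse MIT "klist -k" output (rows: KVNO Principal); exact match, since
# the SPN must match what Squid asks for byte for byte.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvno KLIST_OUTPUT PRINCIPAL
# Print the highest KVNO stored for PRINCIPAL (0 if absent). A keytab KVNO
# below the KDC's means the account password changed after the export:
# the "samba resets the machine password" failure from the thread.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want && ($1 + 0 > max) { max = $1 + 0 }
        END { print max + 0 }'
}

# names_match A B
# Case-insensitive DNS name compare, ignoring the trailing dot a PTR
# lookup returns (PROXY1.internal.domain.tld. == proxy1.internal.domain.tld).
names_match() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    [ "$a" = "$b" ]
}

# Constructed sample of "klist -k" output (MIT format); not from a real host.
SAMPLE_SPN='HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD'
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD
   3 HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD
   3 HTTP/proxy1@INTERNAL.DOMAIN.TLD'

if [ "$#" -ge 3 ]; then
    # Live mode: ./squid-krb5-preflight.sh FQDN KEYTAB REALM
    fqdn=$1 keytab=$2 realm=$3
    spn="HTTP/$fqdn@$realm"
    rc=0

    # 1) forward and reverse DNS must agree.
    ip=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    ptr=$(getent hosts "$ip" | awk '{ print $2; exit }')
    if [ -n "$ip" ] && names_match "$fqdn" "$ptr"; then
        echo "ok   A/PTR: $fqdn -> $ip -> $ptr"
    else
        echo "FAIL A/PTR: $fqdn -> ${ip:-?} -> ${ptr:-?}"; rc=1
    fi

    # 2) the SPN must be in the keytab.
    listing=$(klist -k "$keytab") || rc=1
    kt_kvno=$(keytab_kvno "$listing" "$spn")
    if keytab_has_principal "$listing" "$spn"; then
        echo "ok   keytab lists $spn (kvno $kt_kvno)"
    else
        echo "FAIL $keytab does not list $spn"; rc=1
    fi

    # 3) prove the keys: kinit from the keytab into a throwaway ccache,
    #    then ask the KDC for a ticket to the SPN and compare its kvno.
    cc=$(mktemp) && export KRB5CCNAME="FILE:$cc"
    if kinit -k -t "$keytab" "$spn"; then
        kdc_kvno=$(kvno "$spn" | awk '{ print $NF }')
        if [ "$kdc_kvno" = "$kt_kvno" ]; then
            echo "ok   KDC accepts keytab, kvno $kdc_kvno is current"
        else
            echo "FAIL kvno mismatch: KDC=$kdc_kvno keytab=$kt_kvno, re-export the keytab"; rc=1
        fi
    else
        echo "FAIL kinit with $keytab failed (wrong keys or clock skew)"; rc=1
    fi
    kdestroy >/dev/null 2>&1; rm -f "$cc"
    exit "$rc"
else
    # No arguments: exercise the offline helpers on the constructed sample.
    if keytab_has_principal "$SAMPLE_KLIST" "$SAMPLE_SPN"; then
        echo "sample: $SAMPLE_SPN present, highest kvno $(keytab_kvno "$SAMPLE_KLIST" "$SAMPLE_SPN")"
    fi
    echo "usage: $0 FQDN KEYTAB REALM"
fi
```

Run it as the user Squid runs under, so a keytab that root can read but the proxy cannot shows up as a kinit failure rather than a silent 407 loop later. The KVNO comparison is the direct test for the winbind problem quoted above: if the account behind the SPN is the machine account and winbind has rotated its password, the KDC's kvno moves ahead of the keytab's, which is why Louis puts the SPN on a separate squid-proxy user whose password nothing rotates.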