Ok, well. It's not only the squid conf you need, so here is what you need in total. HTTPS, yes, works too, but I don't use sslbump etc. Everything below is based on Debian packages; no source installs are used. (If you need squid 3.5.19 on Debian Jessie amd64 I can share them too; SSL is enabled in my build.) Read through it, see what you can use, and mail if you don't get it.

Below works from Debian's 3.4.8 up to 3.5.19 (tested).

Squid: This is what I have in the auth lines:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@xxxxxxxxxxxxxxxxxxx \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://ad-dc2.internal.domain.tld \
    -H ldaps://ad-dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Auth
auth_param basic credentialsttl 2 hours

The samba smb.conf I'm using with it. About samba: the last update is a complex one, you must configure this correctly for samba and ldap. I'll explain that below.

[global]
workgroup = NTDOMAIN
security = ads
realm = REALM
netbios name = PROXY
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
server signing = mandatory
ntlm auth = no

# Add and update TLS key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/proxy.key.pem
tls certfile = /etc/ssl/local/certs/proxy.cert.pem
tls cafile = /etc/ssl/certs/personal-ca.pem

## map ids outside the domain to tdb files
idmap config *:backend = tdb
idmap config *:range = 2000-9999

## map ids from the domain; the ranges may not overlap!
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# enable offline logins
winbind offline logon = yes
# check depth of nested groups; this slows down your samba if the group depth is too much
winbind expand groups = 4
# disable usershare creation; when set empty there are no error log messages
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

The krb5.conf for this:

[libdefaults]
default_realm = REALM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

For /etc/ldap/ldap.conf (client conf): a correct root CA and client certs setup, needed for samba and ldap clients.

Add in /etc/ldap/ldap.conf (minimal):

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

Set up your own "rootCA" like this (if not done: apt-get install ca-certificates):

mkdir -p /usr/local/share/ca-certificates/yourCArootFolder

Copy your root CA cert (.crt, or it won't be detected) into /usr/local/share/ca-certificates/yourCArootFolder and run:

update-ca-certificates

It MUST BE /usr/local/share/ca-certificates, else it's not picked up by the update-ca-certificates command. You should see:

update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Now, after the above is done, your CA cert is hashed in /etc/ssl/certs and it's added to /etc/ssl/certs/ca-certificates.crt.

For Windows, now set up a GPO to deploy the rootCA to your PCs and you're good to go. How: https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx

This folder, /etc/ssl/local, is advised for your personal certificates. Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs. So create the folders /etc/ssl/local/certs and /etc/ssl/local/private. Much easier to maintain this way.

Some advice on samba/winbind. The above only needs winbind installed, and I do advise 4.4.3; recompile it from Debian SID. Or, if you're on Debian Jessie amd64, you can use my deb files, found here: http://downloads.van-belle.nl/samba4/ Please do read the README.txt

Greetz,

Louis

From: Olivier CALVANO [mailto:o.calvano@xxxxxxxxx]

Hi, thanks for your answer. Does HTTPS work too? Because before we used 3.3.8, but NTLM/Kerberos worked randomly: it worked very well for 1 or 2 days, but after that a lot of users couldn't connect. We updated to 3.5.x and now all HTTPS doesn't work :< Can you help me? If you have a sample of your squid.conf...

regards
olivier

2016-05-11 10:23 GMT+02:00 L.P.H. van Belle <belle@xxxxxxxxx>:

Yes, and it works great.

My setup: Debian Jessie, Squid tested: 3.4.8 up to 3.5.19. I use Kerberos and NTLM and LDAP auth, in that order. Samba 4.4.3 AD DC.

So what do you want to know?

Greetz,

Louis

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Olivier CALVANO

Hi, has anyone actually used squid with NTLM AD authentication? Because it doesn't work really well, and there is no one who responds to problems, it's a shame. Is there commercial support for squid?

Regards
Olivier
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
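Three things in the configuration discussed in this thread are worth a mechanical check before trusting them: the order of the auth_param schemes (Squid offers schemes to clients in the order they first appear in squid.conf, so negotiate must come before basic), the transport the basic_ldap_auth helper uses to reach AD (ldaps:// or -ZZ, never plain ldap://), and TLS_REQCERT in ldap.conf, where "allow" tolerates a bad server certificate. The following linter is an added example written for this page, not code from the thread or from the Squid or Samba projects. The host names, the bind DN (the post redacts the real one), the "weak" counter-example config and the strict ldap.conf are constructed; it only parses text and never contacts Squid, Samba or a domain controller.

```python
"""Lint a Squid auth_param chain and an /etc/ldap/ldap.conf fragment for
weak settings.  Added example, not code from the squid-users thread: it
only inspects configuration text and never contacts Squid, Samba or AD."""
import re
import shlex

# Constructed sample modelled on the thread's auth lines; the bind DN is a
# placeholder (the post redacts it) and the host names are assumed.
SQUID_CONF_GOOD = r"""
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@internal.domain.tld -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s -H ldaps://ad-dc2.internal.domain.tld -H ldaps://ad-dc1.internal.domain.tld
auth_param basic realm Internet Proxy Auth
auth_param basic credentialsttl 2 hours
"""

# Constructed counter-example: basic listed first, cleartext ldap:// with
# no StartTLS, and a Kerberos principal that is not HTTP/<proxy fqdn>.
SQUID_CONF_WEAK = r"""
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 \
    -b "dc=internal,dc=domain,dc=tld" -f sAMAccountName=%s -H ldap://ad-dc1.internal.domain.tld
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s proxy1.internal.domain.tld@REALM
"""

# ldap.conf as posted in the thread (TLS_REQCERT allow) beside the strict form.
LDAP_CONF_WEAK = "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT allow\n"
LDAP_CONF_STRICT = "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT demand\n"


def parse_auth_params(text):
    """Return (scheme, key, args) tuples in file order, after joining
    backslash-continued lines and dropping comments and blank lines."""
    params = []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if len(words) >= 3 and words[0] == "auth_param":
            params.append((words[1], words[2], words[3:]))
    return params


def lint_squid(text):
    """Return findings for the auth chain (an empty list means nothing flagged)."""
    findings = []
    params = parse_auth_params(text)
    # Squid offers schemes to clients in the order they first appear in the
    # config, so negotiate (Kerberos/NTLM) must precede basic (passwords).
    order = []
    for scheme, _, _ in params:
        if scheme not in order:
            order.append(scheme)
    if {"basic", "negotiate"} <= set(order) and order.index("basic") < order.index("negotiate"):
        findings.append("scheme order: basic is offered before negotiate")
    for scheme, key, args in params:
        if key != "program":
            continue
        if scheme == "negotiate" and "-s" in args:
            # The browser asks the KDC for a ticket to HTTP/<proxy fqdn>; a
            # keytab entry for any other principal will never match it.
            principal = args[args.index("-s") + 1]
            if not principal.startswith("HTTP/"):
                findings.append(f"kerberos principal {principal!r} is not an HTTP/ service principal")
        if scheme == "basic" and "-ZZ" not in args:
            for uri in (a for a in args if a.startswith("ldap://")):
                findings.append(f"cleartext {uri} without -ZZ: bind and user passwords cross the wire unencrypted")
    return findings


def lint_ldap_conf(text):
    """Flag TLS_REQCERT values that let an ldaps:// client accept a bad
    server certificate (OpenLDAP's default is demand) and a missing CA."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad server certificate is accepted; use demand")
    if not {"TLS_CACERT", "TLS_CACERTDIR"} & settings.keys():
        findings.append("no TLS_CACERT/TLS_CACERTDIR: server certificates cannot be verified")
    return findings


if __name__ == "__main__":
    print("squid good:", lint_squid(SQUID_CONF_GOOD) or "ok")
    print("squid weak:", lint_squid(SQUID_CONF_WEAK))
    print("ldap.conf weak:", lint_ldap_conf(LDAP_CONF_WEAK))
    print("ldap.conf strict:", lint_ldap_conf(LDAP_CONF_STRICT) or "ok")
```

Point the two lint functions at your real squid.conf and ldap.conf text to get the same findings for your own setup. The linter deliberately stops at what can be read from the files: the mode of the -W bind-password file and the presence of the HTTP/ principal in /etc/krb5.keytab still need to be confirmed on the box itself (ls -l on the file, klist -k on the keytab).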