adding this back to the mailing list, for the benefit of those who
search for it.
i do not have simple and easy to use instructions for mac os x and linux
participation in AD. it is not a simple task. on linux, you will need
to look into SSSD (Simple Security Services Daemon) and understand that
process.
i have a mac for work, and it is a domain member object, so i know it
can be done. i dont know how it is done, and would think there are
internet articles that you can search for on the subject.
On 03/09/2017 02:13 PM, Rafael Akchurin wrote:
Hello Brendan,
Yes by default we have NTLM disabled :)
Unfortunately we must keep the proxy solution in parity with DC capabilities in AD which luckily still support NTLM authentication through LDAP.
This allows us to relay the tokens without Samba as I described in previous mail.
BTW if you could share the ready to use (simple) instructions to have Kerberous auth supported ftom Mac/iPhone/iPad and Linux (Ubuntu/CentOS) it would be beneficial to all.
Best regards,
Rafael Akchurin
Op 9 mrt. 2017 om 19:47 heeft Brendan Kearney <bpk678@xxxxxxxxx> het volgende geschreven:
On 03/09/2017 01:17 PM, Rafael Akchurin wrote:
The thing is, when you got some machines in your network which are not joined to the domain (think apple, linux) you still need NTLM support on proxy :(
And having full blown Samba just because of those few is too much of admin's hassle - so we had to write NTLM relay that would rebind to domain controller with LDAP protocol passing NTLM token back and forth.
Joining Squid proxy to the domain (which is required to authenticate using Samba/NTLM) also prevents from successful reverts from vm snapshots after 30 days and requires rejoin - thus preventing us from creating easily provisioned/thrown away scalable web filter / proxy instances (think docker).
Best regards,
Rafael Akchurin
Op 9 mrt. 2017 om 19:09 heeft Mike Surcouf <mikes@xxxxxxxxxxxxx> het volgende geschreven:
Ah OK sorry
I am curious why you have a reason to use NTLM over Kerberos? :-)
-----Original Message-----
From: Rafael Akchurin [mailto:rafael.akchurin@xxxxxxxxxxxx]
Sent: 09 March 2017 18:01
To: Mike Surcouf
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: microsoft edge and proxy auth not working
Hello Mike,
I specifically was debugging our NTLM implementation with Edge :)
Kerberos works just fine, you are correct.
Best regards,
Rafael Akchurin
Op 9 mrt. 2017 om 18:57 heeft Mike Surcouf <mikes@xxxxxxxxxxxxx> het volgende geschreven:
Hi Rafael
Is there any reason you can't use Kerberos.
Note you will need to create a keytab but the setup is not that hard and in the docs.
I use it very successfully on window AD network.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 20
auth_param negotiate keep_alive on
Thanks
Mike
-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx]
On Behalf Of Rafael Akchurin
Sent: 09 March 2017 17:01
To: Amos Jeffries; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: microsoft edge and proxy auth not working
Hello Amos, Markus, all,
Just as a side note - I also suffered from this error sometime before with Edge and our custom NTLM relay to domain controllers (run as auth helper by Squid). The strange thing it went away after installing some (unknown) Windows update.
I do have the "auth_param ntlm keep_alive off" in the config though.
It all makes me quite suspicious the error was/is in Edge or in my curly hands.
Best regards,
Rafael Akchurin
Diladele B.V.
-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx]
On Behalf Of Amos Jeffries
Sent: Thursday, March 9, 2017 5:12 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: microsoft edge and proxy auth not working
On 8/03/2017 11:28 p.m., Rietzler, Markus (RZF, Aufg 324 /
<RIETZLER_SOFTWARE>) wrote:
i should add that we are using squid 3.5.24.
Try with "auth_param ntlm keep_alive off". Recently the browsers have been needing that.
Though frankly I am surprised if Edge supports NTLM at all. It was deprecated in April 2006 and MS announced removal was being actively pushed in all thier software since Win7.
-----Ursprüngliche Nachricht-----
Von: Rietzler, Markus
we have some windows 10 clients using microsoft edge browser.
access to internet is only allowed for authenticated users. we are
using samba/winbind auth
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5- ntlmssp auth_param ntlm children 64
startup=24 idle=12 auth_param ntlm keep_alive on acl auth_user
proxy_auth REQUIRED
on windows 10 clients with IE11 it is working (with ntlm automatic
auth) on the same machine, with Microsoft edge I get TCP_Denied/407 message.
seems I only get one single TCP_DENIED/407 line in accesslog and an
auth dialog pops up. I have disabled basic auth via ntlm.
shouldn't there be 3 lines for proxy auth? with IE11 I see those
three lines (2x TCP_DENIED/407 and 1x TCP_MISS/200), no popup at all.
Not specifically. There should be 1+ for NTLM. Success with NTLM shows
2+. Failure shows 1 or 3 or infinite loop (hello Safari and Firefox 30-ish).
winbind/samba itself seems to work, as I can do an user auth against
apache with winbind/samba - even over some squid proxies with
connection-auth allowed. but not for proxy-auth.
is there any option in squid.conf which prevents Edge to do a
successful auth?
If other software succeeds then the only thing that might be related is the keep-alive option mentioned above. Otherwise the problem is in Edge itself.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
mac os x and linux can be joined to the domain and use kerberos auth. it sounds like you have a "dont want to" situation, instead of a "cannot" situation there.
when both kerberos and ntlm are advertised as supported by the proxy, the client will negotiate which auth method is used. when both the client and the proxy support kerberos, that will be used. if the client is then not able to pull a ticket from the directory to satisfy the kerberos auth to the proxy, the auth fails. the fall back to ntlm as the auth method will not occur in this situation.
ntlm will only be used if one or both of the parties does not support kerberos, and therefore the negotiated auth method chosen is not kerberos.
in Edge, disable the IWA (Integrated Windows Authentication) under Advanced settings, and close/relaunch any browser windows. this should get you using only ntlm. effectively, you are forcing the client to not support kerberos and preventing that auth method from being negotiated for use.
hth,
brendan
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
