Hello list,
I need your help with Squid proxy (3.5) NTLM auth; the aim is to use SSO for my Windows clients. My Windows clients are using Active Directory running on a Samba4 PDC. I set up LDAP basic auth in a development environment; now I want to achieve SSO (using NTLM?). The documentation on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm doesn't really help me enough (given my knowledge of Squid and the forms of authentication/Samba).
Tests:

-> testing Kerberos: I'm able to obtain (kinit) tickets and list them (klist)

root@xxx-testproxy01:~# kinit Administrator
Password for Administrator@X-XXX.LOCAL:
root@xxx-testproxy01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@X-XXX.LOCAL

Valid starting       Expires              Service principal
2017-05-09 08:43:25  2017-05-09 18:43:25  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
        renew until 2017-05-10 08:43:21

-> testing Samba: I joined my domain X-XXX. Test support for NTLM:

root@xxx-testproxy01:~# wbinfo -a testuser%xxxxxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@xxx-testproxy01:~# wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded
root@xxx-testproxy01:~# wbinfo -g
X-XXX\cert publishers
...
X-XXX\webusers

-> Testing the NTLM helper: Now here's my problem.

root@xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
SPNEGO request [testuser xxxxxxxxxxx] invalid prefix
BH SPNEGO request invalid prefix
root@xxx-testproxy01:~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxxxxx
x-xxx\testuser xxxxxxxxxxx
OK

What is ntlmssp? I read about both helpers in tutorials. If I need both, why do I need both? My Squid is starting as it should, the logs look normal, and the pop-up for authentication appears as well, but I can't log in. I shouldn't need to authenticate in the first place because it should use SSO. What is missing/faulty?

The rest of the Squid config is basic stuff:

auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp --username=testuser --password=Passme123
...
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic --username=testuser --password=Passme123
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
...
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localnet
http_access allow localhost manager
http_access deny !auth
http_access allow auth
http_access deny all
...
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

Does anyone know further? Thanks in advance.

- Kevin
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
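Added example, not part of the post above and not Squid's or Samba's own code: a small Python model of the request-line format the squid-2.5-ntlmssp helper expects, showing why typing "DOMAIN\user password" straight into the helper (as in the test above) gets "BH ... invalid prefix". Squid sends the helper "YR <base64 NTLMSSP Type 1>" to start an exchange and "KK <base64 NTLMSSP Type 3>" to verify the client's response; the "PASS" status, the reason strings and the negotiate-flags value are this model's own assumptions, and the real helper hands a well-formed token to winbind and replies TT/AF/NA.

```python
import base64
import struct

# Request prefixes defined by the squid-2.5-ntlmssp helper protocol and the
# NTLMSSP message type each one must carry:
#   "YR <base64 Type 1>"  starts an exchange (helper answers "TT <Type 2>")
#   "KK <base64 Type 3>"  verifies the client's response ("AF user" / "NA")
REQUEST_PREFIXES = {"YR": 1, "KK": 3}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def check_helper_line(line):
    """Validate one request line the way the helper front-end does.

    Returns ("BH", reason) for malformed input, mirroring the real helper's
    BH reply, or ("PASS", detail) when the line is well-formed and would be
    handed on to winbind. "PASS" and the reason texts are this model's own.
    """
    parts = line.strip().split(" ", 1)
    prefix = parts[0]
    if prefix not in REQUEST_PREFIXES:
        # A hand-typed "DOMAIN\user password" line lands here.
        return "BH", "invalid prefix"
    if len(parts) < 2:
        return "BH", "missing token"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return "BH", "token is not base64"
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        return "BH", "not an NTLMSSP message"
    msg_type = struct.unpack_from("<I", token, 8)[0]
    want = REQUEST_PREFIXES[prefix]
    if msg_type != want:
        return "BH", "expected NTLMSSP type %d, got %d" % (want, msg_type)
    return "PASS", "NTLMSSP type %d token, %d bytes" % (msg_type, len(token))


def build_ntlm_type1(flags=0xE2088297):
    """Constructed minimal NTLMSSP NEGOTIATE (Type 1) message: signature,
    message type, negotiate flags (assumed value) and empty buffers."""
    empty_buf = struct.pack("<HHI", 0, 0, 32)  # length, max length, offset
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + empty_buf * 2


def type1_request_line():
    """The line Squid itself sends to the helper at the start of an exchange."""
    return "YR " + base64.b64encode(build_ntlm_type1()).decode("ascii")


if __name__ == "__main__":
    print(check_helper_line("x-xxx\\testuser xxxxxxxxxxx"))  # ('BH', 'invalid prefix')
    print(check_helper_line(type1_request_line()))          # ('PASS', ...)
```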