
Re: Has anyone seen v3.5.x.x authentication work in an all windows environment?

On 03.07.2017 at 09:43, Todd Pearson wrote:

I have spent the past few days working to get the latest version working in an all windows environment. I am unable to get kerberos authentication to work. I am struggling with getting the keytab file correct.
Wondering if there is anyone who has seen it actually work in an all windows environment. I have had an earlier version (v2.X stable) with NTLM authentication, but unfortunately I do not have the binaries to implement in v3.5.x.x.

I continue to struggle to find the secret formula for SPN and keytab.

Thanks,
Todd


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


Hi,

I have 4 squid servers, 3 of them are 3.5.9 on centos 7.x. Everything is working fine, both pure NTLM and NEGOTIATE helpers are working flawlessly. I've created a local group on the squid servers, like keytab-readers, then:
chown root:keytab-readers /etc/krb5.keytab
chmod 740 /etc/krb5.keytab
and added squid to keytab-readers.

Squid clients are windows workstations, mostly 8.1 and 10.

Why do you need to have Squid on a Windows server so badly? Less documentation, less support. And nowadays, my guess is almost every MS security update can break things.

My guess is when you're using squid on a Windows server, you have to do one of the following:
1. Run squid as the NT AUTHORITY/SYSTEM or NT AUTHORITY/NETWORK SERVICE account and put the SPN squid_accessible_name on the AD machine account. So, if your squid DNS name is squidproxy.corpo.local and your server name is srvSquid01.corpo.local, machine account srvSquid01$ has to have the HOST/squidproxy SPN as well.
2. Run squid as a dedicated domain account (user account). Create a user like "squid01", give it all necessary permissions on the squid server and then give this user the SPN. And there's the problem: what kind of SPN in this configuration... I would say HTTP/squidproxy, and then in DNS you'll have to have presumably a CNAME (not A) pointing squidproxy to srvSquid01.corpo.local. And domain user squid01 will have to have read access to the keytab, and the keytab will have to have appropriate content (it should be a user keytab, not a machine keytab).

https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on
-- 
Greets, Dijx
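A worked version of option 2 above (dedicated domain account, HTTP/ SPN, user keytab), as an added example that is not part of Dijx's reply or of the Squid project. It uses the names from the reply (corpo.local, squidproxy, srvSquid01, squid01); the NetBIOS domain name, the keytab output path and the password prompt are placeholders. It assumes a domain-joined admin host with RSAT (ActiveDirectory and DnsServer modules) and the setspn/ktpass/icacls tools that ship with Windows.

```powershell
# Added example, not code from the squid-users thread: provision the dedicated
# service account, register its SPN, publish the DNS alias and export a *user*
# keytab for Squid. Run from an elevated PowerShell on a domain-joined host.

$Domain    = 'corpo.local'
$Realm     = $Domain.ToUpper()            # CORPO.LOCAL
$NetBios   = 'CORPO'                      # placeholder: NetBIOS domain name
$SvcUser   = 'squid01'                    # dedicated service account
$ProxyName = 'squidproxy'                 # name clients put in the SPN
$ProxyFqdn = "$ProxyName.$Domain"
$SquidHost = "srvSquid01.$Domain"         # the box Squid actually runs on
$Spn       = "HTTP/$ProxyFqdn"
$Keytab    = 'C:\keytabs\squid01.keytab'  # placeholder output path

Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Service account: AES-only, non-expiring password, no extra group memberships.
#    The password set here is replaced by ktpass in step 4; it only has to exist.
$pw = Read-Host -AsSecureString "Initial password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$Domain" -AccountPassword $pw `
    -PasswordNeverExpires $true -Enabled $true
Set-ADUser -Identity $SvcUser -KerberosEncryptionType AES256

# 2. SPN: stop if HTTP/squidproxy is already registered on any other account.
#    With a duplicate SPN the KDC may encrypt service tickets with the other
#    account's key, and Squid then rejects every client.
$q = setspn -Q $Spn
if ($q -match 'Existing SPN found') { throw "$Spn already registered:`n$q" }
setspn -S $Spn $SvcUser                    # -S (not -A) also refuses duplicates

# 3. DNS: the alias clients use, pointing at the real host.
Add-DnsServerResourceRecordCName -ZoneName $Domain -Name $ProxyName `
    -HostNameAlias $SquidHost

# 4. User keytab (KRB5_NT_PRINCIPAL, AES256 only). ktpass resets the account
#    password and raises the kvno, so any older keytab for squid01 stops
#    working the moment this runs. /pass * prompts instead of putting the
#    password on the command line.
New-Item -ItemType Directory -Force -Path (Split-Path $Keytab) | Out-Null
ktpass /princ "$Spn@$Realm" /mapuser "$SvcUser@$Realm" `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out $Keytab

# 5. The keytab is equivalent to the account's password: strip inherited ACEs
#    and grant read only to the service account (plus admins).
icacls $Keytab /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "${NetBios}\${SvcUser}:(R)"

# 6. Verify what the directory now holds.
setspn -L $SvcUser                         # SPNs on the service account
setspn -X                                  # forest-wide duplicate SPN report
```

Copy the keytab to the Squid host and point the negotiate helper at it (on a Unix-like host, `klist -kt` on the file and `kinit -k -t <file> HTTP/squidproxy.corpo.local@CORPO.LOCAL` confirm the key is usable before Squid is involved). One caveat on step 3: Windows HTTP clients such as Internet Explorer canonicalize a CNAME before building the SPN, so they may request HTTP/srvSquid01.corpo.local rather than HTTP/squidproxy.corpo.local; if clients fail with the CNAME, publish squidproxy as an A record instead, or register the canonical name on the same account. Option 1 (machine account) needs only the SPN step, as `setspn -S HOST/squidproxy.corpo.local srvSquid01$`, and no user keytab.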
