The simplest way to add SSO.
Install winbind and krb5-user, then update your smb.conf with this config:
[global]
# Auth-only setup with winbind (no shares).
log level = 1
workgroup = NTDOM
security = ADS
realm = YOUR-REALM
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
interfaces = eth0 lo
bind interfaces only = yes
# TLS key and certificates.
# Add the host key/cert and the root CA here; push the root CA to the PCs with a GPO.
tls enabled = yes
tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
tls cafile = /etc/ssl/certs/ROOT-ca.crt
## Map IDs from outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## Map IDs from the domain; the (*) range and the domain range may not overlap!
idmap config NTDOM : backend = rid
# schema_mode is only read by the ad backend; the rid backend ignores it.
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
# Samba 4.6+ (get the primary group from AD) (requires the ad backend)
#idmap config NTDOM : unix_nss_info = yes
# Samba 4.6+ (get the primary group from the unix primary group)
#idmap config NTDOM : unix_primary_group = yes
###########
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Renew the Kerberos ticket.
winbind refresh tickets = yes
# Strip the domain (NTDOM\username) to username.
winbind use default domain = yes
# Enable offline logins.
winbind offline logon = yes
# Depth of nested group expansion; slows Samba down when groups are nested deeply.
# Not needed on the VPN server.
#winbind expand groups = 2
# Administrator user workaround; without it you are unable to set privileges.
username map = /etc/samba/samba_usermapping
# Disable creating usershares (an empty path turns the feature off).
usershare path =
# Disable printing completely.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For ACL support on member servers with shares these three are mandatory.
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
######## SHARE DEFINITIONS ################
# Next TODO: join the AD-DC domain.
kinit Administrator
net ads join
# Set up the keytab for squid.
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add HTTP/$(hostname -f)
# Check the keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME
# Set rights so the squid helper (group proxy) can read it.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
and use this for auth in squid (one "children" line only; a second one would simply override the first):
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
        -s HTTP/hostname.fqdn@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
Greetz,
Louis
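The keytab step above is the one that usually goes wrong (wrong principal, missing AES keys, unreadable file). The script below is an added example and is not part of Louis's post or of the Samba/Squid projects: it wraps the keytab creation, checks the `klist -ke` listing offline for the HTTP/<fqdn>@<REALM> principal and its key types, and renders the matching squid.conf auth_param block. The host name proxy.example.com, the realm EXAMPLE.COM, the workgroup NTDOM, the "proxy" group and the path /etc/squid/HTTP-proxy.keytab are assumed placeholders, and the `klist` output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders proxy.example.com,
# EXAMPLE.COM, NTDOM, the "proxy" group and /etc/squid/HTTP-proxy.keytab are
# assumptions; replace them with your own values.

# Return 0 if the `klist -ke` listing on stdin has PRINCIPAL with at least one
# AES key, 1 otherwise. Reads stdin so it works on saved output, with no
# keytab and no domain in reach.
keytab_has_aes_principal() {
    awk -v p="$1" '
        # Entry lines look like:
        #    3 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
        $2 == p && $3 ~ /^\(aes(128|256)-cts/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the listing on stdin carries no RC4 (arcfour) key for PRINCIPAL.
# A leftover RC4 key lets a client negotiate the weak enctype.
keytab_has_no_rc4() {
    awk -v p="$1" '
        $2 == p && $3 ~ /arcfour/ { weak = 1 }
        END { exit weak ? 1 : 0 }'
}

# Emit the squid.conf auth block for negotiate_wrapper_auth with the service
# principal, keytab and NTLM domain filled in. Exactly one "children" line.
render_squid_auth() {
    fqdn="$1"; realm="$2"; domain="$3"; keytab="$4"
    cat <<EOF
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k $keytab -s HTTP/$fqdn@$realm \\
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=$domain
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
EOF
}

# Live step: needs a joined host and an admin ticket, so it is defined but not
# run here. Writes the HTTP SPN into a keytab readable only by root and the
# proxy group, then verifies it with the two offline checks above.
make_squid_keytab() {
    fqdn="$1"; realm="$2"; keytab="$3"; group="${4:-proxy}"
    KRB5_KTNAME="FILE:$keytab" net ads keytab add "HTTP/$fqdn" || return 1
    chown "root:$group" "$keytab" && chmod 0640 "$keytab" || return 1
    listing=$(klist -ke "$keytab") || return 1
    printf '%s\n' "$listing" | keytab_has_aes_principal "HTTP/$fqdn@$realm" || {
        echo "no AES key for HTTP/$fqdn@$realm in $keytab" >&2; return 1; }
    printf '%s\n' "$listing" | keytab_has_no_rc4 "HTTP/$fqdn@$realm" ||
        echo "warning: RC4 key present for HTTP/$fqdn@$realm" >&2
}

# Constructed sample of `klist -ke` output, used to demonstrate the checks offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP-proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)'

if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_aes_principal HTTP/proxy.example.com@EXAMPLE.COM; then
    echo "sample keytab: AES key for HTTP/proxy.example.com@EXAMPLE.COM found"
fi
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_no_rc4 HTTP/proxy.example.com@EXAMPLE.COM ||
    echo "sample keytab: RC4 key also present, consider re-creating the SPN with AES only"
render_squid_auth proxy.example.com EXAMPLE.COM NTDOM /etc/squid/HTTP-proxy.keytab
```

Run it as-is to see the checks against the constructed listing and the rendered auth block; on a joined member server, call `make_squid_keytab "$(hostname -f)" EXAMPLE.COM /etc/squid/HTTP-$(hostname -s).keytab` with your realm to do the live step. The principal passed to `-s` must match the keytab entry exactly, including the realm, or negotiate_kerberos_auth will reject every token.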
So I have set up a squid proxy on a CentOS 7 server and now the authentication system uses LDAP and it works; I can set which groups get access through the proxy.
The problem is ... can we set up the proxy to read the domain ID that is logged in, so the proxy no longer asks for a username and password? All the tutorials I've seen use pop-up messages asking for the username and password. I would like this to happen automatically, so when the user logs in they automatically authenticate.
Best Regards
Randi Indrawan