Thanks Louis for this tips but we did not want to
use NTLM as it is an old way.
It requires a samba on the Squid Box
As Amos said, this is most a browser (that using Microsoft API )
issue
The best way is to make these browsers replicating the correct
Firefox behavior.
Means swith to basic auth instead of trying this stupid NTLM
method
Le 21/09/2021 à 09:38, L.P.H. van Belle
a écrit :
in your smb.conf add
# Added to enforced NTLM 2, must be set on all Samba AD-DC's and the needed members.
# This is used in combination with ntlm_auth --allow-mschapv2
ntlm auth = mschapv2-and-ntlmv2-only
In squid use:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP.keytab \
-s HTTP/proxy.fq.dn.tld@xxxxxxxxxxxx \
--ntlm /usr/bin/ntlm_auth --allow-mschapv2 --helper-protocol=gss-spnego --domain=ADDOM
If you connecting for ldap.. Dont use -h 192.168.90.10
Uses -H ldaps://host.name.fq.dn
Also push the root-CA off the domain to pc's with GPO for example
And in that GPO you can set the parts you need to enable for the users/pcs to make it all work.
But your close, your almost there..
On thing i have not looked at myself yet, ext_kerberos_ldap_group_acl
https://fossies.org/linux/squid/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8
Thats one i'll be using with squid 5.1, im still compiling everyting i need, but then im setting
It up, i'll document it and make and howto of it.
Greetz,
Louis
________________________________
Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens David Touzeau
Verzonden: dinsdag 21 september 2021 1:49
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: squid 5.1: Kerberos: Unable to switch to basic auth with Edge - IE - Chrome
Hi all
i have setup Kerberos authentication with Windows 2019 domain using Squid 5.1 ( The Squid version did not fix the issue - Tested 4.x and 5.x)
In some cases, some computers are not joined to the domain and ween need to allow authenticate on Squid
To allow this, Basic Authentication is defined in Squid and we expect that browsers prompt a login to be authenticated and access to Internet
But the behavior is strange.
On a computer outside the windows domain:
Firefox is be able to be successfully authenticated to squid using basic auth.
Edge, Chrome and IE still try ujsing NTLM method and are allways rejected with a 407
When edge, chrome and IE try to establish a session, Squid claim
2021/09/21 01:17:27 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
This let us understanding that these 3 browsers try NTLM instead of a Basic Authentication.
I did not know why these browsers using NTLM as they did not connected to the Windows domain
Why squid never get the Basic Authentication credentials. ?
Did i miss something ?
Here it is my configuration.
auth_param negotiate program /lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NAME -k /etc/squid3/PROXY.keytab
auth_param negotiate children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
auth_param negotiate keep_alive on
auth_param basic program /lib/squid3/basic_ldap_auth -v -R -b "DC=articatech,DC=int" -D "administrator@xxxxxxxxxxxxxx" <mailto:administrator@xxxxxxxxxxxxxx> -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -v 3 -h 192.168.90.10
auth_param basic children 3
auth_param basic realm Active Directory articatech.int
auth_param basic credentialsttl 7200 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 1 seconds
authenticate_cache_garbage_interval 3600 seconds
acl AUTHENTICATED proxy_auth REQUIRED
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
|
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
