Re: [squid-users] Squid with NTLM auth behind netscaler
ok thanks. I think the system guys use samba and winbind to join linux machines to domain independently of services installed

2015-12-29 16:10 GMT+01:00 Eliezer Croitoru:
> Hey Fabio,
>
> If you do want to use kerberos you do not need to use winbindd there are
> other options.
> (I have not tried them both yet)
>
> Eliezer
>
> On 29/12/2015 16:30, Fabio Bucci wrote:
>>
>> Hi Amos,
>> I'm trying to implement kerberos as you suggested me. But following
>> the guide I read "Do not use this method if you run winbindd or other
>> samba services as samba will reset the machine password every x days
>> and thereby makes the keytab invalid !!" and my system guy told me we
>> use winbindd method.
>>
>> How can I implement so?
>> Thanks

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid with NTLM auth behind netscaler
Hai,

> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independently of services installed

That's good, but if you want fallback and make NTLM work (for only kerberos it's not needed) you want something like:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
  --domain=NTDOMAIN

Or

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth \
  -s HTTP/proxy.domain.tld@REALM \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

For the --ntlm you MUST install samba, since it's supplied by samba.

And a basic fallback: if the above fails, then this one will give a popup to auth.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
  -b "ou=Users,dc=internal,dc=domain,dc=tld" \
  -D bind2ad@User_domain -W /etc/squid/private/secretfile \
  -f (sAMAccountName=%s) \
  -h dc2.internal.domain.tld \
  -h dc1.internal.domain.tld

Above is all tested and running in my production env.

A few very important pointers.
1) make sure your proxy has A and PTR record (needed for kerberos)
2) make sure you have the HTTP/ spn for the hostnames of your proxy servers
3) make sure your time is in sync on all servers and clients.

In samba 4 I did it like this.
Login with ssh on a DC.

kinit Administrator
samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy

# export the keytab.
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /root/keytabs/proxy1.keytab

check if your hostname has all the SPNs.

samba-tool spn list proxy1$

proxy1 is the name in smb.conf

you must have:
HOST/PROXY1
HOST/proxy1.internal.domain.tld.

And make sure you have in /etc/default/squid:

KRB5_KTNAME=/etc/squid/proxy1.keytab
export KRB5_KTNAME

Greetz,
Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Fabio Bucci
> Sent: Tuesday 29 December 2015 16:21
> To: Eliezer Croitoru
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
>
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to domain independently of services installed
>
> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru:
> > Hey Fabio,
> >
> > If you do want to use kerberos you do not need to use winbindd there are
> > other options.
> > (I have not tried them both yet)
> >
> > Eliezer
> >
> > On 29/12/2015 16:30, Fabio Bucci wrote:
> >>
> >> Hi Amos,
> >> I'm trying to implement kerberos as you suggested me. But following
> >> the guide I read "Do not use this method if you run winbindd or other
> >> samba services as samba will reset the machine password every x days
> >> and thereby makes the keytab invalid !!" and my system guy told me we
> >> use winbindd method.
> >>
> >> How can I implement so?
> >> Thanks
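Louis's pointers come down to one condition that can be verified on the proxy host itself: the keytab that KRB5_KTNAME points at must contain the HTTP/ principal for every proxy hostname, and the entry's kvno must still match what the KDC holds. The script below is an added example, not code from this thread or from Squid or Samba. It reads an MIT version-2 keytab directly (the on-disk layout documented by MIT krb5, including the optional 32-bit kvno tail and deleted slots) and reports required principals that are absent. The realm INTERNAL.DOMAIN.TLD, the second proxy name, the name type constant and the key bytes are assumptions used to build an in-memory sample; a real keytab comes from samba-tool domain exportkeytab as shown above.

```python
import struct
from typing import Dict, List, Tuple

# KRB5_NT_SRV_HST from the MIT krb5 headers (assumed constant; only
# informational for this check).
KRB5_NT_SRV_HST = 3

# Principals the proxy needs; the realm and proxy2 are assumptions.
REQUIRED_PRINCIPALS = [
    "HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD",
    "HTTP/proxy2.internal.domain.tld@INTERNAL.DOMAIN.TLD",
]


def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as an MIT v2 keytab.

    Used here only to construct sample input; in production the keytab is
    the file exported by samba-tool, never something built by hand.
    """
    out = bytearray(b"\x05\x02")                    # keytab magic, version 2
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)           # keyblock
        body += struct.pack(">I", kvno)                              # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Return {principal: [(kvno, enctype), ...]} for every live entry."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version-2 keytab")
    pos = 2
    found: Dict[str, List[Tuple[int, int]]] = {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        vno = vno8
        if end - pos >= 4:                # 32-bit kvno, when present, wins over vno8
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        found.setdefault("/".join(comps) + "@" + realm, []).append((vno, enctype))
    return found


def check_keytab(data: bytes, required: List[str]) -> List[str]:
    """Return the required principals that are absent from the keytab."""
    have = parse_keytab(data)
    return [p for p in required if p not in have]


# Constructed sample: only proxy1 is present, kvno 3, enctype 18 (aes256-cts),
# with a dummy 32-byte key. A real keytab holds the exported account key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD", 3, 18, bytes([0x11]) * 32),
])
# A keytab whose only slot has been deleted: parses to no principals.
DELETED_SLOT_KEYTAB = b"\x05\x02" + struct.pack(">i", -3) + b"\x00\x00\x00"

if __name__ == "__main__":
    import os
    path = os.environ.get("KRB5_KTNAME")   # same variable the thread exports in /etc/default/squid
    data = open(path, "rb").read() if path else SAMPLE_KEYTAB
    for principal, keys in parse_keytab(data).items():
        print(f"{principal}: {keys}")
    for principal in check_keytab(data, REQUIRED_PRINCIPALS):
        print(f"MISSING: {principal}")
```

Run with KRB5_KTNAME set to the exported file to list every principal with its kvno and enctype; without it the constructed sample is used. The kvno is the value to compare against the KDC: when the account password behind the SPN is rotated, the KDC moves on to a higher kvno and the keytab entry goes stale, which is the failure the quoted guide warns about for machine accounts managed by winbindd. A dedicated account with a non-expiring password, as in Louis's samba-tool steps, keeps the kvno stable.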
[squid-users] squid reverse proxy and client certs
Hi

I have squid 3.5.12 working as a reverse proxy

cache_peer 127.0.0.1 \
  parent 443 0 proxy-only no-query no-digest originserver \
  login=PASS \
  ssl \
  sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
  sslflags=DONT_VERIFY_PEER \
  name=webServer

This points to httpd which has a

DirectoryIndex index.shtml index.html
Options -Indexes -Includes +IncludesNOEXEC -SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional_no_ca
SSLVerifyDepth 4

Unfortunately the request for a client cert never makes it to the client.
How can I change this to allow client certs to work?

Alex
Re: [squid-users] Assign multiple IP Address to squid
Hi.

On 29.12.2015 17:05, Reet Vyas wrote:
> Hi
>
> I have working squid3.5.4 configuration with ssl bump, I am using this
> squid machine as router and have external IP to it and have a leased
> line connection but with leased line I have 10 extra IP address and I
> want to NAT those external ip to local ip on same network, like we do
> in our router, so that I can assign those IP ip my machines having
> webservers.
>
> Please suggest me way to configure it.
>

This has nothing to do with squid.

Eugene.
[squid-users] Assign multiple IP Address to squid
Hi

I have working squid3.5.4 configuration with ssl bump, I am using this squid machine as router and have external IP to it and have a leased line connection but with leased line I have 10 extra IP address and I want to NAT those external ip to local ip on same network, like we do in our router, so that I can assign those IP ip my machines having webservers.

Please suggest me way to configure it.
Re: [squid-users] Squid with NTLM auth behind netscaler
Hi Amos,
I'm trying to implement kerberos as you suggested me. But following the guide I read "Do not use this method if you run winbindd or other samba services as samba will reset the machine password every x days and thereby makes the keytab invalid !!" and my system guy told me we use winbindd method.

How can I implement so?
Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries:
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> I'm planning to migrate to kerberos instead of NTLM. I got a question for
>> you Amos: sometimes a client reports issue in navigation and searching into
>> log file I cannot see "username" and all the request are 407
>>
>> In these cases is there a way to reset a user session or it's a completely
>> client issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (eg, forcing NTLM of all versions to
> disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
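Amos describes clients stuck in a Negotiate/NTLM loop, which is exactly what Fabio sees in the log: runs of 407 responses with no username. The script below is an added example, not code from this thread or from Squid. It parses Squid's default native access.log layout and flags clients whose consecutive unauthenticated 407s exceed a threshold within a short window, so the looping state can be recognised from the log before choosing one of the workarounds Amos lists. The log lines, addresses, URL, threshold and window are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# Squid's default (native) access.log layout:
#   time elapsed client result/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z0-9_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample (not from the thread). 10.1.2.3 re-sends the same
# request and is challenged every time without ever presenting a username;
# 10.1.2.9 takes the normal path (one 407 challenge, then an authenticated
# 200); 10.1.2.7 gets a few challenges but stays under the threshold.
SAMPLE_LOG = """\
1451401200.101     5 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401200.140     4 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401200.181     4 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401200.220     5 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401200.263     4 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401200.301     5 10.1.2.3 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401201.010    21 10.1.2.9 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401201.230   130 10.1.2.9 TCP_MISS/200 8123 GET http://intranet.example.test/ jdoe HIER_DIRECT/192.0.2.10 text/html
1451401202.004     6 10.1.2.7 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401202.050     5 10.1.2.7 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
1451401202.097     5 10.1.2.7 TCP_DENIED/407 3812 GET http://intranet.example.test/ - HIER_NONE/- text/html
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one native access.log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def find_auth_loops(lines: Iterable[str], threshold: int = 5, window: float = 10.0) -> Dict[str, int]:
    """Map client address -> longest run of consecutive 407s with no username.

    Only runs of at least `threshold` responses inside `window` seconds are
    reported; anything else (an authenticated request, a non-407 status, or a
    run that has gone quiet) ends the run for that client.
    """
    runs: Dict[str, tuple] = {}        # client -> (run start time, count)
    looping: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if rec["status"] == 407 and rec["user"] == "-":
            start, count = runs.get(client, (rec["ts"], 0))
            if rec["ts"] - start > window:        # stale run: start counting afresh
                start, count = rec["ts"], 0
            count += 1
            runs[client] = (start, count)
            if count >= threshold:
                looping[client] = max(looping.get(client, 0), count)
        else:
            runs.pop(client, None)                # progress was made; not looping
    return looping


if __name__ == "__main__":
    for client, run in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {run} consecutive unauthenticated 407s")
```

The first one or two 407s on a connection are the normal challenge (NTLM needs more than one round), so they must not be flagged; the threshold and window separate that handshake from a client that never progresses. With the sample input only 10.1.2.3 is reported. What to do with a flagged client is the policy decision Amos lays out (Basic first, a bare 407, Connection:close, or a 403 via an external ACL); the script only identifies the looping state.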
[squid-users] squid3 / debian stable / please update to 3.4.14
ciao Luigi

I ask to update the distro to squid 3.4.14, the last stable version, released in August.

Rationale:
1) various bugs and memory leaks fixed;
2) security fix for CVE-2015-5400;
3) support for Alternate-Protocol HTTP header.

I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache videos.

References:
https://packages.debian.org/jessie/squid3
ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt
http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol

Best regards,
Massimo
Re: [squid-users] Squid with NTLM auth behind netscaler
Hey Fabio,

If you do want to use kerberos you do not need to use winbindd there are other options.
(I have not tried them both yet)

Eliezer

On 29/12/2015 16:30, Fabio Bucci wrote:
> Hi Amos,
> I'm trying to implement kerberos as you suggested me. But following
> the guide I read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid !!" and my system guy told me we
> use winbindd method.
>
> How can I implement so?
> Thanks