[squid-users] squid 3.5.10 samba4 kerberos few questions (Debian Jessie)

2015-12-16 Thread L.P.H. van Belle
Hi,

I have the following running.

Debian Jessie, squid 3.5.10 (recompiled from sid) with ICAP and authorisation
against a Samba 4 AD DC.

To begin with, this works great! So now my questions, and the conf part for
this.

I am using the following authentications.

First Kerberos:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

And this also works:

#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I use basic auth as a fallback.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h samba4-dc2.internal.domain.tld \
    -h samba4-dc1.internal.domain.tld

I know the following:

## 1) Pure Kerberos. Passthrough auth for Windows users with DOMAIN JOINED Windows PCs.
##    Fallback to LDAP for NON-WINDOWS, NON-DOMAIN-JOINED devices.
##    NO NTLM. AKA, a Windows PC NOT JOINED to the domain will always end up with a user popup for auth,
##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs NOT domain joined.

When people access websites I see a lot of: TCP_DENIED/407

Sometimes about 10-12 times TCP_DENIED/407, even when the user has already
accessed the website and is authenticated.

Is this because of PC auth, or user auth, or by design, as I read here:

http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html

acl AuthRequest http_status 407
access_log ... !AuthRequest ...

Is this the only solution to reduce the 407s, or am I missing some setting here?

If you need more info, just ask.

Greetz,

Louis

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid 3.5.10 samba4 kerberos few questions (Debian Jessie)

2015-12-16 Thread Amos Jeffries
On 16/12/2015 11:48 p.m., L.P.H. van Belle wrote:
> Hi,
> 
> I have the following running.
> 
> Debian Jessie, squid 3.5.10 (recompiled from sid) with ICAP and
> authorisation against a Samba 4 AD DC.
> 
> To begin with, this works great! So now my questions, and the conf part for
> this.
> 
> I am using the following authentications.
> 
> First Kerberos:
> 
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
> 
> And this also works:
> 
> #auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> #    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
> #    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
> 
> I use basic auth as a fallback.
> 
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
>     -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
>     -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
>     -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>     -h samba4-dc2.internal.domain.tld \
>     -h samba4-dc1.internal.domain.tld
> 
> I know the following:
> 
> ## 1) Pure Kerberos. Passthrough auth for Windows users with DOMAIN JOINED Windows PCs.
> ##    Fallback to LDAP for NON-WINDOWS, NON-DOMAIN-JOINED devices.
> ##    NO NTLM. AKA, a Windows PC NOT JOINED to the domain will always end up with a user popup for auth,
> ##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
> ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs NOT domain joined.
> 

AFAIK #2 is incorrect. Negotiate still needs the *joined* part to be
true. They just do not have to have current connectivity to the DC
provided the secret-token part of credentials that comes from the DC is
still current on the client machine.


> 
> When people access websites I see a lot of: TCP_DENIED/407
> 
> Sometimes about 10-12 times TCP_DENIED/407, even when the user has already
> accessed the website and is authenticated.
> 
> Is this because of PC auth, or user auth, or by design, as I read here:
> 
> http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html
> 
> acl AuthRequest http_status 407
> access_log ... !AuthRequest ...
> 
> Is this the only solution to reduce the 407s, or am I missing some setting
> here?

It just hides them from the logging. They still happen.

Another workaround is suggested in that thread; to bypass and not
require authentication for some popular domains. That has the added
benefit of letting HTTP performance optimizations work - most HTTP
features actually have to be disabled in the presence of NTLM or Negotiate.

The solution is for clients to actually make use of the connection
persistence that NTLM and Negotiate *require* Squid to set up just to
perform those auth types. Tearing it all down after just one HTTP level
transaction is very wasteful.

Amos

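An added example for this thread (not from either message, and not Squid project documentation) that puts Amos's two workarounds into one squid.conf fragment next to the auth_param lines from the original post. The client network, the list of no-auth domains, the log paths and the helper child counts are assumptions chosen for illustration. It differs from the "hide them from the log" approach in one respect: the 407 challenges are written to a separate log rather than discarded, so they remain available as evidence, and the no-auth bypass is placed before the rule that triggers the challenge, because http_access is evaluated top to bottom.

```squidconf
# Added example for this thread. Hostnames, realm, client network, domain list,
# child counts and log paths are placeholders (assumptions), not values from the post.

# --- authentication helpers, as posted (debug flag dropped, one DC shown) ---
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
auth_param negotiate children 20 startup=0 idle=1
# Negotiate/NTLM are connection-oriented; keep the client connection open across
# the challenge/response exchange instead of tearing it down after the 407.
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=SOMEOU,dc=internal,dc=domain,dc=tld" \
    -D ldap-bind@KERB.REALM -W /etc/squid/private/ldap-bind \
    -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" \
    -h samba4-dc1.internal.domain.tld
auth_param basic children 10 startup=0 idle=1
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 2 hours

# --- ACLs ---
acl localnet src 10.0.0.0/8                 # assumed client network
acl authenticated proxy_auth REQUIRED
acl AuthRequest http_status 407              # matches the challenge replies

# Domains reachable WITHOUT credentials (assumed list). Everything here is open to
# any host that can reach the proxy, so keep it to the few destinations that
# generate the bulk of per-connection challenges.
acl noauth_domains dstdomain .windowsupdate.com .update.microsoft.com

# --- http_access: order matters ---
# 1. The bypass must precede the line that causes a 407 challenge.
http_access allow localnet noauth_domains
# 2. All other LAN traffic needs credentials; this line is what emits the 407.
http_access allow localnet authenticated
http_access deny all

# --- logging ---
# Main log without the challenges, so request counts are not inflated.
access_log daemon:/var/log/squid/access.log logformat=squid !AuthRequest
# Challenges kept in their own file rather than dropped: a client that only ever
# produces 407s here is not completing Negotiate/NTLM (e.g. not domain joined).
access_log daemon:/var/log/squid/auth-challenges.log logformat=squid AuthRequest
```

Reading the two logs side by side answers the question in the thread about "PC auth or user auth": a 407 followed on the same client by a TCP_MISS/200 carrying a username in the main log is the normal per-connection challenge, while a client that appears only in auth-challenges.log is stuck in the popup loop described in the first message. Bypassed domains also get the HTTP optimizations Amos mentions back, since no connection-bound auth is in play for them.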