Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Amos Jeffries
On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
> Hi,
> could you help me look for what's wrong?
> 

The client / browser thinks the credentials are wrong for some reason.

You need to run through all the troubleshooting checks to see if any
reason shows up. The recent posts "kerberos authentication with a
machine account doesn't work" might help there.

Amos


> Regards
> Fabio
> 
> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>> Hi Amos,
>> just configured squid.conf as:
>>
>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>> -d -s HTTP/myproxy.domain
>> auth_param negotiate children 100
>> auth_param negotiate keep_alive on
>>
>> acl auth proxy_auth REQUIRED
>>
>> http_access allow auth
>>
>> but it doesn't work and the browser shows me a credentials popup, and even
>> if I enter them it asks me again
>>
>> Thanks,
>> Fabio
>>
>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>
>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>
>>>
>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>> helper parts.
>>>
>>> Amos
>>>
>>>

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Amos Jeffries
On 11/01/2016 11:26 p.m., Fabio Bucci wrote:
> Yes of course. But I'm wondering if all the configuration is right.
> 

The Squid part of it looks okay to me. The issue is somewhere in the AD,
keytab or client setup I think.

Amos



Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Hi,
could you help me look for what's wrong?

Regards
Fabio

2016-01-07 14:26 GMT+01:00 Fabio Bucci :
> Hi Amos,
> just configured squid.conf as:
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> -d -s HTTP/myproxy.domain
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
>
> but it doesn't work and the browser shows me a credentials popup, and even
> if I enter them it asks me again
>
> Thanks,
> Fabio
>
> 2015-12-31 6:30 GMT+01:00 Amos Jeffries :
>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>
>>> Could you help me in kerberos configuration only? I don't want a fallback
>>
>>
>> That should be blindingly obvious ... just use the Kerberos helper directly
>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>> helper parts.
>>
>> Amos
>>
>>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Yes of course. But I'm wondering if all the configuration is right.

Thanks,
Fabio

2016-01-11 9:43 GMT+01:00 Amos Jeffries :
> On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
>> Hi,
>> could you help me look for what's wrong?
>>
>
> The client / browser thinks the credentials are wrong for some reason.
>
> You need to run through all the troubleshooting checks to see if any
> reason shows up. The recent posts "kerberos authentication with a
> machine account doesn't work" might help there.
>
> Amos
>
>
>> Regards
>> Fabio
>>
>> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>>> Hi Amos,
>>> just configured squid.conf as:
>>>
>>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>>> -d -s HTTP/myproxy.domain
>>> auth_param negotiate children 100
>>> auth_param negotiate keep_alive on
>>>
>>> acl auth proxy_auth REQUIRED
>>>
>>> http_access allow auth
>>>
>>> but it doesn't work and the browser shows me a credentials popup, and even
>>> if I enter them it asks me again
>>>
>>> Thanks,
>>> Fabio
>>>
>>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>>
>>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>>
>>>>
>>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>>> helper parts.
>>>>
>>>> Amos


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Could you kindly write me what I need to post in order to review?

2016-01-11 11:53 GMT+01:00 Amos Jeffries :
> On 11/01/2016 11:26 p.m., Fabio Bucci wrote:
>> Yes of course. But I'm wondering if all the configuration is right.
>>
>
> The Squid part of it looks okay to me. The issue is somewhere in the AD,
> keytab or client setup I think.
>
> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-07 Thread Fabio Bucci
Hi Amos,
just configured squid.conf as:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
-d -s HTTP/myproxy.domain
auth_param negotiate children 100
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth

but it doesn't work and the browser shows me a credentials popup, and even
if I enter them it asks me again

Thanks,
Fabio

2015-12-31 6:30 GMT+01:00 Amos Jeffries :
> On 2015-12-31 03:42, Fabio Bucci wrote:
>>
>> Could you help me in kerberos configuration only? I don't want a fallback
>
>
> That should be blindingly obvious ... just use the Kerberos helper directly
> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
> helper parts.
>
> Amos
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-30 Thread Amos Jeffries

On 2015-12-31 03:42, Fabio Bucci wrote:
> Could you help me in kerberos configuration only? I don't want a
> fallback


That should be blindingly obvious ... just use the Kerberos helper 
directly as the auth_param helper. Omit the negotiate_wrapper helper and 
ntlm_auth helper parts.


Amos



Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
ok thanks. I think the system guys use samba and winbind to join linux
machines to the domain independently of the services installed

2015-12-29 16:10 GMT+01:00 Eliezer Croitoru :
> Hey Fabio,
>
> If you do want to use kerberos you do not need to use winbindd; there are
> other options.
> (I have not tried them both yet)
>
> Eliezer
>
> On 29/12/2015 16:30, Fabio Bucci wrote:
>>
>> Hi Amos,
>> I'm trying to implement kerberos as you suggested to me. But following
>> the guide I read "Do not use this method if you run winbindd or other
>> samba services as samba will reset the machine password every x days
>> and thereby makes the keytab invalid !!" and my system guy told me we
>> use the winbindd method.
>>
>> How can I implement it, then?
>> Thanks
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread L . P . H . van Belle
Hi,

> ok thanks. I think the system guys use samba and winbind to join linux
> machines to the domain independently of the services installed

That's good, but if you want fallback and to make NTLM work
(for Kerberos only it's not needed)

You want something like:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
--ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
--domain=NTDOMAIN 
Or

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid/negotiate_kerberos_auth \
-s HTTP/proxy.domain.tld@REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN


For the --ntlm you MUST install samba, since it's supplied by samba.

And a basic fallback if the above fails; this one will give a popup to authenticate:

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
-b "ou=Users,dc=internal,dc=domain,dc=tld" \
-D bind2ad@User_domain -W /etc/squid/private/secretfile \
-f (sAMAccountName=%s) \
-h dc2.internal.domain.tld \
-h dc1.internal.domain.tld 

The above is all tested and running in my production env.
A few very important pointers:
1) make sure your proxy has A and PTR records (needed for Kerberos)
2) make sure you have the HTTP/ SPN for the hostnames of your proxy servers
3) make sure your time is in sync on all servers and clients.


In Samba 4 I did it like this. Log in with ssh on a DC.
kinit Administrator

samba-tool user create squid-proxy --description="Unprivileged user for 
SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy

# export the keytab. 
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld. 
/root/keytabs/proxy1.keytab

Check if your hostname has all the SPNs:
samba-tool spn list proxy1$
(proxy1 is the name in smb.conf)
you must have:
 HOST/PROXY1
 HOST/proxy1.internal.domain.tld.

And make sure you have:
/etc/default/squid
KRB5_KTNAME=/etc/squid/proxy1.keytab
export KRB5_KTNAME


Greetz, 

Louis


> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Fabio Bucci
> Sent: Tuesday 29 December 2015 16:21
> To: Eliezer Croitoru
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
> 
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to the domain independently of the services installed
> 
> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru <elie...@ngtech.co.il>:
> > Hey Fabio,
> >
> > If you do want to use kerberos you do not need to use winbindd; there are
> > other options.
> > (I have not tried them both yet)
> >
> > Eliezer
> >
> > On 29/12/2015 16:30, Fabio Bucci wrote:
> >>
> >> Hi Amos,
> >> I'm trying to implement kerberos as you suggested to me. But following
> >> the guide I read "Do not use this method if you run winbindd or other
> >> samba services as samba will reset the machine password every x days
> >> and thereby makes the keytab invalid !!" and my system guy told me we
> >> use the winbindd method.
> >>
> >> How can I implement it, then?
> >> Thanks
> >
> >
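Louis's pointers (the HTTP/ SPN, the exported keytab, KRB5_KTNAME) are where Kerberos setups most often go wrong, and a keytab that lacks the exact principal is invisible until the browser loops on 407. The following added Python example, not code from the list, Squid or Samba, reads a keytab in the standard file format (version 0x0502, the one klist -kt reads) and checks it for the HTTP/ principal of the proxy FQDN before KRB5_KTNAME is pointed at it, also flagging near misses such as a trailing dot or a case difference; the inline keytab, host names, realm and keys are constructed placeholders.

```python
# Added example for Louis's keytab/SPN pointers; not code from Squid, Samba
# or the list. Reads the standard keytab file format (version 0x0502) without
# krb5 libraries. The sample keytab, host names, realm and keys below are
# constructed placeholders.
import struct

KEYTAB_MAGIC = b"\x05\x02"


def _counted(data):
    """Keytab 'counted octet string': big-endian uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Write a v2 keytab from (principal 'svc/host@REALM', kvno, enctype, key)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body       # entry length prefix
    return bytes(out)


def parse_keytab(blob):
    """Return [(principal, kvno, enctype)] for every live entry in the keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip its bytes
            pos -= size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        p, fields = 2, []
        for _ in range(ncomp + 1):         # realm first, then the components
            (n,) = struct.unpack_from(">H", entry, p)
            fields.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen
        kvno = struct.unpack_from(">I", entry, p)[0] if p + 4 <= size else vno8
        entries.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype))
    return entries


def check_squid_keytab(blob, proxy_fqdn, realm):
    """Problems to fix before pointing KRB5_KTNAME at this keytab; [] is OK."""
    wanted = f"HTTP/{proxy_fqdn}@{realm}"
    names = [p for p, _, _ in parse_keytab(blob)]
    problems = []
    if wanted not in names:
        problems.append(f"no entry for {wanted}; keytab has {names}")
    for n in names:
        # Principal names are compared exactly: a trailing dot on the host or
        # a case difference is a different principal, so flag near misses.
        if n != wanted and n.replace(".@", "@").upper() == wanted.upper():
            problems.append(f"{n} differs from {wanted} only by case or a trailing dot")
    return problems


def sample_keytab():
    """Constructed keytab: a HOST/ key plus the HTTP/ key Squid needs."""
    return build_keytab([
        ("HOST/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD", 3, 18, b"\x11" * 32),
        ("HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD", 3, 18, b"\x22" * 32),
    ])


if __name__ == "__main__":
    for line in check_squid_keytab(sample_keytab(), "proxy1.internal.domain.tld",
                                   "INTERNAL.DOMAIN.TLD") or ["keytab OK"]:
        print(line)
```

To check a real file, pass `open("/etc/squid/proxy1.keytab", "rb").read()` instead of `sample_keytab()`; the check reads the file only and never contacts the KDC.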


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
Hi Amos,
I'm trying to implement kerberos as you suggested to me. But following
the guide I read "Do not use this method if you run winbindd or other
samba services as samba will reset the machine password every x days
and thereby makes the keytab invalid !!" and my system guy told me we
use the winbindd method.

How can I implement it, then?
Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries :
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> I'm planning to migrate to Kerberos instead of NTLM. I've got a question for
>> you, Amos: sometimes a client reports an issue browsing, and searching the
>> log file I cannot see the "username" and all the requests are 407
>>
>> In these cases is there a way to reset a user session, or is it a completely
>> client-side issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (eg, forcing NTLM of all versions to
> disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Eliezer Croitoru

Hey Fabio,

If you do want to use kerberos you do not need to use winbindd; there are
other options.

(I have not tried them both yet)

Eliezer

On 29/12/2015 16:30, Fabio Bucci wrote:
> Hi Amos,
> I'm trying to implement kerberos as you suggested to me. But following
> the guide I read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid !!" and my system guy told me we
> use the winbindd method.
>
> How can I implement it, then?
> Thanks




Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-16 Thread Amos Jeffries
On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> I'm planning to migrate to Kerberos instead of NTLM. I've got a question for
> you, Amos: sometimes a client reports an issue browsing, and searching the
> log file I cannot see the "username" and all the requests are 407
>
> In these cases is there a way to reset a user session, or is it a completely
> client-side issue?

Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
some reason. Some old Firefox, most Safari, and older IE can all get
stuck trying those credentials and ignoring the offers of Basic.

It might be possible to figure out some LmCompatibility settings change
that makes the problem just go away (eg, forcing NTLM of all versions to
disabled on the client).

Other than that Squid does have some workaround responses it can be made
to send back that might help the client reach the right conclusion:

a) list Basic auth first in the config. Any properly working client will
re-sort the auth types by security level and do the Kerberos anyway. But
the broken ones (particularly IE7 and older) will have more chance of
using Basic.

b) sending 407 response with no auth headers. Such as a deny 407 status
generated by external ACL deny, or a URL-redirector. These tell the
client that auth failed, but there is no acceptable fallback.

c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
the client prematurely attaching the credentials to the connection and
re-using them. That is supposed to have been fixed recently, but I've
not confirmed.

d) sending 403 status response. To just flat-out block the client once
it enters the looping state. Hoping that later requests will start to
work again.


HTH
Amos



Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-16 Thread Fabio Bucci
I'm planning to migrate to Kerberos instead of NTLM. I've got a question for
you, Amos: sometimes a client reports an issue browsing, and searching the
log file I cannot see the "username" and all the requests are 407

In these cases is there a way to reset a user session, or is it a completely
client-side issue?

thanks,
Fabio

2015-12-12 5:00 GMT+01:00 Amos Jeffries :

> On 12/12/2015 3:42 a.m., Fabio Bucci wrote:
> > Thanks Amos, I know you suggested Kerberos. How can I implement it
> > instead of LDAP?
>
> 
>
> Amos
>
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Fabio Bucci
No suggestions?

2015-12-07 14:57 GMT+01:00 Fabio Bucci :

> Thanks Amos.
> So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?
>
> I have to check if netscaler is able to perform that kind of hack you wrote
> before.
>
> Thanks again,
> Fabio
>
> 2015-12-05 7:22 GMT+01:00 Amos Jeffries :
>
>> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
>> > Thanks Amos.
>> > Actually my load balancing is configured to perform round robin
>> > balancing between the two nodes. I added session persistence by
>> > source ip in order to avoid logging in again with some sites.
>> >
>> > my squid.conf is very simple:
>> > auth_param ntlm program /usr/bin/ntlm_auth
>> > --helper-protocol=squid-2.5-ntlmssp
>> > auth_param ntlm children 100
>> > auth_param ntlm keep_alive off
>> >
>> > acl auth proxy_auth REQUIRED
>> >
>> > http_access allow auth
>> >
>>
>> Okay. That *should* work. With some NTLM-specific caveats.
>>
>>
>> > forwarded_for on
>> > follow_x_forwarded_for allow netscaler
>> >
>>
>> If the LB is touching the traffic enough to add headers then it is a
>> proxy. NTLM does not work at all well through proxies. NTLM as a whole
>> is based on the assumption that there is one (and only one) TCP
>> connection between it and the proxy - the credentials are tied to the
>> TCP connection state.
>>
>> There is one VERY slim hack that lets NTLM pass straight through a
>> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
>> connections together. This is not just session persistence, but absolute
>> prohibition on any other traffic (even from other connections by the
>> same client) being sent to that outbound LB->proxy connection. Some LB
>> can do it, some can't.
>>
>>
>> I recommend advertising both/all proxy IPs to the clients and letting
>> each select the one(s) it wants to contact. That way the client can
>> perform NTLM directly to the Squid.
>>
>>
>> On the other hand NTLM was deprecated back in 2006, you should try
>> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
>> and can be tricky working with older client software. But is *way* more
>> efficient and friendlier to HTTP (but still not fully).
>>
>>
>> Amos
>>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Amos Jeffries
On 12/12/2015 3:08 a.m., Fabio Bucci wrote:
> No suggestions?
> 

I've already suggested several times to use Kerberos. But the choice is
yours.

Amos



Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Fabio Bucci
Thanks Amos, I know you suggested Kerberos. How can I implement it instead of
LDAP?

2015-12-11 15:39 GMT+01:00 Amos Jeffries :

> On 12/12/2015 3:08 a.m., Fabio Bucci wrote:
> > No suggestions?
> >
>
> I've already suggested several times to use Kerberos. But the choice is
> yours.
>
> Amos
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Amos Jeffries
On 12/12/2015 3:42 a.m., Fabio Bucci wrote:
> Thanks Amos, I know you suggested Kerberos. How can I implement it instead of
> LDAP?



Amos




Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-07 Thread Fabio Bucci
Thanks Amos.
So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?

I have to check if netscaler is able to perform that kind of hack you wrote
before.

Thanks again,
Fabio

2015-12-05 7:22 GMT+01:00 Amos Jeffries :

> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> > Thanks Amos.
> > Actually my load balancing is configured to perform round robin balancing
> > between the two nodes. I added session persistence by source ip in order
> > to avoid logging in again with some sites.
> >
> > my squid.conf is very simple:
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> >
> > acl auth proxy_auth REQUIRED
> >
> > http_access allow auth
> >
>
> Okay. That *should* work. With some NTLM-specific caveats.
>
>
> > forwarded_for on
> > follow_x_forwarded_for allow netscaler
> >
>
> If the LB is touching the traffic enough to add headers then it is a
> proxy. NTLM does not work at all well through proxies. NTLM as a whole
> is based on the assumption that there is one (and only one) TCP
> connection between it and the proxy - the credentials are tied to the
> TCP connection state.
>
> There is one VERY slim hack that lets NTLM pass straight through a
> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
> connections together. This is not just session persistence, but absolute
> prohibition on any other traffic (even from other connections by the
> same client) being sent to that outbound LB->proxy connection. Some LB
> can do it, some can't.
>
>
> I recommend advertising both/all proxy IPs to the clients and letting
> each select the one(s) it wants to contact. That way the client can
> perform NTLM directly to the Squid.
>
>
> On the other hand NTLM was deprecated back in 2006, you should try
> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
> and can be tricky working with older client software. But is *way* more
> efficient and friendlier to HTTP (but still not fully).
>
>
> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-04 Thread Amos Jeffries
On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> Thanks Amos.
> Actually my load balancing is configured to perform round robin balancing
> between the two nodes. I added session persistence by source ip in order
> to avoid logging in again with some sites.
> 
> my squid.conf is very simple:
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
> 
> acl auth proxy_auth REQUIRED
> 
> http_access allow auth
> 

Okay. That *should* work. With some NTLM-specific caveats.


> forwarded_for on
> follow_x_forwarded_for allow netscaler
> 

If the LB is touching the traffic enough to add headers then it is a
proxy. NTLM does not work at all well through proxies. NTLM as a whole
is based on the assumption that there is one (and only one) TCP
connection between it and the proxy - the credentials are tied to the
TCP connection state.

There is one VERY slim hack that lets NTLM pass straight through a
frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
connections together. This is not just session persistence, but absolute
prohibition on any other traffic (even from other connections by the
same client) being sent to that outbound LB->proxy connection. Some LB
can do it, some can't.


I recommend advertising both/all proxy IPs to the clients and letting
each select the one(s) it wants to contact. That way the client can
perform NTLM directly to the Squid.


On the other hand NTLM was deprecated back in 2006, you should try
migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
and can be tricky working with older client software. But is *way* more
efficient and friendlier to HTTP (but still not fully).


Amos

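Amos's point that NTLM credentials are tied to the TCP connection, and that source-IP session persistence on the LB is therefore not enough, can be shown with a small simulation. This is an added Python example, not code from Squid or from anyone on the list; the two node names, the client ids and the three LB policies (round robin, sticky per source IP, pinned one-to-one connections) are constructed, and the NTLM exchange is reduced to its three legs.

```python
# Added simulation for this thread; not code from Squid or from anyone on the
# list. Node names, client ids and the three LB policies are constructed.
# NTLM is modelled as a three-leg handshake (Type1 negotiate, Type2 challenge,
# Type3 authenticate) whose state lives on the proxy's inbound TCP connection.
from itertools import cycle


class NtlmProxy:
    """One Squid node. Credentials are bound to the inbound connection id."""

    def __init__(self, name):
        self.name = name
        self.challenged = set()   # connections that have issued a Type2
        self.user = {}            # connection id -> authenticated user

    def handle(self, conn, kind, payload=""):
        if conn in self.user:                 # already authenticated here
            return 200, self.user[conn]
        if kind == "NTLM1":                   # Type1 -> issue a Type2
            self.challenged.add(conn)
            return 407, "NTLM <challenge>"
        if kind == "NTLM3" and conn in self.challenged:
            self.challenged.discard(conn)     # Type3 completes the handshake
            self.user[conn] = payload
            return 200, payload
        # Plain GET, or a Type3 on a connection that never issued a
        # challenge: the handshake starts over and the browser sees a 407.
        self.challenged.discard(conn)
        return 407, "NTLM"


class LoadBalancer:
    """mode 'roundrobin': any node, shared backend connection pool;
    mode 'sticky': same node per client IP, still a shared pool;
    mode 'pinned': one dedicated backend connection per client connection."""

    def __init__(self, backends, mode, pool_size=2):
        self.backends, self.mode, self.pinned = backends, mode, {}
        self._next = 0
        self.rr = cycle(backends)
        self.pools = {b.name: cycle([self._conn() for _ in range(pool_size)])
                      for b in backends}

    def _conn(self):
        self._next += 1
        return self._next

    def route(self, client_ip, client_conn):
        sticky_node = self.backends[client_ip % len(self.backends)]
        if self.mode == "pinned":
            key = (client_ip, client_conn)
            if key not in self.pinned:        # nobody else ever uses this conn
                self.pinned[key] = (sticky_node, self._conn())
            return self.pinned[key]
        node = sticky_node if self.mode == "sticky" else next(self.rr)
        return node, next(self.pools[node.name])

    def send(self, client_ip, client_conn, kind, payload=""):
        node, conn = self.route(client_ip, client_conn)
        return node.handle(conn, kind, payload)


def browser_session(lb, client_ip, client_conn, user):
    """GET, Type1, Type3, GET from one browser; returns the four status codes.
    A healthy run is [407, 407, 200, 200]; a stuck client sees only 407s."""
    legs = [("GET", ""), ("NTLM1", ""), ("NTLM3", user), ("GET", "")]
    return [lb.send(client_ip, client_conn, k, p)[0] for k, p in legs]


def run(mode):
    """Two Squid nodes behind one LB: client 10 authenticates as alice, then
    client 11 sends a plain GET and must not inherit alice's identity."""
    lb = LoadBalancer([NtlmProxy("squid1"), NtlmProxy("squid2")], mode)
    alice = browser_session(lb, 10, 1, "alice")
    other = lb.send(11, 1, "GET")[0]
    return alice, other


if __name__ == "__main__":
    for m in ("roundrobin", "sticky", "pinned"):
        print(f"{m:10s} alice={run(m)[0]} other_client={run(m)[1]}")
```

Only the pinned policy completes the handshake; with round robin or sticky-by-IP the Type3 lands on a backend connection that never issued the challenge, which is the endless 407 loop the thread describes.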