Re: [squid-users] Re: AD authentiction with squid

2009-03-22 Thread Benedict simon

 In more detail the required steps for squid_kerb_auth (from
 https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest
 squid distribution) are:

 1) Install kerberos client package
 2) Install msktutil package from
 http://dag.wieers.com/rpm/packages/msktutil/
 3) Configure krb5.conf
 4) Configure squid by adding
 auth_param negotiate program /usr/sbin/squid_kerb_auth
 auth_param negotiate children 10
 auth_param negotiate keep_alive on
 5) Create keytab for HTTP/fqdn with msktutil.
    a) kinit administra...@domain
    b) msktutil -c -b CN=COMPUTERS -s HTTP/fqdn -h fqdn -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/fqdn --server domain controller --verbose

 6) Add the following to the squid startup script
    KRB5_KTNAME=/etc/squid/HTTP.keytab
    export KRB5_KTNAME

 7) Done

 Markus


Thanks Markus

appreciate your quick reply.
actually i was jus workin on plain text authentication with my win2003 AD
server

basically following from

http://www.itinfusion.ca/linux/squid-proxy-server-with-windows-ad-authentication/

i jus managed to have my linux box to authenticate with AD server running
the following command

/usr/lib/squid/squid_ldap_auth -v 3 -b dc=baladia,dc=local -D cn=Administrator,cn=Users,dc=baladia,dc=local -w xx -f sAMAccountName=%s -h aa.aa.aa.aa

where xxx is the password of administrator
aa.aa.aa.aa is the IP address of AD server

after i put the username n password
i get OK so authentication is OK

i will jus try having acls in my squid conf n testing it out


regards
n thnks once again


simon





 --
 This message has been scanned for viruses and
 dangerous content by MailScanner, and is
 believed to be clean.



-- 
Network ADMIN
-
KUWAIT MUNICIPALITY:





[squid-users] Re: AD authentiction with squid

2009-03-21 Thread Markus Moeller

In more detail the required steps for squid_kerb_auth (from
https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest
squid distribution) are:

1) Install kerberos client package
2) Install msktutil package from
http://dag.wieers.com/rpm/packages/msktutil/
3) Configure krb5.conf
4) Configure squid by adding
auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
5) Create keytab for HTTP/fqdn with msktutil.
   a) kinit administra...@domain
   b) msktutil -c -b CN=COMPUTERS -s HTTP/fqdn -h fqdn -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/fqdn --server domain controller --verbose

6) Add the following to the squid startup script
   KRB5_KTNAME=/etc/squid/HTTP.keytab
   export KRB5_KTNAME

7) Done

Markus
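
A check for the result of steps 5 and 6, added here as an example; it is not part of the message above or of the Squid distribution. It assumes the keytab should be unreadable to "other" users (it holds the HTTP/fqdn service key) and that the startup script is a shell script; the demo files are constructed.

```shell
#!/bin/sh
# Added example: sanity-check steps 5 and 6 before starting Squid.
# Usage: check_keytab_setup KEYTAB STARTUP_SCRIPT
# Prints one finding per problem; returns 1 if there were any, else 0.
check_keytab_setup() {
    keytab=$1; script=$2; rc=0
    if [ ! -s "$keytab" ]; then
        echo "missing-keytab: $keytab does not exist or is empty"
        return 1
    fi
    # Characters 8-10 of the ls mode string are the permissions for "other".
    # Anyone who can read the keytab can act as the HTTP/fqdn service.
    other=$(ls -ld "$keytab" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "keytab-exposed: $keytab is accessible to all local users ($other)"
        rc=1
    fi
    # The helper only sees KRB5_KTNAME if the script sets AND exports it;
    # otherwise the Kerberos library falls back to the system default keytab.
    if ! grep -E '^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=' "$script" |
            grep -Fq "=$keytab"; then
        echo "ktname-unset: $script does not set KRB5_KTNAME=$keytab"
        rc=1
    elif ! grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME' "$script"; then
        echo "ktname-not-exported: $script sets KRB5_KTNAME but never exports it"
        rc=1
    fi
    return $rc
}

# Constructed demo: a stand-in keytab with mode 0644 and a startup script
# that forgets the export line (both problems are reported).
demo=$(mktemp -d)
printf 'constructed stand-in, not a real keytab\n' >"$demo/HTTP.keytab"
chmod 644 "$demo/HTTP.keytab"
printf 'KRB5_KTNAME=%s\n' "$demo/HTTP.keytab" >"$demo/squid.init"
check_keytab_setup "$demo/HTTP.keytab" "$demo/squid.init" || true
rm -rf "$demo"
```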




Re: [squid-users] Re: AD authentiction with squid

2009-03-21 Thread Amos Jeffries

Markus Moeller wrote:

In more detail the required steps for squid_kerb_auth (from
https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest
squid distribution) are:

1) Install kerberos client package
2) Install msktutil package from
http://dag.wieers.com/rpm/packages/msktutil/
3) Configure krb5.conf
4) Configure squid by adding
auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
5) Create keytab for HTTP/fqdn with msktutil.
   a) kinit administra...@domain
   b) msktutil -c -b CN=COMPUTERS -s HTTP/fqdn -h fqdn -k /etc/squid/HTTP.keytab --computer-name squid-HTTP --upn HTTP/fqdn --server domain controller --verbose

6) Add the following to the squid startup script
   KRB5_KTNAME=/etc/squid/HTTP.keytab
   export KRB5_KTNAME

7) Done

Markus




Thank you. I was going to ask you for this soon.
Added to the wiki:
  http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Is there anything we can/should add to the krb5.conf section?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6


[squid-users] Re: AD authentiction with squid

2009-03-20 Thread Markus Moeller


Benedict simon si...@kmun.gov.kw wrote in message 
news:dde908b0d0e692cbfa0d7d7490dce7f2.squir...@webmail.baladia.gov.kw...

Dear Amos,

Thanks and really appreciate for ur quick reply
i will try the link and check it out.

me too a novice in Ldap n not a professional in ADS


regards

simon



Benedict simon wrote:

Dear All,


i have squid Proxy server on Centos 5 working perfectly for a quite
sometime and now we would like to have squid authenticating with ADS for
more control .
so that only users that have logged into domain are asked allowed for
internet and others who dont log in have internet access denied but only
local network services available.
i am not a professional in ADS so wd really appreciate your help
i have been googling around and tried but was only able to authenticate
with squid by getting the popup window but not accept the password.
i would like plain text authentication since i guess its the easiest one

the setup

Centos 5
Squid stable 2.6

the domain is ADS WINDOWS 2003
Domain Name: baladia.local
computer name :kmun

jus cut and paste some squid entries .


auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=baladia,dc=local -D cn=Administrator,cn=Users,dc=baladia,dc=local -w  -f sAMAccountName=%s -h 172.16.2.227
auth_param basic children 5
auth_param basic realm PROXY SERVER
auth_param basic credentialsttl  5 minutes

where  is the administrator password
172.16.2.227 is the IP address of the domain

will the above help me to authenticate user with ADS

when i log into the domain and user my browser the window pops up but
when
i enter the username and password it ask me the same dialog again

also if i dont log into domain its the same

the squid accesslog error is

1237471571.612 13 xx.xx.xx.xx TCP_DENIED/407 1761 GET http://vcs2.msg.yahoo.com/capacity testuser

where testuser is the username on my domain

appreciate if someone can help me with example or some links with
examples

thanks and really wd appreciate your kind help



http://wiki.squid-cache.org/ConfigExamples has a section for
authentication templates and how-tos.

I'm not clued up on LDAP or AD requirements so can't help any further on
this.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6





--
Network ADMIN
-
KUWAIT MUNICIPALITY:






You could use squid_kerb_auth.

Regards
Markus
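
The auth_param basic line quoted in this thread passes the bind password with -w, binds as Administrator and uses plain LDAP. The following squid.conf audit for those three points is an added example, not code from any poster or from Squid. -W, -Z and -H are squid_ldap_auth's own options; squid-bind, ldap.secret, dc1.baladia.local and the PLACEHOLDER password are hypothetical.

```shell
#!/bin/sh
# Added example: flag risky squid_ldap_auth options in squid.conf.
# Prints "<finding-id>: <reason>" per problem, nothing for a clean helper line.
audit_ldap_helper() {
    grep -E '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program[[:space:]].*squid_ldap_auth' "$1" |
    while IFS= read -r line; do
        set -f; set -- $line; set +f    # split into words without globbing
        inline_pw=no; tls=no; binddn=
        while [ $# -gt 0 ]; do
            case $1 in
                -w) inline_pw=yes ;;    # bind password given as an argument
                -Z) tls=yes ;;          # TLS on the LDAP connection
                -H) case ${2:-} in ldaps://*) tls=yes ;; esac ;;
                -D) binddn=${2:-} ;;
            esac
            shift
        done
        if [ "$inline_pw" = yes ]; then
            echo "inline-password: -w puts the bind password in squid.conf and the process list; use -W secretfile"
        fi
        case $(printf '%s' "$binddn" | tr '[:upper:]' '[:lower:]') in
            cn=administrator,*)
                echo "admin-bind: searches run as Administrator; use a dedicated low-privilege account" ;;
        esac
        if [ "$tls" = no ]; then
            echo "cleartext-ldap: no -Z or ldaps:// URI; passwords cross the network unencrypted"
        fi
    done
    return 0
}

# Constructed sample: the thread's helper line (password replaced by a
# placeholder) followed by a hardened variant with hypothetical names.
sample=$(mktemp)
cat >"$sample" <<'EOF'
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=baladia,dc=local -D cn=Administrator,cn=Users,dc=baladia,dc=local -w PLACEHOLDER -f sAMAccountName=%s -h 172.16.2.227
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -Z -v 3 -b dc=baladia,dc=local -D cn=squid-bind,cn=Users,dc=baladia,dc=local -W /etc/squid/ldap.secret -f sAMAccountName=%s -h dc1.baladia.local
EOF
audit_ldap_helper "$sample"
rm -f "$sample"
```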