On 2015-10-21 15:38, Ilias Clifton wrote:

On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
> Hi All,
> I've been following the guide at this location for Active Directory integration
> 
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> First, some versions for sanity..
> Ubuntu : 14.04.3 LTS
> Squid : 3.3.8 (from ubuntu repositories)
> Samba : 4.1.6-Ubuntu
> DC : Windows Server 2012 R2
>
> I am currently testing the authentication, negotiate kerberos and basic ldap are
> both working correctly. However ntlm is not and I don't seem to be making any
> progress on debugging further.

Date: Tue, 20 Oct 2015 18:06:17 +1300
From: Amos Jeffries <squ...@treenet.co.nz>



Your version of Squid has big problems with (4) and some with (2), and
your DC server version has big problems with (1) and (3).


Amos




Hi Amos,

Thank you for your detailed answer.

So what is the best way to authenticate users in a mixed environment?
I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
plus various mobile devices.

I've tried getting rid of ntlm and just using negotiate kerberos and
ldap for basic, is that all I need?

I believe that's at least very close to the solution. Getting rid of NTLM is something that needs to happen at the client end though, so IE does not attempt to use it over the Negotiate scheme.



On the non-domain joined PCs, if I disable 'Enable Integrated Windows
Authentication', they now correctly use basic ldap.

And that's the way to do it IIRC. Someone more familiar may know a better way.



My config now looks like..

### negotiate kerberos and ntlm authentication
### (-d turns on helper debug logging to cache.log; drop it once things work)
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth \
    -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### provide basic authentication via ldap for clients not
### authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "DC=domain,DC=local" -D proxyuser@domain.local \
    -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### ldap authorisation
### (-K strips the Kerberos realm and -S the NT domain from %LOGIN so
### user@DOMAIN.LOCAL, DOMAIN\user and plain user all match sAMAccountName)
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl \
    -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" \
    -h dc1.domain.local

Does that look ok?

Looks reasonable for a small installation. If you have a medium to large network you may find Squid mentioning queue issues and requesting more helper children be configured. Simply increasing the numbers there should resolve that.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
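The `external_acl_type memberof %LOGIN ... ext_ldap_group_acl -K -S` line above hides two details worth seeing in code: the helper protocol Squid speaks to it (one request line per lookup, an `OK`/`ERR` reply), and why `-K` and `-S` matter once Negotiate/Kerberos and Basic/LDAP are mixed: the same person shows up in %LOGIN as `user@DOMAIN.LOCAL`, `DOMAIN\user` or plain `user` depending on which scheme the browser used. The following is an added example, not code from the thread or from the Squid project: a stand-in external ACL helper that does the same normalisation and replies in the same protocol, with a constructed in-memory group table in place of the LDAP query. It assumes the Squid 3.3 line format with no `concurrency=` option (`<login> <group> [group ...]`), assumes logins and group names contain no whitespace, and fails closed (`ERR`) on unknown users or malformed requests.

```python
#!/usr/bin/env python3
"""Stand-in Squid external ACL helper for group membership checks.

Added example, not part of the squid-users thread: the DIRECTORY table
below is constructed sample data replacing the LDAP lookup that
ext_ldap_group_acl performs. Wire it up with, for instance:
    external_acl_type memberof %LOGIN /usr/local/bin/memberof_helper.py
    acl internet external memberof InternetUsers
"""
import sys

# Constructed sample directory: sAMAccountName -> CNs under OU=Proxy.
# Keys are lower-case because AD matches sAMAccountName case-insensitively.
DIRECTORY = {
    "alice": {"InternetUsers"},
    "bob": {"InternetUsers", "ProxyAdmins"},
    "carol": set(),
}


def normalise_login(login: str) -> str:
    """Reduce the %LOGIN token to a bare sAMAccountName.

    Mirrors ext_ldap_group_acl's -S (strip the NT domain prefix, '\\' or
    '/' separated) and -K (strip the Kerberos realm suffix) options, so
    'DOMAIN\\alice', 'alice@DOMAIN.LOCAL' and 'alice' all become 'alice'.
    """
    user = login
    for sep in ("\\", "/"):          # -S: DOMAIN\user or DOMAIN/user
        if sep in user:
            user = user.split(sep, 1)[1]
    if "@" in user:                  # -K: user@REALM
        user = user.rsplit("@", 1)[0]
    return user.lower()


def check_membership(login: str, groups: list) -> bool:
    """True when the user belongs to at least one of the requested groups.

    Same semantics as ext_ldap_group_acl: the acl line may list several
    groups and any single match is enough. Unknown users are denied
    rather than treated as a lookup error.
    """
    member_of = DIRECTORY.get(normalise_login(login))
    if member_of is None:
        return False
    return any(g in member_of for g in groups)


def handle_line(line: str) -> str:
    """Turn one helper request line into the reply Squid expects.

    Request (Squid 3.3, no concurrency channel): "<login> <group> [group...]".
    Reply: 'OK' or 'ERR'. A request without at least one group is
    malformed and is refused rather than allowed.
    """
    tokens = line.split()
    if len(tokens) < 2:
        return "ERR"
    login, groups = tokens[0], tokens[1:]
    return "OK" if check_membership(login, groups) else "ERR"


def main() -> None:
    # Squid keeps the helper process alive and writes one request per line;
    # each reply must be flushed immediately or the matching request hangs.
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To exercise it by hand the way you would test the real helper, run `printf 'alice@DOMAIN.LOCAL InternetUsers\ncarol InternetUsers\n' | ./memberof_helper.py` and expect `OK` then `ERR`; the same two lines fed to `/usr/lib/squid3/ext_ldap_group_acl` with the options from the config above should give the same answers against the real directory, which is a quick way to separate an LDAP filter problem from a Squid ACL problem.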
