Hai,
I'm having the following running: Debian Jessie, squid 3.5.10 (recompiled from sid) with icap and authorisation against a samba 4 AD DC.

I'll begin with: this works great! So now my questions and the conf part for this.

I am using the following authentications.

First Kerberos:

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.tld@KERB.REALM \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

And this works also:

    #auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    #    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
    #    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain= NTDOMAIN \

I use basic auth as fallback:

    auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
        -b "ou=SOMEOU,dc=internal,dc=domain.dc=tld" \
        -D ldap-bind@ KERB.REALM -W /etc/squid/private/ldap-bind \
        -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
        -h samba4-dc2.internal.domain.tld \
        -h samba4-dc1.internal.domain.tld

I know the following:

    ## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED PCs.
    ##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
    ##    NO NTLM. AKA, a windows PC, NOT JOINED in the domain, will always end up in a user popup for auth.
    ##    Which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
    ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.

When people access websites I see a lot of:

    TCP_DENIED/407

Sometimes about 10-12 times the TCP_DENIED/407, even when the user has already accessed the website and it authenticated.

Is this because of PC auth, or user auth, or by design, as I read here:
http://www.squid-cache.org/mail-archive/squid-users/201310/0006.html

    acl AuthRequest http_status 407
    access_log ... !AuthRequest ...

Is this the only solution to reduce the 407s, or am I missing some setting here?

If you need more info, just ask.

Greetz,
Louis
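
Added example, not part of the original post: one way to tell the 407 lines that are ordinary authentication challenges (followed shortly by an authenticated request from the same client) from 407s that are never followed by one, instead of filtering all of them out of the log. It assumes squid's default native access.log layout; the log lines, the user name and the 5-second window are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1446541200.101      0 10.0.0.21 TCP_DENIED/407 4120 GET http://example.com/ - HIER_NONE/- text/html
1446541200.150      0 10.0.0.21 TCP_DENIED/407 4380 GET http://example.com/ - HIER_NONE/- text/html
1446541200.320     85 10.0.0.21 TCP_MISS/200 9120 GET http://example.com/ alice@KERB.REALM HIER_DIRECT/192.0.2.10 text/html
1446541210.000      0 10.0.0.35 TCP_DENIED/407 4120 GET http://example.com/ - HIER_NONE/- text/html
1446541212.000      0 10.0.0.35 TCP_DENIED/407 4120 GET http://example.com/ - HIER_NONE/- text/html
1446541230.000      0 10.0.0.35 TCP_DENIED/407 4120 GET http://example.com/ - HIER_NONE/- text/html
"""

# Captures: timestamp, client address, HTTP status, user name field
LINE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+/(\d{3})\s+\d+\s+\S+\s+\S+\s+(\S+)\s")

def classify_407(log_text, window=5.0):
    """Return {client: {"challenge": n, "unresolved": n}} for 407 log lines."""
    pending = defaultdict(list)  # client -> timestamps of 407s awaiting a follow-up
    result = defaultdict(lambda: {"challenge": 0, "unresolved": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, client, status, user = float(m[1]), m[2], m[3], m[4]
        if status == "407":
            pending[client].append(ts)
        elif user != "-":
            # An authenticated request resolves the 407s seen just before it.
            for t in pending.pop(client, []):
                kind = "challenge" if ts - t <= window else "unresolved"
                result[client][kind] += 1
    # 407s never followed by an authenticated request stay unresolved.
    for client, stamps in pending.items():
        result[client]["unresolved"] += len(stamps)
    return {c: dict(v) for c, v in result.items()}

if __name__ == "__main__":
    for client, counts in classify_407(SAMPLE_LOG).items():
        print(client, counts)
```

Clients with a high "unresolved" count are the ones worth looking at (for example a non-domain-joined PC stuck at the credential popup); "challenge" counts are the expected cost of the handshake.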