In addition, due to the last samba and windows security fixes there was a behavior change.
So beware with squid and samba/winbind/ldap/windows auth.

Read: https://www.samba.org/samba/history/samba-4.4.2.html

This was a big impact. But beware, use samba 4.2.12, 4.3.9 or 4.4.3.
All version bug release (4.4.2, 4.3.8, 4.2.11) had some nasty bugs.

I had to reconfigure my squid auth.
I've tested with latest squid 3.5.17 on my debian jessie, all fine again.

And to Sampei, add a samba 4 AD (preferred 4.4.3) to your domain,
move FSMO roles to samba, and drop your unsupported windows AD.
I dropped all my windows servers, only samba now.

Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Amos Jeffries
> Sent: Wednesday 4 May 2016 14:23
> To: Sampei; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] ldap authentication with encrypted
> credentials
>
> On 4/05/2016 11:56 p.m., Sampei wrote:
> > I'll explain better:
> > Squid is running on Debian 5 older server and every Windows (XP/7/10)
> > client uses it to surf on web.
> > Clients are configured in out-of-date Microsoft domain where Domain
> > Controllers are based on Windows 2000 server.
> > So far I permit Internet access to clients by specifying IP address of
> > computers in squid.conf file but now I'd like to manage internet access
> > by asking to user its AD credentials.
> > Now I'm not able to update systems so I have to schedule its upgrade for
> > next year.
>
> I've been in those shoes myself, and recommend you may want to keep the
> IP based authorization until you can get a better AD system.
>
> >
> >>>> Look into Negotiate/Kerberos authentication. You will need that for
> >>>> the Win7 and Win10 clients anyway
> > For Windows 7/10 clients, the Basic authentication (Squid 2.7) with LDAP
> > helper will not be able to work?
> > While Kerberos will work both with older clients and newer ones?
> >
>
> Yes they all still support Basic, but you said that was not desirable.
>
> The secure methods that leaves you with are NTLMv2 (definitely *not*
> NTLMv1) or Negotiate/Kerberos.
>
> NTLM was deprecated by MS in 2006. All software produced by MS since
> then is increasingly hostile to NTLM being used and preferring Kerberos.
> XP can handle Kerberos with maybe a little config. And it is both more
> secure and faster so a double-win once you get over the learning curve
> for its management tools.
>
> I'm not sure if or how the Win2k server can handle Kerberos. You will
> need to find that out.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users