Would it be fair to say best practice is to get Kerberos working in favour of NTLM?

On 21/10/2015 3:18 PM, "Amos Jeffries" <squ...@treenet.co.nz> wrote:

> On 2015-10-21 15:38, Ilias Clifton wrote:
>>
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> > Hi All,
>>> > I've been following the guide at this location for Active Directory
>>> > integration
>>> >
>>> > http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>>> >
>>> > First, some versions for sanity..
>>> > Ubuntu : 14.04.3 LTS
>>> > Squid : 3.3.8 (from ubuntu repositories)
>>> > Samba : 4.1.6-Ubuntu
>>> > DC : Windows Server 2012 R2
>>> >
>>> > I am currently testing the authentication, negotiate kerberos and
>>> > basic ldap are both working correctly. However ntlm is not and I
>>> > don't seem to be making any progress on debugging further.
>>>
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries <squ...@treenet.co.nz>
>>>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>>>
>>> Amos
>>>
>> Hi Amos,
>>
>> Thank you for your detailed answer.
>>
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>>
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
>>
>
> I believe that's at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>
>
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
>>
>
> And that's the way to do it IIRC. Someone more familiar may know a better
> way.
>
>
>> My config now looks like..
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>>
>> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>>
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local
>>
>> Does that look ok?
>>
>
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
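The config quoted in the thread defines the helpers but not the acl and http_access rules that make Squid actually challenge clients and enforce group membership. The following squid.conf fragment is an added example written for this page (it is not from the thread, the bitbinary guide, or the Squid project): it keeps the posted helper lines, drops the helper's -d debug flag, and adds the missing enforcement rules. The group name ProxyUsers, the helper paths, the domain names and the ttl value are assumptions or placeholders; adjust them to the real environment.

```conf
### Added example, not from the thread. Scheme order matters: Squid offers
### authentication schemes to the client in the order the auth_param blocks
### appear, so Negotiate (Kerberos) is listed first and Basic is the fallback
### for clients that cannot do Kerberos (non-domain PCs, mobile devices).

### 1. Negotiate (Kerberos) for domain-joined browsers.
###    -d (helper debug output to cache.log) is left out of the production config.
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### 2. Basic over LDAP as the fallback. Basic only base64-encodes the password,
###    so it is listed last and should only be reachable over a trusted network path.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 30 minutes

### 3. Group authorisation via LDAP. %LOGIN is the authenticated user name,
###    %g is the group name given on the acl line below. ttl=300 (assumed value)
###    caches helper answers for five minutes to reduce load on the DC.
external_acl_type memberof ttl=300 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=domain,DC=local" -D proxyuser@domain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))" -h dc1.domain.local

### 4. ACLs that use the authentication and authorisation defined above.
###    "ProxyUsers" is an assumed placeholder for the AD group under OU=Proxy.
acl AuthUsers proxy_auth REQUIRED
acl ProxyUsers external memberof ProxyUsers

### 5. Enforcement. The first rule sends the 407 challenge (Negotiate, then
###    Basic) to any client that has not authenticated; the second allows only
###    group members; everything else is denied.
http_access deny !AuthUsers
http_access allow ProxyUsers
http_access deny all
```

Without rule 5 the helpers are configured but never invoked, because nothing in http_access references an ACL that requires authentication. Putting "deny !AuthUsers" before the group check also means a failed LDAP group lookup yields a plain denial rather than a repeated credential prompt.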