Ok, well. It's not only the squid conf you need, so here is what you need in total.

HTTPS, yes, works too, but I don't use sslbump etc. Below is all based on Debian packages; no source installs are used. (If you need squid 3.5.19 on Debian Jessie amd64 I can share them too; SSL is enabled in my build.) Read through it, see what you can use, and mail if you don't get it.

Below works as of Debian 3.4.8 up to 3.5.19 (tested).

Squid: This is what I have in the auth lines:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D ldap-b...@internal.domain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://ad-dc2.internal.domain.tld \
    -H ldaps://ad-dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Auth
auth_param basic credentialsttl 2 hours

The samba smb.conf I'm using with it. About samba: the last update is a complex one; you must configure this correctly for samba and ldap. I'll explain that below.

[global]
workgroup = NTDOMAIN
security = ads
realm = REALM
netbios name = PROXY
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
server signing = mandatory
ntlm auth = no

# Add and update TLS key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/proxy.key.pem
tls certfile = /etc/ssl/local/certs/proxy.cert.pem
tls cafile = /etc/ssl/certs/personal-ca.pem

## map ids from outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# enable offline logins
winbind offline logon = yes
# check depth of nested groups; slows down your samba if the group nesting is too deep
winbind expand groups = 4
# disable creating usershares; when set empty, no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

The krb5.conf for this:

[libdefaults]
default_realm = REALM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

For /etc/ldap/ldap.conf (client conf): a "correct" CA root and client certs setup. Needed for samba and ldap clients.

Add in /etc/ldap/ldap.conf (minimal):

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

Set up your own "rootCA" like this. (If not done yet: apt-get install ca-certificates)

mkdir -p /usr/local/share/ca-certificates/yourCArootFolder

Copy your root CA cert (.crt, or it won't be detected) into /usr/local/share/ca-certificates/yourCArootFolder.

Run: update-ca-certificates

! It MUST BE /usr/local/share/ca-certificates, else it's not picked up by the update-ca-certificates command.

You should see:

update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Now, after the above is done, your CA cert is hashed in /etc/ssl/certs and it's added to /etc/ssl/certs/ca-certificates.crt.

For Windows, now set up a GPO to deploy the root CA to your PCs and you're good to go. How: https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx

This folder, /etc/ssl/local, is advised for your personal certificates. Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs. So create the folders /etc/ssl/local/certs and /etc/ssl/local/private. Much easier to maintain this way.

Some advice on samba/winbind. The above only needs winbind installed, and I do advise 4.4.3; recompile it from Debian SID. Or, if you're on Debian Jessie amd64, you can use my deb files. Found here: http://downloads.van-belle.nl/samba4/ Please do read the README.txt

Greetz,

Louis

From: Olivier CALVANO [mailto:o.calv...@gmail.com]
Sent: Wednesday 11 May 2016 13:34
To: L.P.H. van Belle
Subject: Re: [squid-users] Squid and AD => That' s don't work !

Hi

Thanks for your answer. Does HTTPS work too? Because before we used 3.3.8, but NTLM/Kerberos was working randomly: it worked very well for 1 or 2 days, but after that a lot of users couldn't connect. We updated to 3.5.x and now all HTTPS doesn't work :< Can you help me? If you have a sample of your squid.conf.

regards
olivier

2016-05-11 10:23 GMT+02:00 L.P.H. van Belle <be...@bazuin.nl>:

Yes, and it works great.
My setup: Debian Jessie, Squid tested: 3.4.8 up to 3.5.19.
I use kerberos and ntlm and ldap auth in that order.
Samba 4.4.3 AD DC.
So what do you want to know?

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Olivier CALVANO
Sent: Wednesday 11 May 2016 10:08
To: Squid Users
Subject: [squid-users] Squid and AD => That' s don't work !

Hi

Has someone actually used squid with NTLM AD authentication? Because it doesn't work really well, and there is no one who responds to problems; it's a shame. Is there commercial support for squid?

Regards
Olivier

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
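An added configuration check for the smb.conf, krb5.conf and ldap.conf pieces in Louis's post (my own example, not Louis's code and not part of the squid or Samba projects). It parses constructed fragments in the shape of the thread's configs and flags the settings that weaken the AD/Kerberos/LDAP chain: NTLMv1 left enabled, signing not mandatory, the commented-out DES/RC4 enctype lines re-enabled, and TLS_REQCERT allow, which lets the LDAP client carry on when the server certificate does not validate. The sample values and finding texts are assumptions of this example.

```python
# Constructed sample fragments shaped like the configs in this thread (not from any live system).
SMB_CONF = "[global]\n security = ads\n server signing = mandatory\n ntlm auth = no\n"
KRB5_CONF = ("[libdefaults]\n default_realm = REALM\n; permitted_enctypes = rc4-hmac des-cbc-crc\n"
             " permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc\n")
LDAP_CONF = "TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT allow\n"
# DES, 3DES and RC4 Kerberos enctypes are deprecated (RFC 6649 / RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

def parse_ini(text):
    """smb.conf / krb5.conf text -> {section: {key: value}}.  Keys are lower-cased with
    whitespace removed, so 'idmap config X : backend' equals 'idmap config X:backend'."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both formats treat '#' and ';' lines as comments
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            out.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            out[section]["".join(key.lower().split())] = value.strip()
    return out

def parse_ldap_conf(text):
    # ldap.conf is 'KEYWORD value' per line; keywords are case-insensitive
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0].upper()] = parts[1].strip()
    return out

def audit(smb_conf, krb5_conf, ldap_conf):
    """Return findings for settings that weaken the AD / Kerberos / LDAP chain."""
    findings = []
    g = parse_ini(smb_conf).get("global", {})
    if g.get("ntlmauth", "").lower() != "no":
        findings.append("smb.conf: set 'ntlm auth = no' so winbind refuses NTLMv1")
    if g.get("serversigning", "").lower() != "mandatory":
        findings.append("smb.conf: set 'server signing = mandatory'")
    lib = parse_ini(krb5_conf).get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(lib.get(key, "").lower().split()))
        if weak:
            findings.append(f"krb5.conf: {key} allows weak enctypes {weak}")
    reqcert = parse_ldap_conf(ldap_conf).get("TLS_REQCERT", "demand").lower()
    if reqcert != "demand":
        findings.append(f"ldap.conf: TLS_REQCERT {reqcert} tolerates a bad server cert; use demand")
    return findings
```

Run `audit(SMB_CONF, KRB5_CONF, LDAP_CONF)` against the samples to get the enctype and TLS_REQCERT findings; point it at your real files to check a proxy before it goes live.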