Hi Hernan Saltiel, I can tell you my working NTLM auth configuration for Squid 4.6 (will work for 4.7 too). My documentation is an ansible playbook created by myself for the needs of our company, so I don't remember where I got all the information for a working configuration. Whenever I have to re-install one of our 17+ proxies, I just run the playbook once on a provisioned server :#)
IMHO: Kerberos is better than NTLM, because Kerberos is a standard protocol while NTLM is Windows only. But my config below is for the moment also NTLM only. NTLM is easier to set up, while KRB5 takes a little time to understand the keytab file generation things.

About the wrapper in Squid: the names of these wrapper files may have changed, and they are sometimes in other places. In my case the NTLM wrapper for Squid4 is /usr/lib/squid/ext_ldap_group_acl.

About NTLM and "[mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!]": you should test whether NTLM auth with winbind is working on your server before running ntlm auth in squid, with wbinfo -g or wbinfo -u on the command line, which must give you the users or groups from your AD as an answer (winbind > smb.conf). There is also somewhere a wrapper file to check wbinfo with the squid wrapper too, but I don't remember which it is.

So below is a working configuration (for me) on Ubuntu 18.04 server with squid 4.6 compiled from debian testing source (with ssl bump).
- name: Install AD WinBind Authentification Packages
  apt:
    state: present
    name:
      - samba
      - winbind
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

- name: Upload smb.conf for WinBind
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/samba/smb.conf
################################################################
#======================= Global Settings =======================
[global]
netbios name = proxy01xx
workgroup = DOM-COMPANY
realm = companydomain.DE
server string =
security = ADS
encrypt passwords = true
log level = 3
log file = /var/log/samba/%m
wins support = no
preferred master = no
domain master = no
local master = no
template shell = /bin/false
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM-COMPANY:backend = rid
idmap config DOM-COMPANY:schema_mode = rfc2307
idmap config DOM-COMPANY:range = 8000-80000
enhanced browsing = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
password server = 192.168.xx.xx 172.16.x.x 172.16.x.x 172.16.x.x
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
################################################################

- name: Add "winbind" to /etc/nsswitch.conf at the end of passwd line
  replace:
    backup: yes
    dest: /etc/nsswitch.conf
    # the pattern below matches the "group" line although the task name says passwd;
    # the resulting nsswitch.conf further down carries winbind on both lines
    regexp: '^(group(?!.*\bwinbind\b).*)$'
    replace: '\1 winbind'
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True
  tags: nsswitch

################################################################
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
################################################################

- name: adding existing user "proxy" to group "winbindd_priv", via https://www.linuxquestions.org/questions/linux-server-73/prompts-password-for-squid-using-ntlm-673036/#post4977410
  user:
    name: proxy
    groups: winbindd_priv
    append: yes
  notify: restart squid
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/group
################################################################
#(...)
winbindd_priv:x:116:proxy
#(...)

#This is the only step I don't have automated yet in my ansible playbook, but it is required once after installing winbind for sure:
#Winbind: join the server into the domain:
net ads join -U administrator
#test if winbind works:
wbinfo -g
wbinfo -u

- name: Upload squid.conf
  template:
    src: "{{ item }}.j2"
    dest: /etc/squid/{{ item }}
    owner: proxy
    group: proxy
    backup: yes
  with_items:
    - squid.conf
  notify: restart squid
  tags: squidconfonly

################################################################
#/etc/squid.conf
#relevant content for NTLM auth
################################################################

######################################################### NTLM #########################################################
# NTLM authentication, caching not necessary, because the connection will be authenticated against the token
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
auth_param ntlm realm Proxy-Anmeldung NTLM: Bitte Domaene\Benutzername und Windows-Kennwort eingeben.
auth_param ntlm children 50

#Allow fetch intermediate certs before required authentication (required when SSL Bump + proxy_auth REQUIRED)
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

######################################################### Allow based on group membership #########################################################
# Authentication required, otherwise Login Pop-Up
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

# Define external acl
external_acl_type ldap_group ipv4 ttl=3600 negative_ttl=1800 children-max=150 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -K -S -R -b "DC=companydomain,DC=de" -D "CN=anLDAPuserwithREADaccess,OU=Sonstige,DC=companydomain,DC=de" -w PASSWORDHERE -f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=companydomain,DC=de))" -h 192.168.xx.xx 172.16.xx.xx 172.16.xx.xx 172.16.xx.xx

## Get group "InternetAccess3" from AD/LDAP and use this group in squid.conf as "ldap_InternetAccess3"
acl ldap_InternetAccess3 external ldap_group InternetAccess3

acl FTP_ports port 21
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSH_ports port 22
acl Safe_ports port 21          # FTP
acl Safe_ports port 22          # SSH
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8443        # Plesk
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !SSH_ports !FTP_ports
http_access allow ldap_InternetAccess3 !FTP_ports !SSH_ports !streaming !badfileending
http_access allow localhost manager
http_access deny manager

acl localdom dstdomain .ourcompany.de ourcompanydomain2.com
acl NOCACHE dstdomain ourcompany.de
no_cache allow NOCACHE

http_access allow localhost
http_access deny all
################################################################

Hope it helps. Good luck
Schroeffu

On 27 May 2019 16:16, "Hernan Saltiel" <hsalt...@gmail.com> wrote:

Hi all,

I'm trying to install a brand new Squid 4.7 on an Arch GNU/Linux (Kernel 5.0.7), authorizing its users against Active Directory, based on a Windows 2008 R2 Domain. I configured samba4 on the Arch machine, and it looks to be working well. wbinfo commands get executed with correct output. But when using Squid, I get messages like these all the time:

2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Starting Squid Cache version 4.7 for x86_64-pc-linux-gnu...
2019/05/27 04:08:12 kid1| Service Name: squid
2019/05/27 04:08:12 kid1| Process ID 7584
2019/05/27 04:08:12 kid1| Process Roles: worker
2019/05/27 04:08:12 kid1| With 1024 file descriptors available
2019/05/27 04:08:12 kid1| Initializing IP Cache...
2019/05/27 04:08:12 kid1| DNS Socket created at [::], FD 7
2019/05/27 04:08:12 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding nameserver 192.168.32.5 from /etc/resolv.conf
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'negotiate_wrapper' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'negotiate_wrapper' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'ntlm_auth' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'ntlm_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'basic_ldap_auth' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/5 'ext_ldap_group_acl' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'ext_ldap_group_acl' processes needed.
2019/05/27 04:08:12 kid1| Logfile: opening log /var/log/squid/access.log
2019/05/27 04:08:12 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2019/05/27 04:08:12 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/05/27 04:08:12 kid1| Store logging disabled
2019/05/27 04:08:12 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2019/05/27 04:08:12 kid1| Target number of buckets: 1008
2019/05/27 04:08:12 kid1| Using 8192 Store buckets
2019/05/27 04:08:12 kid1| Max Mem size: 262144 KB
2019/05/27 04:08:12 kid1| Max Swap size: 0 KB
2019/05/27 04:08:12 kid1| Using Least Load store dir selection
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Finished loading MIME types and icons.
2019/05/27 04:08:12 kid1| HTCP Disabled.
2019/05/27 04:08:12 kid1| Squid plugin modules loaded: 0
2019/05/27 04:08:12 kid1| Adaptation support is off.
2019/05/27 04:08:12 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2019/05/27 04:08:13 kid1| storeLateRelease: released 0 objects
2019/05/27 04:08:22 kid1| Starting new negotiateauthenticator helpers...
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10 'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(489): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
negotiate_kerberos_auth.cc(572): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_7586
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}

Some questions I have:

1) About the message:
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
Checking the permissions, it has 755, so I really do not understand why it's showing this. Don't know if there is some ownership rule or something like this...

2) About the message:
Login for user [mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!]
I tried debugging Samba, but see no message indicating anything here. Any help would be really appreciated.

3) Is there any example configuration for Squid 4 + Samba 4 + Active Directory? Sorry for this, but I see tons of information about Active Directory for Samba 4 and Squid3, but not much about the configuration I'm trying to have. I see several differences, for instance:
1) Use of "negotiate_wrapper".
2) Several aspects of files located in /var/lib/squid, where I do not see the equivalence between them and the ones listed for Squid3, and visible in tons of documentation.
3) Some docs say NTLM is deprecated, some are still showing ntlm_auth in config files.
This is why I really need to see if there is any example for this config...

Thanks a lot in advance for your time and attention, and best regards.
--HeCSa
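As an added example (my own code, not from either poster), a small Python checker for the winbind idmap layout in an smb.conf like the one posted above: it parses the `idmap config` lines, flags missing or overlapping ranges (a layout winbind rejects, so name lookups and therefore proxy logins fail), and computes the uid the rid backend hands out (range low + RID) so you can see whether an account's RID even fits the configured range. The sample smb.conf is a constructed excerpt of the posted one; the function names are mine.

```python
import re
# Constructed excerpt of the smb.conf posted above (sample input, not the full file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOM-COMPANY
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOM-COMPANY:backend = rid
   idmap config DOM-COMPANY:range = 8000-80000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Collect every 'idmap config <domain>:<key> = <value>' line as {DOMAIN: {key: value}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def parse_range(spec):
    low, high = (int(x) for x in spec.split("-", 1))
    return low, high


def check_ranges(domains):
    """Every idmap domain needs a range, and no two ranges may overlap (winbind rejects that)."""
    problems, ranges = [], {}
    for dom, cfg in domains.items():
        if "range" in cfg:
            ranges[dom] = parse_range(cfg["range"])
        else:
            problems.append(dom + ": no idmap range")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:  # closed intervals intersect
                problems.append(a + " and " + b + " ranges overlap")
    return problems


def rid_to_uid(domains, domain, rid):
    """idmap_rid allocates ID = LOW_RANGE_ID + RID; past the top of the range the account gets no uid."""
    cfg = domains[domain.upper()]
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError(domain + " does not use the rid backend")
    low, high = parse_range(cfg["range"])
    uid = low + rid
    return uid if uid <= high else None
```

Note that the posted smb.conf sets `winbind enum users = no` and `winbind enum groups = no`, so on that exact config `wbinfo -u` and `wbinfo -g` list nothing even when winbind is healthy; `wbinfo -t` (trust secret check) and `wbinfo -n 'DOM-COMPANY\someuser'` work regardless of enumeration.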
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users