Hi,
we are running squid-3.0.STABLE9-1.el5 on CentOS 5.4 with Kerberos authentication against an Active Directory. It works fine, but IE6, some Java applets and some Linux workstations can't use the proxy. It seems that they don't support Kerberos SSO against the AD. Newer IEs and Firefox work well.
Is it possible to use NTLM authentication as a fallback? I've installed Samba 3.4.5, and wbinfo -g works.
I then added the NTLM lines to squid.conf:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-kerberos.heidelberg.bw-online.de
auth_param negotiate children 50
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=WWW
auth_param ntlm children 5
auth_param ntlm keep_alive on
external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "DC=heidelberg,DC=bw-online,DC=de" -D "CN=USER,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=CN=%a,CN=Users,DC=heidelberg,DC=bw-online,DC=de))" -v 3 -h "10.141.1.57 10.141.1.55" -K
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81-84       # building services, StaBue
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Configuration for Stadt Heidelberg
# All elements of an acl entry are OR'ed together.
# All elements of an access entry are AND'ed together
acl AD-AUTH proxy_auth REQUIRED
http_access allow AD-AUTH
# for Ziegelhausen, Linux: does no Kerberos passthrough, or no domain user
acl amt62 src 10.141.20.245 10.141.20.26 10.141.20.24
http_access allow amt62
# Java application: can't do Kerberos auth and no automatic .pac
acl teleteach url_regex lc-prod.teleteach.de
http_access allow teleteach
# ACLs with LDAP
acl ldapgroup-www external ldapgroup www
acl ldapgroup-ebay external ldapgroup ebay
acl blocklist dstdomain "/etc/squid/blocklist"
acl ldapgroup-teamviewer external ldapgroup proxy_teamviewer
acl blocklist-teamviewer dstdomain "/etc/squid/blocklist_teamviewer"
acl ldapgroup-filesharing external ldapgroup proxy_filesharing
acl blocklist-filesharing dstdomain "/etc/squid/blocklist_filesharing"
acl ldapgroup-amt80 external ldapgroup proxy_amt80
acl blocklist-amt80 dstdomain "/etc/squid/blocklist_amt80"
http_access allow ldapgroup-ebay all
#http_access allow schul340
http_access deny blocklist
http_access allow ldapgroup-filesharing
http_access deny blocklist-filesharing
http_access allow ldapgroup-teamviewer
http_access deny blocklist-teamviewer
http_access allow ldapgroup-amt80
http_access deny blocklist-amt80
http_access allow ldapgroup-www all
# And finally deny all other access to this proxy
#http_access allow localhost
http_access deny all
www is the AD group that has access to the internet.
The browser then pops up asking for user credentials, but does not get authenticated. The access.log writes no user information with the DENIED entries.
Does anyone have an idea whether Kerberos with NTLM as a fallback should work?
Best Regards
Ralf Lutz
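As an added example (not code from the post or from Squid), here is a small Python model of how Squid walks the http_access lines above: values within one acl are OR'ed, acls on one line are AND'ed, the first matching line decides, and an acl that needs a login (proxy_auth, or an external acl fed %LOGIN) evaluated for a client without credentials ends the check with a 407 challenge. The squid_ldap_group helper is replaced by an assumed membership table, and the blocklist entry is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# ACLs trimmed from the squid.conf in the post: name -> (type, values). The
# blocklist entry is constructed; GROUPS stands in for the LDAP helper (assumed).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "AD-AUTH": ("proxy_auth", ["REQUIRED"]),
    "amt62": ("src", ["10.141.20.245", "10.141.20.26", "10.141.20.24"]),
    "teleteach": ("url_regex", ["lc-prod.teleteach.de"]),
    "ldapgroup-ebay": ("external", ["ebay"]),
    "blocklist": ("dstdomain", ["blocked.example"]),
    "ldapgroup-www": ("external", ["www"]),
}
HTTP_ACCESS = [  # (action, acl names) in the order the post lists them
    ("allow", ["AD-AUTH"]), ("allow", ["amt62"]), ("allow", ["teleteach"]),
    ("allow", ["ldapgroup-ebay", "all"]), ("deny", ["blocklist"]),
    ("allow", ["ldapgroup-www", "all"]), ("deny", ["all"]),
]
GROUPS = {"alice": {"www"}, "bob": {"www", "ebay"}}


class AuthRequired(Exception):
    """An authentication acl was evaluated without credentials (HTTP 407)."""


def acl_matches(name, req):
    """Values inside one acl are OR'ed; login-based acls need req['user']."""
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v) for v in values)
    if kind == "dstdomain":  # exact or subdomain match is enough for this model
        return any(req["host"] == v or req["host"].endswith("." + v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    if req.get("user") is None:  # proxy_auth and %LOGIN external acls
        raise AuthRequired(name)
    if kind == "proxy_auth":     # REQUIRED: any authenticated user matches
        return True
    return any(v in GROUPS.get(req["user"], set()) for v in values)


def http_access(req, rules=HTTP_ACCESS):
    """Top-down walk; returns (decision, 1-based line). Line 0 is the implicit
    default, which is the opposite of the last line's action."""
    n = 0
    try:
        for n, (action, acls) in enumerate(rules, 1):
            if all(acl_matches(a, req) for a in acls):
                return action, n
    except AuthRequired:
        return "407", n
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0
```

With the lines in the posted order, an unauthenticated client from the amt62 addresses or the teleteach Java application is challenged at line 1 before its exception is reached, and every authenticated user is allowed at line 1, so the group and blocklist lines after it never decide.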
Received on Mon May 10 2010 - 14:47:35 MDT