Hi all!
Please help me.
My problem is: I want to setup squid with two auth methods. The first
method is: kerberos auth. The second is: BASIC ldap auth as a fail back
method for users without a kerberos ticket.
I see that is don't work. When user wants to login without kerberos,
browser (IE 8/9/10 ; FF 30/31 ; chrome) asks for a BASIC login and
password, after insert a correct login and pass browser ask again for
BASIC auth - and again and again. - In access.log I see only 407 code
and nothing any and an error about NTLM auth. If I disable kerberos
auth , I can use BASIC auth without any problem. Why Windows wants to
use NTLM..?
I use samba 4.1.9 as a DC/kerberos server. Kerberos works fine in
Windows client, but not good for linux - it get proxy refuse connection
from time to time.
I use squid from ubuntu 14.04 repo:
# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security'
# cat krb5.conf
[libdefaults]
default_realm = COMPANY.RU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
COMPANY.RU = {
kdc = domainctrl.company.ru
admin_server = domainctrl.company.ru
default_domain = COMPANY.RU
}
[domain_realm]
domainctrl.company.ru = COMPANY.RU
.domainctrl.company.ru = COMPANY.RU
# egrep -v '^($|#)' /etc/squid3/squid.conf
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r
auth_param negotiate children 150 startup=20 idle=20
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/basic_pam_auth -n squid -t 300 -o
auth_param basic children 5 startup=5 idle=1
auth_param basic credentialsttl 10800 seconds
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow auth
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# cat /etc/pam.d/squid
auth sufficient pam_krb5.so alt_auth_map=%s...@company.ru
account required pam_krb5.so
I have played with BASIC ldap auth with the same result. I have played
with krb5.conf without success.
Best regards,
Victor.
