Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
ok thanks. I think the system guys use samba and winbind to join linux
machines to the domain independently of the services installed

2015-12-29 16:10 GMT+01:00 Eliezer Croitoru :
> Hey Fabio,
>
> If you do want to use Kerberos you do not need to use winbindd; there are
> other options.
> (I have not tried them both yet)
>
> Eliezer
>
> On 29/12/2015 16:30, Fabio Bucci wrote:
>>
>> Hi Amos,
>> I'm trying to implement Kerberos as you suggested. But following
>> the guide I read "Do not use this method if you run winbindd or other
>> samba services as samba will reset the machine password every x days
>> and thereby makes the keytab invalid !!" and my system guy told me we
>> use the winbindd method.
>>
>> How can I implement it, then?
>> Thanks
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread L . P . H . van Belle
Hi,

> ok thanks. I think the system guys use samba and winbind to join linux
> machines to the domain independently of the services installed

That's good, but if you want a fallback and want to make NTLM work
(for Kerberos only it's not needed)

you want something like:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp \
  --domain=NTDOMAIN

Or

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth \
  -s HTTP/proxy.domain.tld@REALM \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN


For the --ntlm you MUST install samba, since it's supplied by samba.

And a basic fallback if the above fails; this one will give a popup to auth:

auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
-b "ou=Users,dc=internal,dc=domain,dc=tld" \
-D bind2ad@User_domain -W /etc/squid/private/secretfile \
-f (sAMAccountName=%s) \
-h dc2.internal.domain.tld \
-h dc1.internal.domain.tld 

Above is all tested and running in my production env.
A few very important pointers:
1) make sure your proxy has A and PTR records (needed for Kerberos)
2) make sure you have the HTTP/ SPN for the hostnames of your proxy servers
3) make sure your time is in sync on all servers and clients.


In samba 4 I did it like this. Log in with ssh on a DC.
kinit Administrator

samba-tool user create squid-proxy \
  --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy

# export the keytab (the principal must match the SPN added above).
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld \
  /root/keytabs/proxy1.keytab

Check if your hostname has all the SPNs.
samba-tool spn list proxy1$
proxy1 is the name in smb.conf
You must have:
 HOST/PROXY1
 HOST/proxy1.internal.domain.tld.

And make sure you have:
/etc/default/squid
KRB5_KTNAME=/etc/squid/proxy1.keytab
export KRB5_KTNAME


Greetz, 

Louis


> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Fabio Bucci
> Sent: Tuesday 29 December 2015 16:21
> To: Eliezer Croitoru
> CC: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
> 
> ok thanks. I think the system guys use samba and winbind to join linux
> machines to the domain independently of the services installed
> 
> 2015-12-29 16:10 GMT+01:00 Eliezer Croitoru :
> > Hey Fabio,
> >
> > If you do want to use Kerberos you do not need to use winbindd; there are
> > other options.
> > (I have not tried them both yet)
> >
> > Eliezer
> >
> > On 29/12/2015 16:30, Fabio Bucci wrote:
> >>
> >> Hi Amos,
> >> I'm trying to implement Kerberos as you suggested. But following
> >> the guide I read "Do not use this method if you run winbindd or other
> >> samba services as samba will reset the machine password every x days
> >> and thereby makes the keytab invalid !!" and my system guy told me we
> >> use the winbindd method.
> >>
> >> How can I implement it, then?
> >> Thanks
> >
> >

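The keytab Louis exports is only valid while its key version number (kvno) matches the one the KDC issues for the squid-proxy account, which is exactly what breaks when something resets that account's password, the concern Fabio quoted from the guide. The following is an added example, not code from the thread, Samba or Squid: it parses an MIT-format (0x0502) keytab offline and checks that the HTTP/ service principal is present at the expected kvno. The realm INTERNAL.DOMAIN.TLD, the kvno values and the dummy key bytes are assumptions; the sample keytab is constructed in code, not exported from a real domain. In AD the current kvno is the account's msDS-KeyVersionNumber attribute.

```python
"""Offline sanity check of a Kerberos keytab in MIT format 0x0502.
Added example (not from the squid-users thread, Samba or Squid). The
realm, kvno values and key bytes below are assumptions."""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1      # name types from RFC 4120 section 6.2
KRB5_NT_SRV_HST = 3
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str         # "HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _read_cos(data, off):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def _pack_cos(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def parse_keytab(data):
    """Return the KeytabEntry records of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 (big-endian) is supported")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # a negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)   # components, realm excluded
        p += 2
        realm, p = _read_cos(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_cos(data, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = bytes(data[p:p + klen])
        p += klen
        kvno = vno8
        if end - p >= 4:               # optional 32-bit kvno after the key block
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries):
    """Serialise entries in the same format; used here to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps))) + _pack_cos(realm)
        for comp in comps:
            body += _pack_cos(comp)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_principal(entries, principal, kdc_kvno):
    """(ok, message): ok only if `principal` is present at the kvno the KDC issues."""
    matching = [e for e in entries if e.principal == principal]
    if not matching:
        return False, "no key for %s in keytab" % principal
    kvnos = sorted({e.kvno for e in matching})
    if kdc_kvno not in kvnos:
        return False, ("keytab holds kvno %s but the KDC issues kvno %d: the account "
                       "password was reset, re-export the keytab" % (kvnos, kdc_kvno))
    enctypes = [ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
                for e in matching if e.kvno == kdc_kvno]
    return True, "kvno %d present with enctypes %s" % (kdc_kvno, ", ".join(enctypes))


# Constructed sample (assumption): the proxy SPN with a current AES key at
# kvno 3 and a stale RC4 key at kvno 2 left over from an earlier export.
SPN = "HTTP/proxy1.internal.domain.tld@INTERNAL.DOMAIN.TLD"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1451404800, 3, 18, bytes(range(32))),
    KeytabEntry(SPN, KRB5_NT_PRINCIPAL, 1420000000, 2, 23, bytes(range(16))),
])
```

Run `check_service_principal(parse_keytab(open(path, "rb").read()), SPN, kvno)` against the real keytab after each export, and again whenever Kerberos auth starts failing with a clean keytab on disk: a kvno mismatch is the signature of the password reset the guide warns about, and the fix is to re-export, not to touch winbindd.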


[squid-users] squid reverse proxy and client certs

2015-12-29 Thread Alex Samad
Hi

I have squid 3.5.12 working as a reverse proxy

cache_peer 127.0.0.1 \
 parent 443 0 proxy-only no-query no-digest originserver \
 login=PASS \
 ssl \
 sslcafile=/etc/pki/tls/certs/ca-bundle.crt \
 sslflags=DONT_VERIFY_PEER \
 name=webServer

This points to httpd which has a

DirectoryIndex index.shtml index.html
Options -Indexes -Includes +IncludesNOEXEC
-SymLinksIfOwnerMatch -ExecCGI -FollowSymLinks

SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional_no_ca
SSLVerifyDepth 4


Unfortunately the request for a client cert never makes it to the client.

How can I change this to allow client certs to work?

Alex
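An added configuration sketch, not from Alex's post and not Squid-project documentation. TLS is terminated at Squid, so httpd's SSLVerifyClient only ever sees Squid's own connection on the 127.0.0.1:443 hop and its CertificateRequest can never reach the browser. The client certificate has to be requested and verified on Squid's https_port instead, with the result passed to httpd in a request header that httpd trusts only from the proxy. Certificate paths, the site name, the issuer CN and the header name are assumptions; the https_port clientca=/cafile= options and the user_cert/ca_cert ACLs are Squid 3.x features, while the request_header_add value using the %ssl::>cert_subject logformat code is to the best of my knowledge supported in 3.5 and should be confirmed with `squid -k parse` on the installed build. Note also that sslflags=DONT_VERIFY_PEER on the original cache_peer line disables verification of httpd's certificate, so a tampered back-end hop would go unnoticed; the sketch drops it.

```conf
# Terminate TLS on Squid and ask the browser for a client certificate.
# clientca= is the CA list sent in the TLS CertificateRequest; cafile= is
# what the presented certificate is verified against. Paths are assumptions.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/ssl/proxy.crt key=/etc/squid/ssl/proxy.key \
    clientca=/etc/squid/ssl/client-ca.pem cafile=/etc/squid/ssl/client-ca.pem

# Back-end hop to httpd. Squid is the TLS client here, so httpd's
# SSLVerifyClient sees Squid, never the browser. Verify httpd's certificate
# against the bundle instead of DONT_VERIFY_PEER.
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver \
    login=PASS ssl sslcafile=/etc/pki/tls/certs/ca-bundle.crt name=webServer

# Accept only certificates issued by the expected CA (issuer CN: assumption).
acl client_cert_ok ca_cert CN Internal-Client-CA

# Hand the verified subject to httpd. httpd must strip this header from
# every source other than the proxy, or it can be spoofed. Name: assumption.
request_header_add X-Client-Cert-Subject "%ssl::>cert_subject" client_cert_ok

http_access allow client_cert_ok
http_access deny all
```

On the httpd side the existing SSLVerifyClient block then becomes redundant for requests arriving via Squid; the identity is in the added header, not in the TLS layer.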


Re: [squid-users] Assign multiple IP Address to squid

2015-12-29 Thread Eugene M. Zheganin
Hi.

On 29.12.2015 17:05, Reet Vyas wrote:
> Hi
>
> I have a working squid 3.5.4 configuration with ssl bump. I am using this
> squid machine as a router and have an external IP on it, and have a leased
> line connection, but with the leased line I have 10 extra IP addresses and I
> want to NAT those external IPs to local IPs on the same network, like we do
> in our router, so that I can assign those IPs to my machines having
> webservers.
>
> Please suggest me way to configure it.
>
This has nothing to do with squid.

Eugene.


[squid-users] Assign multiple IP Address to squid

2015-12-29 Thread Reet Vyas
Hi

I have a working squid 3.5.4 configuration with ssl bump. I am using this
squid machine as a router and have an external IP on it, and have a leased line
connection, but with the leased line I have 10 extra IP addresses and I want to
NAT those external IPs to local IPs on the same network, like we do in our
router, so that I can assign those IPs to my machines having webservers.

Please suggest me way to configure it.


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
Hi Amos,
I'm trying to implement Kerberos as you suggested. But following
the guide I read "Do not use this method if you run winbindd or other
samba services as samba will reset the machine password every x days
and thereby makes the keytab invalid !!" and my system guy told me we
use the winbindd method.

How can I implement it, then?
Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries :
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> i'm planning to migrate to kerberos instead NTLM.i got a question for
>> you Amos: sometimes a client reports issue in navigation and searching into
>> log file i cannot see "username" and all the request are 407
>>
>> In these cases is there a way to reset a user session or it's a completely
>> client issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (eg, forcing NTLM of all versions to
> disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
>
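Fabio's symptom (no username in the log, every request a 407) is what the looping state Amos describes looks like from the proxy side, and it can be picked out of access.log before anyone complains. The following detector is an added example, not code from the thread or from Squid: it reads native-format access.log lines and flags any client that collects a burst of unauthenticated 407 responses within a short window without a single authenticated request (username other than "-") in between. The log lines, addresses, URLs and thresholds are constructed for the example, not taken from a real proxy.

```python
"""Spot clients stuck in a Negotiate/NTLM 407 loop from Squid's native access.log.
Added example (not from the squid-users thread or from Squid); the sample
log lines and thresholds below are constructed, not real."""
import re
from collections import defaultdict

# Native format: timestamp elapsed client result/status bytes method URL user hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_line(line):
    """Return the fields of one native-format access.log line, or None if it
    does not parse (e.g. a custom logformat)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def find_auth_loops(lines, min_challenges=5, window_seconds=10.0):
    """Map client address -> largest burst of unauthenticated 407s seen.

    A normal Negotiate client gets one or two 407s and then a request with a
    username; that authenticated request clears the client's pending burst.
    A looping client never gets there, so its 407s pile up inside the window."""
    pending = defaultdict(list)         # client -> timestamps of recent 407s
    looping = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if rec["user"] != "-":
            pending[client].clear()     # auth completed; not a loop
            continue
        if rec["status"] != 407:
            continue
        recent = [t for t in pending[client] if rec["ts"] - t <= window_seconds]
        recent.append(rec["ts"])
        pending[client] = recent
        if len(recent) >= min_challenges:
            looping[client] = max(looping.get(client, 0), len(recent))
    return looping


# Constructed sample: 10.0.0.5 keeps answering the 407 with a token that is
# rejected every time; 10.0.0.7 does the normal handshake and succeeds.
SAMPLE_LOG = """\
1451400000.101      3 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
1451400000.120      1 10.0.0.7 TCP_DENIED/407 3905 GET http://intranet.example.com/ - HIER_NONE/- text/html
1451400000.350      2 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
1451400000.410    184 10.0.0.7 TCP_MISS/200 18220 GET http://intranet.example.com/ DOMAIN\\jdoe HIER_DIRECT/10.1.1.20 text/html
1451400000.602      2 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
1451400000.851      2 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.103      3 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
1451400001.355      2 10.0.0.5 TCP_DENIED/407 3905 GET http://www.example.com/ - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    for client, burst in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print("%s: %d unauthenticated 407s in a row" % (client, burst))
```

Pipe `tail -f access.log` into it for a live view, or run it over a rotated log to find the machines to look at. The flagged addresses are the natural input for Amos's workarounds (b) and (d): a `src` ACL built from them can be given a 407 without auth headers or a 403 until the client drops out of the loop, without changing the auth_param order for everyone else.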


[squid-users] squid3 / debian stable / please update to 3.4.14

2015-12-29 Thread Massimo . Sala
ciao Luigi

I ask that the distro be updated to squid 3.4.14, the last stable version,
released in August.

Rationale :
1) various bugs and memory leaks fixed;
2) security fix for CVE-2015-5400;
3) support for Alternate-Protocol HTTP header.

I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache 
videos.

References :
https://packages.debian.org/jessie/squid3

ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt
http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol


Best regards, Massimo



Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Eliezer Croitoru

Hey Fabio,

If you do want to use Kerberos you do not need to use winbindd; there are
other options.

(I have not tried them both yet)

Eliezer

On 29/12/2015 16:30, Fabio Bucci wrote:

Hi Amos,
I'm trying to implement Kerberos as you suggested. But following
the guide I read "Do not use this method if you run winbindd or other
samba services as samba will reset the machine password every x days
and thereby makes the keytab invalid !!" and my system guy told me we
use the winbindd method.

How can I implement it, then?
Thanks

