Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 21/10/20 1:24 am, Christophe Leloup wrote:
> Hi,
> 
> I have connected my debian to my active directory. I don't have machine
> authentication by user but only by ip. Attached is my squid.conf.
> 
> 

Have a read of this:
 

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 21/10/20 1:24 am, Christophe Leloup wrote:
> Hi,
> 
> I have connected my debian to my active directory. I don't have machine
> authentication by user but only by ip. Attached is my squid.conf.
> 

Well. Yes, that looks true.

Amos


Re: [squid-users] active directory 2008.

2020-10-20 Thread Christophe Leloup


Hi,

I have connected my debian to my active directory. I don't have machine authentication by user but only by ip. Attached is my squid.conf.

thanks

## LDAP & Kerberos (Active Directory) Authentication

## Negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TRIEFUS --kerberos /usr/lib/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

# Pure ntlm Authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

# Provide basic ldap authentication for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid/basic_ldap_auth -h SRVMASTER-BIS.triefus.home -D "CN=squid,CN=Users,DC=triefus,DC=home" -b "dc=triefus,dc=home" -W /etc/squid/ldappass.txt -f "(samaccountname=%s)"
auth_param basic children 5
auth_param basic realm "Proxy Authentication"
auth_param basic credentialsttl 2 hours

# ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=triefus,dc=home" -D "CN=squid,CN=Users,DC=triefus,DC=home" -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v))" -h SRVMASTER-BIS.triefus.home

Sent: 20 October 2020 at 13:42
From: Amos Jeffries
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] active directory 2008.

On 20/10/20 10:44 pm, Christophe Leloup wrote:
> Good morning all,
> 
> I am French. excuse me for my English.
> I am looking for a tutorial on how to integrate an Active Directory 2008 with Squid.
> 
> do you have any leads or websites?

That depends on what you are trying to make Squid do, which you have not mentioned. For better help please provide details.

 has a lot of info.

Amos


Re: [squid-users] active directory 2008.

2020-10-20 Thread Amos Jeffries
On 20/10/20 10:44 pm, Christophe Leloup wrote:
> Good morning all,
> 
> I am French. excuse me for my English.
> I am looking for a tutorial on how to integrate an Active Directory 2008 with
> Squid.
> 
> do you have any leads or websites?
> 

That depends on what you are trying to make Squid do, which you have not
mentioned. For better help please provide details.

 has a lot of info.

Amos


Re: [squid-users] Active Directory Authentication?

2018-06-20 Thread Amos Jeffries
On 19/06/18 04:53, Beto Moreno wrote:
> Hi guys.
> 
> Just wondering, if we want squid to authenticate users from our Active
> Directory Windows 2012 server, do we need to have our Linux-Squid
> 3.5.x be part of the domain, or can an LDAP query work without being part
> of the domain?

See my response to the identical question a few days ago


You will need to provide more details about what _exactly_ you want to
do in order to get a proper answer. Your description is too vague right
now to answer.


Amos


Re: [squid-users] Active Directory Integration?

2018-06-17 Thread Amos Jeffries
On 17/06/18 18:36, Periko Support wrote:
> Hi people.
> 
> If we need to integrate squid 3.5+ with a windows domain AD(2008+) and
> authenticate users from the domain.
> 
> Linux(squid) need to be part of the domain?

Depends on what authentication types you want to use, and how you want
to use them.

The proxy needs the ability to ask the DC about credentials.  If you use
a prepared helper, decide the auth scheme and look at what the helpers
for that scheme can do.


> Or we can just enable a common LDAP query to the AD server?

What do you mean by "common" ?

LDAP requires credentials for the proxy to login to the DC with, in
order to check credentials etc. So it may or may not work off-domain.

Amos


Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-17 Thread dolson
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the
browser

On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version:  Squid 3.4.8
>>>
>>> OS Version:  Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have
>>> the basics operating, at least when I start the squid service, I
>>> am no longer getting any error messages.  At this time, the
>>> goal is to authenticate users from Active Directory and log the user and
>>> the websites they are accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows
>>> 7 workstation to use the Squid proxy, I am getting the log in page (image
>>> below).
>>>
>>> [image attachment: image001.png]
>>>
>>> I have tried entering my user name in various forms: EXAMPLE/USERID,
>>> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR, and the password, and I
>>> have not been successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log
>>> files for review.  If you would like to see the cache.log file,
>>> please contact me as the file is too large to include in this post.
>>>
>>>
>> I suggest you first make Basic and NTLM work with Active
>> Directory, and only then, having these 2 schemes working, move to
>> the GSS-SPNEGO scheme. This is because the GSS-SPNEGO scheme is
>> overcomplicated and difficult to debug, as it uses lots of components and
>> can fall apart easily at any stage.
>>
> 
> I suggest also using a current Firefox release. I am finding the 4x
> series work a lot better than the earlier 3x series did on Windows 7.
> 
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending
> it Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> 
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
> 
> 

Also, since you are using what looks to be an outdated copy-n-paste of the
Squid official wiki article on Windows AD integration, not the living-document
original itself, you missed seeing one critical detail about winbind bugs on
Debian that came to light a few months back.

<http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory?highlight=%28winbind%29#NTLM>
or
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm#winbind_privileged_pipe_permissions>

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-17 Thread Amos Jeffries
On 18/11/2015 9:36 a.m., dol...@ihcrc.org wrote:
> Thank you for your help Amos,
> 
> I think I am a little further, but I'm still having some issues.
> 
> I updated my proxy address from the IP to the FQDN and this removed the login
> page that I previously mentioned, but I still could not get to any external
> websites.  Internal sites are working correctly.  I have attached the screen
> shot of the message.
> 
> I have followed the new links that you provided and changed the permissions 
> on the /var/lib/samba/winbindd_privileged file as directed, and tested 
> winbind using the instructions and everything is working.
> 
> Per your suggestion, I upgraded Firefox to 4.2.  What was really interesting 
> is, when I used the link from the About Firefox window, I was able to access 
> the Mozilla website, and download the file with no errors on the webpage in 
> the browser, but continue to get it if I now go to the site by entering the 
> address in the address bar.
> 
> I have included below excerpts from the access.log and cache.log files from 
> the last attempts to see if you or someone else can help me understand the 
> information in the files so I can see where the problem may be.
> 
> Access.log:
> 
> 1447788372.600  7 10.1.3.56 TCP_DENIED/407 3826 GET 
> http://srv-joomla/portal/ - HIER_NONE/- text/html
> 1447788372.812 63 10.1.3.56 TCP_MISS/500 6727 GET 
> http://srv-joomla/portal/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788372.903  0 10.1.3.56 TCP_MISS/500 4085 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788373.059  0 10.1.3.56 TCP_MISS/500 4025 GET 
> http://srv-joomla/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788373.106  0 10.1.3.56 TCP_MISS/500 4025 GET 
> http://srv-joomla/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788377.958  0 10.1.3.56 TCP_DENIED/407 3903 POST 
> http://ocsp.digicert.com/ - HIER_NONE/- text/html
> 1447788378.163 45 10.1.3.56 TCP_MISS/500 6792 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.207  0 10.1.3.56 TCP_MISS/500 4110 POST 
> http://clients1.google.com/ocsp dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.786  0 10.1.3.56 TCP_MISS/500 4004 GET http://www.google.com/ 
> dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.832  0 10.1.3.56 TCP_MISS/500 4080 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788378.894  0 10.1.3.56 TCP_MISS/500 4037 GET 
> http://www.google.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788379.051  0 10.1.3.56 TCP_MISS/500 4037 GET 
> http://www.google.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788381.219  0 10.1.3.56 TCP_MISS/500 4092 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.357  0 10.1.3.56 TCP_MISS/500 3995 GET http://www.cnn.com/ 
> dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.516  0 10.1.3.56 TCP_MISS/500 4077 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788383.577  0 10.1.3.56 TCP_MISS/500 4028 GET 
> http://www.cnn.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.749 15 10.1.3.56 TCP_MISS/500 4028 GET 
> http://www.cnn.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788432.030  0 10.1.3.56 TCP_MISS/500 4092 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 

The above and the cache.log show the authentication apparently working
fine. The problem is elsewhere.

The "some possible problems" section of the error message lists the
things you need to look at fixing.

The access.log lines with "TCP_MISS/500" and "HIER_NONE/-" indicate that
Squid is not able to connect to any external server to fetch the objects
it is being asked for. Something is broken at the TCP layer; firewall
settings? DNS resolution? NAT from 10/8 to public Internet?


Amos
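Two of Amos's observations in this thread lend themselves to a small log triage: the 16 November note that Kerberos labels users as USER@DOMAIN while NTLM-style labels look like DOMAIN/USERID, and the diagnosis above that TCP_MISS/500 together with HIER_NONE/- and a populated user field means authentication succeeded and the failure is in reaching the upstream server. The Python below is an added example, not code from the thread or from the Squid project. It parses Squid's native access.log format; the sample records are the lines quoted above (re-joined where the mail wrapped them) plus one constructed healthy TCP_MISS/200 record for contrast, and the class names and verdict wording are this example's own.

```python
"""Triage Squid native access.log lines: auth challenge, auth refusal, or upstream failure."""
import re
from collections import Counter

# Squid "native" logformat, one record per line:
#   timestamp elapsed client action/status bytes method URL user hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Records from the access.log excerpt in the thread, plus one constructed
# healthy record (TCP_MISS/200 via HIER_DIRECT to a TEST-NET address) for contrast.
SAMPLE_LOG = """
1447788372.600  7 10.1.3.56 TCP_DENIED/407 3826 GET http://srv-joomla/portal/ - HIER_NONE/- text/html
1447788372.812 63 10.1.3.56 TCP_MISS/500 6727 GET http://srv-joomla/portal/ dol...@ihcrc.org HIER_NONE/- text/html
1447788377.958  0 10.1.3.56 TCP_DENIED/407 3903 POST http://ocsp.digicert.com/ - HIER_NONE/- text/html
1447788378.786  0 10.1.3.56 TCP_MISS/500 4004 GET http://www.google.com/ dol...@ihcrc.org HIER_NONE/- text/html
1447788400.000 120 10.1.3.56 TCP_MISS/200 5120 GET http://www.example.com/ dol...@ihcrc.org HIER_DIRECT/192.0.2.10 text/html
""".strip().splitlines()


def parse_record(line):
    """Return the record's fields as a dict, or None for a line not in native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def user_label_kind(user):
    """Classify the logged user label by shape.

    Kerberos hands Squid USER@DOMAIN; DOMAIN\\USER or DOMAIN/USER is the NTLM shape;
    anything else is a bare name typed into a Basic prompt; "-" means no credentials.
    """
    if user == "-":
        return "none"
    if "@" in user:
        return "kerberos-upn"
    if "\\" in user or "/" in user:
        return "ntlm-domain-prefixed"
    return "bare"


def classify(rec):
    """Map one record to what it says about where the request failed (or did not)."""
    status = int(rec["status"])
    authenticated = rec["user"] != "-"
    if status == 407:
        # 407 with no user label is the normal proxy challenge; with a label it is a refusal.
        return "auth-challenge" if not authenticated else "auth-rejected"
    if rec["hier"] == "HIER_NONE" and status >= 500:
        # Credentials were accepted, but Squid never reached an upstream server.
        return "upstream-unreachable" if authenticated else "error-unauthenticated"
    if rec["hier"] != "HIER_NONE":
        return "forwarded"
    return "other"


def summarize(lines):
    """Count records per class; lines that do not parse are counted under 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return counts


def verdict(counts):
    """Turn the counts into a one-line diagnosis."""
    if counts["auth-rejected"]:
        return "credentials are being refused: look at the auth helpers first"
    if counts["upstream-unreachable"]:
        return "authentication works; Squid cannot reach upstream servers (check firewall, DNS, NAT)"
    if counts["auth-challenge"] and not counts["forwarded"]:
        return "only challenges seen: clients never answered the 407"
    return "no failure pattern in this sample"


if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_LOG):
        print(rec["status"], rec["hier"], user_label_kind(rec["user"]), classify(rec))
    summary = summarize(SAMPLE_LOG)
    print(dict(summary))
    print(verdict(summary))
```

Run against the sample, the two 407 lines come out as ordinary challenges, the two 500/HIER_NONE lines as upstream failures with a Kerberos-shaped user label, and the verdict matches Amos's reading: the proxy authenticated the user and then could not connect anywhere. Pointing `summarize` at a real access.log (one line per record) gives the same breakdown for a whole day.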


Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-17 Thread dolson
Thank you Amos!  That helps me a great deal!

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Tuesday, November 17, 2015 3:15 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the 
browser

On 18/11/2015 9:36 a.m., dol...@ihcrc.org wrote:
> Thank you for your help Amos,
> 
> I think I am a little further, but I'm still having some issues.
> 
> I updated my proxy address from the IP to the FQDN and this removed the login
> page that I previously mentioned, but I still could not get to any external
> websites.  Internal sites are working correctly.  I have attached the screen
> shot of the message.
> 
> I have followed the new links that you provided and changed the permissions 
> on the /var/lib/samba/winbindd_privileged file as directed, and tested 
> winbind using the instructions and everything is working.
> 
> Per your suggestion, I upgraded Firefox to 4.2.  What was really interesting 
> is, when I used the link from the About Firefox window, I was able to access 
> the Mozilla website, and download the file with no errors on the webpage in 
> the browser, but continue to get it if I now go to the site by entering the 
> address in the address bar.
> 
> I have included below excerpts from the access.log and cache.log files from 
> the last attempts to see if you or someone else can help me understand the 
> information in the files so I can see where the problem may be.
> 
> Access.log:
> 
> 1447788372.600  7 10.1.3.56 TCP_DENIED/407 3826 GET 
> http://srv-joomla/portal/ - HIER_NONE/- text/html
> 1447788372.812 63 10.1.3.56 TCP_MISS/500 6727 GET 
> http://srv-joomla/portal/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788372.903  0 10.1.3.56 TCP_MISS/500 4085 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788373.059  0 10.1.3.56 TCP_MISS/500 4025 GET 
> http://srv-joomla/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788373.106  0 10.1.3.56 TCP_MISS/500 4025 GET 
> http://srv-joomla/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788377.958  0 10.1.3.56 TCP_DENIED/407 3903 POST 
> http://ocsp.digicert.com/ - HIER_NONE/- text/html
> 1447788378.163 45 10.1.3.56 TCP_MISS/500 6792 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.207  0 10.1.3.56 TCP_MISS/500 4110 POST 
> http://clients1.google.com/ocsp dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.786  0 10.1.3.56 TCP_MISS/500 4004 GET http://www.google.com/ 
> dol...@ihcrc.org HIER_NONE/- text/html
> 1447788378.832  0 10.1.3.56 TCP_MISS/500 4080 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788378.894  0 10.1.3.56 TCP_MISS/500 4037 GET 
> http://www.google.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788379.051  0 10.1.3.56 TCP_MISS/500 4037 GET 
> http://www.google.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788381.219  0 10.1.3.56 TCP_MISS/500 4092 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.357  0 10.1.3.56 TCP_MISS/500 3995 GET http://www.cnn.com/ 
> dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.516  0 10.1.3.56 TCP_MISS/500 4077 GET 
> http://www.squid-cache.org/Artwork/SN.png dol...@ihcrc.org HIER_NONE/- 
> text/html
> 1447788383.577  0 10.1.3.56 TCP_MISS/500 4028 GET 
> http://www.cnn.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788383.749 15 10.1.3.56 TCP_MISS/500 4028 GET 
> http://www.cnn.com/favicon.ico dol...@ihcrc.org HIER_NONE/- text/html
> 1447788432.030  0 10.1.3.56 TCP_MISS/500 4092 POST 
> http://ocsp.digicert.com/ dol...@ihcrc.org HIER_NONE/- text/html
> 

The above and the cache.log show the authentication apparently working fine. 
The problem is elsewhere.

The "some possible problems" section of the error message lists the things you
need to look at fixing.

The access.log lines with "TCP_MISS/500" and "HIER_NONE/-" indicate that Squid 
is not able to connect to any external server to fetch the objects it is being 
asked for. Something is broken at the TCP layer; firewall settings? DNS 
resolution? NAT from 10/8 to public Internet?


Amos


Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Eugene M. Zheganin
Hi.

On 16.11.2015 18:46, dol...@ihcrc.org wrote:
>
> Squid Version:  Squid 3.4.8
>
> OS Version:  Debian 8 (8.2)
>
>  
>
> I have installed Squid on a server using Debian 8 and seem to have the
> basics operating, at least when I start the squid service, I am
> no longer getting any error messages.  At this time, the goal is to
> authenticate users from Active Directory and log the user and the
> websites they are accessing.
>
> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
> workstation to use the Squid proxy, I am getting the log in page
> (image below).
>
> [image attachment: image001.png]
>
> I have tried entering my user name in various forms: EXAMPLE/USERID,
> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR, and the password, and I
> have not been successful at this time.
>
>  
>
> I have attached the squid.conf, smb.conf, krb5.conf, and access.log
> files for review.  If you would like to see the cache.log file, please
> contact me as the file is too large to include in this post.
>
>  
>
>
I suggest you first make Basic and NTLM work with Active Directory,
and only then, having these 2 schemes working, move to the
GSS-SPNEGO scheme. This is because the GSS-SPNEGO scheme is overcomplicated
and difficult to debug, as it uses lots of components and can fall apart
easily at any stage.

Eugene.


Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Amos Jeffries
On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> On 16.11.2015 18:46, dolson wrote:
>>
>> Squid Version:  Squid 3.4.8
>>
>> OS Version:  Debian 8 (8.2)
>>
>> I have installed Squid on a server using Debian 8 and seem to have the
>> basics operating, at least when I start the squid service, I am no longer
>> getting any error messages.  At this time, the goal is to authenticate users
>> from Active Directory and log the user and the websites they are accessing.
>>
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
>> workstation to use the Squid proxy, I am getting the log in page (image
>> below).
>>
>> [image attachment: image001.png]
>>
>> I have tried entering my user name in various forms: EXAMPLE/USERID, USERID,
>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR, and the password, and I have not been
>> successful at this time.
>>
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files
>> for review.  If you would like to see the cache.log file, please contact me
>> as the file is too large to include in this post.
>>
>>
> I suggest you first make Basic and NTLM work with Active Directory, and only
> then, having these 2 schemes working, move to the GSS-SPNEGO scheme. This is
> because the GSS-SPNEGO scheme is overcomplicated and difficult to debug, as it
> uses lots of components and can fall apart easily at any stage.
> 

I suggest also using a current Firefox release. I am finding the 4x
series work a lot better than the earlier 3x series did on Windows 7.

Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything
worse. If you are able to avoid using it at all and to actively turn
NTLM off around your network the Kerberos side of things will work better.

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Rafael Akchurin
Hello all,

If I am not terribly mistaken when you have a Kerberos auth scheme active - you 
are actually using SSO - i.e. when everything is configured normally you should 
*never* see the popup box - the fact that you see it means Kerberos is not 
working.

What I would check first is that you set your browser to use the proxy *by
FQDN* and not by IP as you seem to (see the proxy address in the screenshot). I
would humbly recommend checking the troubleshooting checklist we have on our
site -
http://docs.diladele.com/administrator_guide_4_3/active_directory/troubleshooting.html

Best regards,
Rafael Akchurin
Diladele B.V.


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Monday, November 16, 2015 9:18 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Active Directory Authentication failing at the 
browser

On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
> Hi.
> 
> On 16.11.2015 18:46, dolson wrote:
>>
>> Squid Version:  Squid 3.4.8
>>
>> OS Version:  Debian 8 (8.2)
>>
>> I have installed Squid on a server using Debian 8 and seem to have
>> the basics operating, at least when I start the squid service, I
>> am no longer getting any error messages.  At this time, the goal is
>> to authenticate users from Active Directory and log the user and the
>> websites they are accessing.
>>
>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
>> workstation to use the Squid proxy, I am getting the log in page (image
>> below).
>>
>> [image attachment: image001.png]
>>
>> I have tried entering my user name in various forms: EXAMPLE/USERID,
>> USERID, EXAMPLE/ADMINISTRATOR, ADMINISTRATOR, and the password, and I
>> have not been successful at this time.
>>
>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log
>> files for review.  If you would like to see the cache.log file,
>> please contact me as the file is too large to include in this post.
>>
>>
> I suggest you first make Basic and NTLM work with Active Directory,
> and only then, having these 2 schemes working, move to the
> GSS-SPNEGO scheme. This is because the GSS-SPNEGO scheme is
> overcomplicated and difficult to debug, as it uses lots of components and can
> fall apart easily at any stage.
> 

I suggest also using a current Firefox release. I am finding the 4x series
work a lot better than the earlier 3x series did on Windows 7.

Kerberos also uses the USER@DOMAIN format for user labeling. Sending it Basic
(USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.

Kerberos and NTLM are both PITA protocols. But NTLM makes everything worse. If
you are able to avoid using it at all and to actively turn NTLM off around your
network the Kerberos side of things will work better.

Amos



Re: [squid-users] Active Directory Authentication failing at the browser

2015-11-16 Thread Amos Jeffries
On 17/11/2015 9:17 a.m., Amos Jeffries wrote:
> On 17/11/2015 3:19 a.m., Eugene M. Zheganin wrote:
>> Hi.
>>
>> On 16.11.2015 18:46, dolson wrote:
>>>
>>> Squid Version:  Squid 3.4.8
>>>
>>> OS Version:  Debian 8 (8.2)
>>>
>>> I have installed Squid on a server using Debian 8 and seem to have the
>>> basics operating, at least when I start the squid service, I am no longer
>>> getting any error messages.  At this time, the goal is to authenticate
>>> users from Active Directory and log the user and the websites they are accessing.
>>>
>>> The problem I am having is, when I set Firefox 35.0.1 on my Windows 7
>>> workstation to use the Squid proxy, I am getting the log in page (image
>>> below).
>>>
>>> [image attachment: image001.png]
>>>
>>> I have tried entering my user name in various forms: EXAMPLE/USERID, USERID,
>>> EXAMPLE/ADMINISTRATOR, ADMINISTRATOR, and the password, and I have not been
>>> successful at this time.
>>>
>>> I have attached the squid.conf, smb.conf, krb5.conf, and access.log files
>>> for review.  If you would like to see the cache.log file, please contact me
>>> as the file is too large to include in this post.
>>>
>>>
>> I suggest you first make Basic and NTLM work with Active Directory, and
>> only then, having these 2 schemes working, move to the GSS-SPNEGO scheme.
>> This is because the GSS-SPNEGO scheme is overcomplicated and difficult to
>> debug, as it uses lots of components and can fall apart easily at any stage.
>>
> 
> I suggest also using a current Firefox release. I am finding the 4x
> series work a lot better than the earlier 3x series did on Windows 7.
> 
> Kerberos also uses the USER@DOMAIN format for user labeling. Sending it
> Basic (USERID) or NTLM (DOMAIN/USERID) formatted labels may be the problem.
> 
> Kerberos and NTLM are both PITA protocols. But NTLM makes everything
> worse. If you are able to avoid using it at all and to actively turn
> NTLM off around your network the Kerberos side of things will work better.
> 

Also, since you are using what looks to be an outdated copy-n-paste of
the Squid official wiki article on Windows AD integration, not the
living-document original itself, you missed seeing one critical detail
about winbind bugs on Debian that came to light a few months back.


or


Amos



Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-14 Thread James Robertson
 Super! Everything works fine including groups for basic, ntlm and negotiate.

 Is it possible to have Digest authentication with Windows 2003 AD?

 add the following to your wiki page:

 auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 5
 auth_param ntlm keep_alive on

Excellent!  And thanks for the feedback, I will review and add to the
wikis.  Not sure about digest auth, sorry.


Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-12 Thread James Robertson
 When I try to use Opera browser I am getting ugly message after
 entering credentials:

 authenticateNegotiateHandleReply: Error validating user via Negotiate.
 Error returned 'BH received type 1 NTLM token'

Opera does not support Kerberos as far as I know.  You will still
need to support NTLM; you will have issues with iTunes and possibly
various other apps that need NTLM support.

 Is there any universal, well tested configuration/manual that will
 make all clients work?

I just completed a guide based on Debian that supports Kerberos, NTLM
and basic auth and was planning on updating the Squid Wiki also
sometime soon.  You should be able to translate that to your RH.

HTH.

http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy


Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-12 Thread George Machitidze
Hello James

Great job! Thanks for reply

I will check and update with tests :)

Best regards,
George Machitidze



On Thu, Jan 12, 2012 at 1:00 PM, James Robertson j...@mesrobertson.com wrote:
 When I try to use Opera browser I am getting ugly message after
 entering credentials:

 authenticateNegotiateHandleReply: Error validating user via Negotiate.
 Error returned 'BH received type 1 NTLM token'

 Opera does not support Kerberos as far as I know.  You will still
 need to support NTLM; you will have issues with iTunes and possibly
 various other apps that need NTLM support.

 Is there any universal, well tested configuration/manual that will
 make all clients work?

 I just completed a guide based on Debian that supports Kerberos, NTLM
 and basic auth and was planning on updating the Squid Wiki also
 sometime soon.  You should be able to translate that to your RH.

 HTH.

 http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy


Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-12 Thread George Machitidze
Here are first issues:

[root@proxy ~]# kdestroy

NOW RESET DONE FOR HOST squid-k IN AD

[root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
 -- init_password: Wiping the computer password structure
 -- get_dc_host: Attempting to find a Domain Controller to use
 -- get_dc_host: Found Domain Controller: TEST-admsdc02
 -- get_default_keytab: Obtaining the default keytab name:
/etc/squid/HTTP.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-iN2kxe
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid-k$
 -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from
local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for squid-k$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- try_user_creds: Error: krb5_cc_get_principal failed (No
credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
 default machine password, nor calling user's tickets worked. Try
 kiniting yourself some tickets with permission to create computer
 objects, or pre-creating the computer object in AD and selecting
 'reset account'.
 -- ~KRB5Context: Destroying Kerberos Context

[root@proxy ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.GE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 TEST.GE = {
  kdc = TEST-admsdc01.test.ge
  kdc = TEST-admsdc01.test.ge
  admin_server = TEST-admsdc01.test.ge
  default_domain = test.ge
 }

[domain_realm]
 test.ge = TEST.GE
 .test.ge = TEST.GE

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Where can I find the reason?

Best regards,
George Machitidze



On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze gio...@gmail.com wrote:
 Hello James

 Great job! Thanks for reply

 I will check and update with tests :)

 Best regards,
 George Machitidze



 On Thu, Jan 12, 2012 at 1:00 PM, James Robertson j...@mesrobertson.com 
 wrote:
 When I try to use Opera browser I am getting ugly message after
 entering credentials:

 authenticateNegotiateHandleReply: Error validating user via Negotiate.
 Error returned 'BH received type 1 NTLM token'

 Opera  does not support Kerberos as far as I know.  You will still
 need to support NTLM. you will have issues with iTunes and possibly
 various other apps as that need NTLM support.

 Is there any universal, well tested configuration/manual that will
 make all clients work?

 I just completed a guide based on Debian that supports Kerberos, NTLM
 and basic auth and was planning on updating the Squid Wiki also
 sometime soon.  You should be able to translate that to your RH.

 HTH.

 http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy


Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-12 Thread George Machitidze
Nevermind - my fault

On Redhat winbind is running as root and the owner of the file is root:root;
I've changed it to squid.


Best regards,
George Machitidze





Re: [squid-users] Active Directory and user agents - complete ISA replacement

2012-01-12 Thread George Machitidze
Hello

Super! Everything works fine including groups for basic, ntlm and negotiate.

Is it possible to have Digest authentication with Windows 2003 AD?

add following for your wiki page:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

Best regards,
George Machitidze





Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-10 Thread berry guru
Wow! I just feel dumb now.  That's my mistake.  I copied and pasted
and it worked like a charm.  Thanks James!  Excellent wiki on the
topic too, it's very helpful.



Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-10 Thread berry guru
Thanks for responding back James.  I'm new to Linux, and new to Squid
but I'm very intrigued and would like to learn.  So I did a little
more digging through the configuration and I came across something.
I'm currently running Squid 2.7 (I'm a little afraid to do the upgrade
and mess something up, and don't know how yet) but in the config line
'default_keytab_name = /etc/squid3/PROXY.keytab' you list Squid3.
Could that be a problem?

As for my resolv.conf I simply have both of my internal DNS servers
listed.  Not quite sure what else to verify.  I've also added my Squid
box to the unlimited policy on my network to make sure nothing is
blocking it.

How can I go about troubleshooting this with logs maybe, if possible?


On Tue, Jan 10, 2012 at 1:15 PM, James Robertson j...@mesrobertson.com wrote
 Hi Evan,

 You should probably double check your DNS on the proxy (resolv.conf)
 and the domain and look for any typo's in that and your kerberos
 config.

 The fact that it could not resolve one (or possibly more) of your KDC
 addresses could cause you problems later on - especially when msktutil
 needs to do --auto-updates.

 Cheers

 On 11 January 2012 07:33, berry guru berryg...@gmail.com wrote:
 Hi James,

 So I don't mean to be a pest, but I've run into another issue.  I've
 run the kinit administrator command but I'm getting the following
 error:

 kinit: Cannot resolve network address for KDC in realm COMPANY.LOCAL
 while getting initial credentials.

 I poked around online and I saw a few issues regarding my error, but
 the resolve was making the realm all caps.


 Cheers,

 Evan


 On Sun, Jan 8, 2012 at 9:58 PM, James Robertson j...@mesrobertson.com 
 wrote:
 Hi Everyone,

 I just thought I would share a guide I am working on, it's not quite
 finished so expect errors, typo's etc.  I would love any feedback or
 critique about it.

 http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

 There is probably things that the developers and users will cringe at,
 if so I would like to know.

 Thanks for maintaining squid and the for the friendly mailing lists.

 Kind Regards,

 James


Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-10 Thread berry guru
I forgot to mention that I'm running Server 2008 R2 domain
controllers.  Secondly, when I do a 'locate PROXY.keytab' I can't find
it which should be in the squid correctly if I'm not mistaken.





Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-10 Thread James Robertson
 I forgot to mention that I'm running Server 2008 R2 domain
 controllers.  Secondly, when I do a 'locate PROXY.keytab' I can't find
 it which should be in the squid correctly if I'm not mistaken.

You may need to run updatedb to update the index before running the
find command.

 I'm currently running Squid 2.7 (I'm a little afraid to do the upgrade
 and mess something up, and don't know how yet) but in the config line
 'default_keytab_name = /etc/squid3/PROXY.keytab' you list Squid3.
 Could that be a problem?

Yes that's a problem.  Debian uses /etc/squid for v 2 and /etc/squid3
for v 3.  This will also be a problem in /etc/default/squid3 and its
contents.
You may be better off using an independent directory or even the
default keytab path in case you forget about it in future, after
upgrades etc.

If you are doing this on a production system it's probably a bit risky
given that you are new to Linux and Squid - make sure you are taking
backups of your conf files and server along the way :).
If you have the option (perhaps through a vm) I would suggest setting
up a new dev/testing machine.  Until implementation of the wpad stuff
the dev/testing proxy will have no effect on your network.

Also, I don't know if negotiate_wrapper works with squid 2.X.  Perhaps
Markus or another list subscriber could clarify that?

 As for my resolv.conf I simply have both of my internal DNS servers
 listed.  Not quite sure what else to verify.  I've also added my Squid
 box to the unlimited policy on my network to make sure nothing is
 blocking it.

Are the hostnames of your kdc's correct in /etc/krb5.conf (in the
[realms] section)?  Can you resolve their hostnames from the squid
box?


Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-10 Thread Amos Jeffries

On 11.01.2012 15:18, James Robertson wrote:

I forgot to mention that I'm running Server 2008 R2 domain
controllers.  Secondly, when I do a 'locate PROXY.keytab' I can't find
it which should be in the squid correctly if I'm not mistaken.


You may need to run updatedb to update the index before running the
find command.

I'm currently running Squid 2.7 (I'm a little afraid to do the upgrade
and mess something up, and don't know how yet) but in the config line



The same caveats apply as for multi-instance installations. Keep the 
port, cache_dir etc. separated.


The Debian packages are named differently so you can install them side 
by side and take care of most of the problems related to default 
locations and helpers for you.


I have not done it myself, so watch the install options apt gives you to 
ensure it's not removing one during install of the other.


HTH
Amos



Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread Amos Jeffries

On 9/01/2012 6:58 p.m., James Robertson wrote:

Hi Everyone,

I just thought I would share a guide I am working on, it's not quite
finished so expect errors, typo's etc.  I would love any feedback or
critique about it.

http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

There is probably things that the developers and users will cringe at,
if so I would like to know.

Thanks for maintaining squid and the for the friendly mailing lists.

Kind Regards,

James


Some notes on squid.conf:
* you did not configure Squid to use plain NTLM, so auth_param ntlm 
... lines are useless. Remove.


* using \ to escape whitespace is not valid in any of the officially 
released Squid configs.
 - what you have configured is the helper to test for three groups: 
Internet\, Users\, and Blocked etc.
 To use groups with whitespace in their names place the group name in a 
file by itself and load the file into the ACL definition like you do the 
allowedsites.txt etc.
When that is fixed you will be able to use memberof=cn=%g in the LDAP 
parameters instead of hard-coding  the different group names. Thus you 
only need one external_acl_type helper definition in total.


* no_cache has not existed in many years. Remove the no_ part and 
re-read the line to see if it matches your intended policy.



Considered updating the official Squid wiki documentation about active 
directory integration?

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Editing is open to all real persons. How to get edit access is detailed 
at the top of http://wiki.squid-cache.org/FrontPage


Amos



Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread James Robertson
 Considered updating the official Squid wiki documentation about active
 directory integration?
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Thanks for the feedback Amos - appreciate it.  I'll make some updates.

I would be very happy to update the official documentation.  I have
never used MoinMoin but will start having a look at how easy it is to
migrate (I really like mediawiki and have become very familiar with
it).

Frankly I would be happy to have the documentation maintained purely
on the squid wiki, but since I have some Debian customisation and
mention of Cyfin Reporter would this fit with the squid wiki or would
it need to be more general?


Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread Amos Jeffries

On 9/01/2012 11:37 p.m., James Robertson wrote:

Considered updating the official Squid wiki documentation about active
directory integration?
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Thanks for the feedback Amos - appreciate it.  I'll make some updates.

I would be very happy to update the official documentation.  I have
never used MoinMoin but will start having a look at how easy it is to
migrate (I really like mediawiki and have become very familiar with
it).

Frankly I would be happy to have the documentation maintained purely
on the squid wiki, but since I have some Debian customisation and
mention of Cyfin Reporter would this fit with the squid wiki or would
it need to be more general?


I was only thinking the central bit about Squid and AD auth integration 
for the above linked page. Cyfin appears from your texts to be a fully 
separate software installation. Not even integrating with the Squid log 
modules.
Of course, a fully separate page can be created as a whole-system config 
example. We have a few of those for various OS.


Amos


Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread James Robertson
 I was only thinking the central bit about Squid and AD auth integration for
 the above linked page.

Will do, I have just requested write access and will look at making
some changes when time allows.

 Of course, a fully separate page can be created as a whole-system config
 example. We have a few of those for various OS.

I would be happy to create a separate more concise Debian centric
guide, basically a copy of my guide on the squid wiki and perhaps
maintain it from there...


Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread berry guru
Hi James,

Thanks for taking the time to write the following wiki entry.

I'm having some trouble with the Kerberos part where I need to install
the following package:
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules

It returns
unable to locate package libsasl2-modules-gssapi-mit
unable to locate package libsas12-modules

I'm attempting to install this all under Squid 2.7 if that makes a
difference.  Am I doing something wrong when entering that command?




Re: [squid-users] Active Directory Integrated Squid Proxy Guide

2012-01-09 Thread James Robertson
 I'm having some trouble with the Kerberos part where I need to install
 the following package:
 apt-get install libsasl2-modules-gssapi-mit libsasl2-modules

 It returns
 unable to locate package libsasl2-modules-gssapi-mit
 unable to locate package libsas12-modules

Are you copying and pasting the command or typing it?

You have a typo in the output from apt-get libsas12-modules (note
the 1 where you should have a lower case L), but not in the apt-get
install command?


Re: [squid-users] Active Directory based URL control

2010-02-19 Thread Henrik Nordström
fre 2010-02-19 klockan 11:27 -0200 skrev Fabio Almeida:

 I'm wondering if I can use AD to store words, phrases and URLs instead
 of a plain file.

Theoretically yes, but will need both the AD schema to be extended and a
new helper to be written using the data.

 Is it possible, practical and as fast as files?

Storing host/domain rules in a directory server is certainly plausible.

Storing patterns (regex / words etc) is perhaps not: processing such
patterns requires access to the complete list. But still doable.

Regards
Henrik



Re: [squid-users] Active Directory based URL control

2010-02-19 Thread Chris Robertson

Fabio Almeida wrote:

Hi all,

Can I use Active Directory to store URLs, Words, etc with external_acl
statement?
  


As long as you can craft an external_acl script to query it, yes.


I've successfully configured squid to authenticate users and groups
against Active Directory.
I'm wondering if I can use AD to store words, phrases and URLs instead
of a plain file.

Is it possible,

Probably.

 practical

Questionably.

 and as fast as files?
  

Not a chance.

Any directions would be appreciated.

My best regards,
Fábio Almeida
  

Chris



Re: [squid-users] Active Directory based URL control

2010-02-19 Thread Mike Ely
Here's an example from our config that works fine.  We have a (largish)
group of users we don't want surfing the web but they do need access to the
fedex website for shipping - you can obviously configure it to suit your own
needs.  I created the OU containers in the root of the domain tree and
somehow I remember (from two years ago) fighting with it when I had them
nested deeper than that, but that's AD 2000 for you... Also the OU container
names are case-sensitive IIRC.  Make an LDAP user who has read-only access
for production use.

# Set up group queries against AD.
external_acl_type InetGroup %LOGIN /usr/lib64/squid/squid_ldap_group \
-b dc=[domain],dc=net -D cn=[username],cn=Users,dc=[domain],dc=net \
-s sub \
-w [password] \
 \
-h ldap

# Destinations here
acl fedex dstdomain .fedex.com

# User groups here
# Each acl line takes a single ACL type; proxy_auth and src are split here.
acl localnet src 10.0.0.0/8
acl authenticated proxy_auth REQUIRED
acl AllWebAccess external InetGroup allweb
acl FedexWebAccess external InetGroup fedexweb
acl BlockedWebAccess external InetGroup blockedweb

http_access allow fedex FedexWebAccess
http_access allow AllWebAccess
http_access allow !BlockedWebAccess
http_access deny all


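The group-based policy in the squid.conf above, as an added example (not code from the post or from Squid's own helpers): it models the line protocol a `squid_ldap_group`-style external ACL helper answers, with a constructed in-memory membership map standing in for the AD lookup, and walks the posted `http_access` rules in Squid's first-match order so the decision for each hypothetical user can be reviewed without a live proxy or domain controller.

```python
"""
Added illustration of the AD group policy posted above.  Two parts:

1. group_helper_reply(): what an external_acl_type group helper answers
   for a "<user> <group1> [<group2> ...]" request line (OK / ERR / BH).
2. http_access_decision(): the posted http_access rules evaluated in
   order, first matching line wins, which shows that the line
   "http_access allow !BlockedWebAccess" is the effective default for
   any account that is in none of the proxy groups.
"""
from urllib.parse import unquote

# Constructed sample membership (hypothetical users, not from the thread).
SAMPLE_MEMBERSHIP = {
    "alice": {"allweb"},
    "bob": {"fedexweb", "blockedweb"},   # shipping clerk: fedex only
    "carol": {"blockedweb"},
    "dave": set(),                       # domain user in none of the groups
}


def group_helper_reply(line, membership):
    """Answer one helper request line: "<user> <group1> [<group2> ...]".

    Squid %-encodes each field under the default quote=url, so the helper
    decodes them.  OK means the user is in at least one listed group, ERR
    means not, and BH tells Squid the helper could not give an answer.
    """
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        return "BH message=malformed request"
    user, wanted = fields[0].lower(), set(fields[1:])
    groups = membership.get(user)
    if groups is None:
        return "ERR"                     # unknown account is never a member
    return "OK" if groups & wanted else "ERR"


def http_access_decision(user, dst_host, membership):
    """Return "allow" or "deny" for a request, following the posted rules."""
    def in_group(name):
        return group_helper_reply(f"{user} {name}", membership) == "OK"

    # acl fedex dstdomain .fedex.com matches the domain and its subdomains
    is_fedex = dst_host == "fedex.com" or dst_host.endswith(".fedex.com")
    rules = [
        ("allow", lambda: is_fedex and in_group("fedexweb")),  # fedex FedexWebAccess
        ("allow", lambda: in_group("allweb")),                 # AllWebAccess
        ("allow", lambda: not in_group("blockedweb")),         # !BlockedWebAccess
        ("deny", lambda: True),                                # all
    ]
    for verdict, matches in rules:
        if matches():
            return verdict
    return "deny"


def policy_table(membership, hosts=("www.fedex.com", "www.example.com")):
    """Decisions for every sample user and destination, for policy review."""
    return {(u, h): http_access_decision(u, h, membership)
            for u in membership for h in hosts}


if __name__ == "__main__":
    for (user, host), verdict in sorted(policy_table(SAMPLE_MEMBERSHIP).items()):
        print(f"{user:6} -> {host:16} {verdict}")
```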
 



Re: [squid-users] Active Directory Single Sign-on

2010-02-18 Thread Henrik Nordström
tor 2010-02-18 klockan 10:30 +0100 skrev Khaled Blah:

 This mechanism is not used for HTTP authentication to HTTP proxies.
 
 Does that mean HTTP proxy authentication or the actual HTTP
 authentication. I am wondering whether that means that Squid cannot use
 SPNEGO based proxy authentication or that a client cannot HTTP
 authenticate to a target through a proxy. I found the RFC to be ambiguous
 concerning this.

Squid can handle it since negotiate support was added to Squid.

Firefox can handle it.

Late versions of MSIE can also handle it, but at the time Microsoft
wrote that document MSIE could not handle it.

Regards
Henrik



Re: [squid-users] Active Directory Single Sign-on

2010-02-18 Thread Khaled Blah
Thanks for your reply, Henrik!

With it I think you mean Proxy Authentication, right? Sorry, if that's a 
trivial question for you. I just would like to clarify this.


Regards,

Khaled



Re: [squid-users] Active Directory Single Sign-on

2010-02-18 Thread Henrik Nordström
tor 2010-02-18 klockan 12:16 +0100 skrev Khaled Blah:
 Thx for your replay, Henrik!
 
 With it I think you mean Proxy Authentication, right? Sorry, if that's a 
 trivial question for you. I just would like to clarify this.

Yes.

Regards
Henrik



RE: [squid-users] active directory

2008-10-10 Thread UK SquidUser (AXA-TECH-UK)
Hi,
 
we recently set up several proxy servers using transparent AD
authentication. Pretty much all seems to be ok except at completely
random times several of these servers (not all) have lost winbind
connectivity to the AD server.
The cache log shows 
 
utils/ntlm_auth.c:get_winbind_domain(140)
  could not obtain winbind domain name!

Does anyone know the reason, or is there somewhere else I need to look
for clues other than the cache log?
winbind logs and messages log contain nothing of help.
 
thanks in anticipation...
 
K.




Re: [squid-users] active directory authentication

2007-11-16 Thread Adrian Chadd
http://wiki.squid-cache.org/ConfigExamples/


On Fri, Nov 16, 2007, piyush joshi wrote:
 Dear All,
 I am using the Squid proxy server. I want to use authentication from
 Active Directory; what do I do in the squid.conf file?
 
 Thanks in advance ...
 -- 
 Regards
 
 Piyush Joshi
 9415414376

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -


Re: [squid-users] active directory

2007-07-31 Thread Henrik Nordstrom
On tis, 2007-07-31 at 16:53 +0100, UK SquidUser (AXA-TECH-UK) wrote:
 hi, i'm trying to migrate to a new platform of squid proxy servers using
 active directory. I can't seem to find any pointers on configuring
 squid/kerberos/samba to use multiple domains for authentication..

You need a trust between the domains, then it should just work..

Regards
Henrik




Re: [squid-users] active directory

2007-07-31 Thread D E Radel

UK SquidUser (AXA-TECH-UK) wrote:

hi, i'm trying to migrate to a new platform of squid proxy servers using
active directory. I can't seem to find any pointers on configuring
squid/kerberos/samba to use multiple domains for authentication.. i've
configured a test box to point through a single domain using ad fine,
but i'm unsure if i can actually use cross domain authentication... can
anybody point me in the right direction please 
Kev.


TS Data Networks
AXA Tech


I use the following script for ldap authentication from multiple domains. This should be modifiable 
for other forms of authentication:


#!/bin/sh

# This script checks a username and password provided by squid
# against 2 domains. If the credentials are accepted by either
# domain, output OK. Otherwise, output ERR.

# read from stdin until EOF is received (-r keeps backslashes intact,
# e.g. in DOMAIN\user logins)
while read -r INP; do

  # Use username and password to authenticate against FIRST domain
  # (note: the bind DN below still says dc=second; the author's
  # follow-up message corrects it to dc=first)
  DOMAIN1=$(echo "$INP" | /usr/lib/squid/ldap_auth -R \
    -b dc=first,dc=my,dc=domain,dc=com \
    -D cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com \
    -w admin_password -f sAMAccountName=%s -h 192.168.1.1)

  # Use username and password to authenticate against SECOND domain
  DOMAIN2=$(echo "$INP" | /usr/lib/squid/ldap_auth -R \
    -b dc=second,dc=my,dc=domain,dc=com \
    -D cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com \
    -w admin_password -f sAMAccountName=%s -h 192.168.1.2)

  # If username and password is correct for either domain, output OK.
  # The variables are quoted because a failed check may return
  # "ERR <message>", which would otherwise break the test.
  if [ "$DOMAIN1" = OK ]; then
    echo OK
  elif [ "$DOMAIN2" = OK ]; then
    echo OK
  else
    echo ERR
  fi
done



I then call this from my squid.conf with:



#
# Authenticate against TWO domains using LDAP, not SAMBA
#
# Uses the custom script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an OK or an ERR back to Squid.

auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm MyCompany Proxy
auth_param basic credentialsttl 5 hours
#


I hope that this is useful to you.

Cheers,
Dietrich
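The script above tries each domain in turn and answers OK or ERR. As an added example, not the poster's script or anything shipped with Squid, here is the same idea in Python with the parts the shell version glosses over: decoding the credential line the way Squid 3.x and later send it (both fields URL-encoded, so a password with a space arrives as `pass%20word`), replying `BH` for a malformed request (Squid 3.4+ helper protocol), and skipping a domain whose controller is unreachable instead of failing the login for everyone. The two backends here are constructed in-memory tables; a real helper would replace them with an LDAP simple bind against each domain's controller, keeping the bind password in a file readable only by the squid user rather than on the command line.

```python
#!/usr/bin/env python3
"""Multi-domain Squid basic-auth helper skeleton (added example, not the
list poster's script). Accepts a login if any one configured domain
accepts it.

Assumptions (not from the mailing list thread):
  - Squid 3.x+ basic helper protocol: one request per line,
    "<username> <password>", both fields URL-encoded; the reply is
    "OK", "ERR [message]" or, from Squid 3.4, "BH [message]" for a
    helper-side failure such as a malformed request.
  - The per-domain check is a pluggable callable; the demo backends
    are constructed in-memory tables standing in for an LDAP bind.
"""
import hmac
import sys
import urllib.parse
from typing import Callable, Dict, Iterable, List, Tuple

# A backend answers "does this domain accept these credentials?".
Backend = Callable[[str, str], bool]


def parse_request(line: str) -> Tuple[str, str]:
    """Split one helper request line into (username, password).

    Squid URL-encodes both fields, so "bob pass%20word" must be
    decoded to ("bob", "pass word") before the password is checked.
    """
    fields = line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2 or not fields[0]:
        raise ValueError("expected '<user> <password>'")
    return urllib.parse.unquote(fields[0]), urllib.parse.unquote(fields[1])


def authenticate_any(user: str, password: str,
                     backends: List[Tuple[str, Backend]]) -> str:
    """Return the helper reply: OK on the first domain that accepts,
    otherwise ERR. A backend that raises (unreachable DC, timeout) is
    logged to stderr and skipped, so one dead domain cannot block
    logins that the other domains would accept."""
    for name, check in backends:
        try:
            if check(user, password):
                return "OK"
        except Exception as exc:
            print(f"domain {name}: {exc}", file=sys.stderr)
    return "ERR Login failure"


def handle_lines(lines: Iterable[str],
                 backends: List[Tuple[str, Backend]]) -> List[str]:
    """Process request lines; one reply per non-empty input line."""
    replies = []
    for line in lines:
        if not line.strip():
            continue
        try:
            user, password = parse_request(line)
        except ValueError as exc:
            replies.append(f"BH {exc}")
            continue
        replies.append(authenticate_any(user, password, backends))
    return replies


# Constructed demo directories standing in for two AD domains.
_DEMO_DIRECTORIES: Dict[str, Dict[str, str]] = {
    "first.example": {"alice": "s3cret"},
    "second.example": {"bob": "pass word"},
}


def demo_backend(domain: str) -> Backend:
    """Build a backend for one demo domain (constant-time compare).
    A production backend would attempt an LDAP simple bind here."""
    table = _DEMO_DIRECTORIES[domain]

    def check(user: str, password: str) -> bool:
        expected = table.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())
    return check


DEMO_BACKENDS: List[Tuple[str, Backend]] = [
    (name, demo_backend(name)) for name in _DEMO_DIRECTORIES
]


def main() -> None:
    # Squid keeps the helper running and writes one request per line;
    # each reply must be flushed at once or the client request stalls.
    for line in sys.stdin:
        for reply in handle_lines([line], DEMO_BACKENDS):
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wired in with `auth_param basic program /path/to/helper.py` exactly as the poster's script is, it can be exercised by hand the same way: run it, type `bob pass%20word`, and expect `OK` on the next line.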


Re: [squid-users] active directory

2007-07-31 Thread D E Radel
Whoops. Replace that dc=second with dc=first in the DOMAIN1 part of the script and you'll 
understand what I meant. I didn't proof read after making the edits.


Cheers,
Dietrich


D  E Radel wrote:

UK SquidUser (AXA-TECH-UK) wrote:

hi, i'm trying to migrate to a new platform of squid proxy servers using
active directory. I can't seem to find any pointers on configuring
squid/kerberos/samba to use multiple domains for authentication.. i've
configured a test box to point through a single domain using ad fine,
but i'm unsure if i can actually use cross domain authentication... can
anybody point me in the right direction please Kev.

TS Data Networks
AXA Tech


I use the following script for ldap authentication from multiple 
domains. This should be modifiable for other forms of authentication:


#!/bin/sh

# This script checks a username and password provided by squid
# against 2 domains. If the credentials are accepted by either
# domain, output OK. Otherwise, output ERR.

# read from stdin until EOF is received (-r keeps backslashes intact,
# e.g. in DOMAIN\user logins)
while read -r INP; do

  # Use username and password to authenticate against FIRST domain
  DOMAIN1=$(echo "$INP" | /usr/lib/squid/ldap_auth -R \
    -b dc=first,dc=my,dc=domain,dc=com \
    -D cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com \
    -w admin_password -f sAMAccountName=%s -h 192.168.1.1)

  # Use username and password to authenticate against SECOND domain
  DOMAIN2=$(echo "$INP" | /usr/lib/squid/ldap_auth -R \
    -b dc=second,dc=my,dc=domain,dc=com \
    -D cn=Administrator,cn=Users,dc=second,dc=my,dc=domain,dc=com \
    -w admin_password -f sAMAccountName=%s -h 192.168.1.2)

  # If username and password is correct for either domain, output OK.
  # The variables are quoted because a failed check may return
  # "ERR <message>", which would otherwise break the test.
  if [ "$DOMAIN1" = OK ]; then
    echo OK
  elif [ "$DOMAIN2" = OK ]; then
    echo OK
  else
    echo ERR
  fi
done



I then call this from my squid.conf with:



#
# Authenticate against TWO domains using LDAP, not SAMBA
#
# Uses the custom script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an OK or an ERR back to Squid.

auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm MyCompany Proxy
auth_param basic credentialsttl 5 hours
#


I hope that this is useful to you.

Cheers,
Dietrich



Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

2005-08-26 Thread B
if i get you right, you use properties of the user objects.

my first thought about this was to create organizational units in ad and
restrict logon locally for these users in the computer objects. that way
users would not have a restriction to ip's in them but only the workstations
do.

due to the number of ou's (for every computer there will be one) in the
directory this will only be useful with a limited number of users and
workstations.

hope this helps.

Quoting D  E Radel [EMAIL PROTECTED]:

 Hi there
 
 Squid is authenticating with no problems with our domain via LDAP.
 
 I wish to use the built-in Active Directory account option to restrict 
 which computers a user on our domain can log into (i.e. instead of being 
 able to log into 'all computers', just their own). If I enable this 
 setting, these users no longer access the www through the Squid proxy. 
 Obviously there is an option to add other computer names to the list of 
 computers that a user can log into (e.g. our squid box).
 
 Our Squid runs on Linux and has not been made a member computer of our 
 domain as we are not using winbind or samba. I am not sure how to get 
 our Squid box to register its IP in the DNS server on our Domain 
 Controller. I manually added a record in the DNS, but only the full 
 computer name (including domain name suffix) resolves. There is not 
 enough space to type the whole name in, under the Active Directory 
 options.
 
 So I am wondering whether investigating any of these will allow me to 
 still authenticate the users in squid as well as restricting their 
 ability to log into various local pcs. Or whether it's a waste of time. 
 I am not sure on the specifics of how Squid exactly interacts with AD 
 and whether or not this is possible.
 
 The easiest solution is not to restrict what computers our users can log 
 into. But, I'd like to figure out if it's possible to restrict them and 
 still have squid authenticate them.
 
 Any tips or ideas greatly appreciated. Many thanks in advance. :-)
 D.Radel. 
 
 


-

b .


Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

2005-08-26 Thread D E Radel

Hi B.

Thanks for your reply. Yes, I am using the properties of the users 
objects. I forget how many user accounts we have, but its over 200 
users. It's about 20 - 40 that we are trying to restrict though.


Regards,
D.
- Original Message - 
From: B [EMAIL PROTECTED]

To: squid-users@squid-cache.org
Sent: Saturday, August 27, 2005 12:11 AM
Subject: Re: [squid-users] Active Directory computer login restrictions 
stops Squid authentication for these users




if i get you right, you use properties of the user objects.

my first thought about this was to create organizational units in ad and
restrict logon locally for these users in the computer objects. that way
users would not have a restriction to ip's in them but only the workstations
do.

due to the number of ou's (for every computer there will be one) in the
directory this will only be useful with a limited number of users and
workstations.

hope this helps.

Quoting D  E Radel [EMAIL PROTECTED]:

Hi there

Squid is authenticating with no problems with our domain via LDAP.

I wish to use the built-in Active Directory account option to restrict
which computers a user on our domain can log into (i.e. instead of being
able to log into 'all computers', just their own). If I enable this
setting, these users no longer access the www through the Squid proxy.
Obviously there is an option to add other computer names to the list of
computers that a user can log into (e.g. our squid box).

Our Squid runs on Linux and has not been made a member computer of our
domain as we are not using winbind or samba. I am not sure how to get
our Squid box to register its IP in the DNS server on our Domain
Controller. I manually added a record in the DNS, but only the full
computer name (including domain name suffix) resolves. There is not
enough space to type the whole name in, under the Active Directory
options.

So I am wondering whether investigating any of these will allow me to
still authenticate the users in squid as well as restricting their
ability to log into various local pcs. Or whether it's a waste of time.
I am not sure on the specifics of how Squid exactly interacts with AD
and whether or not this is possible.

The easiest solution is not to restrict what computers our users can log
into. But, I'd like to figure out if it's possible to restrict them and
still have squid authenticate them.

Any tips or ideas greatly appreciated. Many thanks in advance. :-)
D.Radel.





-

b . 




Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

2005-08-26 Thread Serassio Guido

Hi,

At 13.53 26/08/2005, D  E Radel wrote:


Hi there

Squid is authenticating with no problems with our domain via LDAP.

I wish to use the built-in Active Directory account option to 
restrict which computers a user on our domain can log into (i.e. 
instead of being able to log into 'all computers', just their own). 
If I enable this setting, these users no longer access the www 
through the Squid proxy. Obviously there is an option to add other 
computer names to the list of computers that a user can log into 
(e.g. our squid box).


Our Squid runs on Linux and has not been made a member computer of 
our domain as we are not using winbind or samba. I am not sure how 
to get our Squid box to register its IP in the DNS server on our 
Domain Controller. I manually added a record in the DNS, but only 
the full computer name (including domain name suffix) resolves. 
There is not enough space to type the whole name in, under the 
Active Directory options.


So I am wondering whether investigating any of these will allow me to 
still authenticate the users in squid as well as restricting their 
ability to log into various local pcs. Or whether it's a waste of time. 
I am not sure on the specifics of how Squid exactly interacts with AD 
and whether or not this is possible.


The easiest solution is not to restrict what computers our users can 
log into. But, I'd like to figure out if it's possible to restrict 
them and still have squid authenticate them.


Any tips or ideas greatly appreciated. Many thanks in advance. :-)


Try adding to the allowed list the LDAP server (= Domain Controller) 
used from the LDAP helper for authentication.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Active Directory computer login restrictions stops Squid authentication for these users

2005-08-26 Thread D E Radel


From: Serassio Guido [EMAIL PROTECTED]
To: D  E Radel [EMAIL PROTECTED]; squid-users@squid-cache.org
Sent: Saturday, August 27, 2005 3:27 AM

The easiest solution is not to restrict what computers our users can 
log into. But, I'd like to figure out if it's possible to restrict 
them and still have squid authenticate them.


Any tips or ideas greatly appreciated. Many thanks in advance. :-)


Try adding to the allowed list the LDAP server (= Domain Controller) 
used from the LDAP helper for authentication.


Hi Guido,

Many thanks for that!!! It worked a-ok! :-)

regards,
D.Radel.



Re: [squid-users] active directory authentication - not working

2005-01-22 Thread Serassio Guido
Hi,
At 12.10 21/01/2005, [EMAIL PROTECTED] wrote:
hello,
please can you help me with subject?
I have the latest version, I read about win32_check_group.exe, I have in AD2003
created a group..
but it doesn't work..
when I try to run win32_check_group.exe -G nothing happens... no response,
anything...
This is correct: win32_check_group.exe is only a helper program, so to 
verify that it's working from the command prompt you must manually type 
something into it (in the following example debug is enabled):

C:\squid\libexec>win32_check_group -G -d
win32_check_group[692]: Member of Domain ACMECONSULTING
win32_check_group[692]: External ACL win32 group helper build Jan  7 2005, 
11:02:22 starting up...

win32_check_group[692]: Domain Global group mode enabled.
acmeconsulting\\guido.serassio Staff
win32_check_group[692]: Got 'acmeconsulting\\guido.serassio Staff' from 
Squid (length: 36).

win32_check_group[692]: Valid_Global_Groups: checking group membership of 
'acmeconsulting\guido.serassio'.

win32_check_group[692]: Using '\\HERA' as DC for 'acmeconsulting' local domain.
win32_check_group[692]: Using '\\HERA' as DC for 'acmeconsulting' user's 
domain.

win32_check_group[692]: Windows group: Staff, Squid group: Staff
OK
Regards
Guido

-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426  Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/


Re: [squid-users] Active Directory

2004-10-14 Thread Henrik Nordstrom
On Thu, 14 Oct 2004, Strickland, Lawrence P wrote:
Can I use Active Directory authentication with Squid?
Yes, either by accessing Active Directory using LDAP, or via Samba 
member server services (winbind).

Regards
Henrik


RE: [squid-users] Active Directory.

2003-12-18 Thread Daniel Palmer
There are several better options than smb_auth for use against Active Directory:
* LDAP (reliable) - The FAQ has info on configuring LDAP helpers
* Samba Winbind (a little more complicated - but using NTLM authentication IE users 
won't need to type in a username/password - it'll pull it directly).  Don't forget you 
need Samba 3.  http://itmanagers.net/[EMAIL PROTECTED] has details of getting it going.



-Original Message-
From: Ampugnani, Fernando [mailto:[EMAIL PROTECTED] 
Sent: Friday, 19 December 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Active Directory.


Hi all,
Can squid + smb_auth work with Windows 2000 Active Directory? If it can't, what 
might I use to authenticate against MSAD?

Thanks in advance.


Fernando Ampugnani
EDS Argentina - Software, Storage  Network
Global Operation Solution Delivery
Tel: 5411 4704 3428
Mail: [EMAIL PROTECTED]




Re: [squid-users] Active Directory.

2003-12-18 Thread Henrik Nordstrom
On Thu, 18 Dec 2003, Ampugnani, Fernando wrote:

 Can squid + smb_auth work with Windows 2000 Active Directory?

Most likely.

 If it can't, what might I use to authenticate against MSAD?

The LDAP helpers for sure work (squid_ldap_auth + squid_ldap_group)

Regards
Henrik