Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Thu, Dec 08, 2011 at 09:14:51PM +0100, Emmanuel Lacour wrote:
 
 
 As negotiate is proposed and IE supports it, it always tries to
 authenticate with negotiate and so it fails every time.
 

This is by design since XP SP2:

http://support.microsoft.com/kb/891559

I did not find any workaround.

Here is a setup that I tested, which allows every kind of auth, except from
an IE client not in the AD domain:

auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 5
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 5
auth_param ntlm keep_alive off

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=test,dc=local -D cn=Administrator,cn=Users,dc=test,dc=local -w x -f sAMAccountName=%s -h win-hlbivo4bbdl.test.local -d
auth_param basic casesensitive off
auth_param basic children 5
auth_param basic realm Proxy TEST



NB: setting a default domain for ntlm allows users to just use the login,
without the domain\ prefix
NB: keep_alive off, as written in the docs, helps at least FF to not
prompt multiple times for auth


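As an added example (not part of this thread and not Squid's own code), a small Python checker that applies the points above to a squid.conf excerpt: it lists the schemes in the order Squid will advertise them (first appearance in the file, as the auth_param documentation states), the Proxy-Authenticate values a 407 would carry, and flags the negotiate, keep_alive and --domain= points discussed here. The sample config, helper paths and host names are constructed.

```python
# Constructed squid.conf excerpt, modelled on the setup quoted in the thread.
SAMPLE_CONF = """
auth_param negotiate program /usr/lib/squid3/negotiate_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b dc=test,dc=local -f sAMAccountName=%s -h dc.test.local
auth_param basic realm Proxy TEST
"""

def parse_auth_params(conf_text):
    """scheme -> {param: value}; dict order is first appearance in the file,
    which is the order Squid presents the schemes to the client."""
    schemes = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 3)          # auth_param <scheme> <param> [value]
        if len(parts) < 3 or parts[0] != "auth_param":
            continue
        value = parts[3] if len(parts) == 4 else ""
        schemes.setdefault(parts[1].lower(), {})[parts[2].lower()] = value
    return schemes

def offered_challenges(schemes):
    """Proxy-Authenticate values a 407 would carry, in advertised order.
    A scheme with no 'program' line has no helper and is not offered."""
    names = {"negotiate": "Negotiate", "ntlm": "NTLM", "basic": "Basic"}
    out = []
    for scheme, p in schemes.items():
        if "program" not in p:
            continue
        value = names.get(scheme, scheme)
        if scheme == "basic" and "realm" in p:
            value += ' realm="%s"' % p["realm"]
        out.append(value)
    return out

def lint(schemes):
    """Findings matching the thread: IE picks Negotiate whenever it is offered,
    keep_alive should be off for negotiate/ntlm, ntlm_auth wants --domain=."""
    findings = []
    offered = [s for s, p in schemes.items() if "program" in p]
    if "negotiate" in offered:
        findings.append("negotiate offered: IE will choose it whatever the order (KB891559)")
    for s in ("negotiate", "ntlm"):
        if s in offered and schemes[s].get("keep_alive", "on") != "off":
            findings.append(f"{s}: keep_alive not off, clients may be prompted repeatedly")
    if "ntlm" in offered and "--domain=" not in schemes["ntlm"]["program"]:
        findings.append("ntlm: no --domain= default, users must enter DOMAIN\\user")
    return findings
```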

Re: [squid-users] Kerberos auth and users in another AD domain

2011-12-08 Thread Emmanuel Lacour

(sorry for the thread break, I lost the original messages and cannot find
the Message-ID)

Amos, thanks for your hints.

I did some tests to connect to a kerberos enabled squid from a Windows
client not within the AD domain:

squid auth setup is: 
negotiate squid_kerb_auth
ntlm
basic (ldap)


As negotiate is proposed and IE supports it, it always tries to
authenticate with negotiate and so it fails every time.

I tried to invert the auth order, putting basic first; IE always tries
negotiate (when Firefox just uses the first one).

With the negotiate,ntlm,basic order, Firefox seems to try different
methods, because after three tries of logging in, it works.

If I remove negotiate, then I can authenticate using ntlm by specifying
as username DOMAIN\user.

So as I understand, the only way to go is to have two squids:
- one with kerberos for 'domain' users (with ntlm fallback for clients
  that do not support negotiate but do support ntlm, and with basic
  fallback for clients without negotiate/ntlm support)
- and a second one with only basic auth


Re: [squid-users] Kerberos auth and users in another AD domain

2011-11-22 Thread Amos Jeffries

On Tue, 22 Nov 2011 15:34:53 +0100, Emmanuel Lacour wrote:

I enabled kerberos auth on an AD domain with a fallback to ldap basic
auth.

It seems that if someone uses the proxy from another lan in another AD
domain on which I have no control, the basic auth is not used.

Is this understandable? Any way to work around this?



Yes this is common. The client application is in complete control over 
which authentication methods it uses. All Squid does is offer a set of 
possibilities.


Also, Basic auth is sent to the client with a realm= parameter stating 
which domain/realm Squid supports that method from. NTLM and Kerberos 
were built around SSO principles, in which a client only has one set of 
credentials which are globally accepted or not. The validating process 
(Squid) needs access to the DC (AD server) for that user's credentials.


Marcus has updated the Kerberos wiki pages with a great overview of how 
both of those work.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


Amos