Re: [squid-users] Re: Re: Re: SSO with Active Directory-Squid Clients

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Fri, 9 Apr 2010 10:46:04 +0100

Ah, just seem this - apologies for my post. I think I understand this and will give it a go..

On 08/04/2010 20:08, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

Hi Nick,

  Did you use samba to create the keytab. I have seen that if you use samba
for more then squid (e.g. cifs, winbind, etc) it will update regularly the
AD entry and key for the host/fqdn principal which is the same as for
HTTP/fqdn. I usually use msktutil and create a second AD entry called
<short-hostname>-HTTP to be independent of samba which usually uses
<short-hostname>.

Regards
Markus

"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
news:C7E35DA9.1EB06%Nick.Cairncross_at_condenast.co.uk...
Bilal,

I'm working on much the same thing, with added Apple Mac just to complicate
things. My aim is to create an SSO environment for all my Windows, OSX and
nix machines. I want to use Kerberos as my primary authentication as IE7 and
FF onwards are moving that way..but for my situation some browsers or
applications do not support this and I must also use NTLM. However, Opera
on my Macs seems to not like either and prefers Basic.. It's been a struggle
to get each element to work but not impossible.

I have found that all Negotiate/Kerberos supporting browsers have worked
extremely well with the helper developed by Markus. Many of the
authentication breaking elements have disappeared when compared to my Blue
Coat and ISA experiences. Those machines joined to the domain using browsers
that support Neg/Kerb work seamlessly with Kerberos - FF and IE - and pass
through credentials. Mac Safari relies on NTLM and prompts as such. Mac
Opera prompts for Basic. Therefore if you're just Windows I would answer
fairly confidently that your question 1 answer is Yes.

Users not on the domain would be prompted for credentials. I haven't tested
this and depending on which helper you are using (Samba or Squids) and
whether you're joined to the domain I believe Negotiate should fall back to
NTLM and work providing you supply a valid domain user/pass! So the answer
to 2 would be 'depends..' :)

As for the issue of not being to able to use Squid at all and taking into
account what I said earlier, then yes there could be a scenario where Squid
will not work for your users. However, it is less of a problem in just
Windows. It's all about testing your various Windows configurations, apps
and browsers until you are sure you have covered the conceivable setups of
all your users.
Finally, I have been struggling against an issue where my KVNO Keytab
increments in AD and gets out of sync with the exported version making Squid
un-useable until it's regenerated. Have you experienced this? Happy to
discuss any of this off list or on.

Cheers,
Nick

On 08/04/2010 04:06, "GIGO ." <gigoz_at_msn.com> wrote:

If i select negotiate/Kerberos as authentication protocol for my Squid on
Linux and configure no FallBack Authentication.what would be the consequence
?

1. Isnt it that all of my users who have logged into Active Directory and
where browser is supported will be able to use squid?

2. Only those users who will try to use squid from a workgroup giving their
domain passoword (domainname/userid) will fail as there will be no fallback
aviablable.

3. Is there any other scenario in which these users will not be able to use
squid?

I would be really thankful if you guide me further as i am failing to
understand why a fallback authentication is necessary if it is. What could
be the scenario when windows clients have no valid TGT even if they are
login to the domain? I hope you can understand me and help me to clear my
self.

regards,

Bilal Aslam

----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Wed, 7 Apr 2010 20:17:20 +0100
> Subject: Re: [squid-users] Re: Re: SSO with Active Directory-Squid Clients
>
> Sorry I knew that but forgot to mention that I was talking about the Unix
> version.
>
> Thank you
> Markus
>
> "Guido Serassio" wrote in message
> news:58FD293CE494AF419A59EF7E597FA4E64002FA_at_hermes.acmeconsulting.loc...
> Hi Markus,
>
>> If you have a Windows client and the proxy send WWW-Proxy-Authorize:
>> Negotiate the Windows client will try first to get a Kerberos ticket
> and
>> if that succeeds sends a Negotiate response with a Kerberos token to
> the
>> proxy.
>> If the Windows client fails to get a Kerberos ticket the client will
> send
>> a Negotiate response with a NTLM token to the proxy. Unfortunately
> there> is yet no squid helper which can handle both a
> Negotiate/Kerberos response
>> and a Negotiate/NTLM response (although maybe the samba ntlm helper
> can).> So there is a fallback when you use Negotiate, but it has some
> caveats.
>
> This is not true when Squid is running on Windows: the Windows native
> Negotiate Helper can handle both Negotiate/Kerberos and Negotiate/NTLM
> responses.
>
> Regards
>
>
> Guido Serassio
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.serassio_at_acmeconsulting.it
> WWW: http://www.acmeconsulting.it
>
>

** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900
Received on Fri Apr 09 2010 - 09:47:50 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 09 2010 - 12:00:03 MDT