[squid-users] squid with kerberos against AD, ntlm as fallback

From: <Ralf.Lutz_at_Heidelberg.de>
Date: Mon, 10 May 2010 14:47:19 +0000


we are running squid-3.0.STABLE9-1.el5 on Centos 5.4 with Kerberos-Authentication against an Active Directory. It works fine, but IE6, some Java-Applets and some Linux Workstations canīt use the proxy. It seems, that they donīt support kerberos SSO against the AD. Newer IEs and Firefox works well.

Is it possible, to use ntlm-Authentication as a fallback ? Iīve installed samba 3.4.5, wbinfo -g works.

I then added the lines with ntlm to the squid.conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-kerberos.heidelberg.bw-online.de
auth_param negotiate children 50
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=WWW
auth_param ntlm children 5
auth_param ntlm keep_alive on

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "DC=heidelberg,DC=bw-online,DC=de" -D "CN=USER,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=CN=%a,CN=Users,DC=heidelberg,DC=bw-online,DC=de))" -v 3 -h "" -K


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81-84       # Gebaudetechnik StaBue
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Konfiguration Stadt Heidelberg
# All elements of an acl entry are OR'ed together.
# All elements of an access entry are AND'ed together

acl AD-AUTH proxy_auth REQUIRED
http_access allow AD-AUTH


#fuer ziegelhausen, linux, macht kein kerberos passthrough bzw. kein domaenenuser
acl amt62 src
http_access allow amt62

#Java-Anwendung, kann kein Kerberos-Auth und keine Auto.pac
acl teleteach url_regex lc-prod.teleteach.de
http_access allow teleteach


# ACL mit ldap
acl ldapgroup-www external ldapgroup www
acl ldapgroup-ebay external ldapgroup ebay
acl blocklist dstdomain "/etc/squid/blocklist"
acl ldapgroup-teamviewer external ldapgroup proxy_teamviewer
acl blocklist-teamviewer dstdomain "/etc/squid/blocklist_teamviewer"
acl ldapgroup-filesharing external ldapgroup proxy_filesharing
acl blocklist-filesharing dstdomain "/etc/squid/blocklist_filesharing"
acl ldapgroup-amt80 external ldapgroup proxy_amt80
acl blocklist-amt80 dstdomain "/etc/squid/blocklist_amt80"


http_access allow ldapgroup-ebay all
#http_access allow schul340
http_access deny blocklist
http_access allow ldapgroup-filesharing
http_access deny blocklist-filesharing
http_access allow ldapgroup-teamviewer
http_access deny blocklist-teamviewer
http_access allow ldapgroup-amt80
http_access deny blocklist-amt80
http_access allow ldapgroup-www all

# And finally deny all other access to this proxy
#http_access allow localhost

http_access deny all

www ist the AD-group that has access to the internet

The browser then pops-up for usercredentials, but will not get authenticatet. The access.log writes no user information with the DENIED-entries.

Has anyone an idea if kerberos and ntlm as fallback should work ?

Best Regards
Ralf Lutz
Received on Mon May 10 2010 - 14:47:35 MDT

This archive was generated by hypermail 2.2.0 : Mon May 10 2010 - 12:00:04 MDT