[squid-users] squid with kerberos against AD, ntlm as fallback

Hi,

we are running squid-3.0.STABLE9-1.el5 on Centos 5.4 with Kerberos-Authentication against an Active Directory. It works fine, but IE6, some Java-Applets and some Linux Workstations can´t use the proxy. It seems, that they don´t support kerberos SSO against the AD. Newer IEs and Firefox works well.

Is it possible, to use ntlm-Authentication as a fallback ? I´ve installed samba 3.4.5, wbinfo -g works.

I then added the lines with ntlm to the squid.conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy-kerberos.heidelberg.bw-online.de
auth_param negotiate children 50
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=WWW
auth_param ntlm children 5
auth_param ntlm keep_alive on

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "DC=heidelberg,DC=bw-online,DC=de" -D "CN=USER,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=CN=%a,CN=Users,DC=heidelberg,DC=bw-online,DC=de))" -v 3 -h "10.141.1.57 10.141.1.55" -K

.

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81-84       # Gebaudetechnik StaBue
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Konfiguration Stadt Heidelberg
# All elements of an acl entry are OR'ed together.
# All elements of an access entry are AND'ed together

acl AD-AUTH proxy_auth REQUIRED
http_access allow AD-AUTH

.

#fuer ziegelhausen, linux, macht kein kerberos passthrough bzw. kein domaenenuser
acl amt62 src 10.141.20.245 10.141.20.26 10.141.20.24
http_access allow amt62

#Java-Anwendung, kann kein Kerberos-Auth und keine Auto.pac
acl teleteach url_regex lc-prod.teleteach.de
http_access allow teleteach

.

# ACL mit ldap
acl ldapgroup-www external ldapgroup www
acl ldapgroup-ebay external ldapgroup ebay
acl blocklist dstdomain "/etc/squid/blocklist"
acl ldapgroup-teamviewer external ldapgroup proxy_teamviewer
acl blocklist-teamviewer dstdomain "/etc/squid/blocklist_teamviewer"
acl ldapgroup-filesharing external ldapgroup proxy_filesharing
acl blocklist-filesharing dstdomain "/etc/squid/blocklist_filesharing"
acl ldapgroup-amt80 external ldapgroup proxy_amt80
acl blocklist-amt80 dstdomain "/etc/squid/blocklist_amt80"

.

http_access allow ldapgroup-ebay all
#http_access allow schul340
http_access deny blocklist
http_access allow ldapgroup-filesharing
http_access deny blocklist-filesharing
http_access allow ldapgroup-teamviewer
http_access deny blocklist-teamviewer
http_access allow ldapgroup-amt80
http_access deny blocklist-amt80
http_access allow ldapgroup-www all

# And finally deny all other access to this proxy
#http_access allow localhost

http_access deny all

www ist the AD-group that has access to the internet

The browser then pops-up for usercredentials, but will not get authenticatet. The access.log writes no user information with the DENIED-entries.

Has anyone an idea if kerberos and ntlm as fallback should work ?

Best Regards
Ralf Lutz
Received on Mon May 10 2010 - 14:47:35 MDT