Re: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

From: Murilo Moreira de Oliveira <murilo.moreira_at_gmail.com>
Date: Tue, 15 Jun 2010 11:05:07 -0300

Hello. Below are the steps I've used to get NTLM authentication working.

1. # yum -y install authconfig krb5-workstation samba-common

2. [root@proxyweb ~]# authconfig --enableshadow --enablemd5 \
   --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN \
   --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN \
   --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth \
   --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN \
   --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" \
   --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain \
   --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins \
   --disablecache --enablelocauthorize --updateall

3. # wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
   This is the user that the proxy will use to validate users' credentials.

4. # chown root:squid /var/cache/samba/winbindd_privileged
2010/6/14 Edouard Zorrilla <ezorrilla_at_tsf.com.pe>:
> Hi Guys,
>
> Did anyone make it work? :
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>
> # authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=ads.example.local \
> --krb5realm=EXAMPLE.LOCAL --smbservers=ads.example.local --smbworkgroup=EXAMPLE \
> --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=EXAMPLE.LOCAL \
> --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
> --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
> --winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
>
> I just want to authenticate against a Windows Domain Controller but no luck
> yet. Could someone give me advice on how I can do that? Maybe I am going
> down the wrong path; I want to use NTLM since, as far as I have seen,
> this is the best way I can do that.
>
> The error that I get is :
>
> [2010/06/14 16:39:42, 0] libads/kerberos.c:ads_kinit_password(228)
>  kerberos_kinit_password user_at_abc.xyz.COM failed: Client not found in
> Kerberos database
>
> Any help would be greatly appreciated.
>
> Thanks,
Received on Tue Jun 15 2010 - 14:05:13 MDT
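
A check for the result of step 4 in the reply above, as an added example that is not part of the original message or of the Squid wiki: it confirms that the winbindd_privileged directory has the expected owner and group and is closed to other users. The function names, the use of GNU stat, and the expected mode of 750 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): verify the ownership and
# mode of winbindd's privileged pipe directory after step 4.
# Assumptions: GNU stat; expected mode 750; function names are hypothetical.

# Print the numeric gid of the proxy's group (default "squid"), or fail.
squid_gid() {
    getent group "${1:-squid}" | cut -d: -f3 | grep .
}

# check_priv_dir DIR OWNER_UID GROUP_GID
# Returns 0 only when DIR is a real directory (not a symlink) owned by
# OWNER_UID, with group GROUP_GID and mode exactly 750.
check_priv_dir() {
    dir=$1; want_uid=$2; want_gid=$3; rc=0

    if [ -z "$want_uid" ] || [ -z "$want_gid" ]; then
        echo "FAIL: expected uid and gid are required"
        return 2
    fi
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi

    uid=$(stat -c '%u' "$dir")
    gid=$(stat -c '%g' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "FAIL: group gid is $gid, expected $want_gid"; rc=1
    fi
    if [ "$mode" != "750" ]; then
        echo "FAIL: mode is $mode, expected 750"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is $uid:$gid mode $mode"
    fi
    return "$rc"
}

# Usage on the proxy host, as root:
#   check_priv_dir /var/cache/samba/winbindd_privileged 0 "$(squid_gid)"
```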
