[squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 9 Jul 2010 10:52:04 +0100

Hi Tom,

 Which version do you use? The latest squid_kerb_ldap version has a -D
option to define a default Kerberos domain for usernames without domain
info.

  /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D
Kerberos-Domain

Regards
Markus
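Added example, not squid_kerb_ldap's own code: a small model of how the two helper options discussed in this thread (-N NetBIOS@Realm map, -D default realm) decide which realm a %LOGIN name belongs to before the group lookup, reproducing the "Domain: NULL" / "Internet Users@NULL" / ERR sequence from the cache.log above. The behaviour modelled here is an assumption about the helper, and the directory data is constructed.

```python
from __future__ import annotations

def parse_netbios_map(spec: str | None) -> dict[str, str]:
    """Parse '-N NB1@REALM1:NB2@REALM2' into {'NB1': 'REALM1', ...}.
    The list archive rewrote '@' as '_at_'; both spellings are accepted."""
    mapping: dict[str, str] = {}
    for entry in (spec or "").split(":"):
        if not entry:
            continue
        nb, sep, realm = entry.replace("_at_", "@").partition("@")
        if not sep or not nb or not realm:
            raise ValueError(f"bad -N entry: {entry!r}")
        mapping[nb.upper()] = realm.upper()
    return mapping

def resolve_domain(login: str, netbios_map: dict[str, str],
                   default_domain: str | None) -> tuple[str, str | None]:
    """Return (user, realm) as in the helper's 'Got User: ... Domain: ...' line.
    realm is None when the name carries no realm and no option supplies one."""
    if "@" in login:                      # Negotiate/Kerberos form: user@REALM
        user, _, realm = login.partition("@")
        return user, realm.upper()
    if "\\" in login:                     # NTLM form: NETBIOS\user, mapped via -N
        nb, _, user = login.partition("\\")
        return user, netbios_map.get(nb.upper())
    # Bare name, which is what 'winbind use default domain = yes' produces;
    # only -D can supply a realm here (assumed behaviour).
    return login, default_domain.upper() if default_domain else None

def group_lookup_key(group: str, realm: str | None) -> str:
    """The group@domain string the helper logs, 'NULL' when no realm was found."""
    return f"{group}@{realm if realm else 'NULL'}"

def check_membership(login: str, group: str,
                     directory: dict[str, dict[str, set[str]]],
                     netbios_spec: str | None = None,
                     default_domain: str | None = None) -> str:
    """Return 'OK' or 'ERR' like an external ACL helper; directory is
    {REALM: {group: {users}}}, constructed sample data standing in for AD."""
    user, realm = resolve_domain(login, parse_netbios_map(netbios_spec), default_domain)
    if realm is None:
        return "ERR"                      # lookup against group@NULL can never match
    return "OK" if user in directory.get(realm, {}).get(group, set()) else "ERR"

# Constructed directory: one realm, one group, one member.
SAMPLE_AD = {"XX.YY": {"Internet Users": {"user1"}}}
```

With a bare "user1" and no -D, check_membership returns ERR exactly as in the log; adding default_domain="XX.YY" or passing "NETBIOSNAME\user1" with the -N map turns it into OK.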

----- Original Message -----
From: "Tom Tux" <tomtux80_at_gmail.com>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Sent: Thursday, July 08, 2010 1:54 PM
Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
with AD-group-membership-checking

> Hi Markus
>
> I think, that the output from the log with just the username instead
> of "netbios-name\username" is because of the setting "winbind use
> default domain = yes" in the smb.conf.
>
> The debug-output is this:
> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group_at_domain
> Internet Users_at_NULL
> 2010/07/08 07:13:39| squid_kerb_ldap: Found group_at_domain Internet
> Users_at_NULL
> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
> group_at_domain Internet Users_at_NULL
> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>
>
>
> For my question:
> Is it necessary to have winbindd running for authenticating our
> IE6-clients with ntlm? Or can I handle this without a
> winbind-domain-join? Just with squid_kerb_ldap?
>
> Thank you.
> Regards
> Tom
>
>
> 2010/7/8 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Hi Tom,
>>
>> Squid_kerb_ldap with -d will give more debug output. Could you send it to
>> me? What surprises me is that your username is only user1, not
>> NETBIOSNAME\user1
>>
>> Markus
>>
>> ----- Original Message -----
>> From: "Tom Tux" <tomtux80_at_gmail.com>
>> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>> Sent: Thursday, July 08, 2010 6:30 AM
>> Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
>> with AD-group-membership-checking
>>
>>
>> Hi Markus
>>
>> Thank you. I have tried it out, but this didn't work. In my
>> squid.conf I have the following entry:
>>
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users"
>> -N NETBIOSNAME_at_XX.YY
>> acl inetAccess external SQUID_KERB_LDAP
>>
>> For the "NETBIOSNAME", I've entered this one, which I have defined in
>> the smb.conf in the string "workgroup".
>>
>> The cache.log-output looks like this:
>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group_at_domain
>> Internet Users_at_NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Found group_at_domain Internet
>> Users_at_NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
>> group_at_domain Internet Users_at_NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>
>> Without the "-N"-Parameter, all clients >IE6 are successfully able to
>> authenticate with kerberos and squid_kerb_ldap.
>>
>> In the smb.conf, I have set "winbind use default domain = yes". So the
>> "wbinfo -u" gives me back just the username without any domain-suffix.
>>
>> For my understanding: Is it necessary to have winbindd running for
>> authenticating our IE6-clients with ntlm? Or can I handle this without
>> a winbind-domain-join? Just with squid_kerb_ldap?
>>
>> Thank you.
>>
>> Regards,
>> Tom
>>
>> 2010/7/7 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> Hi Tom
>>>
>>> It should work if squid sends Negotiate and NTLM authentication requests
>>> to
>>> the client. IE6 will ignore the Negotiate request and reply to NTLM,
>>> whereas
>>> IE7 and IE8 will respond to Negotiate. With NTLM you will get a username
>>> like Netbios-Domain\user in contrast to user_at_Kerberos-Realm.
>>> squid_kerb_ldap
>>> can deal with this through the -N option e.g. -N
>>> Netbios-Domain_at_Kerberos-Realm and if you have two domains use -N
>>> Netbios-Domain_at_Kerberos-Realm:Netbios-Domain2_at_Kerberos-Realm2.
>>>
>>> Regards
>>> Markus
>>>
>>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>>> news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5_at_mail.gmail.com...
>>>>
>>>> Hi
>>>>
>>>> I'm searching for a way to authenticate IE6-clients with ntlm based on
>>>> group-membership and all other clients (IE7, IE8) with kerberos (also
>>>> group-membership-based).
>>>>
>>>> I'm able to authenticate with kerberos AND group-membership
>>>> (squid_kerb_ldap), but the IE6-clients will then prompt for the
>>>> squid_kerb_ldap-authentication. If I leave the squid_kerb_ldap-helper
>>>> away, then all users are able to authenticate without checking the
>>>> group-membership.
>>>>
>>>> How can I achieve a proper single-sign-on
>>>> kerberos-authentication (with squid_kerb_ldap) and a
>>>> fallback-ntlm-authentication for the IE6-browser (also with checking
>>>> group-membership) without prompting for username/password?
>>>>
>>>> Thank you.
>>>> Regards
>>>> Tom
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
Received on Fri Jul 09 2010 - 09:52:35 MDT