Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

From: Tom Tux <tomtux80_at_gmail.com>
Date: Fri, 9 Jul 2010 12:25:44 +0200

Hi Markus

I'm using squid_kerb_ldap-1.2.1a. I will try it with the "-D"-Option.
Is it possible to have a Single-Sign-On-solution with IE6 without
winbind? Can I take "squid_kerb_ldap" for this purpose?

Thank you.
Regards,
Tom

2010/7/9 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Tom,
>
> Which version do you use ?  The latest squid_kerb_ldap version has a -D
> option to define a default Kerberos domain for usernames without domain
> info.
>
>  /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D Kerberos-Domain
>
> Regards
> Markus
>
> ----- Original Message ----- From: "Tom Tux" <tomtux80_at_gmail.com>
> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
> Sent: Thursday, July 08, 2010 1:54 PM
> Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
> with AD-group-membership-checking
>
>
>> Hi Markus
>>
>> I think that the output from the log with just the username instead
>> of "netbios-name\username" is because of the setting "winbind use
>> default domain = yes" in the smb.conf.
>>
>> The debug-output is this:
>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>
>>
>>
>> For my question:
>> Is it necessary to have winbindd running for authenticating our
>> IE6-clients with ntlm? Or can I handle this without a
>> winbind-domain-join? Just with squid_kerb_ldap?
>>
>> Thank you.
>> Regards
>> Tom
>>
>>
>> 2010/7/8 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> Hi Tom,
>>>
>>> Squid_kerb_ldap with -d will give more debug output. Could you send it to
>>> me? What surprises me is that your username is only user1 not
>>> NETBIOSNAME\user1
>>>
>>> Markus
>>>
>>> ----- Original Message ----- From: "Tom Tux" <tomtux80_at_gmail.com>
>>> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>>> Sent: Thursday, July 08, 2010 6:30 AM
>>> Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
>>> with AD-group-membership-checking
>>>
>>>
>>> Hi Markus
>>>
>>> Thank you. I have tried it out, but this didn't work. In my
>>> squid.conf I have the following entry:
>>>
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -N NETBIOSNAME@XX.YY
>>> acl inetAccess external SQUID_KERB_LDAP
>>>
>>> For the "NETBIOSNAME", I've entered this one, which I have defined in
>>> the smb.conf in the string "workgroup".
>>>
>>> The cache.log-output looks like this:
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Found group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of group@domain Internet Users@NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>>
>>> Without the "-N"-Parameter, all clients >IE6 are successfully able to
>>> authenticate with kerberos and squid_kerb_ldap.
>>>
>>> In the smb.conf, I have set "winbind use default domain = yes". So the
>>> "wbinfo -u" gives me back just the username without any domain-suffix.
>>>
>>> For my understanding: Is it necessary to have winbindd running for
>>> authenticating our IE6-clients with ntlm? Or can I handle this without
>>> a winbind-domain-join? Just with squid_kerb_ldap?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Tom
>>>
>>> 2010/7/7 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> Hi Tom
>>>>
>>>> It should work if squid sends Negotiate and NTLM authentication requests
>>>> to the client. IE6 will ignore the Negotiate request and reply to NTLM,
>>>> whereas IE7 and IE8 will respond to Negotiate. With NTLM you will get a
>>>> username like Netbios-Domain\user in contrast to user@Kerberos-Realm.
>>>> squid_kerb_ldap can deal with this through the -N option e.g.
>>>> -N Netbios-Domain@Kerberos-Realm and if you have two domains use
>>>> -N Netbios-Domain@Kerberos-Realm:Netbios-Domain2@Kerberos-Realm2.
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>>>> news:AANLkTinrNhqPuwS0h21XYBrqTuRde7dK9ebHKXG9zkm5_at_mail.gmail.com...
>>>>>
>>>>> Hi
>>>>>
>>>>> I'm searching for a way to authenticate IE6-clients with ntlm based on
>>>>> group-membership and all other clients (IE7, IE8) with kerberos (also
>>>>> group-membership-based).
>>>>>
>>>>> I'm able to authenticate with kerberos AND group-membership
>>>>> (squid_kerb_ldap), but the IE6-clients will then prompt for the
>>>>> squid_kerb_ldap-authentication. If I leave the squid_kerb_ldap-helper
>>>>> away, then all users are able to authenticate without checking the
>>>>> group-membership.
>>>>>
>>>>> How can I achieve a proper single-sign-on
>>>>> kerberos-authentication (with squid_kerb_ldap) and a
>>>>> fallback-ntlm-authentication for the IE6-browser (also with checking
>>>>> group-membership) without prompting for username/password?
>>>>>
>>>>> Thank you.
>>>>> Regards
>>>>> Tom
>>>>>
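The thread turns on how the helper derives a Kerberos realm from the three login shapes squid can hand it (user@REALM from Negotiate, NETBIOS\user from NTLM, and a bare user when winbind strips the domain), and why a bare name ends in the "Domain: NULL" / "Internet Users@NULL" lines above. The following is an added illustration written for this archive page, not squid_kerb_ldap's own code: it models the -N (NetBIOS-to-realm map) and -D (default realm) mapping as described in Markus's replies, and adds a small checker that scans cache.log lines for users whose realm could not be determined. That the real helper resolves names exactly this way is an assumption; realm names such as EXAMPLE.COM and the log lines in the test are constructed.

```python
"""Model of squid_kerb_ldap-style login normalisation (illustrative, not the helper's code)."""
import re

# Regex for the debug line the helper prints once per lookup (format taken from the thread).
GOT_USER_RE = re.compile(r"squid_kerb_ldap: Got User: (\S+) Domain: (\S+)")


def parse_netbios_map(spec):
    """Parse an -N value of the form 'NB1@REALM1:NB2@REALM2' into {'NB1': 'REALM1', ...}.

    Assumption: entries are colon separated and each is NETBIOS@REALM, as in the thread.
    """
    mapping = {}
    if not spec:
        return mapping
    for entry in spec.split(":"):
        if "@" not in entry:
            raise ValueError(f"bad -N entry, expected NETBIOS@REALM: {entry!r}")
        netbios, realm = entry.split("@", 1)
        mapping[netbios.upper()] = realm.upper()
    return mapping


def resolve_user(login, netbios_map=None, default_realm=None):
    """Return (user, realm) for a %LOGIN value; realm is None when it cannot be determined.

    user@REALM      -> Kerberos (Negotiate) login, realm taken as given
    NETBIOS\\user   -> NTLM login, realm looked up in the -N map
    user            -> bare NTLM login (winbind use default domain = yes); needs -D
    """
    netbios_map = netbios_map or {}
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm.upper()
    if "\\" in login:
        netbios, user = login.split("\\", 1)
        return user, netbios_map.get(netbios.upper())
    if default_realm:
        return login, default_realm.upper()
    return login, None


def group_lookup_key(login, group, netbios_map=None, default_realm=None):
    """Mirror the 'group@domain' key the helper logs; 'NULL' means no realm was found."""
    _user, realm = resolve_user(login, netbios_map, default_realm)
    return f"{group}@{realm if realm else 'NULL'}"


def users_without_realm(log_lines):
    """Scan cache.log lines and return the users the helper could not place in a realm.

    A hit here means the lookup will fail regardless of group membership, which is
    the failure mode the thread shows; the fix is -N (for NETBIOS\\user) or -D (bare user).
    """
    hits = []
    for line in log_lines:
        match = GOT_USER_RE.search(line)
        if match and match.group(2) == "NULL":
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    nb_map = parse_netbios_map("CORP@EXAMPLE.COM")        # constructed -N value
    for login in ("user1@EXAMPLE.COM", "CORP\\user1", "user1"):
        print(login, "->", group_lookup_key(login, "Internet Users", nb_map))
    print("with -D:", group_lookup_key("user1", "Internet Users", nb_map, "EXAMPLE.COM"))
```

Run against the lines quoted in the thread, `users_without_realm` returns `['user1']`, which is the bare NTLM name that "winbind use default domain = yes" produces; `group_lookup_key("user1", "Internet Users", nb_map)` gives `Internet Users@NULL`, matching the log, while supplying a default realm via the -D argument turns it into `Internet Users@EXAMPLE.COM`.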
Received on Fri Jul 09 2010 - 10:25:51 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 09 2010 - 12:00:04 MDT