Re: [squid-users] Active Directory and user agents - complete ISA replacement

From: George Machitidze <giomac_at_gmail.com>
Date: Thu, 12 Jan 2012 18:23:57 +0400

Hello

Super! Everything works fine including groups for basic, ntlm and negotiate.

Is it possible to have Digest authentication with Windows 2003 AD?

Add the following to your wiki page:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:29 PM, George Machitidze <giomac_at_gmail.com> wrote:
> Never mind - my fault
>
> On Red Hat, winbind is running as root and the owner of the file is root:root;
> I've changed it to squid.
>
>
> Best regards,
> George Machitidze
>
>
>
> On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze <giomac_at_gmail.com> wrote:
>> Here are first issues:
>>
>> [root_at_proxy ~]# kdestroy
>>
>> <NOW RESET DONE FOR HOST squid-k IN AD>
>>
>> [root_at_proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
>>  -- init_password: Wiping the computer password structure
>>  -- get_dc_host: Attempting to find a Domain Controller to use
>>  -- get_dc_host: Found Domain Controller: TEST-admsdc02
>>  -- get_default_keytab: Obtaining the default keytab name:
>> /etc/squid/HTTP.keytab
>>  -- create_fake_krb5_conf: Created a fake krb5.conf file:
>> /tmp/.msktkrb5.conf-iN2kxe
>>  -- reload: Reloading Kerberos Context
>>  -- finalize_exec: SAM Account Name is: squid-k$
>>  -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from
>> local keytab...
>>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>  -- try_machine_keytab_princ: Authentication with keytab failed
>>  -- try_machine_keytab_princ: Trying to authenticate for host/proxy
>> from local keytab...
>>  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>  -- try_machine_keytab_princ: Authentication with keytab failed
>>  -- try_machine_password: Trying to authenticate for squid-k$ with password.
>>  -- try_machine_password: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>  -- try_machine_password: Authentication with password failed
>>  -- try_user_creds: Checking if default ticket cache has tickets...
>>  -- try_user_creds: Error: krb5_cc_get_principal failed (No
>> credentials cache found)
>>  -- try_user_creds: User ticket cache was not valid.
>> Error: could not find any credentials to authenticate with. Neither keytab,
>>     default machine password, nor calling user's tickets worked. Try
>>     "kinit"ing yourself some tickets with permission to create computer
>>     objects, or pre-creating the computer object in AD and selecting
>>     'reset account'.
>>  -- ~KRB5Context: Destroying Kerberos Context
>>
>> [root_at_proxy ~]# cat /etc/krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = TEST.GE
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  default_keytab_name = /etc/squid/HTTP.keytab
>>  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>
>> [realms]
>>  TEST.GE = {
>>  kdc = TEST-admsdc01.test.ge
>>  kdc = TEST-admsdc01.test.ge
>>  admin_server = TEST-admsdc01.test.ge
>>  default_domain = test.ge
>>  }
>>
>> [domain_realm]
>>  test.ge = TEST.GE
>>  .test.ge = TEST.GE
>>
>> [appdefaults]
>>  pam = {
>>   debug = true
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>>
>> Where can I find the reason?
>>
>> Best regards,
>> George Machitidze
>>
>>
>>
>> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze <giomac_at_gmail.com> wrote:
>>> Hello James
>>>
>>> Great job! Thanks for the reply
>>>
>>> I will check and update with tests :)
>>>
>>> Best regards,
>>> George Machitidze
>>>
>>>
>>>
>>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson <j_at_mesrobertson.com> wrote:
>>>>> When I try to use Opera browser I am getting ugly message after
>>>>> entering credentials:
>>>>>
>>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>>> Error returned 'BH received type 1 NTLM token'
>>>>
>>>> Opera does not support Kerberos as far as I know. You will still
>>>> need to support NTLM. You will have issues with iTunes and possibly
>>>> various other apps that need NTLM support.
>>>>
>>>>> Is there any "universal", well tested configuration/manual that will
>>>>> make all clients work?
>>>>
>>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>>> and basic auth and was planning on updating the Squid Wiki also
>>>> sometime soon.  You should be able to translate that to your RH.
>>>>
>>>> HTH.
>>>>
>>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
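One check worth running on a krb5.conf like the one quoted in this thread, added here as an example and not code from the mails, Squid or MIT Kerberos: it parses the file, flags the DES and RC4 enctypes in [libdefaults], and reports a kdc host that is listed twice in a realm block. The set of enctypes treated as weak is an assumption of this example.

```python
# Added example for this thread, not code from the mails, Squid or MIT Kerberos:
# lint a krb5.conf like the one quoted above for weak enctypes and duplicate KDC
# lines. WEAK_ENCTYPES is an assumed list (MIT Kerberos disables single-DES by default).
from collections import Counter

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac"}
# Constructed sample: the enctype and realm lines from the config posted in the thread.
SAMPLE = """
[libdefaults]
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 TEST.GE = {
 kdc = TEST-admsdc01.test.ge
 kdc = TEST-admsdc01.test.ge
 admin_server = TEST-admsdc01.test.ge
 }
"""

def parse_krb5_conf(text):
    # Returns (section, brace_path, key, value) tuples; brace_path is "TEST.GE" inside the realm block.
    entries, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1], []
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):  # opener of a nested block, e.g. "TEST.GE = {"
            stack.append(line.split("=")[0].strip())
        elif "=" in line and section:
            key, _, value = line.partition("=")
            entries.append((section, "/".join(stack), key.strip(), value.strip()))
    return entries

def lint(text):
    # Returns findings as strings; an empty list means nothing was flagged.
    findings, entries = [], parse_krb5_conf(text)
    for section, _, key, value in entries:
        if section == "libdefaults" and key.endswith("_enctypes"):
            if weak := [e for e in value.split() if e in WEAK_ENCTYPES]:
                findings.append(f"{key}: weak enctypes {' '.join(weak)}")
    kdcs = Counter((p, v) for s, p, k, v in entries if s == "realms" and k == "kdc")
    for (realm, host), n in kdcs.items():
        if n > 1:
            findings.append(f"realm {realm}: kdc {host} listed {n} times")
    return findings
```

Running `lint(SAMPLE)` on the constructed sample reports both enctype lines and the doubled kdc entry; a config with only AES enctypes and distinct kdc hosts returns an empty list.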
Received on Thu Jan 12 2012 - 14:24:24 MST