Has anyone seen v3.5.x.x authentication work in an all Windows environment?


Todd Pearson

I have spent the past few days working to get the latest version working in an all Windows environment. I am unable to get Kerberos authentication to work. I am struggling with getting the keytab file correct.
Wondering if there is anyone who has seen it actually work in an all Windows environment. I have had an earlier version (v2.X stable) with NTLM authentication, but unfortunately I do not have the binaries to implement in v3.5.x.x.

I continue to struggle to find the secret formula for SPN and keytab.

Thanks,
Todd

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Has anyone seen v3.5.x.x authentication work in an all Windows environment?

Eliezer Croitoru
Is this of any help?
https://docs.diladele.com/administrator_guide_5_1/active_directory/index.html

Also specify what version of Windows Server and Windows clients you are using.

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Todd Pearson
Sent: Monday, July 3, 2017 10:44
To: [hidden email]
Subject: [squid-users] Has anyone seen v3.5.x.x authentication work in an all Windows environment?


I have spent the past few days working to get the latest version working in an all Windows environment. I am unable to get Kerberos authentication to work. I am struggling with getting the keytab file correct.
Wondering if there is anyone who has seen it actually work in an all Windows environment. I have had an earlier version (v2.X stable) with NTLM authentication, but unfortunately I do not have the binaries to implement in v3.5.x.x.

I continue to struggle to find the secret formula for SPN and keytab.

Thanks,
Todd


Re: Has anyone seen v3.5.x.x authentication work in an all Windows environment?

dijxie
On 03.07.2017 at 09:43, Todd Pearson wrote:

I have spent the past few days working to get the latest version working in an all Windows environment. I am unable to get Kerberos authentication to work. I am struggling with getting the keytab file correct.
Wondering if there is anyone who has seen it actually work in an all Windows environment. I have had an earlier version (v2.X stable) with NTLM authentication, but unfortunately I do not have the binaries to implement in v3.5.x.x.

I continue to struggle to find the secret formula for SPN and keytab.

Thanks,
Todd




Hi,

I have 4 squid servers, 3 of them are 3.5.9 @centos 7.x. Everything is working fine, both pure NTLM and NEGOTIATE helpers are working flawlessly. I've created a local group on the squid servers like keytab-readers, then:
chown root:keytab-readers /etc/krb5.keytab
chmod 740 /etc/krb5.keytab
and added squid to keytab-readers.

Squid clients are windows workstations, mostly 8.1 and 10.

Why do you need to have Squid on Windows server so badly? Less documentation, less support. And nowadays, my guess is almost every MS security update can break things down.

My guess is when you're using squid on Windows server, you have to, alternatively:
1. Run squid on NT AUTHORITY/SYSTEM or NT AUTHORITY/NETWORK SERVICE account and put SPN squid_accessible_name to AD machine account. So, if your squid DNS name is squidproxy.corpo.local and your server name is srvSquid01.corpo.local, machine account srvSquid01$ has to have HOST/squidproxy SPN also.
2. Run squid on dedicated domain account (user account). Create user like "squid01", give it all necessary permissions on squid server and then give this user SPN. And there's the problem: what kind of SPN in this configuration... I would say that HTTP/squidproxy, and then in DNS you'll have to have presumably CNAME (not A) pointing squidproxy to srvSquid01.corpo.local. And domain user squid01 will have to have read access to keytab, as well as keytab will have to have appropriate content (it should be a user, not machine keytab).

https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on
-- 
Greets, Dijx
