[Samba] [squid-users] Squid with NTLM auth behind netscaler

L.P.H. van Belle belle at bazuin.nl
Tue Dec 29 14:43:17 UTC 2015


... oops.. sorry about that.

Well, if someone wants to know more, you know where to find me. ;-)

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 29 December 2015 15:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] [squid-users] Squid with NTLM auth behind netscaler
> 
> Hi,
> 
> > I read "Do not use this method if you run winbindd or other
> > samba services as samba will reset the machine password every x days
> > and thereby makes the keytab invalid
> 
> Seems wrong to me.
> 
> If you use Samba 4 (I don't know if it's the same for Samba 3),
> 
> make sure you have this in smb.conf:
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    winbind refresh tickets = yes
>    winbind offline logon = yes
> 
> "refresh tickets" refreshes the machine password in the keytab.
> Offline logon is handy if your DC is down.
> 
> Steps to follow:
> 
> Install Samba and join the domain.
> Check the SPNs of the hostname; if you are missing things, add them.
> Remove /etc/krb5.keytab.
> Recreate it (now it has all the needed SPNs) with:
> net ads keytab create -U administrator
> 
> Restart Samba.
> 
> Now go configure Squid.
> 
> 
> Greetz,
> 
> Louis
> 
> > -----Original message-----
> > From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Fabio Bucci
> > Sent: Tuesday 29 December 2015 15:30
> > To: Amos Jeffries
> > CC: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
> >
> > Hi Amos,
> > I'm trying to implement Kerberos as you suggested to me. But following
> > the guide I read "Do not use this method if you run winbindd or other
> > samba services as samba will reset the machine password every x days
> > and thereby makes the keytab invalid !!" and my system guy told me we
> > use the winbindd method.
> >
> > How can I implement it, then?
> > Thanks
> >
> > 2015-12-16 21:12 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
> > > On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> > >> I'm planning to migrate to Kerberos instead of NTLM..... I got a question for
> > >> you Amos: sometimes a client reports an issue in navigation and, searching in
> > >> the log file, I cannot see "username" and all the requests are 407
> > >>
> > >> In these cases is there a way to reset a user session or is it a completely
> > >> client issue?
> > >
> > > Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> > > some reason. Some old Firefox, most Safari, and older IE can all get
> > > stuck trying those credentials and ignoring the offers of Basic.
> > >
> > > It might be possible to figure out some LmCompatibility settings change
> > > that makes the problem just go away (eg, forcing NTLM of all versions to
> > > disabled on the client).
> > >
> > > Other than that Squid does have some workaround responses it can be made
> > > to send back that might help the client reach the right conclusion:
> > >
> > > a) list Basic auth first in the config. Any properly working client will
> > > re-sort the auth types by security level and do the Kerberos anyway. But
> > > the broken ones (particularly IE7 and older) will have more chance of
> > > using Basic.
> > >
> > > b) sending 407 response with no auth headers. Such as a deny 407 status
> > > generated by external ACL deny, or a URL-redirector. These tell the
> > > client that auth failed, but there is no acceptable fallback.
> > >
> > > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> > > the client prematurely attaching the credentials to the connection and
> > > re-using them. That is supposed to have been fixed recently, but I've
> > > not confirmed.
> > >
> > > d) sending 403 status response. To just flat-out block the client once
> > > it enters the looping state. Hoping that later requests will start to
> > > work again.
> > >
> > >
> > > HTH
> > > Amos
> > >
> 
> 
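As an added example (not code from this thread, nor from Samba or Squid), the script below turns the two things Louis's steps say to verify into offline checks: that the four smb.conf settings he lists are present, and that the keytab holds the SPNs the proxy needs after "net ads keytab create". The hostname proxy.example.com, the realm EXAMPLE.COM, the HTTP/ service principal that Squid's Kerberos helper uses, and the sample smb.conf and "klist -k" output are all assumptions constructed for the example; on a real host the functions would be fed from the actual file and command.

```shell
#!/bin/sh
# Added example, not code from the thread: offline sanity checks for the
# smb.conf settings and the keytab SPNs that the reply says to verify.
# Hostname, realm and the sample inputs below are constructed.

# The settings the reply says must be present in smb.conf.
REQUIRED_SMB_SETTINGS='dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind offline logon = yes'

# Read smb.conf text (or `testparm -s` output) on stdin and print every
# required setting that is absent. smb.conf keys are case-insensitive and
# spacing around '=' is free, so "Winbind Offline Logon=Yes" counts as present.
missing_smb_settings() {
    conf=$(tr '[:upper:]' '[:lower:]' \
           | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                 -e 's/[[:space:]]*=[[:space:]]*/ = /')
    printf '%s\n' "$REQUIRED_SMB_SETTINGS" | while IFS= read -r want; do
        printf '%s\n' "$conf" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
}

# Read `klist -k /etc/krb5.keytab` output on stdin and print each principal
# given as an argument that is not in the keytab. Entry lines begin with a
# numeric KVNO, so the header lines are skipped by that test, not by count.
missing_spns() {
    listing=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    for spn in "$@"; do
        printf '%s\n' "$listing" | grep -Fqx -- "$spn" || printf '%s\n' "$spn"
    done
}

# Constructed sample inputs standing in for the real file and command output.
SAMPLE_SMBCONF='[global]
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/proxy.example.com@EXAMPLE.COM
   2 PROXY$@EXAMPLE.COM'

# Run both checks on the samples. Besides host/, the proxy needs an HTTP/ SPN
# for Squid's Kerberos helper (assumed host proxy.example.com, realm EXAMPLE.COM).
demo() {
    echo "smb.conf settings missing:"
    printf '%s\n' "$SAMPLE_SMBCONF" | missing_smb_settings
    echo "keytab principals missing:"
    printf '%s\n' "$SAMPLE_KLIST" | missing_spns \
        host/proxy.example.com@EXAMPLE.COM HTTP/proxy.example.com@EXAMPLE.COM
    return 0
}

demo
```

On a joined host the same functions would be driven with `testparm -s 2>/dev/null | missing_smb_settings` and `klist -k /etc/krb5.keytab | missing_spns host/$(hostname -f)@REALM HTTP/$(hostname -f)@REALM`; an empty result from both is the state Louis's steps aim for before moving on to the Squid configuration.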
