[Samba] ADS auth for squid

Steve Allen steve.allen at member.sage-au.org.au
Thu Jun 25 00:01:21 GMT 2009


Hi,

I've already tried this in a squid list, but no response so maybe my 
problem is related to my squid conf.

I'm setting up a squid proxy to auth against our 2003 ADS.

I have ntlm working so it authenticates both transparently to the user 
and using domain\username login.

My problem is getting squid to auth with just the username, not requiring 
the domain\ part.

The docs say I need to have winbind use default domain = yes which I do.

With the option set to yes I get

proxyv4# wbinfo -u | grep test99
test99


without the option I get
proxyv4# wbinfo -u | grep test99
AFCT\test99

What am I missing? I didn't configure anything for kerberos because of 
this line in the samba howto

> With both MIT and Heimdal Kerberos, it is unnecessary to configure the 
> /etc/krb5.conf, and it may be detrimental. 

My system hasn't got a krb5.conf at all and I wonder if the lack of 
said file is causing me to have to enter the AFCT\test99 format?

Cheers
Steve

FreeBSD 6.4-RELEASE-p5 AMD64
Squid Cache: Version 3.0.STABLE15
Samba Version 3.3.4
Windows 2003 ADS in what appears to be native mode.

smb.conf

[GLOBAL]
workgroup = AFCT
realm = afct.org.au
Server String = AFC Proxy
security = ads
encrypt passwords = yes
winbind use default domain = yes
wins server = 10.1.1.5


Relevant lines in squid for ntlm

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

