[Samba] Samba 4 with squid3 (--helper-protocol=gss-spnego )

L.P.H. van Belle belle at bazuin.nl
Thu Dec 18 05:39:31 MST 2014

Im know this might not be the place to ask, but im doing it anyway..  ;-) 
Im testing an debian Jessie server with squid3 ( 3.4.8 )
Its running Debian Samba 4.1.13 with winbind. 
Im having troubles, to get the squid auth working. 
So my question is is someone here using kerberos authentication on squid. ( 3.4.x ) 
Or someone who is using the gss-spnego helper protocol. 
Im using this line :  
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego

wbinfo -a testuser at REALM  works ok. 
wbinfo -a DOMAIN\\testuser  works also ok. 
ssh login with kerberos works also ok. 
I did have the HTTP spn to the hostname of the proxyserver  in the AD. 
I have these SPN's on the squid host. 
samba-tool spn list proxy3\$
User CN=proxy3,CN=Computers,DC=internal,DC=domain,DC=tld has the following servicePrincipalName:
     HTTP/proxy3.internal.domain.tld at REALM 
my keytab contains the spn's as shown above, all in 1 keytab file  ( /etc/krb5.keytab ) 
and for squid i added also the following : 
I added the proxy user to the winbindd_priv group 
i did set the keytab file to proxy:proxy  ( 400 ) 
and i added this in /etc/default/squid3 
export KRB5_KTNAME

Which contains only the HTTP spn. 
So if anyone has any hint or thing i can test please tell me, that would be nice...
google didnt help me, most of the things there are based on squid 3.1 and as of 3.3  
 --helper-protocol=gss-spnego  is also an option which look nicer to me. 
if i can get it to work ...  :-/   

More information about the samba mailing list