[Samba] Samba 4 with squid3 (--helper-protocol=gss-spnego )
L.P.H. van Belle
belle at bazuin.nl
Thu Dec 18 05:39:31 MST 2014
Hai,
I know this might not be the place to ask, but I'm doing it anyway.. ;-)
I'm testing a Debian Jessie server with squid3 ( 3.4.8 ).
It's running Debian Samba 4.1.13 with winbind.
I'm having trouble getting the squid auth working.
So my question is: is someone here using Kerberos authentication on squid ( 3.4.x ),
or someone who is using the gss-spnego helper protocol?
I'm using this line:
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
wbinfo -a testuser@REALM works OK.
wbinfo -a DOMAIN\\testuser also works OK.
SSH login with Kerberos also works OK.
I did have the HTTP SPN to the hostname of the proxy server in the AD.
I have these SPNs on the squid host.
samba-tool spn list proxy3\$
User CN=proxy3,CN=Computers,DC=internal,DC=domain,DC=tld has the following servicePrincipalName:
HOST/PROXY3
HOST/proxy3.internal.domain.tld
HTTP/proxy3.internal.domain.tld@REALM
My keytab contains the SPNs as shown above, all in 1 keytab file ( /etc/krb5.keytab ),
and for squid I also added the following:
I added the proxy user to the winbindd_priv group.
I set the keytab file to proxy:proxy ( 400 ),
and I added this in /etc/default/squid3:
KRB5_KTNAME=/etc/squid3/private/proxy3-HTTP.keytab
export KRB5_KTNAME
Which contains only the HTTP SPN.
So if anyone has any hint or thing I can test, please tell me, that would be nice...
Google didn't help me; most of the things there are based on squid 3.1, and as of 3.3
--helper-protocol=gss-spnego is also an option, which looks nicer to me.
If I can get it to work ... :-/
Greetz,
Louis
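
An added example, not part of the original post: a small Python check that compares the SPNs reported by `samba-tool spn list` with the principals that `klist -k` shows for the keytab named in `KRB5_KTNAME`. Both sample outputs and the KVNO value are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: `samba-tool spn list proxy3\$` output in the shape shown in the post.
SPN_LIST = """\
User CN=proxy3,CN=Computers,DC=internal,DC=domain,DC=tld has the following servicePrincipalName:
     HOST/PROXY3
     HOST/proxy3.internal.domain.tld
     HTTP/proxy3.internal.domain.tld@REALM
"""

# Constructed sample: MIT `klist -k <keytab>` output (one row per stored key).
KLIST_K = """\
Keytab name: FILE:/etc/squid3/private/proxy3-HTTP.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/proxy3.internal.domain.tld@REALM
   2 HTTP/proxy3.internal.domain.tld@REALM
"""

def strip_realm(principal):
    """Drop a trailing @REALM so AD SPNs and keytab principals compare."""
    return principal.rsplit("@", 1)[0]

def parse_spn_list(text):
    """Return the SPNs from samba-tool output (lines of the form service/host)."""
    return [line.strip() for line in text.splitlines()
            if re.fullmatch(r"\s*[^\s/:=]+/\S+", line)]

def parse_klist(text):
    """Return (kvno, principal) pairs from `klist -k` output."""
    return [(int(m.group(1)), m.group(2))
            for m in re.finditer(r"^\s*(\d+)\s+(\S+@\S+)\s*$", text, re.M)]

def keytab_coverage(spn_text, klist_text, service="HTTP"):
    """Map each AD SPN of `service` to the KVNOs the keytab holds for it."""
    held = {}
    for kvno, princ in parse_klist(klist_text):
        # Exact, case-sensitive comparison of the service/host part.
        held.setdefault(strip_realm(princ), set()).add(kvno)
    return {spn: sorted(held.get(strip_realm(spn), ()))
            for spn in parse_spn_list(spn_text)
            if spn.startswith(service + "/")}

if __name__ == "__main__":
    for spn, kvnos in keytab_coverage(SPN_LIST, KLIST_K).items():
        print(spn, "->", kvnos or "MISSING from keytab")
```

An empty KVNO list for an SPN means the keytab the helper reads has no key for that principal.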