[Samba] [squid-users] Squid with NTLM auth behind netscaler
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 29 14:38:47 UTC 2015
Hai,
> i read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid
Seems wrong to me.
If you use samba 4 (don't know if it's the same for samba 3),
make sure you have this in smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind offline logon = yes
refresh tickets refreshes the machine pass in the keytab.
Offline logon is handy if your dc is down.
Steps to follow
Install samba and join the domain.
Check the SPNs of the hostname; if you are missing things, add them.
Remove /etc/krb5.keytab
Recreate it again (now it has all the needed SPNs) with:
net ads keytab create -U administrator
restart samba.
Now go configure squid.
Greetz,
Louis
> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Fabio Bucci
> Sent: Tuesday 29 December 2015 15:30
> To: Amos Jeffries
> CC: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
>
> Hi Amos,
> i'm trying to implement kerberos as you suggested me. But following
> the guide i read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid !!" and my system guy told me we
> use winbindd method.
>
> How can i implement so?
> Thanks
>
> 2015-12-16 21:12 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
> > On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> >> i'm planning to migrate to kerberos instead NTLM.....i got a question for
> >> you Amos: sometimes a client reports issue in navigation and searching into
> >> log file i cannot see "username" and all the request are 407
> >>
> >> In these cases is there a way to reset a user session or it's a completely
> >> client issue?
> >
> > Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> > some reason. Some old Firefox, most Safari, and older IE can all get
> > stuck trying those credentials and ignoring the offers of Basic.
> >
> > It might be possible to figure out some LmCompatibility settings change
> > that makes the problem just go away (eg, forcing NTLM of all versions to
> > disabled on the client).
> >
> > Other than that Squid does have some workaround responses it can be made
> > to send back that might help the client reach the right conclusion:
> >
> > a) list Basic auth first in the config. Any properly working client will
> > re-sort the auth types by security level and do the Kerberos anyway. But
> > the broken ones (particularly IE7 and older) will have more chance of
> > using Basic.
> >
> > b) sending 407 response with no auth headers. Such as a deny 407 status
> > generated by external ACL deny, or a URL-redirector. These tell the
> > client that auth failed, but there is no acceptable fallback.
> >
> > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> > the client prematurely attaching the credentials to the connection and
> > re-using them. That is supposed to have been fixed recently, but I've
> > not confirmed.
> >
> > d) sending 403 status response. To just flat-out block the client once
> > it enters the looping state. Hoping that later requests will start to
> > work again.
> >
> >
> > HTH
> > Amos
> >
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
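Added example, not from Louis's mail or from the Samba or Squid projects: two offline sanity checks for the member-server setup Louis describes. The first verifies that smb.conf carries the four settings he lists in [global] (the ones that let winbind keep /etc/krb5.keytab current after a machine password change), the second reads saved `klist -k` output and reports the KVNO of the HTTP service principal Squid's negotiate helper needs, so a stale keytab (principal absent, or present only at an old KVNO) is visible before Squid is configured. The smb.conf and klist output are constructed samples, and proxy.example.com / EXAMPLE.COM are assumed placeholder names.

```shell
#!/bin/sh
# Added example (not the post's or Samba's own code). Checks a smb.conf for the
# keytab/winbind settings from the mail and a saved "klist -k" listing for the
# HTTP SPN. Hostnames and realm below are assumed placeholders.

# check_smb_conf FILE
# Returns 0 when every required "key = value" is present in [global]
# (comments skipped, case and surrounding whitespace normalised), else 1.
check_smb_conf() {
    conf="$1"
    missing=0
    for setting in \
        'dedicated keytab file = /etc/krb5.keytab' \
        'kerberos method = secrets and keytab' \
        'winbind refresh tickets = yes' \
        'winbind offline logon = yes'
    do
        key=${setting%% =*}
        val=${setting#*= }
        found=$(awk -v k="$key" -v v="$val" '
            /^[ \t]*[;#]/ { next }                       # skip comment lines
            /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
            sect == "[global]" && index($0, "=") {
                eq  = index($0, "=")
                lhs = tolower(substr($0, 1, eq - 1)); rhs = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", lhs); gsub(/^[ \t]+|[ \t]+$/, "", rhs)
                if (lhs == k && rhs == v) { print "yes"; exit }
            }' "$conf")
        if [ "$found" != "yes" ]; then
            echo "smb.conf: missing or wrong in [global]: $setting" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# keytab_kvno FILE PRINCIPAL
# FILE holds "klist -k" output. Prints the highest KVNO at which PRINCIPAL
# appears and returns 0; prints nothing and returns 1 if it is absent.
keytab_kvno() {
    awk -v p="$2" '
        BEGIN { max = 0; found = 0 }
        $2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max; exit found ? 0 : 1 }' "$1"
}

# Constructed sample inputs (temporary files, removed on exit).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

GOOD_CONF="$WORK/smb.conf.good"
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   # the four settings from the mail; mixed case on purpose
   Dedicated Keytab File = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
   winbind offline logon = yes
[homes]
   browseable = no
EOF

BAD_CONF="$WORK/smb.conf.bad"
cat > "$BAD_CONF" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ads
   ; keytab settings missing: samba will not keep /etc/krb5.keytab current
   winbind offline logon = yes
EOF

KLIST_OUT="$WORK/klist.out"
cat > "$KLIST_OUT" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/proxy.example.com@EXAMPLE.COM
   3 host/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 PROXY$@EXAMPLE.COM
EOF

if check_smb_conf "$GOOD_CONF"; then echo "good smb.conf: ok"; fi
check_smb_conf "$BAD_CONF" || echo "bad smb.conf: fix before running net ads keytab create"
if kvno=$(keytab_kvno "$KLIST_OUT" 'HTTP/proxy.example.com@EXAMPLE.COM'); then
    echo "HTTP SPN present at kvno $kvno"
else
    echo "HTTP SPN missing: add it to the host in AD and recreate the keytab" >&2
fi
```

On a real host, replace the constructed files with the live smb.conf and `klist -k /etc/krb5.keytab > klist.out`; if the HTTP principal is missing or its KVNO is lower than the host/ principal's, that is the symptom Fabio quotes (a keytab that no longer matches the machine password), and Louis's remove-and-recreate steps apply.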