[Samba] [squid-users] AD user Login + Squid Proxy + Automatic Authentication
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 23 07:14:23 UTC 2019
The simplest way to add SSO:
Install winbind and krb5-user, then update your smb.conf with this config:
# Auth-Only setup with winbind. ( no Shares )
log level = 1
workgroup = NTDOM
security = ADS
realm = YOUR-REALM
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
interfaces = eth0 lo
bind interfaces only = yes
#Add and Update TLS Key
# Add the root cert and client certs here; push the rootCA to the PCs with a GPO.
tls enabled = yes
tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
tls cafile = /etc/ssl/certs/ROOT-ca.crt
## map ids from outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## map ids from the domain; this range and the (*) range must not overlap!
idmap config NTDOM : backend = rid
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
# Samba 4.6+ ( get primary group from AD ) ( Samba AD-Backend )
#idmap config NTDOM : unix_nss_info = yes
# Samba 4.6+ ( get primary group from unix primary group )
#idmap config NTDOM : unix_primary_group = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# We strip the domain (NTDOM\username) to username
winbind use default domain = yes
# enable offline logins
winbind offline logon = yes
# depth of nested group expansion; slows Samba down if groups are nested too deeply
# Not needed on the VPN server.
#winbind expand groups = 2
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For ACL support on member servers with shares, required
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
######## SHARE DEFINITIONS ################
# Next, join the AD domain.
net ads join
# set up the keytab for squid.
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
And use this for auth in squid:
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
-s HTTP/hostname.fqdn@REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
# only one 'children' line; a second one would override the first
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service principal per realm to
the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Randi Indrawan
Sent: Friday, August 23, 2019 3:28
To: squid-users at lists.squid-cache.org
Subject: [squid-users] AD user Login + Squid Proxy + Automatic Authentication
So I have set up a squid proxy on a CentOS 7 server, and the authentication system uses LDAP and it works; I can set which groups get access through the proxy.
The problem is ... can we set up the proxy to read the domain id that is logged in, so the proxy no longer asks for a username and password? All the tutorials I've seen use pop-up messages asking for the username and password. I would like this to happen automatically, so when the user logs in they are automatically authenticated.