[Samba] [squid-users] AD user Login + Squid Proxy + Automatic Authentication

L.P.H. van Belle belle at bazuin.nl
Fri Aug 23 07:14:23 UTC 2019

The simplest way to add SSO:
Install winbind and krb5-user, then update your smb.conf with this config:
    # Auth-Only setup with winbind. ( no Shares )
    log level = 1
    workgroup = NTDOM
    security = ADS
    realm = YOUR-REALM
    netbios name = HOSTNAME
    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes
    interfaces = eth0 lo
    bind interfaces only = yes
    # Add and update the TLS key.
    # Add the root cert and client certs here; deploy the root CA to the PCs with a GPO.
    tls enabled = yes
    tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
    tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
    tls cafile = /etc/ssl/certs/ROOT-ca.crt
    ## Map ids from outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    ## Map ids from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM : backend = rid
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    # Samba 4.6+ ( get primary group from AD ) ( Samba AD backend )
    #idmap config NTDOM : unix_nss_info = yes
    # Samba 4.6+ ( get primary group from unix primary group )
    #idmap config NTDOM : unix_primary_group = yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # Renew the Kerberos ticket.
    winbind refresh tickets = yes
    # Strip the domain (NTDOM\username) to username.
    winbind use default domain = yes
    # Enable offline logins.
    winbind offline logon = yes
    # Depth of nested group expansion; slows down Samba if the group depth is too large.
    # Not needed on the VPN server.
    #winbind expand groups = 2
    # User Administrator workaround; without it you are unable to set privileges.
    username map = /etc/samba/samba_usermapping
    # Disable usershare creation.
    usershare path =
    # Disable printing completely.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    # For ACL support on member servers with shares, mandatory.
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
######## SHARE DEFINITIONS ################

# Next TODO.  Join the AD-DC domain. 
kinit Administrator
net ads join 
# setup keytab for squid. 
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
And use this for auth in Squid:
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
      -s HTTP/hostname.fqdn@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on

If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On behalf of Randi Indrawan
Sent: Friday 23 August 2019 3:28
To: squid-users@lists.squid-cache.org
Subject: [squid-users] AD user Login + Squid Proxy + Automatic Authentication

So I have set up a Squid proxy on a CentOS 7 server, and the authentication system now uses LDAP. It works; I can set which groups get access through the proxy.

The problem is ... can we set up the proxy to read the domain ID that is logged in, so the proxy no longer asks for a username and password? All the tutorials I've seen show pop-up messages asking for the username and password. I would like this to happen automatically, so when the user logs in they are automatically authenticated.

Best Regards

Randi Indrawan
