Hi Eduardo,
In addition to Rowland's reply.
Try this one:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMINIO
Change the squid-2.5-ntlmssp to gss-spnego.
And test. If it works, stop reading here and be happy.
Not working? Then I have these questions and suggestions (and maybe more).
Are you using all Debian 8 standard packages?
You might prepare for a change to Negotiate auth. (See:
https://wiki.squid-cache.org/Features/NegotiateAuthentication )
The token first presented by the client is used by helpers to identify which
flavour is being used:
type 1 token - NTLM
type 2 token - Kerberos
You may see warnings or errors mentioning either of these token types with
Negotiate authentication. Particularly common are problems with type 1 when
configured with Kerberos helpers.
The issue is a mismatch between the client and helper capabilities. The
negotiate_wrapper helper is currently the only helper known which can handle
both types at once.
Then I suspect your Win8 uses type 2 tokens, and then you need the following.
The settings below work on both my servers; I run 2 proxies atm.
Debian 8, samba 4.6.15, squid own build 3.5.19 (a rebuild from Debian testing, but with SSL enabled)
Debian 9, samba 4.8.2, squid own build 3.5.27 (a rebuild from Debian testing, but with SSL enabled)
My settings are these, and this works from Win XP up to Win10 1709 (in production here).
#Negotiate auth
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.internal.domain.tld@KERBEROS.DOMAIN.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
#Basic auth, over ldaps
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=Company,dc=internal,dc=domain,dc=tld" \
-D special-user-for-ldap-bind-request@internal.domain.tld \
-W /etc/squid/private/special-file-4-user-for-ldap-bind-request-containing-passwd \
-f sAMAccountName=%s \
-H ldaps://dc2.internal.domain.tld \
-H ldaps://dc1.internal.domain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours
acl authenticated proxy_auth REQUIRED
authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour
Samba does not need much, but I would change some things.
The important ones are:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# needed to update the kerberos ticket for the server.
winbind refresh tickets = yes
winbind use default domain = yes
# can be handy if you need to reboot the AD server.
winbind offline logon = yes
Squid: I noticed your config is a bit off..
> [libdefaults]
> default_realm = MYDOMINIO.COM
> dns_lookup_kdc = no
> dns_lookup_realm = no
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid3/PROXY.keytab
All I have is:
default_realm = MYKERBEROSREALM.DOMAIN.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
And in /etc/default/squid
KRB5_KTNAME=/etc/squid/keytab.PROXY-HTTP
export KRB5_KTNAME
#You might need:
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE
Beware, these changes are not small ones; backup, backup, backup...
Also, I'm away from computers this weekend, so I'll be able to reply today,
if you're fast, or Monday.
Good luck!
Greetz,
Louis
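To make the type 1 / type 2 distinction above concrete, here is an added example (written for this page, not code from Squid, negotiate_wrapper or anyone in this thread): a small Python classifier that decodes the first token a client sends, taken from a Proxy-Authorization: Negotiate header in a capture or from the YR line Squid hands the helper, and reports whether it leads with NTLMSSP or Kerberos, so the helper mismatch the wiki text describes can be confirmed before reconfiguring. The OID constants are the standard GSS-API mechanism identifiers; the sample tokens produced by spnego_init and ntlm_type1 are constructed here.

```python
import base64
import struct

# Constructed constants: DER OID contents (no tag/length) of the GSS-API mechanisms involved
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos=0):  # parse one DER tag/length/value at pos; return (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def first_oid(buf):
    """Descend through constructed tags and return the first OID found."""
    tag, value, _ = read_tlv(buf)
    return value if tag == 0x06 else first_oid(value)

def classify_token(token):
    """Mechanism the client's first token leads with (bare b64, 'Negotiate <b64>' or 'YR <b64>')."""
    raw = base64.b64decode(token.split()[-1])
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:   # bare NTLMSSP, no SPNEGO wrapper
        return "ntlm (raw NTLMSSP message type %d)" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] != b"\x60":                                  # not a GSS-API InitialContextToken
        return "unknown"
    _, body, _ = read_tlv(raw)
    _, mech, pos = read_tlv(body)                           # thisMech OID
    if mech in (KRB5_OID, MS_KRB5_OID):
        return "kerberos (raw krb5 AP-REQ)"
    if mech != SPNEGO_OID:
        return "unknown"
    preferred = first_oid(body[pos:])                       # NegTokenInit.mechTypes[0]
    if preferred == NTLMSSP_OID:
        return "ntlm (SPNEGO, NTLMSSP preferred)"
    if preferred in (KRB5_OID, MS_KRB5_OID):
        return "kerberos (SPNEGO, krb5 preferred)"
    return "unknown"

def der(tag, body):  # minimal DER encoder, short-form lengths only (< 128): enough for the samples
    return bytes([tag, len(body)]) + body

def spnego_init(mechs):  # constructed SPNEGO NegTokenInit carrying only a mechTypes list
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    return base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, mech_list))))).decode()

def ntlm_type1():  # constructed bare NTLMSSP NEGOTIATE (type 1): signature, type 1, 20 zero bytes
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 20).decode()
```

A Windows client that answers "ntlm" here will never be satisfied by negotiate_kerberos_auth alone, which is exactly the case the negotiate_wrapper setup above is for.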
> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Eduardo Miranda Hidalgo via samba
> Sent: Friday 8 June 2018 14:19
> To: samba
> Subject: [Samba] samba4+squid3+ntlm
>
> Hello:
>
> I have a squid3 with NTLM authentication integrated with samba4,
> but workstations with Windows 8.1 are constantly asked for the
> username and password and it does not let the user browse.
> I use Debian 8 + samba 4.7.7. No idea why that happens;
> clients with Windows 7 work well.
>
>
> smb.conf
>
> workgroup = MYDOMINIO
> security = ads
> netbios name = srv-proxy
> server string = Servidor Proxy de Dominio
> realm = MYDOMINIO.COM
> password server = srv-pdc.midominio.com
>
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> syslog = 0
> #log level = 1
> log level = 3 passdb:5 auth:10 winbind:5
> log file = /var/log/samba/%m.log
> max log size = 50
>
> squid.conf
>
> ##Authentication
> # NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMINIO
> auth_param ntlm children 20
> auth_param ntlm keep_alive on
> # NTLM basic
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=MYDOMINIO
> auth_param ntlm children 20
> auth_param basic children 20
> auth_param basic realm Proxy midominio.comu
> auth_param basic credentialsttl 1 hours
> external_acl_type ldap_group children-max=20 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
> authenticate_ttl 1 hours
> authenticate_ip_ttl 1 hours
>
> krb5.conf
>
> [libdefaults]
> default_realm = MYDOMINIO.COM
> dns_lookup_kdc = no
> dns_lookup_realm = no
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid3/PROXY.keytab
>
> ; for Windows 2003
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> MYDOMINIO.COM = {
> kdc = srv-pdc.midominio.com
> admin_server = srv-pdc.midominio.com
> default_domain = midominio.com
> }
>
> [domain_realm]
> .midominio.com = MYDOMINIO.COM
> srv-pdc.midominio.com = MYDOMINIO.COM
>
> regards
> Eduardo