samba - Dec 2015 - [squid-users] Squid with NTLM auth behind netscaler

Hai, 
> i read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid
Seems wrong to me. 

If you use samba 4. ( dont know if its the same for samba 3 ) 

Make sure you have this in smb.conf    

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind refresh tickets = yes
   winbind offline logon = yes

refresh tickets refreshed the machine pass in the keytab. 
Offline logon is handy if you dc is down. 

Steps to follow

Install samba and join the domain. 
Check the SPNs of the hostname, if you missing things, add them. 
Remove /etc/krb5.keytab 
Recreate it again ( now it has al the needed SPN's ) with : 
net ads keytab create -U administrator

restart samba. 

Now go configure squid. 


Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
Namens
> Fabio Bucci
> Verzonden: dinsdag 29 december 2015 15:30
> Aan: Amos Jeffries
> CC: squid-users at lists.squid-cache.org
> Onderwerp: Re: [squid-users] Squid with NTLM auth behind netscaler
> 
> Hi Amos,
> i'm trying to implement kerberos as you suggested me. But following
> the guide i read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid !!" and my system guy told me we
> use winbindd method.
> 
> How can i implement so?
> Thanks
> 
> 2015-12-16 21:12 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:
> > On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> >> i'm planning to migrate to kerberos instead NTLM.....i got a
question
> for
> >> you Amos: sometimes a client reports issue in navigation and
searching
> into
> >> log file i cannot see "username" and all the request are
407
> >>
> >> In these cases is there a way to reset a user session or it's
a
> completely
> >> client issue?
> >
> > Usually it is the client stuck in a loop trying Negtiate/NTLM auth for
> > some reason. Some old Firefox, most Safari, and older IE can all get
> > stuck trying those credentials and ignoring the offers of Basic.
> >
> > It might be possible to figure out some LmCompatibility settings
change
> > that makes the problem just go away (eg, forcing NTLM of all versions
to
> > disabled on the client).
> >
> > Other than that Squid does have some workaround responses it can be
made
> > to send back that might help the client reach the right conclusion:
> >
> > a) list Basic auth first in the config. Any properly working client
will
> > re-sort the auth types by security level and do theKerberos anyway.
But
> > the broken ones (particularly IE7 and older) will have more chance of
> > using Basic.
> >
> > b) sending 407 response with no auth headers. Such as a deny 407
status
> > generated by external ACL deny, or a URL-redirector. These tell the
> > client that auth failed, but there is no acceptible fallback.
> >
> > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> > the client prematurely attaching the credentials to the connection and
> > re-using them. That is supposed to have been fixed recently, but
I've
> > not confirmed.
> >
> > d) sending 403 status response. To just flat-out block the client once
> > it enters the looping state. Hoping that later requests will start to
> > work again.
> >
> >
> > HTH
> > Amos
> >
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users