samba - Aug 2019 - [squid-users] AD user Login + Squid Proxy + Automatic Authentication

The most simple way to add SSO. 
?
Install winbind krb5-user, then?your smb.conf,? update this config : 
[global]
??? # Auth-Only setup with winbind. ( no Shares )
????log level = 1
??? workgroup = NTDOM
??? security = ADS
??? realm = YOUR-REALM
??? netbios name = HOSTNAME
?
??? preferred master = no
??? domain master = no
??? host msdfs = no
??? dns proxy = yes
?
??? interfaces = eth0 lo
??? bind interfaces only = yes
?
??? #Add and Update TLS Key
?# Add the root cert and clients certs here, add the rootCA with GPO to the
pc's.
??? tls enabled = yes
??? tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
??? tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
??? tls cafile = /etc/ssl/certs/ROOT-ca.crt
?
??? ## map id's outside to domain to tdb files.
??? idmap config *: backend = tdb
??? idmap config *: range = 2000-9999
?
??? ## map ids from the domain and (*) the range may not overlap !
??? idmap config NTDOM : backend = rid
??? idmap config NTDOM : schema_mode = rfc2307
??? idmap config NTDOM : range = 10000-3999999
?
?# Samba 4.6+ ( get primary group from AD ) ( Samba AD-Backend )
??? #idmap config NTDOM : unix_nss_info = yes
?# Samba 4.6+ ( get primary group from unix primary group )
??? #idmap config NTDOM : unix_primary_group = yes
###########
?
??? kerberos method = secrets and keytab
??? dedicated keytab file = /etc/krb5.keytab
?
??? # renew the kerberos ticket
??? winbind refresh tickets = yes
?
??? # We strip the domain (NTDOM\username) to username
??? winbind use default domain = yes
?
??? # enable offline logins
??? winbind offline logon = yes
?
??? # check depth of nested groups, ! slows down you samba, if to much groups
depth
??? # Not needed on the VPN server.
??? #winbind expand groups = 2
?
??? # user Administrator workaround, without it you are unable to set privileges
??? username map = /etc/samba/samba_usermapping
?
??? # disable usershares creating
??? usershare path ?
??? # Disable printing completely
??? load printers = no
??? printing = bsd
??? printcap name = /dev/null
??? disable spoolss = yes
?
??? # For ACL support on member servers with shares, OBLIGATES
??? vfs objects = acl_xattr
??? map acl inherit = Yes
??? store dos attributes = Yes
?
######## SHARE DEFINITIONS ################

?
# Next TODO.? Join the AD-DC domain. 
kinit Administrator
net ads join 
?
# setup keytab for squid. 
?
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME
?
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
?
and use this for auth in squid. 
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
??? --kerberos /usr/lib/squid/negotiate_kerberos_auth -k
/etc/squid/HTTP-hostname.keytab \
????? -s HTTP/hostname.fqdn at REALM \
??? --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on

If you serve multiple Kerberos realms add a HTTP/fqdn at REALM service principal
per realm to
?????? the HTTP.keytab file and use the -s GSS_C_NO_NAME option with
negotiate_kerberos_auth. ?
Greetz, 
?
Louis
?
?


Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens
Randi Indrawan
Verzonden: vrijdag 23 augustus 2019 3:28
Aan: squid-users at lists.squid-cache.org
Onderwerp: [squid-users] AD user Login + Squid Proxy + Automatic Authentication




So I have setup a squid proxy on a CentOS 7 Server and now the authentication
system uses ldap and it works, I can set which groups get access through a proxy

The problem is ... can we setup the proxy read the domain id that is being
logged, so the proxy no longer asks for a username and password. All the
tutorials I've seen are pop-up messages asking for the username and
password. I would like this to happen automatically so when the user logs in
they automatically authenticate

Best Regards

Randi Indrawan

DISCLAIMER : The information contained in this communication (including any
attachments) is privileged and confidential, and may be legally exempt from
disclosure under applicable law. It is intended only for the specific purpose of
being used by the individual or entity to whom it is addressed. If you are not
the addressee indicated in this message (or are responsible for delivery of the
message to such person), you must not disclose, disseminate, distribute,
deliver, copy, circulate, rely on or use any of the information contained in
this transmission. We apologize if you have received this communication in
error; kindly inform the sender accordingly. Please also ensure that this
original message and any record of it is permanently deleted from your computer
system. We do not give or endorse any opinions, conclusions and other
information in this message that do not relate to our official business.