L.P.H. van Belle
2019-Aug-23 07:14 UTC
[Samba] [squid-users] AD user Login + Squid Proxy + Automatic Authentication
The simplest way to add SSO.

Install winbind and krb5-user, then in your smb.conf update this config:

[global]
    # Auth-Only setup with winbind. ( no Shares )
    log level = 1
    workgroup = NTDOM
    security = ADS
    realm = YOUR-REALM
    netbios name = HOSTNAME

    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes

    interfaces = eth0 lo
    bind interfaces only = yes

    # Add and Update TLS Key
    # Add the root cert and client certs here, add the root CA with GPO to the pc's.
    tls enabled = yes
    tls keyfile = /etc/ssl/private/HOSTNAME.key.pem
    tls certfile = /etc/ssl/certs/HOSTNAME.cert.pem
    tls cafile = /etc/ssl/certs/ROOT-ca.crt

    ## map ids from outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999

    ## map ids from the domain; the (*) range and this range may not overlap !
    idmap config NTDOM : backend = rid
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

    # Samba 4.6+ ( get primary group from AD ) ( Samba AD-Backend )
    #idmap config NTDOM : unix_nss_info = yes
    # Samba 4.6+ ( get primary group from unix primary group )
    #idmap config NTDOM : unix_primary_group = yes
    ###########

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    # We strip the domain (NTDOM\username) to username
    winbind use default domain = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; ! slows down your samba if the group nesting is too deep
    # Not needed on the VPN server.
    #winbind expand groups = 2

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creation
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For ACL support on member servers with shares, OBLIGATORY
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

######## SHARE DEFINITIONS ################

Next TODO. Join the AD-DC domain.

kinit Administrator
net ads join

# setup keytab for squid.
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add HTTP/$(hostname -f)
# check keytab file.
klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

and use this for auth in squid.

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
      -s HTTP/hostname.fqdn@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on

If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal per realm to
the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

Greetz,

Louis


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Randi Indrawan
Sent: Friday 23 August 2019 3:28
To: squid-users at lists.squid-cache.org
Subject: [squid-users] AD user Login + Squid Proxy + Automatic Authentication

So I have set up a squid proxy on a CentOS 7 server, and now the authentication system uses ldap and it works: I can set which groups get access through the proxy. The problem is ... can we set up the proxy to read the domain id that is logged in, so the proxy no longer asks for a username and password? All the tutorials I've seen are pop-up messages asking for the username and password.
I would like this to happen automatically, so when the user logs in they automatically authenticate.

Best Regards
Randi Indrawan
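Added example, not code from the list post or from Samba/Squid: a small shell script with offline checks for three of the steps in Louis's reply above, namely that the squid keytab lists the HTTP/fqdn@REALM service principal, that the keytab ends up group-readable but not world-readable after the chgrp/chmod, and that the idmap ranges in smb.conf do not overlap. The hostname, realm, keytab path and the klist / smb.conf samples it runs against are constructed placeholders.

```bash
#!/bin/bash
# Added example, not from the list post: sanity checks for the winbind +
# squid SSO setup above. Hostname, realm and file names are placeholders,
# and the klist output / smb.conf fragments below are constructed samples.

# 0 if the klist -ke output (arg 1) contains the service principal (arg 2).
keytab_has_principal() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# 0 if the keytab file (arg 1) is group-readable (for squid's "proxy"
# group after chgrp) and carries no permission bits for "other".
keytab_perms_ok() {
    case "$(ls -ld "$1" | cut -c2-10)" in   # e.g. rw-r-----
        ???r??---) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if every "idmap config X : range = LO-HI" in the smb.conf text (arg 1)
# is disjoint from the others; the post warns that they must not overlap.
idmap_ranges_disjoint() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*idmap config[^:]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' \
      | sort -n \
      | awk 'NR > 1 && $1 <= hi { bad = 1 } { hi = $2 } END { exit bad }'
}

# Constructed "klist -ke" output for a keytab made with "net ads keytab add".
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP-proxy.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/proxy.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy.example.internal@EXAMPLE.INTERNAL (aes128-cts-hmac-sha1-96)'

# Constructed smb.conf fragment with the ranges from the post.
GOOD_IDMAP='   idmap config *: backend = tdb
   idmap config *: range = 2000-9999
   idmap config NTDOM : backend = rid
   idmap config NTDOM : range = 10000-3999999'

# Same layout, but the default (*) range now runs into the NTDOM range.
BAD_IDMAP='   idmap config *: range = 2000-20000
   idmap config NTDOM : range = 10000-3999999'

check_all() {
    keytab_has_principal "$SAMPLE_KLIST" 'HTTP/proxy.example.internal@EXAMPLE.INTERNAL' || return 1
    idmap_ranges_disjoint "$GOOD_IDMAP" || return 1
    ! idmap_ranges_disjoint "$BAD_IDMAP" || return 1
    echo "sample checks passed"
}
```

On a real host, feed keytab_has_principal the output of klist -ke on the squid keytab and keytab_perms_ok the keytab path; a missing principal shows up as a Negotiate fallback to the browser prompt, which is exactly the symptom in the original question.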