Univention Bugzilla – Bug 31967
add gss-spnego (kerberos) support to squid_ldap_ntlm_auth
Last modified: 2017-03-06 17:58:45 CET
We should add gss-spnego (kerberos) support to squid_ldap_ntlm_auth; then we can activate squid negotiate:

    # auth negotiate
    auth_param negotiate program /usr/lib/squid3/squid_ldap_ntlm_auth --debug --gss-spnego
    auth_param negotiate children 10

A Linux user with a kerberos ticket can then authenticate to the squid server without a password prompt. Windows users with a ticket (samba4) can as well, and Windows users without a ticket (samba3) can also authenticate without a password, because Windows then does ntlm over negotiate.
Added negotiate support to squid_ldap_ntlm_auth. squid_ldap_ntlm_auth is now also a negotiate wrapper for kerberos (with /usr/lib/squid3/squid_kerb_auth as backend) and for ntlm over negotiate. In negotiate mode squid_ldap_ntlm_auth starts /usr/lib/squid3/squid_kerb_auth and redirects negotiate krb5 authentication tickets to squid_kerb_auth. Negotiate is still not activated by default, and negotiate krb5 works only in a samba4 environment (-> Bug #31968).

The default auth negotiate tool for squid is now "/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm". To revert to the old config, "ucr set squid/krb5auth/tool=/usr/lib/squid3/squid_kerb_auth" can be used.

Here is my test matrix.

Win7 proxy settings:
    FQDN for proxy server -> negotiate kerberos
    IP for proxy server   -> negotiate ntlm

UCS 3.1-1 with samba4 and a squid server with negotiate, ntlm and basic authentication activated.

Legend: ok - works, nu - not used, pp - password prompt

                        | ntlm       | negotiate krb5   | negotiate ntlm
    --------------------|------------|------------------|----------------
    winxp (domain user) | ok         | nu               | nu
    winxp (local user)  | ok (pp)    | nu               | nu
    win7 (domain user)  | nu         | ok               | ok
    win7 (local user)   | ok (pp)    | nu               | nu
    UCC                 | ok (pp)    | ok               | nu
    ipad                | ok (pp)    | nu               | nu
    asus tablet         | ok (pp)    | nu               | nu
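To show what the negotiate, ntlm and basic chain from the test setup above looks like in squid.conf, here is an added example configuration. It is not taken from the bug or from Univention's packaging: only the negotiate program line matches the default named in the comment above; the helper paths for ntlm and basic and the LDAP parameters are assumptions.

```conf
# Added example (not from the bug or from Univention's packaging): a squid3
# auth_param chain for a proxy offering negotiate, ntlm and basic.
# Squid advertises the schemes in the order they appear here, so a client
# that supports Negotiate picks it first; Basic is the last resort.

# Negotiate: kerberos tickets are handed to squid_kerb_auth by the wrapper,
# clients without a ticket fall back to ntlm-over-negotiate inside this scheme.
auth_param negotiate program /usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Plain ntlm for clients that never offer Negotiate (the winxp rows above).
# Assumption: the same helper without --gss-spnego serves plain ntlm.
auth_param ntlm program /usr/lib/squid3/squid_ldap_ntlm_auth
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic fallback (the "pp" rows above). Helper path, search base and filter
# are assumptions; squid3 ships several LDAP basic helpers.
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" ldap.example.com
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Require a successful authentication with any of the schemes above.
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
```

Two things to check with such a chain: the client reaches Negotiate kerberos only when it addresses the proxy by a name that matches a service principal, which is why the matrix above records FQDN versus IP separately; and the Basic fallback carries the password in the clear to the proxy, so keep it last and restrict its reach to clients that cannot do better.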
QA:

                        | ntlm       | negotiate krb5   | negotiate ntlm
    --------------------|------------|------------------|----------------
    winxp (domain user) | ok         | nu               | nu
    winxp (local user)  | ok (pp)    | nu               | nu
    win7 (domain user)  | *OK*       | ok               | ok
    win7 (local user)   | ok (pp)    | nu               | nu
    UCC                 | ok (pp)    | ok               | nu
    ipad                | ok (pp)    | nu               | nu
    asus tablet         | ok (pp)    | nu               | nu

- Generally the same results, with one addition: win7 works with pure ntlm, too
- If a local user was used on winxp and win7 which is known in the domain, there is not even a password prompt
- ipad: username and password can be entered in the settings dialog, so that one will never be asked for them again

--> OK

FAIL: ucrv description (2x [de])
    [squid/krb5auth/tool]
    Description[de]=Programm für die Squid negotiate Authentifizierung
    Description[de]=Squid negotiate authentication tool
> FAIL: ucrv description (2x [de])
> [squid/krb5auth/tool]
> Description[de]=Programm für die Squid negotiate Authentifizierung
> Description[de]=Squid negotiate authentication tool

Fixed in 6.0.8-4.198.201307241606, modified yaml file.
Bugfix: OK
YAML: OK
-> Verified

One addition to the change in the win7 ntlm-only test: Win7 client, not joined: if a local user has the same credentials as a domain user in which squid runs, this user is not prompted for a password to use squid; the local credentials are passed on. In the same scenario, if the local credentials are not present for an account in the domain, the user is asked for valid credentials.
http://errata.univention.de/ucs/3.1/152.html