Kerberos Squid without authentication?
-
Maybe you are facing the same problem as this guy was, take a look:
Quote:
You should see a request from the client to Active Directory asking for a TGS for HTTP/<fqdn of proxy>. If that does not happen or get refused by AD the client will fall back to NTLM (wrapped into the Negotiate response) which is waht you see on the proxy.I would set a packet capture like that guy did to check, port 88
-
@mcury
Finally got it to authenticate but im still getting the popup
-
Why are you authenticating as administrador@CASA.LOCAL ?
The user should be appearing there and not administrator. Should be user@CASA.LOCALThe user need to be member of the group used in ldapusersearch in Squidguard
-
@mcury
its because im opening the chrome inside of the windows server which im logged on as administradorthis is another user
-
Ok, in this last screenshot, the username is Windows10?
Is this user a member of the group used in ldapusersearch?You are almost there.. soon we will find the problem
-
@mcury
thanks for the reply,
so on the squidguardldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))and the user is located in
CN=windows10,CN=Users,DC=casa,DC=local -
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
You used a
%2cin the wrong place (It means a ',')It should be:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))It's important to notice that you are not filtering users by group in this case..
I would create a group, like internet, add the members to this group, and then filter like this:ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s)) -
@mcury said in Kerberos Squid without authentication?:
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
Thanks again for the reply, so i changed to
ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))then created group called internet added windows10 and administrador but same issue with popup
CN=internet,CN=Users,DC=casa,DC=localIm thinking its a squid issue but dont know what else to do :(
-
Try port 389 instead of 3268.. Who knows..
-
Thanks for the reply,
so on squid i had to removehttp_access allow denynow i got to squidguard i see this log
(squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),i also had to configure on squidguard
-
So, is it working now ?
if not, I would focus on the ldapusersearch..
-
thanks for the reply,
so correct its navigating with the user now i need to block but i see the log on squidguard12.05.2021 19:45:34 (squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName) -
Try to tick that option in squidguard: Strip NT domain name.
If ticking it doesn't work, undo it.. -
Test this:
1 - Disable Squidguard authentication tab
2 - Enable Squid authentication tab with the following details:Squid Authentication LDAP Settings > LDAP Base Domain:
DC=casa,DC=local -R(-R option will enable the recursive search in domain).
Note: keep the ldapusersearch the same as before, using port 3268
Then try again and post here in case it works.
-
Google Chrome and other browsers from a certain version onwards (I can't say from which one) don't allow "Transparent" authentication without the Pop Up window appearing.
So I don't think you will be able to accomplish what you intended.If I am wrong can you correct me please.
-
@mcury
Thanks for the reply, so got it working, i used the pf2ad script
but on ldap for squidguard how to add a group with a space the group is called domain usersldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))