Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Kerberos Squid without authentication?

    Scheduled Pinned Locked Moved Cache/Proxy
    39 Posts 3 Posters 5.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      killmasta93 @mcury
      last edited by

      @mcury
      Finally got it to authenticate but im still getting the popup

      525feae3-d657-4d22-b5de-aa1e3611b3fd-image.png

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

      M 1 Reply Last reply Reply Quote 0
      • M
        mcury @killmasta93
        last edited by mcury

        Why are you authenticating as administrador@CASA.LOCAL ?
        The user should be appearing there and not administrator. Should be user@CASA.LOCAL

        The user need to be member of the group used in ldapusersearch in Squidguard

        dead on arrival, nowhere to be found.

        K 1 Reply Last reply Reply Quote 0
        • K
          killmasta93 @mcury
          last edited by killmasta93

          @mcury
          its because im opening the chrome inside of the windows server which im logged on as administrador

          this is another user

          68db97a0-6e2f-4ab8-b790-b01fded9a4c1-image.png

          Tutorials:

          https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

          M 1 Reply Last reply Reply Quote 0
          • M
            mcury @killmasta93
            last edited by

            Ok, in this last screenshot, the username is Windows10?
            Is this user a member of the group used in ldapusersearch?

            You are almost there.. soon we will find the problem

            dead on arrival, nowhere to be found.

            K 1 Reply Last reply Reply Quote 0
            • K
              killmasta93 @mcury
              last edited by

              @mcury
              thanks for the reply,
              so on the squidguard

              ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
              

              and the user is located in

              CN=windows10,CN=Users,DC=casa,DC=local
              

              Tutorials:

              https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

              M 1 Reply Last reply Reply Quote 0
              • M
                mcury @killmasta93
                last edited by mcury

                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

                You used a %2c in the wrong place (It means a ',')

                It should be:

                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                

                It's important to notice that you are not filtering users by group in this case..
                I would create a group, like internet, add the members to this group, and then filter like this:

                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                

                dead on arrival, nowhere to be found.

                K 1 Reply Last reply Reply Quote 0
                • K
                  killmasta93 @mcury
                  last edited by

                  @mcury said in Kerberos Squid without authentication?:

                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

                  Thanks again for the reply, so i changed to

                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                  

                  then created group called internet added windows10 and administrador but same issue with popup

                  CN=internet,CN=Users,DC=casa,DC=local
                  

                  Im thinking its a squid issue but dont know what else to do :(

                  Tutorials:

                  https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                  M 1 Reply Last reply Reply Quote 0
                  • M
                    mcury @killmasta93
                    last edited by

                    Try port 389 instead of 3268.. Who knows..

                    dead on arrival, nowhere to be found.

                    K 1 Reply Last reply Reply Quote 0
                    • K
                      killmasta93
                      last edited by killmasta93

                      @mcury

                      Thanks for the reply,
                      so on squid i had to remove

                      http_access allow deny
                      

                      now i got to squidguard i see this log

                      (squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),
                      

                      i also had to configure on squidguard
                      21f45554-d0d5-41a6-9fb8-52ef0216d7ff-image.png

                      Tutorials:

                      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        mcury @killmasta93
                        last edited by

                        So, is it working now ?

                        if not, I would focus on the ldapusersearch..

                        dead on arrival, nowhere to be found.

                        1 Reply Last reply Reply Quote 0
                        • K
                          killmasta93 @mcury
                          last edited by

                          thanks for the reply,
                          so correct its navigating with the user now i need to block but i see the log on squidguard

                          12.05.2021 19:45:34	(squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName)
                          

                          Tutorials:

                          https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                          M 1 Reply Last reply Reply Quote 0
                          • M
                            mcury @killmasta93
                            last edited by mcury

                            Try to tick that option in squidguard: Strip NT domain name.
                            If ticking it doesn't work, undo it..

                            dead on arrival, nowhere to be found.

                            M 1 Reply Last reply Reply Quote 0
                            • M
                              mcury @mcury
                              last edited by

                              Test this:

                              1 - Disable Squidguard authentication tab
                              2 - Enable Squid authentication tab with the following details:

                              Squid Authentication LDAP Settings > LDAP Base Domain:
                              DC=casa,DC=local -R

                              (-R option will enable the recursive search in domain).

                              Note: keep the ldapusersearch the same as before, using port 3268

                              Then try again and post here in case it works.

                              dead on arrival, nowhere to be found.

                              K 1 Reply Last reply Reply Quote 0
                              • K
                                KaP
                                last edited by

                                Google Chrome and other browsers from a certain version onwards (I can't say from which one) don't allow "Transparent" authentication without the Pop Up window appearing.
                                So I don't think you will be able to accomplish what you intended.

                                If I am wrong can you correct me please.

                                1 Reply Last reply Reply Quote 0
                                • K
                                  killmasta93 @mcury
                                  last edited by

                                  @mcury
                                  Thanks for the reply, so got it working, i used the pf2ad script
                                  but on ldap for squidguard how to add a group with a space the group is called domain users

                                  ldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))
                                  

                                  Tutorials:

                                  https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.