Can Kerberos or NTLM be used without installing Samba?

MBwork

I've done some research on Samba's doc pages and various Redhat/CentOS/SUSE docs, and it seems as though to get anything other than Basic authentication (that prompts the user for credentials via a window in the browser) would require Samba to be installed. Am I correct on this?

And if so, is there anything in the works to have official support for this without having to take a monkey wrench to the firewall and do it by hand? My goal is single sign-on in Squid without having to install Samba, or at the very least have an official method to configure it through the web UI.

Thanks in advance for any info.

(I should also add that I'm talking about using pfSense with Squid in a Window Active Directory environment)

sichent

There is a possibility to redirect SSO NTLM handshakes as LDAP binds requests to your DC. Something like https://docs.diladele.com/administrator_guide_5_0/active_directory/ntlm/index.html

The Kerberos is better though and it does not need Samba at all. But this is not pfSense UI integrated. But surely possible. See https://docs.diladele.com/administrator_guide_5_0/active_directory/index.html

MBwork

This is the guide I needed. Thanks.

Most of this is easily adaptable to pfSense/FreeBSD, and since pfSense 2.3 has krb5 preinstalled, there's nothing to manually install at all. I have this working at the moment in a test environment. Much more testing will be required, though.

Has anyone else that's set this up run into any gotchas? (That is, anything non-obvious that caused problems later on). I've already ran into some trouble with mismatched kvno's. The kerberos utilities on pfSense have different command line arguments than what most reference guides show, so that's been a bit of an issue as well.

sichent

If you do not mind please share the diffs here and I will update the docs site. BTW we have a beta testers program that entitles for a free personal license. You need to have a github account though and actively participate in development :(

MBwork

This is just what I have so far. I'm willing to do a more detailed write-up after I've had a chance to explore.

Essentially just follow the Windows config portion of the guide for creating the DNS entry, user and keytab file. The username can be anything. It doesn't have to be named squid. The guide shows RC4-HMAC-NT being used, but both pfSense and Server 2008 support AES256-SHA1, so this should be possible to adjust.

Put both the krb5.keytab and krb5.conf files in /etc. (It seems like it'd be a good idea to change the group owner of the keytab file to squid and then lock it down with 640 permissions, but the Squid helpers crash when doing this. I'm not sure why. The helpers run as the squid user. Maybe somebody else can chime in?)

My kbr5.conf currently looks like this ("yourdc" is your domain controller, and "yourdomain" is your FQDN. This is caps sensitive);

[libdefaults]
    default_realm = YOURDOMAIN.COM
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1
    default_keytab_name = /etc/krb5.keytab

[domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM

[realms]
    YOURDOMAIN.COM = {
        default_domain = yourdomain.com
        kdc = yourdc.yourdomain.com:88
        admin_server = yourdc.yourdomain.com
    }

Then just put the following under the "Custom Options (Before Auth)" section in the Advanced part of the Squid config page (yourhostname is the name you defined in DNS and also when making the keytab file on the DC);

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -d -s HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM -k /etc/krb5.keytab
auth_param negotiate children 10 startup=5 idle=5
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access deny !auth
http_access allow auth
http_access deny all

The -i and -d flags are for debugging. They're probably worth taking out when no longer needed as they are extremely noisy.

For anyone planning to use this, keep in mind that this isn't going to work with Transparent Proxy enabled because this relies on the client being sent a HTTP 407 auth response.

One problem I'm working on is when something doesn't work correctly (either kerberos fails or the client doesn't support it), it will prompt the user for credentials. This credentials window is completely useless. Regardless of what is typed in, it will still fail (and possibly transmit credentials in clear text). This happens on Chrome, IE and Edge. I'm currently reading through the Squid docs for a graceful way to handle this.

*** Also, for any devs reading this - this seems like something that would be fairly painless to implement into the web UI. I can't be the only person that would benefit from this ***