Proxy SSO Plugin

Started by rmundel, November 03, 2021, 04:01:21 PM

Hey guys, after spending weeks with our team trying to automatically log in AD users with squid, we just gave up.

Is it possible? Has anyone done it? If so, can someone point us in some direction?

If it doesn't work, we are considering doing it with samba (winbind).

Winbind is not included. I heard from a customer about a successful integration, but it was very tricky.

November 03, 2021, 07:58:57 PM #2 Last Edit: November 03, 2021, 08:27:56 PM by Fright
Hi. yes. squid + sso + ad can work
can you share initial data, steps taken and errors? I think then it will be easier for people to try to help

Hi! I'm working with Rafael on this.. The errors.. this is the problem, they don't exist, apparently it should work with this configuration.

* krb5.conf is ok
* smb.conf is ok
* squid.conf is configured to work with ntlm_auth
* net ads join on domain is ok
* wbinfo to get the users is ok

But the transparent authentication (ntlm_auth) doesn't work with squid (command line is working fine), just the basic auth.

And here is the interesting thing, I have already made this scenario work many times (Linux, NetBSD, FreeBSD), and because of this problem with OPNsense, I built a lab with Linux + Winbind + Squid just like I always did, and this is not working! I have the same result.

I don't know if it is a problem with ntlm_auth, or the squid version, or the samba version, I still couldn't identify it. Maybe try to downgrade the squid/samba version..

November 04, 2021, 08:46:36 PM #4 Last Edit: November 04, 2021, 08:48:23 PM by Fright
Hi!
Quote: squid.conf is configured to work with ntlm_auth
hm. sso plugin is for kerberos afaik  ;)
so you need to set ldap, ad account for opnsense host, set SPN etc
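
For reference, the two helper types this thread contrasts, written as a squid.conf fragment. This is an added example and not part of any post or of the plugin's generated configuration; the helper paths, keytab location, host name and realm are placeholder assumptions.

```conf
# Added illustration. Paths, proxy.example.com and EXAMPLE.COM are placeholders.

# --- NTLM through Samba/winbind (the setup described in the posts above) ---
# Squid passes the NTLMSSP exchange to Samba's ntlm_auth helper, which needs a
# running winbindd and a domain-joined host. Basic auth can succeed while this
# scheme fails, because they are separate auth_param blocks with separate helpers.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# --- Kerberos through Negotiate (what the last reply says the SSO plugin uses) ---
# Squid validates the client's service ticket against a keytab holding the
# HTTP/<proxy-fqdn> service principal (SPN) of the proxy's AD account.
# No winbind is involved. Clients must address the proxy by the FQDN in the SPN,
# not by IP address, or they cannot request a matching ticket.
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/squid.keytab -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

# --- Access rules shared by either scheme ---
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```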