[squid-users] Problems with Squid Authentication

Fri Aug 19 10:02:42 UTC 2016

Hai,

Yes, all new things are hard..

I need some extra info because there are lots of things that can be wrong. 

post what you see here : 

/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR ?d ?i 

>> kinit and klist are ok

>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

These are normaly not identical. In the HTTPkeytab i have ONLY the HTTP spn. 

And in the krb5.keytab i  have the host SPN and netbios_name($)  

How to test the kerberos auth.. hmm, thats a difficult one for me. 

I know lot but not all..  :-(  .

But what i do iknow, you can test with

/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME 

If that works its probely an SPN or dns problem.

If that isnt working, then do check the time on the ad server and proxy server.

I can only say. 

The proxy servername must exist in dns and must have A and PTR record.  ( add this in the samba AD ) 

The reverse zone is ( maybe ) created, if not, create it yourself and add the ptr records. 

Cat /etc/hosts file may NOT contain any. 

127.0.1.1        yourhostname.. ..  

if its in there, you installed with dhcp ip. 

It should contain 

127.0.0.1              localhost 

IP_OF_SERVER   hostname.domain.tld hostname

The is there if you install with a static ip. 

Time must be in sync with the AD server ( max difference i allow is 1 min. ) 

If needed install ntp on the proxy and point the server  to the ad dc. 

And post what you now have in krb5.conf 

These are the most common pitfalls, i?ll see what i can do to help out. 

Greetz, 

Louis

Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Marcio Demetrio Bacci
Verzonden: vrijdag 19 augustus 2016 3:50
Aan: Squid Users
Onderwerp: [squid-users] Problems with Squid Authentication

My Kerberos Authentication doesn't work. This is very hard!

My Squid3 is join in the Domain

kinit and klist are ok

wbinfo -g and wbinfo -u are ok too.

I have created the squid3 file in /etc/default with the following content: 

KRB5_KTNAME=/etc/squid3/HTTP.keytab

export KRB5_KTNAME

I have two keytab files:

/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages because my Squid server is Debian 8. But I didn't use msktutil tool. I have only joined Squid server in the Domain (net ads join -U administrator)

How can I debbug the problem?

How can I test kerberos authentication in terminal (command line)?

Below is my squid.conf file:

### Configuracoes Basicas

cache_mgr administrator at empresa.com.br

http_port 3128

#debug_options ALL,111,2 29,9 84,6

cache_mem 512 MB

cache_swap_low 80

cache_swap_high 90

maximum_object_size 512 MB

minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_replacement_policy heap LFUDA

memory_replacement_policy heap LFUDA

#Para não bloquear downloads

quick_abort_min -1 KB

#Resolve um problema com conexoes persistentes

detect_broken_pconn on

fqdncache_size 1024

### Parametros de atualizacao da memoria cache

refresh_pattern ^ftp:   1440   20%   10080

refresh_pattern ^gopher:   1440   0%   1440

refresh_pattern -i (/cgi-bin/|\?) 0 0%    0

refresh_pattern .      0   20%   4320

### Localizacao dos logs

access_log /var/log/squid3/access.log

cache_log /var/log/squid3/cache.log

### define a localizacao do cache de disco, tamanho, qtd de diretorios pai e subdiretorios

cache_dir aufs /var/spool/squid3 600 16 256

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR

auth_param negotiate children 20

auth_param negotiate keep_alive on

visible_hostname proxy.empresa.com.br

### acls

#acl manager proto cache_object

acl localhost src MailScanner warning: numerical links are often malicious: 192.168.200.7/32

acl to_localhost dst MailScanner warning: numerical links are often malicious: 192.168.200.7/32

acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin

acl Safe_ports port 21       # ftp

acl Safe_ports port 70       # gopher

acl Safe_ports port 80       # http

acl Safe_ports port 88       # kerberos

acl Safe_ports port 210       # wais

acl Safe_ports port 280       # http-mgmt

acl Safe_ports port 389       # ldap

acl Safe_ports port 443    # https

acl Safe_ports port 488       # gss-http

acl Safe_ports port 563       # snews

acl Safe_ports port 591       # filemaker

acl Safe_ports port 777       # multiling http

acl Safe_ports port 3001         # imprenssa nacional

acl Safe_ports port 8080    # http

acl Safe_ports port 1025-65535    # unregistered ports

acl purge method PURGE

acl CONNECT method CONNECT

### Regras iniciais do Squid

http_access allow localhost

http_access allow purge localhost

http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

### Exige autenticacao

acl autenticados proxy_auth REQUIRED

http_access allow autenticados

### Rede do Local #####

acl rede_local src MailScanner warning: numerical links are often malicious: 192.168.200.0/22 

### Nega acesso de quem nao esta na rede local

http_access allow rede_local 

#negando o acesso para todos que nao estiverem nas regras anteriores

http_access deny all

### Erros em portugues

error_directory /usr/share/squid3/errors/pt-br

#cache_effective_user proxy

coredump_dir /var/spool/squid3

Regards,

Márcio

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160819/381d99e8/attachment-0001.html>