[squid-users] Authentication with Active Directory fails

Yuri Voinov yvoinov at gmail.com
Thu Jul 14 17:59:55 UTC 2016


Man,

did you RTFM?

Kerberos security has a perfect manual.


14.07.2016 22:07, Sergio Belkin wrote:
> Hi,
>
> Using squid squid-3.5.19-1.el7.centos.x86_64,
>
> I obtain a Kerberos ticket but I get the following when trying to use the proxy:
>
> 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
>
> My squid.conf is as follows:
>
>
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl localnet src fc00::/7     
> acl localnet src fe80::/10    
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> acl social_ips src "/etc/squid/acls/social_ips"
> acl social_dom dstdomain "/etc/squid/acls/social_dom"
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl kerb_auth proxy_auth REQUIRED
> ssl_bump peek step1 all       
> ssl_bump splice  nobumpSites 
> ssl_bump bump                
> http_access allow kerb_auth
> http_access deny social_ips
> http_access deny social_dom
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl connect method CONNECT
> http_access deny connect numeric_IPs all
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> always_direct allow all
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> visible_hostname proxy.example.local
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
> url_rewrite_children 64
> access_log daemon:/var/log/squid/access.log combined
>
> And klist output:
>
> klist -k /etc/squid/HTTP.keytab
>
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/proxy.example.local@EXAMPLE.LOCAL
>    2 host/proxy.example.local@EXAMPLE.LOCAL
>    2 host/proxy.example.local@EXAMPLE.LOCAL
>    2 host/proxy.example.local@EXAMPLE.LOCAL
>    2 host/proxy.example.local@EXAMPLE.LOCAL
>    2 host/proxy@EXAMPLE.LOCAL
>    2 host/proxy@EXAMPLE.LOCAL
>    2 host/proxy@EXAMPLE.LOCAL
>    2 host/proxy@EXAMPLE.LOCAL
>    2 host/proxy@EXAMPLE.LOCAL
>    2 KANBAN$@EXAMPLE.LOCAL
>    2 KANBAN$@EXAMPLE.LOCAL
>    2 KANBAN$@EXAMPLE.LOCAL
>    2 KANBAN$@EXAMPLE.LOCAL
>    2 KANBAN$@EXAMPLE.LOCAL
>    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
>    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
>    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
>    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
>    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
>    2 HTTP/proxy@EXAMPLE.LOCAL
>    2 HTTP/proxy@EXAMPLE.LOCAL
>    2 HTTP/proxy@EXAMPLE.LOCAL
>    2 HTTP/proxy@EXAMPLE.LOCAL
>    2 HTTP/proxy@EXAMPLE.LOCAL
>
> End of output,
>
> Please could you help me? Am I doing something wrong?
>
> Thanks in advance!
>
> --
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
>
>


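An added example, not part of this thread and not Squid's own code. The cache.log lines quoted above show only Squid's side of the exchange: "No Proxy-Auth header" followed by "Sending type:46 header: 'Negotiate'" means a request arrived with no Proxy-Authorization at all and Squid answered with its 407 challenge; at that point negotiate_kerberos_auth has not been invoked, so the SPN and keytab have not been consulted yet. The script below separates the two failure modes a practitioner has to tell apart: a client that never sends Negotiate (count of unanswered challenges) versus a helper that would fail later because the SPN given with -s is not in the keytab. It runs offline on constructed samples copied from the thread (the auth_param line, a de-duplicated klist -k listing with the "@" restored, three cache.log lines); only probe_proxy, which is defined but never called here, needs a real ticket, the proxy and curl. Paths, realm and SPN are the thread's; the proxy URL and test URL inside probe_proxy are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): offline sanity
# checks for a Squid negotiate_kerberos_auth setup.
set -u

# --- constructed samples, modelled on the thread ----------------------------

# The auth_param line from the thread (archive "at" turned back into "@").
AUTH_LINE='auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL'

# A trimmed `klist -k` listing: one line per principal instead of one per
# encryption type (the real file repeats each entry five times).
KLIST_OUT='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/proxy.example.local@EXAMPLE.LOCAL
   2 host/proxy@EXAMPLE.LOCAL
   2 KANBAN$@EXAMPLE.LOCAL
   2 HTTP/proxy.example.local@EXAMPLE.LOCAL
   2 HTTP/proxy@EXAMPLE.LOCAL'

# Three cache.log lines from the thread (debug_options 29,9).
CACHE_LOG='2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: Negotiate
2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.'

# --- checks -----------------------------------------------------------------

# Print the SPN Squid hands to the helper with -s (prints nothing if absent).
spn_from_auth_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }'
}

# Exit 0 if the klist output ($1) contains principal $2 as an exact field,
# so HTTP/proxy@REALM does not pass for HTTP/proxy.example.local@REALM.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" 'NF == 2 && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Count 407 challenges Squid issued because the request carried no
# Proxy-Authorization header at all. A non-zero count with no helper output in
# cache.log means the client never attempted Negotiate; the helper, SPN and
# keytab have not been exercised yet.
unanswered_challenges() {
    printf '%s\n' "$1" | awk '/No Proxy-Auth header/ { n++ } END { print n + 0 }'
}

# Live check, not run here: needs network, a ticket from kinit and a reachable
# proxy. Prints the status curl ends with: 407 means Squid still challenges,
# 200 means the Negotiate round trip completed. Proxy and URL are assumed defaults.
probe_proxy() {
    proxy=${1:-http://proxy.example.local:3128}
    url=${2:-http://www.squid-cache.org/}
    curl -s -o /dev/null -w '%{http_code}\n' --proxy-negotiate --proxy-user : -x "$proxy" "$url"
}

# --- run the offline checks on the samples ----------------------------------

spn=$(spn_from_auth_line "$AUTH_LINE")
if keytab_has_principal "$KLIST_OUT" "$spn"; then
    echo "ok: $spn is in the keytab"
else
    echo "FAIL: $spn is not in the keytab; the helper cannot decrypt service tickets" >&2
fi
echo "challenges with no Proxy-Authorization header: $(unanswered_challenges "$CACHE_LOG")"
```

On the thread's samples the SPN check passes (both HTTP/proxy.example.local and the short HTTP/proxy form are in the keytab, so a browser pointed at either name asks the KDC for a ticket the helper can decrypt; a browser pointed at the proxy's IP address cannot) and the challenge count is non-zero, which is the client-side case. Two caveats the config above does not settle: squid.conf never tells the helper where /etc/squid/HTTP.keytab is, so with MIT Kerberos the keytab path has to reach the helper through KRB5_KTNAME in Squid's environment (on CentOS typically /etc/sysconfig/squid), otherwise it opens /etc/krb5.keytab; and because the helper was started with -d, its own debug output would appear in cache.log once a client actually sends a Negotiate token, so its absence next to these lines is itself a finding.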
