[squid-users] Kerberos nad keytab problem

L.P.H. van Belle belle at bazuin.nl
Wed Sep 25 15:40:59 UTC 2019

Hi Rafael,
Yes, I did that in an older setup, with your site's guidance.
That also works very well.
Once I have time I'll see if I can update the squid wiki.

From: Rafael Akchurin [mailto:rafael.akchurin at diladele.com]
Sent: Wednesday, 25 September 2019 17:27
To: L.P.H. van Belle; squid-users at lists.squid-cache.org
Subject: RE: [squid-users] Kerberos nad keytab problem

Hello everyone,


Just my two cents too. Note you can map the *user* to the Kerberos SPN – this lets you have your squid proxy live outside of the AD.

Just set up the dedicated user in the AD, map the SPN to it and export the keytab to your squid.


See https://docs.diladele.com/administrator_guide_stable/active_directory/index.html


Downside – the password for that designated user needs to be non-expiring or you’d be regenerating keytabs every time the password changes. Which is not difficult anyway.


Best regards,

Rafael Akchurin

Diladele B.V.




From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of L.P.H. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem


I also had problems with msktutil, so I suggest you try this, see below.

I've been using it for a few years and it always works (for me, of course).

It should be pretty simple, but the squid-cache site (wiki) is in my opinion a bit outdated.

And it's for Amos to adapt it on the site.

Amos or Alex, please review below, you might want to add it.

And add your parts to it, like running this without a correct SPN.

It's tested, in use and working since squid 3.1 up to 4.8.

Tested on Debian Wheezy (7) up to Buster (10).

Below assumes the server you're setting up does have an A and PTR record.

(note, which should be added at the domain join of winbind, as of samba 4.x)

This is my howto.

A Debian-based setup, with Kerberos auth against a Samba Active Directory.
Should be adaptable for any OS, should also work with MS Active Directory.

But since I don't have any, I'm not testing it.



# Install a minimal OS, at install only choose base + ssh server.

# Set up these variables for copy/paste; might be handy, and then "it just works".

# Required to set: ADDOM.
# This should match the NetBIOS (NT4) domain name in caps, for example from a login: NTDOM\username
ADDOM="NTDOM"   # placeholder, replace with your own NetBIOS domain name

# These should be fine, but if you have multiple IP numbers and hostnames, you might want to adjust these.

FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"

# Requirements before you start installing the software, like: squid winbind krb5-user


# Login, sudo to root.

# /etc/resolv.conf, set as follows.
# search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC


# Verify it: 

grep search /etc/resolv.conf

grep nameserver /etc/resolv.conf


# If ok, then run : 

apt update 

apt install squid winbind krb5-user -y


# Just hit enter on every question, the defaults are fine. (verified in Debian).


# And now verify /etc/krb5.conf
less /etc/krb5.conf



# It should look like this :  
#        default_realm = YOUR.Detected_REALM.TLD 


# The following krb5.conf variables are only for MIT Kerberos.
#       kdc_timesync = 1
#        ccache_type = 4
#        forwardable = true
#        proxiable = true


# ... and more.. 

#  >>  P.s.  i never touch krb5.conf, never needed, it "just works" << 


# Set the REALM variable now, the default should be ok. Don't touch it.

REALM="$(grep default_realm /etc/krb5.conf | awk '{ print $NF }')"

# It's used for smb.conf and the auth part of squid. 


# then stop squid and samba and configure it.
systemctl stop squid winbind


# flush the log, so if you start it you start with a clean log.  

> /var/log/squid/cache.log


# Configure smb.conf and join the AD domain, the minimal setting for smb.conf.
cp /etc/samba/smb.conf{,.original}


echo "# Auth-Only setup with winbind. ( no Shares )

[global]
    workgroup = ${ADDOM}
    security = ADS
    realm = ${REALM}
    netbios name = ${HOSTN^^}


    ## make sure the numbers below never overlap system ranges, see /etc/adduser.conf
    ## map ids outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999


    ## map ids from the domain and (*) the range may not overlap !
    idmap config ${ADDOM} : backend = rid
    idmap config ${ADDOM} : range = 10000-3999999


    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab


    # renew the kerberos ticket
    winbind refresh tickets = yes
" > /etc/samba/smb.conf


# And verify it.
less /etc/samba/smb.conf


# Next step, join the AD domain. 

# Login/auth with kerberos. 
kinit Administrator


# and join the domain.

net ads join -k


# Creating the squid keytab file.


export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab ADD HTTP/${FQDN}

#Verify the keytab file : 
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab


# destroy your authentication ticket for Administrator.
kdestroy


# set correct rights. 
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here. 


# and set up your squid auth.
# The whole config is one double-quoted string; \\ writes a single trailing
# backslash, which squid reads as a line continuation.
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth \\
      -k /etc/squid/squid-HTTP-${HOSTN}.keytab \\
      -s HTTP/${FQDN}@${REALM} \\
    --ntlm /usr/bin/ntlm_auth \\
      --helper-protocol=gss-spnego --domain=${ADDOM}


auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on" > /etc/squid/conf.d/auth.conf


systemctl start winbind squid 


# Done 

# And check squid log how it started. 

cat /var/log/squid/cache.log

Now go configure the other parts you need of squid. 

And enjoy..  :-) 










From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Tevfik Ceydeliler
Sent: Wednesday, 25 September 2019 13:59
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Kerberos nad keytab problem

Hi, I am trying to use Kerberos in my squid. But I get an error message:



msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab  
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 95
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: suqidpnb1$
 -- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for suqidpnb1$ with password
 -- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.



I can't find why this happens:



My AD is 2012R2 function level

I create keytab with this:

msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28


Keytab file permission is:

-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab


and keytab file (klist -k output):


   3 HTTP/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 host/squidtoyopnb1 at TOYO.GRP
   3 host/squidtoyopnb1 at TOYO.GRP
   3 host/squidtoyopnb1 at TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp at TOYO.GRP



default_realm = TOYO.GRP
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid/PROXY.keytab

    ; for Windows 2008 with AES
          default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

                kdc = dctoyo1.toyo.grp
                kdc = DCTOYO2.toyo.grp
                admin_server =
                default_domain = toyo.grp

     toyo.grp = TOYO.GRP
     .toyo.grp = TOYO.GRP

      kdc = FILE:/var/log/kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log






Tevfik Ceydeliler
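
Added example, not part of the original thread or of anyone's posted commands: a small audit of the two things the howto verifies by eye, the `klist -ke` listing and the keytab file mode. It assumes MIT Kerberos `klist -ke` output ("<kvno> <principal> (<enctype>)"); the function names, host names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Squid keytab listing and its file permissions.
# Assumption: MIT Kerberos `klist -ke` format, one "<kvno> <principal> (<enctype>)" per key.

# Constructed sample listing (not taken from a real host).
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/squid-HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (des-cbc-crc)
   3 host/proxy1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# audit_keytab LISTING PRINCIPAL
# Prints one of: missing | weak:<enctypes> | no-aes | ok
audit_keytab() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == want {
            found = 1
            enc = $3
            gsub(/[()]/, "", enc)            # strip the parentheses
            sub(/^DEPRECATED:/, "", enc)     # newer MIT releases prefix weak types
            if (enc ~ /^aes/) aes = 1
            else if (enc ~ /^(des|arcfour|rc4)/) weak = weak (weak ? "," : "") enc
        }
        END {
            if (!found)    print "missing"   # the SPN squid is told to use (-s) is absent
            else if (weak) print "weak:" weak
            else if (!aes) print "no-aes"
            else           print "ok"
        }'
}

# keytab_mode_ok PATH
# Succeeds only if "other" has no access and the group cannot write,
# which is what chmod 640 in the howto gives.
keytab_mode_ok() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone demo on the constructed listing.
audit_keytab "$SAMPLE_LISTING" "HTTP/proxy1.example.test@EXAMPLE.TEST"
```

On a real proxy, feed it "$(klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab)" and the same HTTP/FQDN@REALM string passed to negotiate_kerberos_auth with -s.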
