<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
<a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Configuring_a_Squid_Server_to_authenticate_from_Kerberos">http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Configuring_a_Squid_Server_to_authenticate_from_Kerberos</a><br>
<br>
14.07.2016 23:59, Yuri Voinov пишет:<br>
<span style="white-space: pre;">><br>
> Man,<br>
><br>
> did your RTFM?<br>
><br>
> Kerberos security has perfect manual.<br>
><br>
><br>
> 14.07.2016 22:07, Sergio Belkin пишет:<br>
> > Hi,<br>
><br>
><br>
><br>
> > Using squid squid-3.5.19-1.el7.centos.x86_64,<br>
><br>
><br>
><br>
> > I obtain a kerberos ticket but I get the following
when<br>
> trying to use the proxy:<br>
><br>
><br>
><br>
> > 2016/07/14 12:57:03.711 kid1| 29,4|
UserRequest.cc(290)<br>
> authenticate: No Proxy-Auth header and no working
alternative.<br>
> Requesting auth header.<br>
><br>
> > 2016/07/14 12:57:03.712 kid1| 29,9|
UserRequest.cc(487)<br>
> addReplyAuthHeader: headertype:46 authuser:NULL<br>
><br>
> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188)
fixHeader:<br>
> Sending type:46 header: 'Negotiate'<br>
><br>
> > 2016/07/14 12:57:04.159 kid1| 29,4|
UserRequest.cc(290)<br>
> authenticate: No Proxy-Auth header and no working
alternative.<br>
> Requesting auth header.<br>
><br>
> > 2016/07/14 12:57:04.159 kid1| 29,9|
UserRequest.cc(487)<br>
> addReplyAuthHeader: headertype:46 authuser:NULL<br>
><br>
> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188)
fixHeader:<br>
> Sending type:46 header: 'Negotiate'<br>
><br>
><br>
><br>
> > My squid.conf is as follows:<br>
><br>
><br>
><br>
><br>
><br>
> > acl localnet src 10.0.0.0/8
<a class="moz-txt-link-rfc2396E" href="http://10.0.0.0/8"><http://10.0.0.0/8></a><br>
><br>
> > acl localnet src 172.16.0.0/12
<a class="moz-txt-link-rfc2396E" href="http://172.16.0.0/12"><http://172.16.0.0/12></a><br>
><br>
> > acl localnet src 192.168.0.0/16
<a class="moz-txt-link-rfc2396E" href="http://192.168.0.0/16"><http://192.168.0.0/16></a><br>
><br>
> > acl localnet src fc00::/7 <br>
><br>
> > acl localnet src fe80::/10 <br>
><br>
> > acl SSL_ports port 443<br>
><br>
> > acl Safe_ports port 80<br>
><br>
> > acl Safe_ports port 21<br>
><br>
> > acl Safe_ports port 443<br>
><br>
> > acl Safe_ports port 70<br>
><br>
> > acl Safe_ports port 210<br>
><br>
> > acl Safe_ports port 1025-65535<br>
><br>
> > acl Safe_ports port 280<br>
><br>
> > acl Safe_ports port 488<br>
><br>
> > acl Safe_ports port 591<br>
><br>
> > acl Safe_ports port 777<br>
><br>
> > acl CONNECT method CONNECT<br>
><br>
> > acl step1 at_step SslBump1<br>
><br>
> > acl step2 at_step SslBump2<br>
><br>
> > acl step3 at_step SslBump3<br>
><br>
> > acl nobumpSites ssl::server_name<br>
> "/etc/squid/acls/nobumpSites.txt"<br>
><br>
> > http_access deny !Safe_ports<br>
><br>
> > http_access deny CONNECT !SSL_ports<br>
><br>
> > http_access allow localhost manager<br>
><br>
> > http_access deny manager<br>
><br>
> > acl social_ips src "/etc/squid/acls/social_ips"<br>
><br>
> > acl social_dom dstdomain
"/etc/squid/acls/social_dom"<br>
><br>
> > auth_param negotiate program<br>
> /usr/lib64/squid/negotiate_kerberos_auth -d -s<br>
> <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > auth_param negotiate children 10<br>
><br>
> > auth_param negotiate keep_alive on<br>
><br>
> > acl kerb_auth proxy_auth REQUIRED<br>
><br>
> > ssl_bump peek step1 all <br>
><br>
> > ssl_bump splice nobumpSites <br>
><br>
> > ssl_bump bump <br>
><br>
> > http_access allow kerb_auth<br>
><br>
> > http_access deny social_ips<br>
><br>
> > http_access deny social_dom<br>
><br>
> > acl numeric_IPs urlpath_regex
^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+<br>
><br>
> > acl connect method CONNECT<br>
><br>
> > http_access deny connect numeric_IPs all<br>
><br>
> > http_access allow localnet<br>
><br>
> > http_access allow localhost<br>
><br>
> > http_access deny all<br>
><br>
> > always_direct allow all<br>
><br>
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s<br>
> /var/spool/squid_ssldb -M 4MB<br>
><br>
> > visible_hostname proxy.example.local<br>
><br>
> > http_port 3128 ssl-bump
generate-host-certificates=on<br>
> dynamic_cert_mem_cache_size=6MB
cert=/etc/squid/ssl_cert/myCA.pem<br>
><br>
> > coredump_dir /var/spool/squid<br>
><br>
> > refresh_pattern ^ftp: 1440 20%
10080<br>
><br>
> > refresh_pattern ^gopher: 1440 0%
1440<br>
><br>
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
><br>
> > refresh_pattern . 0 20%
4320<br>
><br>
> > url_rewrite_program /usr/sbin/ufdbgclient –l<br>
> /var/ufdbguard/logs<br>
><br>
> > url_rewrite_children 64<br>
><br>
> > access_log daemon:/var/log/squid/access.log
combined<br>
><br>
><br>
><br>
> > And klist output:<br>
><br>
><br>
><br>
> > klist -k /etc/squid/HTTP.keytab<br>
><br>
><br>
><br>
> > Keytab name: <a class="moz-txt-link-freetext" href="FILE:/etc/squid/HTTP.keytab">FILE:/etc/squid/HTTP.keytab</a><br>
><br>
> > KVNO Principal<br>
><br>
> > ----<br>
>
--------------------------------------------------------------------------<br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.local@EXAMPLE.LOCAL">host/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:host/proxy@EXAMPLE.LOCAL">host/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:KANBAN$@EXAMPLE.LOCAL">KANBAN$@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy.example.local@EXAMPLE.LOCAL">HTTP/proxy.example.local@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
> > 2 <a class="moz-txt-link-abbreviated" href="mailto:HTTP/proxy@EXAMPLE.LOCAL">HTTP/proxy@EXAMPLE.LOCAL</a><br>
><br>
><br>
><br>
> > End of output,<br>
><br>
><br>
><br>
> > Please could you help me? Am I doing something
wrong?<br>
><br>
><br>
><br>
> > Thanks in advance!<br>
><br>
><br>
><br>
> > --<br>
><br>
> > --<br>
><br>
> > Sergio Belkin<br>
><br>
> > LPIC-2 Certified - <a class="moz-txt-link-freetext" href="http://www.lpi.org">http://www.lpi.org</a><br>
><br>
><br>
><br>
><br>
><br>
> > _______________________________________________<br>
><br>
> > squid-users mailing list<br>
><br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
><br>
> > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJXh9ghAAoJENNXIZxhPexGzrEH/RVcpHnp49B7r2X3DkAKLKv+
<br>
a3y9g8CUxydE6n7AW1bN/miRLqmbjg9UzuBqM48m8PIJEEU6Itr5NDLsdV1F7I3a
<br>
IgoPZa3U7T3lmHwGcloCdAb7Zzmj4s1t2I+u6KMEufEZFssWSlHcznmRIGHnCpXz
<br>
C9eceL7DGRyXWl1ehEWSZIe3ApDdBtvHxwdNpBvhCPfNfLmHxNUpRRYLOcXPar5b
<br>
5scY/awmYVxYr2SATraMc3XO6URQDagXVCj4JZOH+snkQAB1FetAhU+WoTCXu1Th
<br>
RTdfAX2/p2Xrw9UGECiI2Aastf6ONlv+hMJztKlxPfUhVuX2kZxYwvSPXs7ovQ0=
<br>
=vivP
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>