<div dir="ltr"><div>Hi,</div><div><br></div><div>1) Here is the result of the command-line:</div><div>/usr/lib/squid/negotiate_kerberos_auth -s HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a> –d –i</div><div>mary abc@12345</div><div>negotiate_kerberos_auth.cc(258): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: DEBUG: Got 'mary abc@12345' from squid (length: 14).</div><div>negotiate_kerberos_auth.cc(295): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: ERROR: Invalid request [mary abc@12345]</div><div>BH invalid request </div><div> </div><div>2) Bellow are my keytabs:</div><div>Keytab name: FILE:/etc/krb5.keytab</div><div>KVNO Principal</div><div>---- --------------------------------------------------------------------------</div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy@EMPRESA.COM.BR">proxy@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy@EMPRESA.COM.BR">proxy@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy@EMPRESA.COM.BR">proxy@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy@EMPRESA.COM.BR">proxy@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy@EMPRESA.COM.BR">proxy@EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div><br></div><div><br></div><div>Keytab name: FILE:/etc/squid3/HTTP.keytab</div><div>KVNO Principal</div><div>---- --------------------------------------------------------------------------</div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 host/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 host/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 host/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 host/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 host/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 proxy$@<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR">proxy.empresa.com.br@EMPRESA.COM.BR</a></div><div> 1 HTTP/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 HTTP/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 HTTP/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 HTTP/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> 1 HTTP/proxy$<a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div><br></div><div>OBS: I left and joined in the domain again</div><div> </div><div>3) Here is the result:</div><div>/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME</div><div>mary abc@12345</div><div>BH invalid request </div><div><br></div><div><br></div><div><br></div><div>4) DNS Recors are OK.</div><div>The proxy servername exist in dns and have A (proxy IN A 192.168.200.7) and PTR record (7 IN PTR <a href="http://proxy.empresa.com.br">proxy.empresa.com.br</a>.) </div><div><br></div><div><br></div><div>5) cat /etc/hosts </div><div>127.0.0.1 localhost</div><div>192.168.200.7<span class="" style="white-space:pre"> </span> <a href="http://proxy.empresa.com.br">proxy.empresa.com.br</a> proxy</div><div><br></div><div><br></div><div> </div><div>6) Time is sync with the AD server (The time is identical)</div><div><br></div><div><br></div><div>7) My /etc/krb5.conf file:</div><div>[libdefaults]</div><div> default_realm = <a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div> dns_lookup_kdc = yes</div><div> dns_lookup_realm = yes</div><div> default_keytab_name = /etc/krb5.keytab</div><div><br></div><div>[realms]</div><div><span class="" style="white-space:pre"> </span><a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a> = {</div><div><span class="" style="white-space:pre"> </span>kdc = <a href="http://dc1.empresa.com.br:88">dc1.empresa.com.br:88</a></div><div><span class="" style="white-space:pre"> </span>admin_server = <a href="http://dc1.empresa.com.br">dc1.empresa.com.br</a></div><div><span class="" style="white-space:pre"> </span>default_domain = <a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a> </div><div><span class="" style="white-space:pre"> </span>}</div><div><br></div><div><br></div><div>[domain_realm]</div><div><span class="" style="white-space:pre"> </span>.<a href="http://empresa.com.br">empresa.com.br</a> = <a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div><span class="" style="white-space:pre"> </span><a href="http://empresa.com.br">empresa.com.br</a> = <a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a></div><div><br></div><div>[logging]</div><div> kdc = FILE:/var/log/kdc.log</div><div> admin_server = FILE:/var/log/kadmin.log</div><div> default = FILE:/var/log/krb5lib.log</div><div><br></div><div><br></div><div>8) Bellow is my /etc/nsswitch.conf file:</div><div>passwd: compat winbind</div><div>group: compat winbind</div><div>shadow: compat</div><div>gshadow: files</div><div>hosts: files dns<br></div><div>networks: files</div><div>protocols: db files<br></div><div>services: db files</div><div>ethers: db files</div><div>rpc: db files</div><div>netgroup: nis<br></div><div><br></div><div><br></div><div>9) Bellow is my /etc/pam.d/common-session file:</div><div>session<span class="" style="white-space:pre"> </span>[default=1]<span class="" style="white-space:pre"> </span>pam_permit.so</div><div>session<span class="" style="white-space:pre"> </span>requisite<span class="" style="white-space:pre"> </span>pam_deny.so</div><div>session<span class="" style="white-space:pre"> </span>required<span class="" style="white-space:pre"> </span>pam_permit.so</div><div>session<span class="" style="white-space:pre"> </span>required<span class="" style="white-space:pre"> </span>pam_unix.so </div><div>session optional<span class="" style="white-space:pre"> </span>pam_winbind.so</div><div><br></div><div><br></div><div>10) Following my /etc/samba/smb.conf file:</div><div>[global]</div><div> netbios name = proxy </div><div> workgroup = EMPRESA</div><div> security = ads </div><div> realm = <a href="http://EMPRESA.COM.BR">EMPRESA.COM.BR</a> </div><div> encrypt passwords = yes</div><div> dedicated keytab file = /etc/krb5.keytab</div><div> kerberos method = secrets and keytab</div><div> password server = <a href="http://dc1.empresa.com.br">dc1.empresa.com.br</a></div><div> preferred master = no</div><div> idmap config *:backend = tdb</div><div> idmap config *:range = 1000-3000</div><div> idmap config EMPRESA:backend = ad</div><div> idmap config EMPRESA:schema_mode = rfc2307</div><div> idmap config EMPRESA:range = 10000-9999999</div><div> winbind nss info = rfc2307</div><div> winbind trusted domains only = no</div><div> winbind use default domain = yes</div><div> winbind enum users = yes</div><div> winbind enum groups = yes</div><div> winbind offline logon = yes</div><div> winbind refresh tickets = yes</div><div> vfs objects = acl_xattr</div><div> map acl inherit = Yes</div><div> store dos attributes = Yes</div><div> username map = /etc/samba/user.map </div><div><br></div><div><br></div><div>11) Other Informations:</div><div>>> Samba4 and Winbind services are enable</div><div>>> In my DC there is a Squid account (call "proxy")</div><div>>> wbinfo -g, wbinfo -u, wbinfo -t, getent passwd are OK</div><div>>> kinit <user> is OK</div><div>>> klist -l is OK</div><div><br></div><div>Do you have any other idea?</div><div><br></div><div>Regards,</div><div><br></div><div>Márcio</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-08-19 7:02 GMT-03:00 L.P.H. van Belle <span dir="ltr"><<a href="mailto:belle@bazuin.nl" target="_blank">belle@bazuin.nl</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="NL" link="blue" vlink="blue">
<div>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Hai,<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Yes, all new things are hard..<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">I need some extra info because there are
lots of things that can be wrong. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">post what you see here : <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">/usr/lib/squid/negotiate_<wbr>kerberos_auth -s HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR" target="_blank">proxy.empresa.com.br@<wbr>EMPRESA.COM.BR</a>
–d –i <u></u><u></u></span></font></p><span class="">
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">>> kinit and klist are ok<u></u><u></u></span></font></p>
</span><p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">>> /etc/krb5.keytab and
/etc/squid3/HTTP.keytab (both are identical)<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">These are normaly not identical. In the
HTTPkeytab i have ONLY the HTTP spn. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">And in the krb5.keytab i have the host
SPN and netbios_name($) <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">How to test the kerberos auth.. hmm, thats
a difficult one for me. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">I know lot but not all.. :-( .<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">But what i do iknow, you can test with<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">/usr/lib/squid/negotiate_<wbr>kerberos_auth -s
GSS_C_NO_NAME <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">If that works its probely an SPN or dns
problem.<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">If that isnt working, then do check the
time on the ad server and proxy server.<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">I can only say. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">The proxy servername must exist in dns and
must have A and PTR record. ( add this in the samba AD ) <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">The reverse zone is ( maybe ) created, if
not, create it yourself and add the ptr records. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Cat /etc/hosts file may NOT contain any. <u></u><u></u></span></font></p>
<p class="MsoNormal" style="margin-left:52.5pt"><u></u><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><span>127.0.1.1<font size="1" face="Times New Roman"><span style="font:7.0pt "Times New Roman"">
</span></font></span></span></font><u></u><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">yourhostname..
.. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">if its in there, you installed with dhcp
ip. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">It should contain <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">127.0.0.1 localhost <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">IP_OF_SERVER hostname.domain.tld
hostname<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">The is there if you install with a static
ip. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Time must be in sync with the AD server (
max difference i allow is 1 min. ) <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">If needed install ntp on the proxy and
point the server to the ad dc. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">And post what you now have in krb5.conf <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">These are the most common pitfalls, i’ll
see what i can do to help out. <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Greetz, <u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Louis<u></u><u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div class="MsoNormal" align="center" style="text-align:center"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center">
</span></font></div>
<p class="MsoNormal"><b><font size="2" face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma;font-weight:bold">Van:</span></font></b><font size="2" face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma"> squid-users
[mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@<wbr>lists.squid-cache.org</a>] <b><span style="font-weight:bold">Namens </span></b>Marcio Demetrio Bacci<br>
<b><span style="font-weight:bold">Verzonden:</span></b> vrijdag 19 augustus
2016 3:50<br>
<b><span style="font-weight:bold">Aan:</span></b> Squid Users<br>
<b><span style="font-weight:bold">Onderwerp:</span></b> [squid-users] Problems
with Squid Authentication</span></font><u></u><u></u></p>
</div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
<div><div><div class="h5">
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">My Kerberos Authentication doesn't work. This is very hard!<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">My Squid3 is join in the Domain<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">kinit and klist are ok<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">wbinfo -g and wbinfo -u are ok too.<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">I have created the squid3 file in /etc/default with the following
content: <u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">KRB5_KTNAME=/etc/squid3/HTTP.<wbr>keytab<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">export KRB5_KTNAME<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">I have two keytab files:<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages
because my Squid server is Debian 8. But I didn't use msktutil tool. I have
only joined Squid server in the Domain (net ads join -U administrator)<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">How can I debbug the problem?<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">How can I test kerberos authentication in terminal (command line)?<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">Below is my squid.conf file:<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Configuracoes Basicas<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_mgr <a href="mailto:administrator@empresa.com.br" target="_blank">administrator@empresa.com.br</a><u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_port 3128<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#debug_options ALL,111,2 29,9 84,6<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_mem 512 MB<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_swap_low 80<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_swap_high 90<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">maximum_object_size 512 MB<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">minimum_object_size 0 KB<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">maximum_object_size_in_memory 4096 KB<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_replacement_policy heap LFUDA<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">memory_replacement_policy heap LFUDA<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#Para não bloquear downloads<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">quick_abort_min -1 KB<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#Resolve um problema com conexoes persistentes<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">detect_broken_pconn on<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">fqdncache_size 1024<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Parametros de atualizacao da memoria cache<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">refresh_pattern ^ftp: 1440 20% 10080<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">refresh_pattern ^gopher: 1440 0% 1440<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">refresh_pattern . 0 20% 4320<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Localizacao dos logs<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">access_log /var/log/squid3/access.log<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_log /var/log/squid3/cache.log<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### define a localizacao do cache de disco, tamanho, qtd de diretorios
pai e subdiretorios<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">cache_dir aufs /var/spool/squid3 600 16 256<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">auth_param negotiate program /usr/lib/squid3/negotiate_<wbr>kerberos_auth -s
HTTP/<a href="mailto:proxy.empresa.com.br@EMPRESA.COM.BR" target="_blank">proxy.empresa.com.br@<wbr>EMPRESA.COM.BR</a><u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">auth_param negotiate children 20<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">auth_param negotiate keep_alive on<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">visible_hostname <a href="http://proxy.empresa.com.br" target="_blank">proxy.empresa.com.br</a><u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### acls<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#acl manager proto cache_object<u></u><u></u></span></font></p>
</div>
</div></div><div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl localhost src <a href="http://192.168.200.7/32" target="_blank"><font color="red"><b> MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.200.7" </b></font> <b><font color="red"><span style="color:red;font-weight:bold">MailScanner warning: numerical links are
often malicious:</span></font></b> 192.168.200.7/32</a><u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl to_localhost dst <a href="http://192.168.200.7/32" target="_blank"><font color="red"><b> MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.200.7" </b></font> <b><font color="red"><span style="color:red;font-weight:bold">MailScanner warning:
numerical links are often malicious:</span></font></b> 192.168.200.7/32</a><u></u><u></u></span></font></p>
</div><div><div class="h5">
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra,
webmin<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 21 # ftp<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 70 # gopher<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 80 # http<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 88 # kerberos<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 210 # wais<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 280 # http-mgmt<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 389 # ldap<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 443 # https<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 488 # gss-http<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 563 # snews<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 591 # filemaker<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 777 # multiling http<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 3001 # imprenssa
nacional<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 8080 # http<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl Safe_ports port 1025-65535 # unregistered ports<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl purge method PURGE<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl CONNECT method CONNECT<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Regras iniciais do Squid<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access allow localhost<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access allow purge localhost<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access deny purge<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access deny !Safe_ports<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access deny CONNECT !SSL_ports<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Exige autenticacao<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl autenticados proxy_auth REQUIRED<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access allow autenticados<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Rede do Local #####<u></u><u></u></span></font></p>
</div>
</div></div><div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">acl rede_local src <a href="http://192.168.200.0/22" target="_blank"><font color="red"><b> MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.200.0" </b></font> <b><font color="red"><span style="color:red;font-weight:bold">MailScanner warning:
numerical links are often malicious:</span></font></b> 192.168.200.0/22</a> <u></u><u></u></span></font></p>
</div><span class="">
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Nega acesso de quem nao esta na rede local<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access allow rede_local <u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#negando o acesso para todos que nao estiverem nas regras anteriores<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">http_access deny all<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">### Erros em portugues<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">error_directory /usr/share/squid3/errors/pt-br<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">#cache_effective_user proxy<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">coredump_dir /var/spool/squid3<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">Regards,<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">Márcio<u></u><u></u></span></font></p>
</div>
</span></div>
</div>
</div>
</div>
<br>______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
<br></blockquote></div><br></div>