<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001"><!--[if !mso]>
<STYLE>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</STYLE>
<![endif]-->
<STYLE><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=en-NL vLink=#954f72 link=#0563c1>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>Hi Rafael, </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>Yes, I did that in an older setup, with your site guidance.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>That also works very well. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>Once I have time I'll see if I can update the squid wiki.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>Greetz, </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial>Louis</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141153515-25092019><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV><BR>
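<DIV dir=ltr align=left><FONT size=2 face=Arial>The checks the howto quoted below does by hand after exporting the keytab (klist -ke, chmod 640, chown root:proxy) can be automated. The following is an added example, not code from this thread or from Squid, Samba or Diladele: it parses the MIT keytab format directly, confirms that the HTTP/${FQDN}@${REALM} entry named by squid's -s option is present, and flags leftover kvnos, the weak des/rc4 enctypes listed in the quoted krb5.conf, and permissions looser than 640. The principals, keys and file modes in the sample are constructed, and the "proxy" group name follows the howto's chown.</FONT></DIV>

```python
"""Audit a Squid HTTP keytab offline: parse the MIT keytab format, confirm the
HTTP/<fqdn>@<REALM> entry, and flag stale kvnos, weak enctypes and loose permissions."""
import stat
import struct

# IANA Kerberos enctype numbers; the weak ones are the des/rc4 types from the quoted krb5.conf
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1

def _counted(data, pos):
    """Read a counted_octet_string (uint16 big-endian length + bytes); return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version-0x0502 keytab into (principal, kvno, enctype) tuples, like klist -ke."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _counted(data, pos + 11)  # key bytes are not needed for the audit
        kvno = vno8                        # 8-bit kvno, overridden by the 32-bit one when present
        if end - pos >= 4:
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; only used to construct the sample below."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def audit_keytab(data, fqdn, realm, mode=None, group=None, squid_group="proxy"):
    """Return findings for the keytab squid gets via -k; an empty list means it is fine."""
    wanted = "HTTP/%s@%s" % (fqdn, realm)  # the principal squid's -s option names
    entries = parse_keytab(data)
    http = [e for e in entries if e[0] == wanted]
    findings = []
    if not http:
        findings.append("no entry for %s; principals present: %s"
                        % (wanted, ", ".join(sorted({e[0] for e in entries}))))
    if len({e[1] for e in http}) > 1:
        findings.append("%s has several kvnos; old keys left behind after a password reset" % wanted)
    for princ, kvno, et in entries:
        if et in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (princ, kvno, ENCTYPE_NAMES[et]))
    if mode is not None and stat.S_IMODE(mode) & 0o027:  # anything beyond rw-r----- (chmod 640)
        findings.append("mode %o is too open; chmod 640 the keytab" % stat.S_IMODE(mode))
    if group is not None and group != squid_group:
        findings.append("group %s is not %s; chown root:%s the keytab" % (group, squid_group, squid_group))
    return findings

# Constructed sample (not from the thread): fresh AES keys at kvno 3 plus a leftover rc4 key at kvno 2.
SAMPLE_FQDN, SAMPLE_REALM = "proxy.example.com", "EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    ("HTTP/proxy.example.com@EXAMPLE.COM", 3, 17, bytes(16)),
    ("HTTP/proxy.example.com@EXAMPLE.COM", 2, 23, bytes(16)),
    ("host/proxy.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
])
# The same keytab with a deleted slot in front, as MIT's keytab remove operation leaves behind.
SAMPLE_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE_KEYTAB[2:]
```

For a real file, pass the file's bytes together with os.stat(path).st_mode and the owning group's name; set squid_group to your distribution's squid group (the thread shows both proxy and squid).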
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> Rafael Akchurin
[mailto:rafael.akchurin@diladele.com] <BR><B>Sent:</B> Wednesday 25
September 2019 17:27<BR><B>To:</B> L.P.H. van Belle;
squid-users@lists.squid-cache.org<BR><B>Subject:</B> RE: [squid-users]
Kerberos nad keytab problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=WordSection1>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">Hello
everyone,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">Just
my two cents too. Note you can map the *<B>user</B>* to the Kerberos SPN –
this lets you have your squid proxy live outside of the
AD.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">Just
set up the dedicated user in the AD, map the SPN to it and export the keytab to
your squid.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">See <A
href="https://docs.diladele.com/administrator_guide_stable/active_directory/index.html">https://docs.diladele.com/administrator_guide_stable/active_directory/index.html</A><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US">Downside – the password for that
designated user needs to be non-expiring, or you'd be regenerating keytabs
every time the password changes, which is not difficult anyway.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">Best
regards,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US style="mso-fareast-language: EN-US">Rafael
Akchurin<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US">Diladele B.V.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN lang=EN-US
style="mso-fareast-language: EN-US"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-TOP: #e1e1e1 1pt solid; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0cm; PADDING-TOP: 3pt; PADDING-LEFT: 0cm; BORDER-LEFT: medium none; PADDING-RIGHT: 0cm">
<P class=MsoNormal><B><SPAN lang=EN-US>From:</SPAN></B><SPAN lang=EN-US>
squid-users <squid-users-bounces@lists.squid-cache.org> <B>On Behalf Of
</B>L.P.H. van Belle<BR><B>Sent:</B> Wednesday, 25 September 2019
17:02<BR><B>To:</B> squid-users@lists.squid-cache.org<BR><B>Subject:</B> Re:
[squid-users] Kerberos nad keytab problem<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>I also
had problems with msktutil, so I suggest you try this, see below.
</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>I've been using
it for a few years and it always works (for me of course).
</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>It should
be pretty simple, but the site squid-cache (wiki) is in my opinion a bit
outdated. </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>And it's
for Amos to adapt it on the site.</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Amos or
Alex, please review below, you might want to add it. </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>And add
your parts to it, like running this without a correct SPN.
</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>It's
tested in use and working since squid 3.1 up to 4.8.
</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Tested
on Debian Wheezy (7) up to Buster (10).</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Below
assumes the server you're setting up does have an A and PTR record.
<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>(note,
these should be added at the domain join of winbind, as of Samba 4.x)</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>This is
my howto. </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Debian
based, with Kerberos auth against a Samba Active Directory.<BR>Should be
adaptable for any OS, should also work with MS Active Directory.
</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>But
since I don't have any, I'm not testing it. </SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#
Install a minimal OS, at install only choose base + ssh server.
</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Set up
these variables for a copy/paste, might be handy, and then "it just works"
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#
Obligatory to set: ADDOM </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># This
should match the netbios (NT4) domain name in caps, for example from a login:
NTDOM\username </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>ADDOM="NTDOM"
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># These
should be fine, but if you have multiple IP numbers and hostnames, you might
want to adjust these. </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>FQDN="$(hostname
-f)"<BR>HOSTN="$(hostname -s)"<BR><BR># Requirements before you start
installing the software like: squid winbind
krb5-user</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Login,
sudo to root.</SPAN><o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># /etc/resolv.conf,
set as follows. <BR># search must.match.your.primarydnsdomain.tld<BR>#
nameserver ip_of_AD_DC</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Verify
it: </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>grep
search /etc/resolv.conf</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>grep
nameserver /etc/resolv.conf<o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># If ok,
then run : </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>apt
update </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>apt
install squid winbind krb5-user -y</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Just
hit enter on every question, the defaults are fine. (verified in
Debian).</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># And
now verify /etc/krb5.conf<BR>less /etc/krb5.conf</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># It
should look like this:
<BR>#[libdefaults]<BR>#
default_realm = YOUR.Detected_REALM.TLD </SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#</SPAN><o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># The
following krb5.conf variables are only for MIT
Kerberos.<BR># kdc_timesync =
1<BR># ccache_type =
4<BR># forwardable =
true<BR># proxiable =
true</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># ...
and more.. </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'><BR>#
>> P.S. I never touch krb5.conf, never needed, it "just
works" << </SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Set
the REALM variable now, the default should be ok, don't touch it.
<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>REALM="$(grep
default_realm /etc/krb5.conf | awk '{print $NF}')"<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># It's
used for smb.conf and the auth part of squid. <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># then
stop squid and samba and configure it.<BR>systemctl stop squid
winbind</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># flush
the log, so if you start it you start with a clean log.
</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>> /var/log/squid/cache.log</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Configure
smb.conf and join the AD domain, the minimal setting for smb.conf.<BR>cp
/etc/samba/smb.conf{,.original}</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>echo "#
Auth-Only setup with winbind. ( no Shares )<BR>[global]</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>
workgroup = ${ADDOM}<BR> security =
ADS<BR> realm = ${REALM}<BR> netbios name
= ${HOSTN^^}</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>
## make sure the numbers below never overlap system ranges, see
/etc/adduser.conf <BR> ## map ids outside the domain to tdb
files.<BR> idmap config *: backend =
tdb<BR> idmap config *: range =
2000-9999</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>
## map ids from the domain; the domain and (*) ranges may not overlap
!<BR> idmap config ${ADDOM} : backend =
rid<BR> idmap config ${ADDOM} : range =
10000-3999999</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>
kerberos method = secrets and keytab<BR> dedicated keytab
file = /etc/krb5.keytab</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>
# renew the kerberos ticket<BR> winbind refresh tickets =
yes<BR>" > /etc/samba/smb.conf</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># And
verify it.<BR>less /etc/samba/smb.conf</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Next
step, join the AD domain. </SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#
Login/auth with kerberos. <BR>kinit Administrator</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># and
join the domain.</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>net ads
join -k</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#
Creating the squid keytab file.</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>export
KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab<BR>net ads keytab add
HTTP/${FQDN}</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'><BR># Verify
the keytab file: <BR>klist -ke
/etc/squid/squid-HTTP-${HOSTN}.keytab</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>#
destroy your authentication ticket for Administrator.
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>kdestroy
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># set
correct rights. <BR>chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab<BR>chown
root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab<BR># Note, you might need to
change the "proxy" group name here. </SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># and
set up your squid auth. The whole auth_param block is one echo into one file;
the trailing backslashes are squid.conf line continuations. <BR>echo "auth_param negotiate program
/usr/lib/squid/negotiate_wrapper_auth \\<BR> --kerberos
/usr/lib/squid/negotiate_kerberos_auth \\<BR> -k
/etc/squid/squid-HTTP-${HOSTN}.keytab \\<BR> -s
HTTP/${FQDN}@${REALM} \\<BR> --ntlm
/usr/bin/ntlm_auth \\<BR>
--helper-protocol=gss-spnego --domain=${ADDOM}<BR>auth_param
negotiate children 30 startup=5 idle=5<BR>auth_param negotiate keep_alive on" >
/etc/squid/conf.d/auth.conf</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>systemctl
start winbind squid </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># Done
</SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'># And
check the squid log to see how it started. </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>cat
/var/log/squid/cache.log<o:p></o:p></SPAN></P></DIV>
<DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Now go
configure the other parts of squid you need.
<o:p></o:p></SPAN></P></DIV></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>And
enjoy.. :-) </SPAN><o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Greetz,
</SPAN><o:p></o:p></P>
<DIV>
<P class=MsoNormal> <o:p></o:p></P></DIV>
<P class=MsoNormal><SPAN
style='FONT-SIZE: 10pt; FONT-FAMILY: "Arial",sans-serif; COLOR: blue'>Louis</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<BLOCKQUOTE
style="BORDER-TOP: medium none; BORDER-RIGHT: medium none; BORDER-BOTTOM: medium none; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; PADDING-LEFT: 4pt; BORDER-LEFT: blue 1.5pt solid; MARGIN: 5pt 0cm 5pt 3.75pt; PADDING-RIGHT: 0cm">
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN lang=NL>
<HR align=center SIZE=2 width="100%">
</SPAN></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN lang=NL
style='FONT-SIZE: 10pt; FONT-FAMILY: "Tahoma",sans-serif'>From:</SPAN></B><SPAN
lang=NL style='FONT-SIZE: 10pt; FONT-FAMILY: "Tahoma",sans-serif'>
squid-users [<A
href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</A>] <B>On Behalf Of
</B>Tevfik Ceydeliler<BR><B>Sent:</B> Wednesday 25 September 2019
13:59<BR><B>To:</B> <A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><B>Subject:</B>
[squid-users] Kerberos nad keytab problem</SPAN><SPAN
lang=NL><o:p></o:p></SPAN></P>
<DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>Hi, I try to use
kerberos in my squid. But I get an error message:<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>############################<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>msktutil
--auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp
-k /etc/squid/PROXY.keytab <BR> -- init_password: Wiping the
computer password structure<BR> -- generate_new_password: Generating a
new, random password for the computer account<BR> --
generate_new_password: Characters read from /dev/urandom =
95<BR> -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-QCbGC5<BR> -- destroy_g_context: Destroying
Kerberos Context<BR> -- initialize_g_context: Creating Kerberos
Context<BR> -- finalize_exec: SAM Account Name is:
suqidpnb1$<BR> -- try_machine_keytab_princ: Trying to authenticate for
suqidpnb1$ from local keytab<BR> -- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Key table entry not found)<BR> --
try_machine_keytab_princ: Authentication with keytab failed<BR> --
try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local
keytab<BR> -- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Key table entry not found)<BR> --
try_machine_keytab_princ: Authentication with keytab failed<BR> --
try_machine_keytab_princ: Trying to authenticate for host/localhost from
local keytab<BR> -- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Key table entry not found)<BR> --
try_machine_keytab_princ: Authentication with keytab failed<BR> --
try_machine_password: Trying to authenticate for suqidpnb1$ with
password<BR> -- create_default_machine_password: Default machine
password for suqidpnb1$ is suqidpnb1<BR> -- try_machine_password:
Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<BR> -- try_machine_password: Authentication with password
failed<BR> -- try_user_creds: Checking if default ticket cache has
tickets<BR> -- try_user_creds: Error: krb5_cc_get_principal failed (No
credentials cache found)<BR> -- try_user_creds: User ticket cache was
not valid<BR>Error: could not find any credentials to authenticate with.
Neither keytab,<BR>default machine password, nor calling user's tickets
worked. Try<BR>"kinit"ing yourself some tickets with permission to create
computer<BR>objects, or pre-creating the computer object in AD and
selecting<BR>'reset account'.<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>############################<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>Can't find why
this happens:<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>My AD is 2012R2
function level<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>I create keytab
with this:<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>msktutil -c -b
"OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k
/etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn
HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes
28<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>Keytab file
permission is:<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>-rw-r----- 1 root
squid 933 Sep 25 13:37 PROXY.keytab<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>and keytab file
(klist -k output):<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'> 3 SQUIDPNB1$@TOYO.GRP<BR> 3
SQUIDPNB1$@TOYO.GRP<BR> 3 SQUIDPNB1$@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1@TOYO.GRP<BR> 3 host/squidtoyopnb1@TOYO.GRP<BR> 3
host/squidtoyopnb1@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>krb5.conf:<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'>[libdefaults]<BR>default_realm
= TOYO.GRP<BR> dns_lookup_kdc = no<BR>
dns_lookup_realm = no<BR>
ticket_lifetime = 24h<BR> default_keytab_name =
/etc/squid/PROXY.keytab<BR><BR> ; for Windows 2008 with
AES<BR> default_tgs_enctypes =
aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<BR>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
des-cbc-crc des-cbc-md5<BR>
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5<BR><BR> [realms]<BR>TOYO.GRP = {<BR>
kdc = dctoyo1.toyo.grp<BR>
kdc =
DCTOYO2.toyo.grp<BR>
admin_server = 10.65.12.254<BR>
default_domain = toyo.grp<BR>
}<BR><BR> [domain_realm]<BR> toyo.grp
= TOYO.GRP<BR> .toyo.grp = TOYO.GRP<BR><BR>
[logging]<BR> kdc = FILE:/var/log/kdc.log<BR>
admin_server = FILE:/var/log/kadmin.log<BR>
default = FILE:/var/log/krb5lib.log<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style='FONT-FAMILY: "Verdana",sans-serif; COLOR: #000066'><o:p> </o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><o:p> </o:p></P></DIV>
<P class=MsoNormal>-- <o:p></o:p></P>
<DIV>
<P class=MsoNormal>Tevfik
Ceydeliler<o:p></o:p></P></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>