[squid-users] Questions about Kerberos authentication on squid3
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 17 13:56:07 UTC 2016
Hi Marcio,
Have a look here, a good guide:
https://dev.tranquil.it/wiki/SAMBA_-_Configuration_Squid_Kerberos
Most important, make sure your DNS setup is correct and the proxy server has an A and PTR (RR) record.
Can be done without but that can result in problems.
You must create the krb5.keytab file when using Samba 4 as DC? If positive, how to create it?
On the proxy itself as member server.
Make sure you then also have these 2:
# enable offline logins
winbind offline logon = yes
# renew the kerberos ticket
winbind refresh tickets = yes
net ads join -U administrator
net ads keytab add HTTP -U administrator
Or with samba-tool on the DC, which I did since I use 2 proxies and 1 user for SPNs:
samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password
samba-tool user setexpiry squid-proxy --noexpiry
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy
and export it.
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld proxy1.keytab
and put the proxy1.keytab file in place on the proxy server, see link above.
Kerberos authentication (squid_kerb_auth) works for both Windows and Linux?
Yes
In this type of authentication the user will not need to enter your username / password when you open the browser?
Correct, but you also need to set up your web browser for it.
On the workstations I install ntp or ntpdate package?
No, but make sure the time is in sync with the DCs.