[squid-users] Questions about Kerberos authentication on squid3

L.P.H. van Belle belle at bazuin.nl
Wed Aug 17 13:56:07 UTC 2016


Hi Marcio, 

 

Have a look here, a good guide:

https://dev.tranquil.it/wiki/SAMBA_-_Configuration_Squid_Kerberos 

 

Most important, make sure your DNS setup is correct and the proxy server has an A and PTR (RR) record. 

It can be done without, but that can result in problems.

 

 

You must create the krb5.keytab file when using Samba 4 as DC? If positive, how to create it?

On the proxy itself as member server.  

 

Make sure you then also have these 2:

    # enable offline logins
    winbind offline logon = yes

    # renew the kerberos ticket
    winbind refresh tickets = yes

 

net ads join -U administrator

net ads keytab add HTTP -U administrator

 


Or with samba-tool on the DC, which I did since I use 2 proxies and 1 user for SPNs.

 

samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password

samba-tool user setexpiry squid-proxy --noexpiry

samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy

samba-tool spn add HTTP/proxy1.internal.domain.tld@REALM squid-proxy

 

and export it. 

samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld proxy1.keytab

and put the proxy1.keytab file in place on the proxy server, see link above. 

 

 


Kerberos authentication (squid_kerb_auth) works for both Windows and Linux?

Yes


 


In this type of authentication the user will not need to enter your username / password when you open the browser?

Correct, but you also need to set up your web browser for it.


 


On the workstations I install ntp or ntpdate package?

No, but then make sure the time is in sync with the DCs.
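
A way to confirm that an exported keytab really holds the HTTP/ service principal before it is copied to the proxy, as an added example that is not part of the original message: it parses the MIT keytab file format (0x0502) and lists principal, kvno and enctype without ever returning key bytes. The function names and the sample entry (all-zero key, kvno 2) are constructed for illustration.

```python
import struct

# Enctype numbers from the Kerberos IANA registry commonly found in Samba/AD keytabs.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, off):
    """Read a uint16 length-prefixed byte string; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot; skip it
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):             # e.g. "HTTP", then the proxy FQDN
            comp, off = _counted(rec, off)
            parts.append(comp.decode())
        off += 8                           # skip name_type and timestamp (4 bytes each)
        kvno, etype = struct.unpack_from(">BH", rec, off)
        _key, off = _counted(rec, off + 3) # key bytes are skipped, never returned
        if len(rec) - off >= 4:            # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, str(etype))))
    return entries

def has_spn(entries, spn):
    return any(p == spn for p, _, _ in entries)

def sample_entry(spn_parts, realm, kvno, etype):
    """Build one constructed keytab entry with a dummy all-zero key (test data only)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(spn_parts)) + cs(realm) + b"".join(map(cs, spn_parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(bytes(32)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry([b"HTTP", b"proxy1.internal.domain.tld"], b"REALM", 2, 18)
if __name__ == "__main__":
    print(parse_keytab(SAMPLE))
```

For a real file, pass `open("proxy1.keytab", "rb").read()` to `parse_keytab` and check the result with `has_spn`.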



