[squid-users] Kerberos Authentication doesn't work

L.P.H. van Belle belle at bazuin.nl
Thu Aug 18 15:26:44 UTC 2016


Ok, samba isn't yet in jessie backports, so you now use the 4.2.10 version.

Look here, these work well.

I built them and I use them in my office for some time now.

I'll try the next Samba version (4.4.5-3) in Debian stretch, to get it into BPO.

That one has the file overwrite fixed. (Just read the readme.txt, it explains all.)

Here you find Samba 4.4.5 signed by me (amd64 and i386 packages for jessie):

http://downloads.van-belle.nl/samba4/

Again, please do read the readme.txt

 

This part:

STOP SERVICES

/etc/init.d/winbind stop
/etc/init.d/samba stop
update-rc.d winbind remove
update-rc.d samba remove

Don't remove the winbind/samba init scripts; you need them to refresh the keytabs.

Only winbind is sufficient for the keytab refresh.

 

 

KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

Add that in /etc/default/squid3 and try not to change the default Debian init.d files.

The /etc/default/squid3 file is included by the init script.

 

 

Enable the Kerberos auth line in your squid conf:

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR

Check both your keytabs, since I'm not sure about your keytab files.

Check where the HTTP SPN is defined:

klist -k /etc/krb5.keytab
klist -k /etc/squid3/HTTP.keytab

 

Try with these settings.

1) /etc/krb5.conf

[libdefaults]
   default_realm = EMPRESA.COM.BR
   dns_lookup_kdc = yes
   dns_lookup_realm = no

Then, if that works, change it back to your needs.

 

 

You can check if you get users out of winbind:

wbinfo -u

If that works, set these lines to no; they are not needed for squid.

  winbind enum users = yes
  winbind enum groups = yes

Try with these changes first.

And last, did you configure the Samba AD DC with SSL support? If not, enable the old behavior.

More info about that here:

https://www.samba.org/samba/history/samba-4.4.2.html

Greetz,

Louis
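The two things Louis asks the poster to verify, as an added shell example that is not code from the thread: whether squid.conf actually has an uncommented `auth_param negotiate program` line carrying an `-s` service principal, and whether a `klist -k` listing of the keytab contains that principal. The squid.conf and `klist -k` samples below are constructed; the SPN HTTP/proxy.empresa.com.br@EMPRESA.COM.BR is the one from Louis's suggested line.

```shell
#!/bin/sh
# Added example, not part of the thread. Both checks work on text so they run
# offline; against a live proxy you would run:
#   negotiate_spn /etc/squid3/squid.conf
#   klist -k /etc/squid3/HTTP.keytab | keytab_has_spn "HTTP/proxy.empresa.com.br@EMPRESA.COM.BR"

# Succeed (exit 0) if the config file has an uncommented "auth_param negotiate program" line.
negotiate_program_active() {
    grep -Eq '^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program[[:space:]]' "$1"
}

# Print the SPN passed to the helper with -s, or nothing if no active line sets one.
negotiate_spn() {
    sed -n -E 's/^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program[[:space:]].*[[:space:]]-s[[:space:]]+([^[:space:]]+).*/\1/p' "$1" | head -n 1
}

# Read "klist -k" output on stdin; succeed if some key line names exactly $1.
# Key lines are "KVNO Principal": field 1 is numeric, field 2 is the principal.
keytab_has_spn() {
    awk -v spn="$1" '$1 ~ /^[0-9]+$/ && $2 == spn { found = 1 } END { exit !found }'
}

# Constructed sample: the poster's squid.conf, where the helper line is commented out.
SAMPLE_CONF_BROKEN='#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on'

# Constructed sample: the line Louis suggests.
SAMPLE_CONF_FIXED='auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
auth_param negotiate children 10'

# Constructed sample of "klist -k /etc/squid3/HTTP.keytab" output (shape only, not a real keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   2 host/proxy.empresa.com.br@EMPRESA.COM.BR'

# Run both checks over a config file ($1) and a klist listing ($2); print a
# verdict and return 0 only when the helper is active and its SPN is in the keytab.
audit_negotiate() {
    conf=$1; listing=$2
    if ! negotiate_program_active "$conf"; then
        echo "FAIL: no active auth_param negotiate program line in $conf"; return 1
    fi
    spn=$(negotiate_spn "$conf")
    if [ -z "$spn" ]; then
        echo "FAIL: helper line does not pass -s HTTP/<fqdn>@REALM"; return 1
    fi
    if ! printf '%s\n' "$listing" | keytab_has_spn "$spn"; then
        echo "FAIL: $spn not found in keytab listing"; return 1
    fi
    echo "OK: helper active and keytab holds $spn"
}

# Demonstration on the constructed samples (each written to a temp file).
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF_BROKEN" > "$demo_conf"
audit_negotiate "$demo_conf" "$SAMPLE_KLIST" || true
printf '%s\n' "$SAMPLE_CONF_FIXED" > "$demo_conf"
audit_negotiate "$demo_conf" "$SAMPLE_KLIST" || true
rm -f "$demo_conf"
```

The first run reports the commented-out helper line, which is the state of the poster's squid.conf; the second passes. Comparing field 2 exactly (rather than grepping for "HTTP") avoids a false pass when the keytab only holds the host/ principal or an HTTP principal for a different hostname.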

 

 

 


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Marcio Demetrio Bacci
Sent: Thursday, 18 August 2016 16:09
To: Squid Users
Subject: [squid-users] Kerberos Authentication doesn't work


 

I have problems with Kerberos Authentication in Squid3 on Debian 8 and Samba4 DC.

My Squid version is: 3.4.8

My Kerberos Authentication doesn't work.


 


PROCEDURES PERFORMED

INSTALL OF SAMBA4 AND WINBIND FROM DEBIAN BACKPORTS

apt-get -t jessie-backports install samba samba-doc winbind

KERBEROS TEST: kinit administrator@EMPRESA.COM.BR

klist -l

Principal Name                   Cache name
--------------                   ----------
administrator@EMPRESA.COM.BR     FILE:/tmp/krb5cc_0

JOIN THE DOMAIN: net ads join -U administrator

net ads testjoin: JOIN OK

kdestroy

KERBEROS TEST: kinit administrator@EMPRESA.COM.BR

klist -l

Principal Name                   Cache name
--------------                   ----------
administrator@EMPRESA.COM.BR     FILE:/tmp/krb5cc_0

STOP SERVICES

/etc/init.d/winbind stop
/etc/init.d/samba stop
update-rc.d winbind remove
update-rc.d samba remove

export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab

INSTALL OF SQUID3: apt-get install squid3

export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

chgrp proxy /etc/squid3/HTTP.keytab
chmod g+r /etc/squid3/HTTP.keytab

/etc/init.d/squid3 restart

KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

/etc/init.d/squid3 restart

Below are my configuration files:


 


1) /etc/krb5.conf

[libdefaults]
   default_realm = EMPRESA.COM.BR
   dns_lookup_kdc = no
   dns_lookup_realm = no
   default_keytab_name = /etc/krb5.keytab

[realms]
   EMPRESA.COM.BR = {
      kdc = dc1.EMPRESA.COM.BR:88
      admin_server = dc1.EMPRESA.COM.BR
      default_domain = EMPRESA.COM.BR
   }

[domain_realm]
   .EMPRESA.COM.BR = EMPRESA.COM.BR
   EMPRESA.COM.BR = EMPRESA.COM.BR

[logging]
   kdc = FILE:/var/log/kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log


 


2) /etc/samba/smb.conf

[global]
  netbios name = proxy
  workgroup = EMPRESA
  security = ads
  realm = EMPRESA.COM.BR
  encrypt passwords = yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
# password server = dc1.empresa.com.br
  preferred master = no
  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 10000-9999999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind offline logon = yes
  winbind refresh tickets = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  username map = /etc/samba/user.map


 


 


3) /etc/squid3/squid.conf

### Basic settings
http_port 3128

#debug_options ALL,111,2 29,9 84,6

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

# So as not to block downloads
quick_abort_min -1 KB

# Works around a problem with persistent connections
detect_broken_pconn on

fqdncache_size 1024

### Cache refresh parameters
refresh_pattern ^ftp:   1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
refresh_pattern .      0   20%   4320

### Log locations
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log

### Defines the disk cache location, size, number of parent directories and subdirectories
cache_dir aufs /var/spool/squid3 600 16 256

#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

visible_hostname proxy.empresa.com.br

### acls
#acl manager proto cache_object
acl localhost src 192.168.200.7/32
acl to_localhost dst 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
acl Safe_ports port 21       # ftp
acl Safe_ports port 70       # gopher
acl Safe_ports port 80       # http
acl Safe_ports port 88       # kerberos
acl Safe_ports port 210       # wais
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 389       # ldap
acl Safe_ports port 443       # https
acl Safe_ports port 488       # gss-http
acl Safe_ports port 563       # snews
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http
acl Safe_ports port 3001            # Imprensa Nacional
acl Safe_ports port 8080       # http
acl Safe_ports port 1025-65535    # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

### Initial Squid rules
http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

### Require authentication
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados

# ACLs tied to authentication
acl grupo_admins proxy_auth "/etc/squid3/acls/usr-admins"

acl grupo_liberado proxy_auth "/etc/squid3/acls/usr-liberados"

# Allow the administrators group
http_access allow grupo_admins

### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"

### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"

### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"

# Basic blocks
http_access allow sites_liberados
http_access deny extensoes_bloqueadas
http_access deny sites_bloqueados

# Allow access for the managers and teachers group
http_access allow grupo_liberado

# Incorporate the SquidGuard rules
redirect_program /usr/bin/squidGuard
redirect_children 20
redirector_bypass on

# Allow the ordinary users group after passing all the blocks
http_access allow autenticados

### CMB network #####
acl lannet src 192.168.200.0/22

### Deny access to anyone not on the local network
http_access allow lannet

# Deny access to everyone not matched by the previous rules
http_access deny all

### Errors in Portuguese
error_directory /usr/share/squid3/errors/pt-br

#cache_effective_user proxy
coredump_dir /var/spool/squid3


 


 


Regards,

Márcio Bacci
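The poster's procedure hands Squid a dedicated keytab (chgrp proxy, chmod g+r) and Louis has it located through KRB5_KTNAME in /etc/default/squid3. The keytab holds the HTTP service's long-term key, so the file should be readable by the proxy group and by nobody else. The shell below is an added example, not code from the thread: it reads the keytab path out of a defaults file and checks the file's group and mode. It assumes GNU stat (as on Debian) and uses a constructed defaults file and an empty stand-in keytab.

```shell
#!/bin/sh
# Added example, not part of the thread. Live usage:
#   keytab_perms_ok /etc/squid3/HTTP.keytab proxy
#   audit_squid_keytab /etc/default/squid3 proxy
# Assumes GNU stat (-c), as shipped on Debian.

# Succeed if $1 exists, is owned by group $2 (name or numeric gid), is group
# readable and is not world readable; print the reason on failure.
keytab_perms_ok() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grp_name=$(stat -c '%G' "$f"); grp_gid=$(stat -c '%g' "$f")
    mode=$(stat -c '%a' "$f")
    mode=${mode#"${mode%???}"}            # keep the last three octal digits (drops setuid/setgid digit)
    g=$(printf '%s' "$mode" | cut -c2)   # group permission digit
    o=$(printf '%s' "$mode" | cut -c3)   # other permission digit
    if [ "$grp_name" != "$want" ] && [ "$grp_gid" != "$want" ]; then
        echo "wrong group on $f: $grp_name (want $want)"; return 1
    fi
    case $g in 4|5|6|7) ;; *) echo "group cannot read $f (mode $mode)"; return 1 ;; esac
    case $o in 0|1|2|3) ;; *) echo "$f is world readable (mode $mode)"; return 1 ;; esac
    echo "ok: $f mode $mode group $grp_name"
}

# Print the keytab path set by KRB5_KTNAME in a /etc/default style file,
# accepting both "KRB5_KTNAME=..." and "export KRB5_KTNAME=..." and dropping
# an optional FILE: prefix; print nothing if it is not set (last setting wins).
ktname_from_defaults() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=(FILE:)?([^[:space:]]+).*/\3/p' "$1" | tail -n 1
}

# Combined check: the defaults file must name a keytab, and that keytab must
# pass the ownership and mode test for group $2.
audit_squid_keytab() {
    kt=$(ktname_from_defaults "$1")
    if [ -z "$kt" ]; then echo "KRB5_KTNAME not set in $1"; return 1; fi
    keytab_perms_ok "$kt" "$2"
}

# Demonstration on constructed files: a defaults file in the form Louis gives,
# and an empty stand-in for the keytab owned by the current user's group.
demo_dir=$(mktemp -d)
printf 'KRB5_KTNAME=%s/HTTP.keytab\nexport KRB5_KTNAME\nKRB5RCACHETYPE=none\nexport KRB5RCACHETYPE\n' \
    "$demo_dir" > "$demo_dir/squid3"
: > "$demo_dir/HTTP.keytab"
chmod 644 "$demo_dir/HTTP.keytab"      # world readable: the key is exposed to every local user
audit_squid_keytab "$demo_dir/squid3" "$(id -g)" || true
chmod 640 "$demo_dir/HTTP.keytab"      # group readable only, which is what Squid needs
audit_squid_keytab "$demo_dir/squid3" "$(id -g)" || true
rm -rf "$demo_dir"
```

The check is on the file's mode bits, not on whether the calling user can open it, so it gives the same answer when run as root. Group ownership is accepted by name or by numeric gid so the demonstration works on systems where the current gid has no name.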

