[squid-users] Kerberos Authentication doesn't work
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 18 15:26:44 UTC 2016
Ok, samba isn't yet in jessie backports, so you now use the 4.2.10 version.
Look here, these work well.
I built them and I have been using them in my office for some time now.
I'll try the next samba version (4.4.5-3) in debian stretch to get it in BPO.
That one has the file overwrite fixed. (Just read the readme.txt, it explains all.)
Here you find a samba 4.4.5 signed by me (amd64 and i386 packages for jessie):
http://downloads.van-belle.nl/samba4/
Again, please do read the readme.txt, this part:
STOP SERVICES
/etc/init.d/winbind stop
/etc/init.d/samba stop
update-rc.d winbind remove
update-rc.d samba remove
Don't remove the winbind/samba inits; you need them to refresh the keytabs.
Only winbind for keytab refresh is sufficient.
KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
Add that in /etc/default/squid3 and try not to change the default init.d debian files.
The /etc/default/squid3 is included in the init script.
Enable the kerberos auth line in your squid conf.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR
Check both your keytabs, since I'm not sure about your keytab files.
Check where the HTTP SPN is defined.
klist -k /etc/krb5.keytab
klist -k /etc/squid3/HTTP.keytab
Try with these settings.
1) /etc/krb5.conf
[libdefaults]
default_realm = EMPRESA.COM.BR
dns_lookup_kdc = yes
dns_lookup_realm = no
Then, if that works, change it back to your needs.
You can check if you get users out of winbind:
wbinfo -u
If that works, set these lines to no; they are not needed for squid.
winbind enum users = yes
winbind enum groups = yes
Try with these changes first.
And last, did you configure samba AD DC with ssl support? If not,
enable the old behavior.
More info about that here:
https://www.samba.org/samba/history/samba-4.4.2.html
Greetz,
Louis
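As an added check (example code, not from the thread and not part of Squid or Samba), a small POSIX shell script that verifies what the reply above asks for: the SPN named by `-s` on the auth_param line must appear in `klist -k` output for the keytab Squid uses, and /etc/default/squid3 must export KRB5_KTNAME and set KRB5RCACHETYPE=none. The klist output, auth_param line and defaults file below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed; in real use
# pass "$(klist -k /etc/squid3/HTTP.keytab)", the auth_param line from
# squid.conf and the contents of /etc/default/squid3 instead.

# Pull the SPN from the "-s" option of the auth_param line.
spn_from_auth_param() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit } }'
}

# Exact match against the principal column of `klist -k` output (kvno is $1).
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit !f }'
}

# A variable counts as exported only if it is assigned AND an "export" line names it.
var_exported() {
    _name=$2
    printf '%s\n' "$1" | grep -Eq "^(export[[:space:]]+)?${_name}=" || return 1
    printf '%s\n' "$1" | grep -Eq "^export[[:space:]]+${_name}(=|[[:space:]]|\$)"
}

# /etc/default/squid3 must export KRB5_KTNAME and set KRB5RCACHETYPE=none.
squid_defaults_ok() {
    var_exported "$1" KRB5_KTNAME || return 1
    var_exported "$1" KRB5RCACHETYPE || return 1
    printf '%s\n' "$1" | grep -Eq '^(export[[:space:]]+)?KRB5RCACHETYPE=none[[:space:]]*$'
}

# Constructed samples (not real output from the poster's host).
SAMPLE_AUTH='auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR'
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/proxy.empresa.com.br@EMPRESA.COM.BR
   3 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   3 HTTP/PROXY@EMPRESA.COM.BR'
SAMPLE_DEFAULTS='KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE'

spn=$(spn_from_auth_param "$SAMPLE_AUTH")
if keytab_has_spn "$SAMPLE_KLIST" "$spn"; then
    echo "keytab carries $spn"
else
    echo "keytab is MISSING $spn; squid cannot accept tickets for it" >&2
fi
squid_defaults_ok "$SAMPLE_DEFAULTS" && echo "/etc/default/squid3 exports are in place"
```

Run the same checks against /etc/krb5.keytab too, since the thread is unsure which keytab the HTTP SPN landed in.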
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Marcio Demetrio Bacci
Sent: Thursday 18 August 2016 16:09
To: Squid Users
Subject: [squid-users] Kerberos Authentication doesn't work
I have problems with Kerberos Authentication in Squid3 on Debian 8 and Samba4 DC.
My Squid version is: 3.4.8
My Kerberos Authentication doesn't work.
PROCEDURES PERFORMED
INSTALL OF SAMBA4 AND WINBIND FROM DEBIAN BACKPORTS
apt-get -t jessie-backports install samba samba-doc winbind
KERBEROS TEST: kinit administrator at EMPRESA.COM.BR
klist -l
Principal Name Cache name
-------------- ----------
administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
JOIN THE DOMAIN: net ads join -U administrator
net ads testjoin: JOIN OK
kdestroy
KERBEROS TEST:kinit administrator at EMPRESA.COM.BR
klist -l
Principal Name Cache name
-------------- ----------
administrator at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
STOP SERVICES
/etc/init.d/winbind stop
/etc/init.d/samba stop
update-rc.d winbind remove
update-rc.d samba remove
export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab
INSTALL OF SQUID3: apt-get install squid3
export KRB5_KTNAME=FILE:/etc/squid3/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME
chgrp proxy /etc/squid3/HTTP.keytab
chmod g+r /etc/squid3/HTTP.keytab
/etc/init.d/squid3 restart
KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
/etc/init.d/squid3 restart
Below are my configuration files:
1) /etc/krb5.conf
[libdefaults]
default_realm = EMPRESA.COM.BR
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/krb5.keytab
[realms]
EMPRESA.COM.BR = {
kdc = dc1.EMPRESA.COM.BR:88
admin_server = dc1.EMPRESA.COM.BR
default_domain = EMPRESA.COM.BR
}
[domain_realm]
.EMPRESA.COM.BR = EMPRESA.COM.BR
EMPRESA.COM.BR = EMPRESA.COM.BR
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
2) /etc/samba/smb.conf
[global]
netbios name = proxy
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM.BR
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# password server = dc1.empresa.com.br
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
3) /etc/squid3/squid.conf
### Basic settings
http_port 3128
#debug_options ALL,111,2 29,9 84,6
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
#So downloads are not blocked
quick_abort_min -1 KB
#Fixes a problem with persistent connections
detect_broken_pconn on
fqdncache_size 1024
### Cache memory refresh parameters
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
### Log locations
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
### defines the disk cache location, size, number of parent directories and subdirectories
cache_dir aufs /var/spool/squid3 600 16 256
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
visible_hostname proxy.empresa.com.br
### acls
#acl manager proto cache_object
acl localhost src 192.168.200.7/32
acl to_localhost dst 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 88 # kerberos
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 389 # ldap
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # imprensa nacional
acl Safe_ports port 8080 # http
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
### Initial Squid rules
http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
### Require authentication
acl autenticados proxy_auth REQUIRED
http_access deny !autenticados
# acls tied to authentication
acl grupo_admins proxy_auth "/etc/squid3/acls/usr-admins"
acl grupo_liberado proxy_auth "/etc/squid3/acls/usr-liberados"
#allow the administrators group
http_access allow grupo_admins
### Block file extensions
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
### Allow some sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
### Block sites by URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
#basic blocks
http_access allow sites_liberados
http_access deny extensoes_bloqueadas
http_access deny sites_bloqueados
# Allow access for the managers and teachers group
http_access allow grupo_liberado
# Incorporate the SquidGuard rules
redirect_program /usr/bin/squidGuard
redirect_children 20
redirector_bypass on
#allow the ordinary users group after it has passed all the blocks
http_access allow autenticados
### CMB network #####
acl lannet src 192.168.200.0/22
### Deny access to anyone not on the local network
http_access allow lannet
#deny access to everyone not matched by the previous rules
http_access deny all
### Errors in Portuguese
error_directory /usr/share/squid3/errors/pt-br
#cache_effective_user proxy
coredump_dir /var/spool/squid3
Regards,
Márcio Bacci