[squid-users] Problems with Squid Authentication
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 19 10:02:42 UTC 2016
Hai,
Yes, all new things are hard..
I need some extra info because there are lots of things that can be wrong.
post what you see here :
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR ?d ?i
>> kinit and klist are ok
>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
These are normaly not identical. In the HTTPkeytab i have ONLY the HTTP spn.
And in the krb5.keytab i have the host SPN and netbios_name($)
How to test the kerberos auth.. hmm, thats a difficult one for me.
I know lot but not all.. :-( .
But what i do iknow, you can test with
/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
If that works its probely an SPN or dns problem.
If that isnt working, then do check the time on the ad server and proxy server.
I can only say.
The proxy servername must exist in dns and must have A and PTR record. ( add this in the samba AD )
The reverse zone is ( maybe ) created, if not, create it yourself and add the ptr records.
Cat /etc/hosts file may NOT contain any.
127.0.1.1 yourhostname.. ..
if its in there, you installed with dhcp ip.
It should contain
127.0.0.1 localhost
IP_OF_SERVER hostname.domain.tld hostname
The is there if you install with a static ip.
Time must be in sync with the AD server ( max difference i allow is 1 min. )
If needed install ntp on the proxy and point the server to the ad dc.
And post what you now have in krb5.conf
These are the most common pitfalls, i?ll see what i can do to help out.
Greetz,
Louis
Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Marcio Demetrio Bacci
Verzonden: vrijdag 19 augustus 2016 3:50
Aan: Squid Users
Onderwerp: [squid-users] Problems with Squid Authentication
My Kerberos Authentication doesn't work. This is very hard!
My Squid3 is join in the Domain
kinit and klist are ok
wbinfo -g and wbinfo -u are ok too.
I have created the squid3 file in /etc/default with the following content:
KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME
I have two keytab files:
/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages because my Squid server is Debian 8. But I didn't use msktutil tool. I have only joined Squid server in the Domain (net ads join -U administrator)
How can I debbug the problem?
How can I test kerberos authentication in terminal (command line)?
Below is my squid.conf file:
### Configuracoes Basicas
cache_mgr administrator at empresa.com.br
http_port 3128
#debug_options ALL,111,2 29,9 84,6
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
#Para não bloquear downloads
quick_abort_min -1 KB
#Resolve um problema com conexoes persistentes
detect_broken_pconn on
fqdncache_size 1024
### Parametros de atualizacao da memoria cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
### Localizacao dos logs
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
### define a localizacao do cache de disco, tamanho, qtd de diretorios pai e subdiretorios
cache_dir aufs /var/spool/squid3 600 16 256
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR
auth_param negotiate children 20
auth_param negotiate keep_alive on
visible_hostname proxy.empresa.com.br
### acls
#acl manager proto cache_object
acl localhost src MailScanner warning: numerical links are often malicious: 192.168.200.7/32
acl to_localhost dst MailScanner warning: numerical links are often malicious: 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 88 # kerberos
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 389 # ldap
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # imprenssa nacional
acl Safe_ports port 8080 # http
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
### Regras iniciais do Squid
http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
### Exige autenticacao
acl autenticados proxy_auth REQUIRED
http_access allow autenticados
### Rede do Local #####
acl rede_local src MailScanner warning: numerical links are often malicious: 192.168.200.0/22
### Nega acesso de quem nao esta na rede local
http_access allow rede_local
#negando o acesso para todos que nao estiverem nas regras anteriores
http_access deny all
### Erros em portugues
error_directory /usr/share/squid3/errors/pt-br
#cache_effective_user proxy
coredump_dir /var/spool/squid3
Regards,
Márcio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160819/381d99e8/attachment-0001.html>
More information about the squid-users
mailing list