[squid-users] Problems with Squid Authentication

L.P.H. van Belle belle at bazuin.nl
Fri Aug 19 10:02:42 UTC 2016


Hai,

 

Yes, all new things are hard..

I need some extra info because there are lots of things that can be wrong. 

 

post what you see here : 

/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR ?d ?i 

 

 

>> kinit and klist are ok

>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

These are normaly not identical. In the HTTPkeytab i have ONLY the HTTP spn. 

And in the krb5.keytab i  have the host SPN and netbios_name($)  

 

How to test the kerberos auth.. hmm, thats a difficult one for me. 

I know lot but not all..  :-(  .

 

But what i do iknow, you can test with

/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME 

If that works its probely an SPN or dns problem.

If that isnt working, then do check the time on the ad server and proxy server.

 

I can only say. 

The proxy servername must exist in dns and must have A and PTR record.  ( add this in the samba AD ) 

The reverse zone is ( maybe ) created, if not, create it yourself and add the ptr records. 

 

Cat /etc/hosts file may NOT contain any. 

127.0.1.1        yourhostname.. ..  

if its in there, you installed with dhcp ip. 

 

It should contain 

127.0.0.1              localhost 

IP_OF_SERVER   hostname.domain.tld hostname

The is there if you install with a static ip. 

 

Time must be in sync with the AD server ( max difference i allow is 1 min. ) 

If needed install ntp on the proxy and point the server  to the ad dc. 

 

And post what you now have in krb5.conf 

 

These are the most common pitfalls, i?ll see what i can do to help out. 

 

 

Greetz, 

 

Louis

 

 

 

 

 


Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Marcio Demetrio Bacci
Verzonden: vrijdag 19 augustus 2016 3:50
Aan: Squid Users
Onderwerp: [squid-users] Problems with Squid Authentication


 

My Kerberos Authentication doesn't work. This is very hard!


 


My Squid3 is join in the Domain


kinit and klist are ok


wbinfo -g and wbinfo -u are ok too.


 


I have created the squid3 file in /etc/default with the following content: 


KRB5_KTNAME=/etc/squid3/HTTP.keytab


export KRB5_KTNAME


 


I have two keytab files:


/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)


 


I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages because my Squid server is Debian 8. But I didn't use msktutil tool. I have only joined Squid server in the Domain (net ads join -U administrator)


 


How can I debbug the problem?


How can I test kerberos authentication in terminal (command line)?


 


Below is my squid.conf file:


 


### Configuracoes Basicas


 


cache_mgr administrator at empresa.com.br


 


http_port 3128


 


#debug_options ALL,111,2 29,9 84,6


 


cache_mem 512 MB


cache_swap_low 80


cache_swap_high 90


 


maximum_object_size 512 MB


minimum_object_size 0 KB


 


maximum_object_size_in_memory 4096 KB


 


cache_replacement_policy heap LFUDA


memory_replacement_policy heap LFUDA


 


#Para não bloquear downloads


quick_abort_min -1 KB


 


 


#Resolve um problema com conexoes persistentes


detect_broken_pconn on


 


fqdncache_size 1024


 


### Parametros de atualizacao da memoria cache


refresh_pattern ^ftp:   1440   20%   10080


refresh_pattern ^gopher:   1440   0%   1440


refresh_pattern -i (/cgi-bin/|\?) 0 0%    0


refresh_pattern .      0   20%   4320


 


### Localizacao dos logs


access_log /var/log/squid3/access.log


cache_log /var/log/squid3/cache.log


 


 


### define a localizacao do cache de disco, tamanho, qtd de diretorios pai e subdiretorios


cache_dir aufs /var/spool/squid3 600 16 256


 


auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br at EMPRESA.COM.BR


auth_param negotiate children 20


auth_param negotiate keep_alive on


 


visible_hostname proxy.empresa.com.br


 


### acls


#acl manager proto cache_object


acl localhost src MailScanner warning: numerical links are often malicious: 192.168.200.7/32


acl to_localhost dst MailScanner warning: numerical links are often malicious: 192.168.200.7/32


acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin


acl Safe_ports port 21       # ftp


acl Safe_ports port 70       # gopher


acl Safe_ports port 80       # http


acl Safe_ports port 88       # kerberos


acl Safe_ports port 210       # wais


acl Safe_ports port 280       # http-mgmt


acl Safe_ports port 389       # ldap


acl Safe_ports port 443    # https


acl Safe_ports port 488       # gss-http


acl Safe_ports port 563       # snews


acl Safe_ports port 591       # filemaker


acl Safe_ports port 777       # multiling http


acl Safe_ports port 3001         # imprenssa nacional


acl Safe_ports port 8080    # http


acl Safe_ports port 1025-65535    # unregistered ports


 


acl purge method PURGE


acl CONNECT method CONNECT


 


 


### Regras iniciais do Squid


http_access allow localhost


http_access allow purge localhost


http_access deny purge


http_access deny !Safe_ports


http_access deny CONNECT !SSL_ports


 


### Exige autenticacao


acl autenticados proxy_auth REQUIRED


http_access allow autenticados


 


 


 


### Rede do Local #####


acl rede_local src MailScanner warning: numerical links are often malicious: 192.168.200.0/22 


 


 


### Nega acesso de quem nao esta na rede local


http_access allow rede_local 


 


#negando o acesso para todos que nao estiverem nas regras anteriores


http_access deny all


 


### Erros em portugues


error_directory /usr/share/squid3/errors/pt-br


 


#cache_effective_user proxy


coredump_dir /var/spool/squid3


 


 


Regards,


 


Márcio




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160819/381d99e8/attachment-0001.html>


More information about the squid-users mailing list