[squid-users] Authenticacion with Active Directory fails

Yuri Voinov yvoinov at gmail.com
Thu Jul 14 18:21:21 UTC 2016


http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Configuring_a_Squid_Server_to_authenticate_from_Kerberos

14.07.2016 23:59, Yuri Voinov writes:
>
> Man,
>
> did you RTFM?
>
> Kerberos security has a perfect manual.
>
>
> 14.07.2016 22:07, Sergio Belkin writes:
> > Hi,
> >
> > Using squid squid-3.5.19-1.el7.centos.x86_64,
> >
> > I obtain a kerberos ticket but I get the following when trying to use the proxy:
> >
> > 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> > 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> >
> > My squid.conf is as follows:
> >
> > acl localnet src 10.0.0.0/8
> > acl localnet src 172.16.0.0/12
> > acl localnet src 192.168.0.0/16
> > acl localnet src fc00::/7
> > acl localnet src fe80::/10
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 21
> > acl Safe_ports port 443
> > acl Safe_ports port 70
> > acl Safe_ports port 210
> > acl Safe_ports port 1025-65535
> > acl Safe_ports port 280
> > acl Safe_ports port 488
> > acl Safe_ports port 591
> > acl Safe_ports port 777
> > acl CONNECT method CONNECT
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> > acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > acl social_ips src "/etc/squid/acls/social_ips"
> > acl social_dom dstdomain "/etc/squid/acls/social_dom"
> > auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > acl kerb_auth proxy_auth REQUIRED
> > ssl_bump peek step1 all
> > ssl_bump splice nobumpSites
> > ssl_bump bump
> > http_access allow kerb_auth
> > http_access deny social_ips
> > http_access deny social_dom
> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> > acl connect method CONNECT
> > http_access deny connect numeric_IPs all
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> > always_direct allow all
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> > visible_hostname proxy.example.local
> > http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> > refresh_pattern .               0       20%     4320
> > url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
> > url_rewrite_children 64
> > access_log daemon:/var/log/squid/access.log combined
> >
> > And klist output:
> >
> > klist -k /etc/squid/HTTP.keytab
> >
> > Keytab name: FILE:/etc/squid/HTTP.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >
> > End of output,
> >
> > Please could you help me? Am I doing something wrong?
> >
> > Thanks in advance!
> >
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
>
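The quoted cache.log lines show Squid issuing a 407 Negotiate challenge on every request and never seeing a Proxy-Authorization header come back, while the quoted keytab does contain the SPN named with -s. The script below, added here as an example and not code from this thread or from the Squid project, cross-checks those three artifacts the way a defender would before touching the KDC: it extracts the -s SPN from squid.conf, maps the klist -k listing to principal/KVNO sets, and classifies the debug lines as "challenged" versus "credentials received". The sample squid.conf, klist output and log excerpt are constructed from the thread's values (with the list archive's " at " obfuscation restored to "@"); the visible_hostname comparison is only a hint, since the authoritative name is whatever proxy address the clients are configured with.

```python
import re
from collections import defaultdict

# Constructed sample data modelled on the thread (hostnames and realm are the
# thread's example values; only the lines relevant to Negotiate auth are kept).
SQUID_CONF = """\
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_auth proxy_auth REQUIRED
visible_hostname proxy.example.local
"""

KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/proxy.example.local@EXAMPLE.LOCAL
   2 host/proxy.example.local@EXAMPLE.LOCAL
   2 KANBAN$@EXAMPLE.LOCAL
   2 HTTP/proxy.example.local@EXAMPLE.LOCAL
   2 HTTP/proxy.example.local@EXAMPLE.LOCAL
   2 HTTP/proxy@EXAMPLE.LOCAL
"""

CACHE_LOG = """\
2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
"""

# One keytab entry per line: "<kvno> <principal>"; header/separator lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def configured_spn(conf_text):
    """Return the service principal passed to negotiate_kerberos_auth with -s, or None."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts[:3] == ["auth_param", "negotiate", "program"] and "-s" in parts:
            idx = parts.index("-s")
            if idx + 1 < len(parts):
                return parts[idx + 1]
    return None


def keytab_principals(klist_text):
    """Map every principal in klist -k output to the set of KVNOs present for it."""
    found = defaultdict(set)
    for line in klist_text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and "@" in m.group(2):
            found[m.group(2)].add(int(m.group(1)))
    return dict(found)


def check_keytab(conf_text, klist_text):
    """Cross-check squid.conf against the keytab; returns a list of findings."""
    findings = []
    spn = configured_spn(conf_text)
    principals = keytab_principals(klist_text)
    if spn is None:
        findings.append("no -s SPN configured for negotiate_kerberos_auth")
        return findings
    if spn not in principals:
        findings.append(f"configured SPN {spn} is not in the keytab")
    else:
        kvnos = sorted(principals[spn])
        if len(kvnos) > 1:
            findings.append(f"{spn} has multiple KVNOs {kvnos}; check which one the KDC issues")
        else:
            findings.append(f"{spn} present with KVNO {kvnos[0]}")
    # Clients request a ticket for HTTP/<the proxy name they are configured with>;
    # visible_hostname is only a hint that the SPN host is the proxy's real name.
    host = spn.split("/", 1)[1].split("@", 1)[0] if "/" in spn else ""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts[:1] == ["visible_hostname"] and parts[1:] and parts[1] != host:
            findings.append(f"visible_hostname {parts[1]} differs from SPN host {host}")
    return findings


def negotiate_challenges(log_text):
    """Count Negotiate challenges and whether any request carried credentials."""
    lines = log_text.splitlines()
    challenged = sum(1 for l in lines if "No Proxy-Auth header" in l)
    # Any 'authenticate:' event that is not the missing-header message means a
    # Proxy-Authorization header reached Squid (helper success or failure aside).
    with_creds = any("authenticate:" in l and "No Proxy-Auth header" not in l for l in lines)
    return {"challenges": challenged, "client_sent_credentials": with_creds}


if __name__ == "__main__":
    for f in check_keytab(SQUID_CONF, KLIST_OUTPUT):
        print("keytab:", f)
    result = negotiate_challenges(CACHE_LOG)
    print("log:", result)
    if result["challenges"] and not result["client_sent_credentials"]:
        print("log: proxy challenged but no client ever answered; look at client-side"
              " proxy/Kerberos settings and the proxy hostname clients use, not the keytab")
```

On the thread's data the keytab check passes (the SPN is present with a single KVNO), and the log check reports challenges without any credential submission, which is the diagnostic that points away from the proxy's keytab and toward the client side.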
