[squid-users] Kerberos authentication for squid

Tevfik Ceydeliler tevfik.ceydeliler at astron.yasar.com.tr
Fri Nov 11 06:50:06 UTC 2016


Hi,

I am trying to configure squid to use AD authentication via Kerberos.

And I have a keytab created with msktutil (PROXY.keytab).

I can run kinit, klist, wbinfo (-g, -u, -t) commands without any error.

Here is my auth_param configuration:

########################################################

### negotiate kerberos and ntlm authentication
#auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/local/squid/libexec/$
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 250
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100
auth_param ntlm keep_alive on

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -R -b "dc=domain,dc=grp" -D otpcheck@domain.grp -W /usr/local/squid/etc/ldappass.txt -f sAMAccountName=%s -h ldapsrv
auth_param basic children 100
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorisation
#external_acl_type nt_group %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -d -R -K -b "dc=domain,dc=grp" -D otpcheck@domain.grp -W /usr/local/squid/etc/ldappass.txt -f "(&(objectclass=person)(sAMAccount$
external_acl_type nt_group ttl=1800 negative_ttl=900 children-max=150 children-startup=10 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -b "dc=domain,dc=grp" -D otpcheck@domain.grp -W /usr/local/s$

#external_acl_type nt_group %LOGIN /usr/local/squid/libexec/ext_wbinfo_group_acl -d

authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
########################################################

And here is the PROXY.keytab content:

########################################################

    4 SQUIDPNBDC1$@DOMAIN.GRP
    4 SQUIDPNBDC1$@DOMAIN.GRP
    4 SQUIDPNBDC1$@DOMAIN.GRP
    4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
    4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
    4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
    7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
    7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
    7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
    8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP
    8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP
    8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP

#######################################################

Here is the problem:

When I set my browser's proxy configuration to "squiddc1.DOMAIN.grp" and then start to browse, I can't see a "username@domain.grp" log entry in access.log.

I think it means that Kerberos is not working.

Do you have any idea about that?

Regards
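A small audit of a keytab listing like the one in the post, added here as an example and not part of the original message or of Squid itself: it parses `klist -k` style output, checks whether the proxy name the browser is pointed at (passed in the case the client will put into the SPN, normally lower-case) is present as an exact `HTTP/` principal, flags entries that match only when letter case is ignored (MIT Kerberos compares keytab principals case-sensitively, so such an entry looks right in `klist -k` but is not found at lookup time), and reports the kvno of every `HTTP/` entry so that entries written at different times stand out. The function names and the result dictionary are my own; the sample listing is the one from the post with the list archive's " at " turned back into "@".

```python
import re
from collections import defaultdict

# Keytab listing from the post (kvno, principal), used as sample input.
SAMPLE_KLIST = """\
   4 SQUIDPNBDC1$@DOMAIN.GRP
   4 SQUIDPNBDC1$@DOMAIN.GRP
   4 SQUIDPNBDC1$@DOMAIN.GRP
   4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
   4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
   4 HTTP/SQUIDDC1.DOMAIN.grp@DOMAIN.GRP
   7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
   7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
   7 HTTP/proxy.DOMAIN.net@DOMAIN.GRP
   8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP
   8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP
   8 host/squiddc1.DOMAIN.grp@DOMAIN.GRP
"""

# One `klist -k` entry: a kvno followed by a principal; header lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(listing):
    """Return [(kvno, principal), ...] parsed from `klist -k` style text."""
    entries = []
    for line in listing.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def audit_keytab(listing, proxy_host, realm):
    """Check that the keytab holds the HTTP/ principal a client will request a ticket for.

    proxy_host must be given exactly as the client builds the SPN (the name
    configured in the browser, normally lower-case): MIT Kerberos looks up
    keytab principals case-sensitively.
    """
    entries = parse_klist(listing)
    wanted = f"HTTP/{proxy_host}@{realm}"
    principals = {p for _, p in entries}

    # Entries that differ from the wanted principal only by letter case.
    case_only = sorted(p for p in principals
                       if p.lower() == wanted.lower() and p != wanted)

    kvnos = defaultdict(set)
    for kvno, p in entries:
        kvnos[p].add(kvno)
    http_kvnos = {p: sorted(k) for p, k in kvnos.items() if p.startswith("HTTP/")}
    distinct = {k for ks in http_kvnos.values() for k in ks}

    return {
        "wanted": wanted,
        "exact_match": wanted in principals,
        "case_mismatch_only": case_only,
        "http_kvnos": http_kvnos,
        # HTTP/ SPNs of one service account share that account's key and kvno;
        # differing numbers mean the entries were not written from the same
        # account key, so one of them may not decrypt the tickets clients bring.
        "http_kvno_consistent": len(distinct) <= 1,
    }


def report(listing, proxy_host, realm):
    """Human-readable summary of audit_keytab(); returns the lines as a list."""
    r = audit_keytab(listing, proxy_host, realm)
    lines = [f"expected principal: {r['wanted']}",
             "exact match: " + ("yes" if r["exact_match"] else "NO")]
    for p in r["case_mismatch_only"]:
        lines.append(f"case-only match (not found by a case-sensitive lookup): {p}")
    for p, ks in sorted(r["http_kvnos"].items()):
        lines.append(f"{p}: kvno {','.join(map(str, ks))}")
    if not r["http_kvno_consistent"]:
        lines.append("WARNING: HTTP/ principals carry different kvnos")
    return lines


if __name__ == "__main__":
    # The host name as a browser configured with "squiddc1.DOMAIN.grp" sends it.
    print("\n".join(report(SAMPLE_KLIST, "squiddc1.domain.grp", "DOMAIN.GRP")))
```

Run it against the real file with the output of `klist -k PROXY.keytab` piped into `parse_klist`; the same check is worth repeating for every name clients might use for the proxy (here also `proxy.DOMAIN.net`), since each name needs its own exact `HTTP/` entry.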

