[squid-users] SSO (kerberos)
erdosain9
erdosain9 at gmail.com
Tue Sep 20 16:50:56 UTC 2016
Ok,
Well, I have these settings
-----------------------------------------------------------------------------------------------------------------------------
cat /etc/sysconfig/squid
# Kerberos authentication
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME
# # default squid options
SQUID_OPTS=""
#
# # Time to wait for Squid to shut down when asked. Should not be necessary
# # most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
#
# # default squid conf file
SQUID_CONF="/etc/squid/squid.conf"
# ~ "
-----------------------------------------------------------------------------------------------------------------------------
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
EXAMPLE.LAN = {
kdc = ads-1.example.lan
kdc = ads-2.example.lan
admin_server = ads-1.example.lan
default_domain = example.lan
}
[domain_realm]
.example.lan = EXAMPLE.LAN
example.lan = EXAMPLE.LAN
---------------------------------------------------------------------------------------------------------------------------------
/etc/samba/smb.conf
[global]
local master = no
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LAN
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
---------------------------------------------------------------------------------
SQUID.CONF
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -d -s HTTP/squid.example.lan@EXAMPLE.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow all auth
--------------------------------------------------------------------------------------
cat /var/log/squid/cache.log
2016/09/20 13:50:00| Set Current Directory to /var/spool/squid
2016/09/20 13:50:00| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2016/09/20 13:50:32 kid1| Service Name: squid
2016/09/20 13:50:32 kid1| Process ID 2014
2016/09/20 13:50:32 kid1| Process Roles: worker
2016/09/20 13:50:32 kid1| With 16384 file descriptors available
2016/09/20 13:50:32 kid1| Initializing IP Cache...
2016/09/20 13:50:32 kid1| DNS Socket created at [::], FD 9
2016/09/20 13:50:32 kid1| DNS Socket created at 0.0.0.0, FD 10
2016/09/20 13:50:32 kid1| Adding nameserver 192.168.1.1 from squid.conf
2016/09/20 13:50:32 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/09/20 13:50:32 kid1| helperOpenServers: Starting 0/20 'negotiate_kerberos_auth' processes
2016/09/20 13:50:32 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
2016/09/20 13:50:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2016/09/20 13:50:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2016/09/20 13:50:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/09/20 13:50:32 kid1| Store logging disabled
2016/09/20 13:50:32 kid1| Swap maxSize 1024000 + 262144 KB, estimated 98934 objects
2016/09/20 13:50:32 kid1| Target number of buckets: 4946
2016/09/20 13:50:32 kid1| Using 8192 Store buckets
2016/09/20 13:50:32 kid1| Max Mem size: 262144 KB
2016/09/20 13:50:32 kid1| Max Swap size: 1024000 KB
2016/09/20 13:50:32 kid1| Rebuilding storage in /var/spool/squid (clean log)
2016/09/20 13:50:32 kid1| Using Least Load store dir selection
2016/09/20 13:50:32 kid1| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Finished loading MIME types and icons.
2016/09/20 13:50:32 kid1| HTCP Disabled.
2016/09/20 13:50:32 kid1| Squid plugin modules loaded: 0
2016/09/20 13:50:32 kid1| Adaptation support is off.
2016/09/20 13:50:32 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.1.109:3128 remote=[::] FD 18 flags=9
2016/09/20 13:50:32 kid1| Store rebuilding is 9.41% complete
2016/09/20 13:50:32 kid1| Done reading /var/spool/squid swaplog (42515 entries)
2016/09/20 13:50:32 kid1| Finished rebuilding storage from disk.
2016/09/20 13:50:32 kid1| 42515 Entries scanned
2016/09/20 13:50:32 kid1| 0 Invalid entries.
2016/09/20 13:50:32 kid1| 0 With invalid flags.
2016/09/20 13:50:32 kid1| 42515 Objects loaded.
2016/09/20 13:50:32 kid1| 0 Objects expired.
2016/09/20 13:50:32 kid1| 0 Objects cancelled.
2016/09/20 13:50:32 kid1| 0 Duplicate URLs purged.
2016/09/20 13:50:32 kid1| 0 Swapfile clashes avoided.
2016/09/20 13:50:32 kid1| Took 0.08 seconds (529577.36 objects/sec).
2016/09/20 13:50:32 kid1| Beginning Validation Procedure
2016/09/20 13:50:32 kid1| Completed Validation Procedure
2016/09/20 13:50:32 kid1| Validated 42514 Entries
2016/09/20 13:50:32 kid1| store_swap_size = 921596.00 KB
2016/09/20 13:50:33 kid1| storeLateRelease: released 0 objects
2016/09/20 13:50:47 kid1| Starting new negotiateauthenticator helpers...
2016/09/20 13:50:47 kid1| helperOpenServers: Starting 1/20 'negotiate_kerberos_auth' processes
negotiate_kerberos_auth.cc(487): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/PROXY.keytab
negotiate_kerberos_auth.cc(570): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_2018
negotiate_kerberos_auth.cc(610): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/09/20 13:50:47 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
-----------------------------------------------------------------------------------------------------------------------------------------
access.log
1474390313.371 0 192.168.1.121 TCP_DENIED/407 4334 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html
1474390313.374 0 192.168.1.121 TCP_DENIED/407 4334 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html
1474390449.644 0 192.168.1.121 TCP_DENIED/407 4167 CONNECT www.google.com:443 - HIER_NONE/- text/html
1474390449.651 0 192.168.1.121 TCP_DENIED/407 4270 CONNECT www.google.com:443 - HIER_NONE/- text/html
1474390464.320 0 192.168.1.121 TCP_DENIED/407 4175 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1474390464.326 0 192.168.1.121 TCP_DENIED/407 4278 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
So...... what can I do??
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSO-kerberos-tp4679470p4679618.html
Sent from the Squid - Users mailing list archive at Nabble.com.
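The cache.log excerpt in the post shows negotiate_kerberos_auth answering BH because the token it was handed begins with the NTLMSSP signature rather than a GSS-API/SPNEGO header. The following Python script is an added example, not part of the original post and not Squid's or the helper's own code: it pulls the base64 token out of a negotiate_kerberos_auth DEBUG line, decodes it, and reports whether the client sent raw NTLM (and which message type and client version) or a GSS-API token (and which mechanism OID). The sample log line is constructed from the one in the post and carries the same token; the SPNEGO sample is a constructed outer header only, not a full NegTokenInit. The function names (parse_helper_debug_line, classify_token, classify_b64) are this example's own.

```python
"""Classify the GSS token that negotiate_kerberos_auth logged (added example)."""
import base64
import re
import struct

# Constructed sample: the helper DEBUG line from the cache.log excerpt, joined
# onto one line. The base64 token is the one the helper logged.
SAMPLE_LOG_LINE = (
    "negotiate_kerberos_auth: DEBUG: Got 'YR "
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid "
    "(length: 59)."
)

# Constructed sample: the start of an RFC 2743 InitialContextToken carrying the
# SPNEGO mechanism OID, i.e. the framing a Kerberos-capable browser sends.
# Only the outer header is present; it is not a complete NegTokenInit.
SAMPLE_SPNEGO_B64 = base64.b64encode(
    b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00"
).decode()

# DER-encoded mechanism OIDs a Negotiate helper may see in the outer token.
GSS_MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("2a864886f712010202"): "Kerberos v5 1.2.840.113554.1.2.2",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos v5 1.2.840.48018.1.2.2",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP 1.3.6.1.4.1.311.2.2.10",
}

# Squid hands the helper 'YR <token>' for a client's first token and
# 'KK <token>' for continuations of the same exchange.
HELPER_TOKEN_RE = re.compile(r"Got '(YR|KK) ([A-Za-z0-9+/=]+)' from squid")


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw: bytes) -> dict:
    """Say what kind of token this is: raw NTLMSSP, GSS-API (by mech OID) or unknown."""
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 16:
        # MS-NLMP header: 8-byte signature, then MessageType and NegotiateFlags
        # as little-endian uint32.
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"kind": "raw NTLM", "ntlm_type": msg_type, "flags": flags}
        if msg_type == 1 and len(raw) >= 40:
            # Optional Version field of a NEGOTIATE_MESSAGE at offset 32:
            # ProductMajorVersion, ProductMinorVersion (1 byte each), ProductBuild (uint16 LE).
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":
        # InitialContextToken: [APPLICATION 0] { OID mech, innerContextToken }
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            return {"kind": "GSS-API",
                    "mech": GSS_MECH_OIDS.get(oid, "unknown OID " + oid.hex())}
    return {"kind": "unrecognised"}


def classify_b64(token_b64: str) -> dict:
    """Decode a base64 token as logged by the helper and classify it."""
    raw = base64.b64decode(token_b64)
    info = classify_token(raw)
    info["decoded_length"] = len(raw)
    return info


def parse_helper_debug_line(line: str):
    """Extract and classify the token from a negotiate_kerberos_auth DEBUG line."""
    m = HELPER_TOKEN_RE.search(line)
    if not m:
        return None
    command, token_b64 = m.groups()
    info = classify_b64(token_b64)
    info["helper_command"] = command
    return info


if __name__ == "__main__":
    print("cache.log line:", parse_helper_debug_line(SAMPLE_LOG_LINE))
    print("SPNEGO sample: ", classify_b64(SAMPLE_SPNEGO_B64))
```

Run against the line from the post, the script reports a raw NTLM NEGOTIATE_MESSAGE (type 1, 40 bytes) from a client reporting version 6.1.7601, which matches the helper's own WARNING and BH result: negotiate_kerberos_auth only handles Kerberos/SPNEGO, so bare NTLM can never succeed there. In practice a browser sends bare NTLM when it could not obtain a Kerberos service ticket for the proxy, so seeing this in the log points the investigation at the client side (the proxy name configured in the browser must match the HTTP/ SPN in the keytab, and the client must be able to reach a KDC) rather than at the keytab load, which the earlier INFO lines show succeeded.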