[squid-users] SSO (kerberos)

erdosain9 erdosain9 at gmail.com
Tue Sep 20 16:50:56 UTC 2016


Ok,
Well, I have these settings:

-----------------------------------------------------------------------------------------------------------------------------
cat /etc/sysconfig/squid
# Kerberos authentication
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME
# # default squid options
SQUID_OPTS=""
#
# # Time to wait for Squid to shut down when asked. Should not be necessary
# # most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
#
# # default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

-----------------------------------------------------------------------------------------------------------------------------
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_kdc = no 
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
    EXAMPLE.LAN = {
        kdc = ads-1.example.lan
        kdc = ads-2.example.lan
        admin_server = ads-1.example.lan
        default_domain = example.lan
    }

[domain_realm]
    .example.lan = EXAMPLE.LAN
    example.lan = EXAMPLE.LAN

---------------------------------------------------------------------------------------------------------------------------------

/etc/samba/smb.conf
[global]

local master = no
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LAN

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
     
---------------------------------------------------------------------------------

SQUID.CONF
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -d -s HTTP/squid.example.lan@EXAMPLE.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED
http_access allow all auth


--------------------------------------------------------------------------------------

cat /var/log/squid/cache.log
2016/09/20 13:50:00| Set Current Directory to /var/spool/squid
2016/09/20 13:50:00| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2016/09/20 13:50:32 kid1| Service Name: squid
2016/09/20 13:50:32 kid1| Process ID 2014
2016/09/20 13:50:32 kid1| Process Roles: worker
2016/09/20 13:50:32 kid1| With 16384 file descriptors available
2016/09/20 13:50:32 kid1| Initializing IP Cache...
2016/09/20 13:50:32 kid1| DNS Socket created at [::], FD 9
2016/09/20 13:50:32 kid1| DNS Socket created at 0.0.0.0, FD 10
2016/09/20 13:50:32 kid1| Adding nameserver 192.168.1.1 from squid.conf
2016/09/20 13:50:32 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
2016/09/20 13:50:32 kid1| helperOpenServers: Starting 0/20 'negotiate_kerberos_auth' processes
2016/09/20 13:50:32 kid1| helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
2016/09/20 13:50:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2016/09/20 13:50:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2016/09/20 13:50:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/09/20 13:50:32 kid1| Store logging disabled
2016/09/20 13:50:32 kid1| Swap maxSize 1024000 + 262144 KB, estimated 98934 objects
2016/09/20 13:50:32 kid1| Target number of buckets: 4946
2016/09/20 13:50:32 kid1| Using 8192 Store buckets
2016/09/20 13:50:32 kid1| Max Mem  size: 262144 KB
2016/09/20 13:50:32 kid1| Max Swap size: 1024000 KB
2016/09/20 13:50:32 kid1| Rebuilding storage in /var/spool/squid (clean log)
2016/09/20 13:50:32 kid1| Using Least Load store dir selection
2016/09/20 13:50:32 kid1| Set Current Directory to /var/spool/squid
2016/09/20 13:50:32 kid1| Finished loading MIME types and icons.
2016/09/20 13:50:32 kid1| HTCP Disabled.
2016/09/20 13:50:32 kid1| Squid plugin modules loaded: 0
2016/09/20 13:50:32 kid1| Adaptation support is off.
2016/09/20 13:50:32 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.1.109:3128 remote=[::] FD 18 flags=9
2016/09/20 13:50:32 kid1| Store rebuilding is 9.41% complete
2016/09/20 13:50:32 kid1| Done reading /var/spool/squid swaplog (42515 entries)
2016/09/20 13:50:32 kid1| Finished rebuilding storage from disk.
2016/09/20 13:50:32 kid1|     42515 Entries scanned
2016/09/20 13:50:32 kid1|         0 Invalid entries.
2016/09/20 13:50:32 kid1|         0 With invalid flags.
2016/09/20 13:50:32 kid1|     42515 Objects loaded.
2016/09/20 13:50:32 kid1|         0 Objects expired.
2016/09/20 13:50:32 kid1|         0 Objects cancelled.
2016/09/20 13:50:32 kid1|         0 Duplicate URLs purged.
2016/09/20 13:50:32 kid1|         0 Swapfile clashes avoided.
2016/09/20 13:50:32 kid1|   Took 0.08 seconds (529577.36 objects/sec).
2016/09/20 13:50:32 kid1| Beginning Validation Procedure
2016/09/20 13:50:32 kid1|   Completed Validation Procedure
2016/09/20 13:50:32 kid1|   Validated 42514 Entries
2016/09/20 13:50:32 kid1|   store_swap_size = 921596.00 KB
2016/09/20 13:50:33 kid1| storeLateRelease: released 0 objects
2016/09/20 13:50:47 kid1| Starting new negotiateauthenticator helpers...
2016/09/20 13:50:47 kid1| helperOpenServers: Starting 1/20 'negotiate_kerberos_auth' processes
negotiate_kerberos_auth.cc(487): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/PROXY.keytab
negotiate_kerberos_auth.cc(570): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_2018
negotiate_kerberos_auth.cc(610): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=2018 :2016/09/20 13:50:47| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/09/20 13:50:47 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

-----------------------------------------------------------------------------------------------------------------------------------------

access.log
1474390313.371      0 192.168.1.121 TCP_DENIED/407 4334 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html
1474390313.374      0 192.168.1.121 TCP_DENIED/407 4334 CONNECT incoming.telemetry.mozilla.org:443 - HIER_NONE/- text/html
1474390449.644      0 192.168.1.121 TCP_DENIED/407 4167 CONNECT www.google.com:443 - HIER_NONE/- text/html
1474390449.651      0 192.168.1.121 TCP_DENIED/407 4270 CONNECT www.google.com:443 - HIER_NONE/- text/html
1474390464.320      0 192.168.1.121 TCP_DENIED/407 4175 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1474390464.326      0 192.168.1.121 TCP_DENIED/407 4278 CONNECT www.facebook.com:443 - HIER_NONE/- text/html


So... what can I do?




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSO-kerberos-tp4679470p4679618.html
Sent from the Squid - Users mailing list archive at Nabble.com.
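The helper's complaint is that the browser put an NTLMSSP type 1 message (the client's capability announcement, which carries no credentials) behind the Negotiate header instead of a Kerberos/SPNEGO token, which negotiate_kerberos_auth cannot validate. The following Python is an added example, not code from the original post or from Squid: it decodes such a token to show which mechanism the client actually chose and, for an NTLM type 1 message, its negotiate flags and the OS version the client reports, so one can tell a client-side fallback apart from a keytab or helper problem. The token is the one from the cache.log above; the SPNEGO and Kerberos samples are constructed minimal GSS-API headers.

```python
import base64
import struct

# NTLM negotiate flags (MS-NLMP 2.2.2.5) worth reporting when a client falls back to NTLM
NTLM_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                # DER OID 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"      # DER OID 1.2.840.113554.1.2.2

# Token from the cache.log above (an NTLM type 1 message; it carries no credentials)
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed minimal GSS-API InitialContextToken headers, only what the classifier inspects
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()
SAMPLE_KRB5 = base64.b64encode(b"\x60\x0b" + KRB5_OID).decode()


def classify_negotiate_token(b64_token):
    """Report what a client actually put behind 'Proxy-Authorization: Negotiate'."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mechanism": "NTLMSSP", "ntlm_type": msg_type}
        if msg_type == 1 and len(raw) >= 32:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [n for b, n in sorted(NTLM_FLAGS.items()) if flags & b]
            if flags & 0x02000000 and len(raw) >= 40:   # NEGOTIATE_VERSION: version block follows
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw[:1] == b"\x60":   # GSS-API [APPLICATION 0] token; the mech OID follows the length
        if SPNEGO_OID in raw[:16]:
            return {"mechanism": "SPNEGO"}
        if KRB5_OID in raw[:24]:
            return {"mechanism": "Kerberos"}
        return {"mechanism": "GSS-API (other mech)"}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    for name, tok in (("cache.log token", PAGE_TOKEN), ("spnego sample", SAMPLE_SPNEGO)):
        print(name, classify_negotiate_token(tok))
```

For the token in the log the result is NTLMSSP type 1 from a 6.1 build 7601 client, which is why the Kerberos-only helper answers BH; a working SSO client would show SPNEGO or Kerberos here.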