[squid-users] please, can someone help me with the negotiate kerberos?
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 17 09:18:58 UTC 2020
PS, forgot to say:
After installing winbind and setting up smb.conf,
join the domain of course.
net ads join -U Administrator
or,
kinit Administrator
net ads join -k yes
In Debian, there is no need to change any files except the smb.conf as shown.
All other defaults should work out of the box.
> -----Original message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> L.P.H. van Belle
> Sent: Monday 17 February 2020 10:00
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with
> the negotiate kerberos?
>
> Hi,
>
> This is the most stable way to run with kerberos, or at least for me.
> * The below has worked for me with samba 3.x-4.11.x and squid
> 3.2 up to 4.10.
>
> I'm running this on Debian Buster now. ( samba 4.11.6 + squid 4.10 )
> ( all packaged in own repo.)
>
> 1) Set up samba and join the domain. This assumes an auth-only setup.
> Install winbind and set up smb.conf:
>
> #Example auth only smb.conf
> [global]
> workgroup = NTDOM_IN_CAPS
> security = ads
> realm = YOUR.REALM.TLD_IN_CAPS
>
> netbios name = HOSTNAME_IN_CAPS
> preferred master = no
> domain master = no
> host msdfs = no
>
> interfaces = 192.168.0.1 127.0.0.1
> bind interfaces only = yes
> dns proxy = yes
>
> # Add and update TLS key
> # Consider using certificates for samba also, you can re-use them in squid.
> tls enabled = yes
> tls keyfile = /etc/ssl/local/proxy1.key.pem
> tls certfile = /etc/ssl/local/proxy1.cert.pem
> tls cafile = /etc/ssl/certs/ca.pem
>
> ## map ids outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain, the ranges may not overlap!
> # backend rid, assuming no Windows use except proxy/auth.
> idmap config NTDOM : backend = rid
> idmap config NTDOM : range = 10000-3999999
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket ! MUST USE THIS
> winbind refresh tickets = yes
>
> # Optional use.
> winbind use default domain = yes
>
> # enable offline logins
> winbind offline logon = yes
>
> # Added for freeradius support, if needed.
> #ntlm auth = mschapv2-and-ntlmv2-only
>
> # disable usershare creation, when set empty there are no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #
>
> And start winbind
>
> Now create the squid keytab file.
> KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
> chown proxy:proxy /root/squid.keytab
> chmod 640 /root/squid.keytab
>
> And you're done, move the keytab to where you need it.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: squid-users
> > [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> > Rafael Silva Daniel
> > Sent: Sunday 16 February 2020 20:16
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] please, can someone help me with
> > the negotiate kerberos?
> >
> > Hey guys! I'm still testing it, but I think I found my
> > mistake, so I will leave it here for future reference.
> >
> > I compared the way I arranged things in my test environment
> > with the production environment, and noticed some differences in the
> > keytab. I still don't know if it's obligatory, I'm still testing it, but when I
> > deleted the keytab, the account for the keytab in AD, and the account for the
> > machine in the Active Directory, and created another one, I used a different
> > name for HTTP/
> >
> > Like, the way I did it that didn't work:
> >
> > msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28
> >
> > The way I did it that worked:
> >
> > msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squidproxy.domain.local --server dc01.domain.local --verbose --enctypes 28
> >
> >
> >
> > --
> > Sent from:
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
>
>
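Both posts above come down to the same check: the keytab squid reads must hold a key for exactly the HTTP/ SPN that browsers will request (the proxy name they are configured with, squidproxy.domain.local in Rafael's case, not the computer account name squid2), and it must carry usable enctypes. The `--enctypes 28` in Rafael's msktutil command is a bitmask in the msDS-SupportedEncryptionTypes format (0x1 des-cbc-crc, 0x2 des-cbc-md5, 0x4 rc4-hmac, 0x8 aes128-cts-hmac-sha1-96, 0x10 aes256-cts-hmac-sha1-96), so 28 = 4 + 8 + 16 = RC4 plus both AES types. The following script is an added example, not code from either poster: it decodes that bitmask and parses the output of `klist -k -e -t KEYTAB` (MIT Kerberos format, which prints RC4 as `arcfour-hmac`) to confirm the expected SPN is present with at least one AES key. The sample listing, the proxy FQDN and the realm DOMAIN.LOCAL are constructed for illustration; on a real host replace `SAMPLE_KLIST` with `$(klist -k -e -t /etc/squid/HTTP.keytab)` run as the squid user, which also proves the chown/chmod from Louis's procedure worked.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): sanity checks for a
# squid HTTP/ service keytab. Assumes MIT Kerberos klist output format and
# a hypothetical proxy name squidproxy.domain.local in realm DOMAIN.LOCAL.

# Decode an msktutil --enctypes / msDS-SupportedEncryptionTypes bitmask
# into enctype names (bit values as documented in msktutil(1)).
decode_enctypes() {
    mask=$1
    out=""
    if [ $((mask & 1)) -ne 0 ]; then out="$out des-cbc-crc"; fi
    if [ $((mask & 2)) -ne 0 ]; then out="$out des-cbc-md5"; fi
    if [ $((mask & 4)) -ne 0 ]; then out="$out rc4-hmac"; fi
    if [ $((mask & 8)) -ne 0 ]; then out="$out aes128-cts-hmac-sha1-96"; fi
    if [ $((mask & 16)) -ne 0 ]; then out="$out aes256-cts-hmac-sha1-96"; fi
    printf '%s\n' "${out# }"
}

# List the distinct principals found in a "klist -k -e -t" listing ($1),
# so an SPN/computer-name mismatch like HTTP/squid2 vs HTTP/squidproxy
# is visible at a glance.
keytab_spns() {
    printf '%s\n' "$1" | awk '
        /@/ {
            line = $0
            sub(/ \(.*$/, "", line)      # drop the trailing " (enctype)"
            n = split(line, f, " ")
            print f[n]                   # principal is the last remaining field
        }' | sort -u
}

# Print the enctypes stored for one SPN ($2, e.g. HTTP/squidproxy.domain.local)
# in the listing ($1). The "@" suffix prevents HTTP/squid matching HTTP/squid2.
keytab_spn_enctypes() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        index($0, spn "@") {
            e = $NF
            gsub(/[()]/, "", e)
            print e
        }'
}

# Succeed only if the SPN exists in the keytab with at least one AES key,
# i.e. the ticket a modern AD client requests for it can be decrypted.
keytab_has_aes_spn() {
    keytab_spn_enctypes "$1" "$2" | grep -q '^aes'
}

# Constructed sample of "klist -k -e -t /etc/squid/HTTP.keytab" output
# (not captured from a real host) for the keytab Rafael's working
# msktutil command would produce with --enctypes 28.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/16/2020 20:00:00 HTTP/squidproxy.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 02/16/2020 20:00:00 HTTP/squidproxy.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   2 02/16/2020 20:00:00 HTTP/squidproxy.domain.local@DOMAIN.LOCAL (arcfour-hmac)
EOF
)

PROXY_FQDN=squidproxy.domain.local   # the name browsers use, not the computer account

echo "msktutil --enctypes 28 = $(decode_enctypes 28)"
echo "principals in keytab:"
keytab_spns "$SAMPLE_KLIST"
if keytab_has_aes_spn "$SAMPLE_KLIST" "HTTP/$PROXY_FQDN"; then
    echo "OK: HTTP/$PROXY_FQDN present with AES key"
else
    echo "MISSING: no AES key for HTTP/$PROXY_FQDN, recreate the keytab with the right SPN" >&2
fi
```

If the keytab holds only an `arcfour-hmac` key, or only the wrong SPN, browsers configured with the proxy FQDN will obtain a ticket the helper cannot decrypt and Negotiate authentication fails, which is exactly the symptom Rafael fixed by re-creating the account with the proxy name as the SPN.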