[squid-users] please, can someone help me with the negotiate kerberos?
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 17 10:22:59 UTC 2020
Hi Rafael,
Yes, I agree, this is the other most simple way, but I suggest you remove/change on this page:
https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
The generated Kerberos configuration file will usually look like:
[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1
These are really outdated. ;-)
To (just the default):
[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
Keytabs and Samba, read:
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction
Greetz,
Louis
> -----Original Message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of
> Rafael Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with
> the negotiate kerberos?
>
> Hello Rafael,
>
> There is an easier option *without* joining the Squid machine
> to the domain. See the tutorial at
> https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
> (it also applies to vanilla Squid without our UI; you would just
> need to do more manual steps).
>
> Raf
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org>
> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] please, can someone help me with the
> negotiate kerberos?
>
> Hello! I think I did almost everything right. Firstly I made
> it in a test environment with Debian Stretch running Squid 3.5
> and a Windows Server 2008 based domain controller, and it worked!
>
> But when I tried to deploy it in the production environment
> running Debian Stretch, Squid 3.5 and Windows Server 2012 as
> the domain controller, the authentication never works; the
> file /var/log/squid/cache.log shows this:
>
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication
> validating user.
> Result: {result=BH, notes={message: gss_acquire_cred()
> failed: Unspecified GSS failure. Minor code may provide more
> information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND
> NUMBERS)' from squid
> (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND
> NUMBERS)' (decoded
> length: 1826).
>
> Obs1: I replaced a big string of letters and numbers with
> "(LETTERS AND NUMBERS)".
> Obs2: I posted more of the file at this link:
> https://pastebin.com/Z2fe98dB
>
> Well, the results of running kinit -kt /etc/squid/HTTP.keytab
> HTTP/squid2.domain.local at DOMAIN.LOCAL:
> root at SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/squid2.domain.local at DOMAIN.LOCAL
>
> Valid starting Expires Service principal
> 02/15/2020 10:55:32 02/15/2020 20:55:32
> krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> renew until 02/16/2020 09:55:32
>
> The results of running: klist -kte /etc/squid/HTTP.keytab
>
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp Principal
> ---- -------------------
> ------------------------------------------------------
> 1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
> 1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
> 1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (arcfour-hmac)
> 1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL (arcfour-hmac)
> 1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
> 3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
> 3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (arcfour-hmac)
> 3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL (arcfour-hmac)
> 3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
> 3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>
> And the results of running: root at SERVER:~#
> /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
> Token: (Alonglinewithnumbersandletters)
>
> The contents of /etc/krb5.conf:
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_kdc = no
> dns_lookup_realm = no
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid/HTTP.keytab
>
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> DOMAIN.LOCAL = {
> kdc = dc01.domain.local
> admin_server = dc01.domain.local
> default_domain = domain.local
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
> domain.local = DOMAIN.LOCAL
>
> And the /etc/squid/squid.conf:
>
> http_port 3128
> dns_nameservers 200.198.5.4 200.198.5.5
> visible_hostname PROXY
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
>
> url_rewrite_program /usr/bin/squidGuard
>
> #auth parameter NEGOTIATE
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Safe_ports port 90 # metodo
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
> acl auth proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny !auth
> http_access allow auth
>
> In the domain controller I created the proper DNS records in
> the two zones: the host with Squid can have its IP resolved to
> its right hostname, and its hostname resolved to its right IP.
> In the clients I set the proxy as server.domain.local, and in
> the Squid access.log the requests come in but are all denied,
> and a prompt for user and password is shown to the user.
>
> Obs: the only data edited while posting was that I replaced
> our domain by domain.local, the name of the host by SERVER,
> and long strings of data in the cache log and negotiate
> kerberos test output; all the rest is what is really running in
> the files.
>
> Please, someone help me. I tried to read everything I could
> find but I am not finding how to understand what I am doing
> wrong. Thanks in advance, D:
>
> --
> Sent from:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users
> -f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
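As an added example (not from the thread, Squid or Diladele), a small Python checker that parses `klist -kte` output and reports whether the service principal passed to negotiate_kerberos_auth with -s exists in the keytab, which key version is newest, and which of its encryption types are the outdated ones Louis refers to. The sample listing is constructed from the keytab entries quoted in the thread, with real `@` signs in place of the archive's " at " rewriting; qualifying a bare SPN with the krb5.conf default realm is an assumption of this check.

```python
import re

# Constructed sample: a subset of the `klist -kte /etc/squid/HTTP.keytab`
# listing quoted in the thread, with the archive's " at " restored to "@".
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
"""
# One keytab entry per line: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# Enctypes the thread calls outdated: RC4 and single/triple DES.
WEAK_ENCTYPES = {"arcfour-hmac", "rc4-hmac", "des-cbc-crc", "des-cbc-md5",
                 "des3-cbc-sha1", "des3-hmac-sha1"}


def parse_keytab_listing(text):
    """Map principal -> {kvno -> set(enctypes)} from `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, _stamp, principal, enctype = m.groups()
        entries.setdefault(principal, {}).setdefault(int(kvno), set()).add(enctype)
    return entries


def check_service_principal(listing, spn, realm):
    """Is the `-s` principal in the keytab, and with which keys?

    A name absent from the keytab is exactly the condition behind the
    helper's "No principal in keytab matches desired name" error.
    """
    wanted = spn if "@" in spn else f"{spn}@{realm}"  # assumption: realm from krb5.conf
    entries = parse_keytab_listing(listing)
    if wanted not in entries:
        return {"found": False, "wanted": wanted, "available": sorted(entries)}
    newest = max(entries[wanted])  # the current key is normally the highest KVNO
    enctypes = entries[wanted][newest]
    return {"found": True, "wanted": wanted, "kvno": newest,
            "enctypes": sorted(enctypes),
            "weak": sorted(enctypes & WEAK_ENCTYPES)}
```

Run it against the real listing with `klist -kte /etc/squid/HTTP.keytab` piped in, and against the SPN from the `-s` argument in squid.conf; a non-empty "weak" list means the keytab still carries RC4 or DES keys for that principal.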