Netgate Discussion Forum

    Squid+ad+kerberos

    Cache/Proxy
    Rarog

      Hello! pfSense 2.4.2_1
      I am setting up Squid to work with AD. I registered Squid in DNS, created a user, set up krb5.conf, and checked that I get a ticket. I created the principal and keytab and copied the keytab into /usr/local/etc/squid/. In the Squid settings, under Custom Options (Before Auth), I added these rules:

      auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidproxy.keytab
      auth_param negotiate children 1000
      auth_param negotiate keep_alive on
      acl auth proxy_auth REQUIRED
      http_access deny !auth
      http_access allow auth

      krb5.conf:
      [libdefaults]
          default_realm = EXAMPLE.LOCAL
          dns_lookup_realm = true
          dns_lookup_kdc = true

      [realms]
          EXAMPLE.LOCAL = {
              kdc = kdc.example.local
          }

      [domain_realm]
          .example.local = EXAMPLE.LOCAL
          example.local = EXAMPLE.LOCAL

      [logging]
          kdc = FILE:/var/log/kdc.log
          default = FILE:/var/log/krb5lib.log

      When I try to go to a site, I am prompted for a login and password, but authorization does not work. In Windows 7 the proxy address is set as the Squid FQDN, port 3128.

      access.log:
      negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Request ticket server HTTP/proxy.example.local@EXAMPLE.LOCAL not found in keytab (ticket kvno 3)

      What's wrong with the keytab? I need Kerberos authorization, because with NTLM the log gets clogged with TCP_DENIED/407 messages and the site loses its connection.

      wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
      Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM.

      Rarog

        Perhaps the keytab was not fully created. Its size is 382 bytes. Can someone tell me why this happens?

        ktpass -out C:\squidproxy.keytab -princ HTTP/proxy.example.local@EXAMPLE.local -mapUser squid@EXAMPLE.LOCAL -crypto AES256-SHA1 -pass 'password' -ptype KRB5_NT_PRINCIPAL

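        The error in the first post names the exact server principal and key version (kvno 3) that the client's ticket was issued for, and the ktpass line above shows the principal the keytab was written for. The following shell snippet is an added example, not code from this thread, from Netgate, or from Squid: it takes a `klist -kte` listing of the keytab and reports whether an entry matches that principal and kvno. It assumes the MIT Kerberos `klist` column layout (KVNO, date, time, principal, enctype); the listing embedded in it is constructed, and in practice you would feed it the output of `klist -kte /usr/local/etc/squid/squidproxy.keytab` on the proxy. The comparison is case-sensitive because Kerberos principal and realm names are, so it distinguishes a keytab entry for `HTTP/proxy.example.local@EXAMPLE.local` from a ticket for `HTTP/proxy.example.local@EXAMPLE.LOCAL`, the two spellings that appear in the posts above; it also separates a kvno mismatch (the account's password changed after the keytab was cut) from a principal that is absent altogether.

```shell
#!/bin/sh
# Constructed sample of `klist -kte` output (assumption: MIT Kerberos klist
# column layout: KVNO, date, time, principal, enctype). On the proxy run
#   klist -kte /usr/local/etc/squid/squidproxy.keytab
# and pass the real output to the functions below instead.
SAMPLE_LISTING='Keytab name: FILE:/usr/local/etc/squid/squidproxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/10/2018 10:15:00 HTTP/proxy.example.local@EXAMPLE.local (aes256-cts-hmac-sha1-96)'

# Reduce a listing to "KVNO PRINCIPAL" lines, skipping the header rows
# (only rows whose first field is a number are keytab entries).
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 " " $4 }'
}

# Compare the keytab against the SPN and kvno quoted in the Squid error line.
# Prints one of: ok, kvno-mismatch, case-mismatch, missing.
# Usage: keytab_diagnose "$listing" "HTTP/proxy.example.local@EXAMPLE.LOCAL" 3
keytab_diagnose() {
    entries=$(keytab_entries "$1")
    want_princ=$2
    want_kvno=$3
    want_lower=$(printf '%s' "$want_princ" | tr 'A-Z' 'a-z')

    # Exact, case-sensitive match at the right key version: this keytab can
    # decrypt the service ticket the client presented.
    if printf '%s\n' "$entries" | grep -Fqx "$want_kvno $want_princ"; then
        echo ok; return 0
    fi
    # Right principal, wrong kvno: the account password was reset (or ktpass
    # was run again) after the keytab was written; regenerate the keytab.
    if printf '%s\n' "$entries" | awk -v p="$want_princ" '$2 == p' | grep -q .; then
        echo kvno-mismatch; return 1
    fi
    # Differs only in letter case: realm names are case-sensitive, so an entry
    # for HTTP/host@EXAMPLE.local never matches a ticket for ...@EXAMPLE.LOCAL.
    if printf '%s\n' "$entries" | awk -v p="$want_lower" 'tolower($2) == p' | grep -q .; then
        echo case-mismatch; return 1
    fi
    echo missing; return 1
}

# Stand-alone run against the constructed sample (prints "case-mismatch").
keytab_diagnose "$SAMPLE_LISTING" "HTTP/proxy.example.local@EXAMPLE.LOCAL" 3 || :
```

        A result of `ok` means the keytab is not the problem and the next thing to check is which keytab the helper actually opens (the `-k` path given to `negotiate_kerberos_auth`) and whether the Squid process can read it.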
        Rarog

          Fixed the keytab, got Kerberos working. But CPU load is very high. Where must I put “KRB5RCACHETYPE=none export KRB5RCACHETYPE” in /usr/local/pkg/squid.inc to disable the cache?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.