Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Kerberos Squid without authentication?

    Scheduled Pinned Locked Moved Cache/Proxy
    39 Posts 3 Posters 5.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mcury @killmasta93
      last edited by

      @killmasta93 said in Kerberos Squid without authentication?:

      [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
      _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
      _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.

      I would remove the following lines from krb5.conf to test:
      You will need to generate a new keytab after that, then replace the keytab in pfsense, and logout and login again with the client to test.

      Following lines to remove will use the default enctypes.
      default_tgs_enctypes = aes128-cts-hmac-sha1-96
      default_tkt_enctypes = aes128-cts-hmac-sha1-96
      permitted_enctypes = aes128-cts-hmac-sha1-96

      dead on arrival, nowhere to be found.

      K 1 Reply Last reply Reply Quote 0
      • K
        killmasta93 @mcury
        last edited by

        @mcury
        Thanks for the reply, so did the following deleted the following lines and recreated the keytab but same issue

        1e13ead3-f8da-481e-bc43-4c9b1dc26d83-image.png

        993a40a7-81b3-4982-a5d0-3b8cf8bee96b-image.png

        7b88e87e-2a79-45b4-bbd4-3962f014576d-image.png

        Tutorials:

        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        M 1 Reply Last reply Reply Quote 0
        • M
          mcury @killmasta93
          last edited by

          auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
          auth_param negotiate children 1000
          auth_param negotiate keep_alive on
          acl auth proxy_auth REQUIRED
          http_access deny auth
          http_access allow auth

          name is squidkeytab.keytab and not squidproxy.keytabb ?

          dead on arrival, nowhere to be found.

          K 1 Reply Last reply Reply Quote 0
          • K
            killmasta93 @mcury
            last edited by

            @mcury
            Thanks for the reply, just realized that it was an error but after changing same issue

            c94d8927-3857-4fc6-85b0-4ef09f37aabd-image.png

            Tutorials:

            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

            M 1 Reply Last reply Reply Quote 0
            • M
              mcury @killmasta93
              last edited by

              df438830-1f39-49e6-a13d-748436058fb2-image.png
              This is the ticket that should appear in klist..

              Everything seems to be OK with your configuration, at least between pfsense and AD.

              Show squid logs again after changing the keytab.
              Can you test with another client?

              dead on arrival, nowhere to be found.

              K 1 Reply Last reply Reply Quote 0
              • K
                killmasta93 @mcury
                last edited by

                @mcury
                Thanks again for the reply, so im trying another machine which is in the domain but same issue

                aed2b95d-d81f-417c-b591-85de356c47f9-image.png

                32bd5b2a-74ea-4215-ab8b-4c65081e31db-image.png

                Tutorials:

                https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                M 1 Reply Last reply Reply Quote 0
                • M
                  mcury @killmasta93
                  last edited by

                  Did you create the user and enabled it in AD ?

                  8cbf2dcb-d511-4859-a23d-79155901eca4-image.png

                  dead on arrival, nowhere to be found.

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    killmasta93 @mcury
                    last edited by

                    @mcury
                    Thanks for the reply, correct already did that
                    on the Service principal name

                    f9688ac1-9018-4ebd-8b50-23e2c29f4c76-image.png

                    Tutorials:

                    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      mcury @killmasta93
                      last edited by mcury

                      Maybe you are facing the same problem as this guy was, take a look:

                      http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

                      Quote:
                      You should see a request from the client to Active Directory asking for a TGS for HTTP/<fqdn of proxy>. If that does not happen or get refused by AD the client will fall back to NTLM (wrapped into the Negotiate response) which is waht you see on the proxy.

                      I would set a packet capture like that guy did to check, port 88

                      dead on arrival, nowhere to be found.

                      K 1 Reply Last reply Reply Quote 0
                      • K
                        killmasta93 @mcury
                        last edited by

                        @mcury
                        Finally got it to authenticate but im still getting the popup

                        525feae3-d657-4d22-b5de-aa1e3611b3fd-image.png

                        Tutorials:

                        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                        M 1 Reply Last reply Reply Quote 0
                        • M
                          mcury @killmasta93
                          last edited by mcury

                          Why are you authenticating as administrador@CASA.LOCAL ?
                          The user should be appearing there and not administrator. Should be user@CASA.LOCAL

                          The user need to be member of the group used in ldapusersearch in Squidguard

                          dead on arrival, nowhere to be found.

                          K 1 Reply Last reply Reply Quote 0
                          • K
                            killmasta93 @mcury
                            last edited by killmasta93

                            @mcury
                            its because im opening the chrome inside of the windows server which im logged on as administrador

                            this is another user

                            68db97a0-6e2f-4ab8-b790-b01fded9a4c1-image.png

                            Tutorials:

                            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                            M 1 Reply Last reply Reply Quote 0
                            • M
                              mcury @killmasta93
                              last edited by

                              Ok, in this last screenshot, the username is Windows10?
                              Is this user a member of the group used in ldapusersearch?

                              You are almost there.. soon we will find the problem

                              dead on arrival, nowhere to be found.

                              K 1 Reply Last reply Reply Quote 0
                              • K
                                killmasta93 @mcury
                                last edited by

                                @mcury
                                thanks for the reply,
                                so on the squidguard

                                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                

                                and the user is located in

                                CN=windows10,CN=Users,DC=casa,DC=local
                                

                                Tutorials:

                                https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                M 1 Reply Last reply Reply Quote 0
                                • M
                                  mcury @killmasta93
                                  last edited by mcury

                                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

                                  You used a %2c in the wrong place (It means a ',')

                                  It should be:

                                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                  

                                  It's important to notice that you are not filtering users by group in this case..
                                  I would create a group, like internet, add the members to this group, and then filter like this:

                                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                  

                                  dead on arrival, nowhere to be found.

                                  K 1 Reply Last reply Reply Quote 0
                                  • K
                                    killmasta93 @mcury
                                    last edited by

                                    @mcury said in Kerberos Squid without authentication?:

                                    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

                                    Thanks again for the reply, so i changed to

                                    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                    

                                    then created group called internet added windows10 and administrador but same issue with popup

                                    CN=internet,CN=Users,DC=casa,DC=local
                                    

                                    Im thinking its a squid issue but dont know what else to do :(

                                    Tutorials:

                                    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                    M 1 Reply Last reply Reply Quote 0
                                    • M
                                      mcury @killmasta93
                                      last edited by

                                      Try port 389 instead of 3268.. Who knows..

                                      dead on arrival, nowhere to be found.

                                      K 1 Reply Last reply Reply Quote 0
                                      • K
                                        killmasta93
                                        last edited by killmasta93

                                        @mcury

                                        Thanks for the reply,
                                        so on squid i had to remove

                                        http_access allow deny
                                        

                                        now i got to squidguard i see this log

                                        (squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),
                                        

                                        i also had to configure on squidguard
                                        21f45554-d0d5-41a6-9fb8-52ef0216d7ff-image.png

                                        Tutorials:

                                        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                        M 1 Reply Last reply Reply Quote 0
                                        • M
                                          mcury @killmasta93
                                          last edited by

                                          So, is it working now ?

                                          if not, I would focus on the ldapusersearch..

                                          dead on arrival, nowhere to be found.

                                          1 Reply Last reply Reply Quote 0
                                          • K
                                            killmasta93 @mcury
                                            last edited by

                                            thanks for the reply,
                                            so correct its navigating with the user now i need to block but i see the log on squidguard

                                            12.05.2021 19:45:34	(squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName)
                                            

                                            Tutorials:

                                            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                                            M 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.