Squid + AD + Kerberos



  • Hello! pfSense 2.4.2_1
    I am setting up Squid to work with AD. I registered Squid in DNS, created a user, set up krb5.conf, and checked that I get a ticket. I created the principal and the keytab and copied the keytab into /usr/local/etc/squid/. In the Squid settings, under Custom Options (Before Auth), I added these rules:

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidproxy.keytab
    auth_param negotiate children 1000
    auth_param negotiate keep_alive on
    acl auth proxy_auth REQUIRED
    http_access deny !auth
    http_access allow auth

    krb5.conf:
    [libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        EXAMPLE.LOCAL = {
            kdc = kdc.example.local
        }

    [domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

    [logging]
        kdc = FILE:/var/log/kdc.log
        default = FILE:/var/log/krb5lib.log

    When I try to open a site, I am prompted for a login and password, and authorization does not work. In Windows 7 the Squid address is configured as FQDN:3128.

    access.log:
    negotiate_kerberos_auth: ERROR: gss_accept_sec_context () failed: Unspecified GSS failure. Minor code may provide more information. Request ticket server HTTP/proxy.example.local@EXAMPLE.LOCAL not found in keytab (ticket kvno 3)

    What's wrong with the keytab? I need Kerberos authorization, because with NTLM the log gets clogged with TCP_DENIED/407 messages and the site loses its connection.

    wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
    Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM.



  • Perhaps the keytab was not fully created. Its size is 382 bytes. Can someone tell me why this happens?

    ktpass -out C:\squidproxy.keytab -princ HTTP/proxy.example.local@EXAMPLE.local -mapUser squid@EXAMPLE.LOCAL -crypto AES256-SHA1 -pass 'password' -ptype KRB5_NT_PRINCIPAL
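
    Added example (not code from this thread, nor from Squid, pfSense or Microsoft): a small parser for the keytab file format (version 0x0502, the one ktpass and MIT/Heimdal ktutil write) plus a lookup that mirrors what the helper reports in the access.log line above: the service principal, realm included, must match byte-for-byte, and the key version number must equal the ticket's kvno. The keytab bytes, the 32-byte key and the timestamp are constructed in memory so the script runs offline; they are not the poster's 382-byte file. The constructed "bad" keytab spells the realm in lower case, as the ktpass -princ argument above does, to show how such an entry fails the exact-match lookup.

```python
"""Parse a Kerberos keytab (format 0x0502) and check it for the exact
principal and kvno a client ticket asks for.

Added example, not code from the thread or from Squid/pfSense. The keytab
bytes are constructed with build_keytab() so this runs offline; call
parse_keytab(open(path, "rb").read()) on a real file such as
/usr/local/etc/squid/squidproxy.keytab to inspect it the same way.
"""
import struct

KRB5_NT_PRINCIPAL = 1    # name type written by ktpass -ptype KRB5_NT_PRINCIPAL
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}


def _counted(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=1514764800):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab.
    Used here only to construct test input; real keytabs come from ktpass/ktutil."""
    out = b"\x05\x02"
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno, present in current keytabs
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of dicts: principal ('name@REALM'), kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                              # deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                        # optional 32-bit kvno; 0 means "use vno8"
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def diagnose(entries, wanted, ticket_kvno):
    """Mimic the keytab lookup behind gss_accept_sec_context(): the principal
    (realm case included) must match exactly and the kvno must equal the
    ticket's kvno. Returns a short verdict string."""
    same_name = [e for e in entries if e["principal"] == wanted]
    if any(e["kvno"] == ticket_kvno for e in same_name):
        return "ok"
    if same_name:
        return "kvno mismatch: keytab has %s, ticket has %d" % (
            sorted({e["kvno"] for e in same_name}), ticket_kvno)
    folded = [e for e in entries if e["principal"].lower() == wanted.lower()]
    if folded:
        return "case mismatch: keytab has %s" % folded[0]["principal"]
    return "principal absent"


def describe(entries):
    return ["%s kvno=%d %s" % (e["principal"], e["kvno"],
                               ENCTYPES.get(e["enctype"], str(e["enctype"])))
            for e in entries]


WANTED = "HTTP/proxy.example.local@EXAMPLE.LOCAL"   # server name from the access.log error
KEY = bytes(range(32))                               # constructed 32-byte AES-256 key, not a real one
# Constructed: realm typed in lower case, as in the ktpass -princ argument above.
BAD_KEYTAB = build_keytab([("HTTP/proxy.example.local", "EXAMPLE.local", 3, 18, KEY)])
# Constructed: same entry with the realm spelled as the KDC issues it.
GOOD_KEYTAB = build_keytab([("HTTP/proxy.example.local", "EXAMPLE.LOCAL", 3, 18, KEY)])

if __name__ == "__main__":
    for label, blob in (("bad", BAD_KEYTAB), ("good", GOOD_KEYTAB)):
        ents = parse_keytab(blob)
        print(label, describe(ents), "->", diagnose(ents, WANTED, 3))
```

    Run against the real file, the verdict tells you whether the entry is missing, spelled with a different realm case, or carries a kvno the DC has since moved past (each ktpass -pass run resets the account password and bumps the kvno, so the keytab must be regenerated and the old tickets must expire). With the MIT krb5 tools installed, `klist -kte /usr/local/etc/squid/squidproxy.keytab` prints the same principal, kvno and enctype columns.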



  • Fixed the keytab, got Kerberos working. But the CPU load is very high. Where must I paste “KRB5RCACHETYPE=none export KRB5RCACHETYPE” in /usr/local/pkg/squid.inc to disable the cache?