4. Squid with AD groups + Kerberos authentication in pfsense?

Squid with AD groups + Kerberos authentication in pfsense?

  • M

    I followed steps found on the link:
    https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

    And the kerberos authentication without AD group membership restriction works very well, but I don't want all the users to have internet access. I want only for users in Internet_access AD group to have access. So I made modification, but it doesn't work. Here are the detials:

    PFSense version 2.4.2

    Installed packages: squid

    Kerberos config file (/etc/krb5.conf):

    [libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = yes
rdns = no
default_keytab_name = /path/to/squid.keytab
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96
clock_skew = 300

[realms]
DOMAIN.LOCAL = {
        kdc = server.domain.local
        admin_server = server.domain.local
        default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[logging]
kdc = FILE:/var/log/kdc.log
Default = FILE:/var/log/krb5lib.log

    Squid config file modification (Custom Options (Before Auth) in PFSense squid Web interface configuration):

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxyserver.domain.local
auth_param negotiate children 1000
auth_param negotiate keep_alive on

external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D DOMAIN.LOCAL

acl auth proxy_auth REQUIRED
acl GroupProxy external kerberos_group

http_access deny !auth
http_access allow GroupProxy auth
http_access deny all

    I think that the problem may be in ext_kerberos_ldap_group_acl commmand that always returns "ERR Invalid request. No Username" when run in CLI, no matter what args it has. I have researched domumentation but no real help from there. Also I cannot find the squid init script in PFsense, so I can set variables KRB5_KTNAME and KRB5_CONFIG.

    I whould be very thankful if there is some explaination how to make this configuration succeed.

    0
  • F

    Hello Milan,
    here is a tip for you.

    use samba44. It has all kerberos support tools, including the keytab generation and it's quite simple to use it.
    Also, you will need squidguard to make your AD group search.
    You will need to add the Kerberos auth config lines in the advanced configuration for squid. (squid page. All the way down the page)
    Also, The correct authentication sequence should be:  Kerberos, NTLMv2 and then (optional) Basic Auth. Unless you really want to use Kerberos ONLY.

    hope that helps you.

    Fabricio.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy