Netgate Discussion Forum
    Squid with AD groups + Kerberos authentication in pfsense?

    Cache/Proxy
    2 Posts 2 Posters 4.9k Views
    • milan778

      I followed steps found on the link:
      https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

      And the Kerberos authentication without AD group membership restriction works very well, but I don't want all the users to have internet access. I want only users in the Internet_access AD group to have access. So I made a modification, but it doesn't work. Here are the details:

      PFSense version 2.4.2

      Installed packages: squid

      Kerberos config file (/etc/krb5.conf):

      [libdefaults]
      default_realm = DOMAIN.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true
      kdc_timesync = 1
      ccache_type = 4
      forwardable = yes
      rdns = no
      default_keytab_name = /path/to/squid.keytab
      default_tgs_enctypes = aes128-cts-hmac-sha1-96
      default_tkt_enctypes = aes128-cts-hmac-sha1-96
      permitted_enctypes = aes128-cts-hmac-sha1-96
      clock_skew = 300
      
      [realms]
      DOMAIN.LOCAL = {
              kdc = server.domain.local
              admin_server = server.domain.local
              default_domain = DOMAIN.LOCAL
      }
      
      [domain_realm]
      .domain.local = DOMAIN.LOCAL
      domain.local = DOMAIN.LOCAL
      
      [logging]
      kdc = FILE:/var/log/kdc.log
      default = FILE:/var/log/krb5lib.log


      Squid config file modification (Custom Options (Before Auth) in PFSense squid Web interface configuration):

      auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxyserver.domain.local
      auth_param negotiate children 1000
      auth_param negotiate keep_alive on
      
      external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D DOMAIN.LOCAL
      
      acl auth proxy_auth REQUIRED
      acl GroupProxy external kerberos_group
      
      http_access deny !auth
      http_access allow GroupProxy auth
      http_access deny all

      I think that the problem may be in the ext_kerberos_ldap_group_acl command, which always returns "ERR Invalid request. No Username" when run in the CLI, no matter what args it has. I have researched the documentation but got no real help from there. Also I cannot find the squid init script in pfSense, so I can set the variables KRB5_KTNAME and KRB5_CONFIG.

      I would be very thankful if there is some explanation of how to make this configuration succeed.
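      Added example, not code from this thread or from Squid's own helpers: a minimal Python stand-in for the `%LOGIN` group helper that the `external_acl_type` line above invokes. It shows the exchange Squid drives with such a helper, one request line per lookup on stdin and an `OK`/`ERR` reply on stdout, and why a helper that receives no username at all can only answer with an error. The group name is taken from the post; the user names and membership table are constructed for the example, and the URL-decoding step is an assumption about how Squid encodes format values.

```python
"""Toy Squid external_acl_type helper for a %LOGIN group check (added example).

Squid writes one request line per lookup on the helper's stdin (here the
%LOGIN value, e.g. "alice@DOMAIN.LOCAL") and reads back "OK" or "ERR",
optionally followed by key=value pairs. An empty request is what a helper
sees when it is started interactively with nothing on stdin.
"""
import sys
from urllib.parse import unquote

# Constructed sample directory data (hypothetical users, not from the thread).
GROUP_MEMBERS = {
    "internet_access": {"alice", "bob"},
}


def parse_login(line):
    """Return the bare user name from a %LOGIN value, or None if it is empty.

    Negotiate/Kerberos logins arrive as user@REALM; the realm is dropped and the
    name lower-cased so that AD's case-insensitive names compare reliably.
    Squid may URL-encode format values, so the token is decoded first
    (assumption: harmless for values that were not encoded).
    """
    stripped = line.strip()
    if not stripped:
        return None
    token = unquote(stripped.split(" ", 1)[0])
    user = token.split("@", 1)[0].lower()
    return user or None


def handle_request(line, group="internet_access", members=GROUP_MEMBERS):
    """Produce the helper reply for one request line."""
    user = parse_login(line)
    if user is None:
        # No username in the request: the helper cannot decide, so it errs.
        return 'ERR message="Invalid request. No Username"'
    return "OK" if user in members.get(group, set()) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout, group="internet_access"):
    """Answer requests until Squid closes the helper's stdin."""
    for line in stdin:
        stdout.write(handle_request(line, group) + "\n")
        stdout.flush()  # Squid waits for each reply; do not buffer


if __name__ == "__main__":
    serve()
```

      Run interactively, typing `alice@DOMAIN.LOCAL` and pressing Enter yields `OK`; pressing Enter on an empty line yields the same kind of "no username" error the real helper reports, which is the expected result of running a helper by hand without feeding it a request.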

      • fabricioguzzy

        Hello Milan,
        here is a tip for you.

        Use samba44. It has all the Kerberos support tools, including the keytab generation, and it's quite simple to use.
        Also, you will need squidguard to make your AD group search.
        You will need to add the Kerberos auth config lines in the advanced configuration for squid (squid page, all the way down the page).
        Also, the correct authentication sequence should be: Kerberos, NTLMv2 and then (optional) Basic Auth, unless you really want to use Kerberos ONLY.

        hope that helps you.

        Fabricio.
