Squid with AD groups + Kerberos authentication in pfsense?



  • I followed steps found on the link:
    https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

    And the Kerberos authentication without AD group membership restriction works very well, but I don't want all the users to have internet access. I want only users in the Internet_access AD group to have access. So I made a modification, but it doesn't work. Here are the details:

    PFSense version 2.4.2

    Installed packages: squid

    Kerberos config file (/etc/krb5.conf):

    [libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    kdc_timesync = 1
    ccache_type = 4
    forwardable = yes
    rdns = no
    default_keytab_name = /path/to/squid.keytab
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96
    clock_skew = 300
    
    [realms]
    DOMAIN.LOCAL = {
            kdc = server.domain.local
            admin_server = server.domain.local
            default_domain = DOMAIN.LOCAL
    }
    
    [domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
    
    [logging]
    kdc = FILE:/var/log/kdc.log
    default = FILE:/var/log/krb5lib.log
    
    

    Squid config file modification (Custom Options (Before Auth) in PFSense squid Web interface configuration):

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxyserver.domain.local
    auth_param negotiate children 1000
    auth_param negotiate keep_alive on
    
    external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D DOMAIN.LOCAL
    
    acl auth proxy_auth REQUIRED
    acl GroupProxy external kerberos_group
    
    http_access deny !auth
    http_access allow GroupProxy auth
    http_access deny all
    
    

    I think that the problem may be in the ext_kerberos_ldap_group_acl command that always returns "ERR Invalid request. No Username" when run in the CLI, no matter what args it has. I have researched the documentation but found no real help there. Also I cannot find the squid init script in pfSense, so I can set the variables KRB5_KTNAME and KRB5_CONFIG.

    I would be very thankful if there is some explanation of how to make this configuration succeed.
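    A way to exercise the group helper by hand, added here as an example and not part of the original post: Squid never passes the username as an argument, it writes one %LOGIN line to the helper's stdin, which is why a bare CLI run always answers "ERR Invalid request. No Username". The script sets the two Kerberos variables for the helper process and classifies its reply; the helper path, group and realm are the ones from the question, and the keytab path is the placeholder from the posted krb5.conf.

```shell
#!/bin/sh
# Added example: drive ext_kerberos_ldap_group_acl the way Squid does.
# Paths and names below are assumptions taken from the question above.
HELPER="${HELPER:-/usr/local/libexec/squid/ext_kerberos_ldap_group_acl}"

# Without an init script to edit, export the variables for the helper here;
# the keytab path is the placeholder from the posted krb5.conf.
export KRB5_CONFIG="${KRB5_CONFIG:-/etc/krb5.conf}"
export KRB5_KTNAME="${KRB5_KTNAME:-/path/to/squid.keytab}"

# Build the request line Squid sends for an external_acl_type whose format
# is %LOGIN: one line carrying the authenticated principal, nothing else.
helper_request() {
    # $1 = user principal as Squid sees it, e.g. alice@DOMAIN.LOCAL
    printf '%s\n' "$1"
}

# Map a helper reply line to an exit status so scripts can branch on it:
# 0 = OK (user is in the group), 1 = ERR (not a member or request rejected),
# 2 = anything else (BH, empty line: the helper itself is broken).
classify_reply() {
    case "$1" in
        OK|"OK "*)   return 0 ;;
        ERR|"ERR "*) return 1 ;;
        *)           return 2 ;;
    esac
}

# Run one membership check against the real helper: user, group, realm.
# -d keeps the helper's own debug output on stderr for troubleshooting.
check_membership() {
    user="$1"; group="$2"; realm="$3"
    reply=$(helper_request "$user" | "$HELPER" -d -g "$group" -D "$realm" | head -n 1)
    classify_reply "$reply"
}

# Stand-alone usage: only runs where the Squid helper is actually installed.
if [ -x "$HELPER" ]; then
    if check_membership "${1:-alice@DOMAIN.LOCAL}" Internet_access DOMAIN.LOCAL; then
        echo "member of Internet_access"
    else
        echo "not a member, or helper error (see stderr)"
    fi
fi
```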



  • Hello Milan,
    Here is a tip for you.

    Use samba44. It has all the Kerberos support tools, including the keytab generation, and it's quite simple to use.
    Also, you will need squidguard to make your AD group search.
    You will need to add the Kerberos auth config lines in the advanced configuration for squid (squid page, all the way down the page).
    Also, the correct authentication sequence should be: Kerberos, NTLMv2 and then (optional) Basic Auth, unless you really want to use Kerberos ONLY.

    Hope that helps you.

    Fabricio.