Squid with AD groups + Kerberos authentication in pfsense?
-
I followed steps found on the link:
https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/
And the Kerberos authentication without AD group membership restriction works very well, but I don't want all the users to have internet access. I want only users in the Internet_access AD group to have access. So I made a modification, but it doesn't work. Here are the details:
PFSense version 2.4.2
Installed packages: squid
Kerberos config file (/etc/krb5.conf):
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    kdc_timesync = 1
    ccache_type = 4
    forwardable = yes
    rdns = no
    default_keytab_name = /path/to/squid.keytab
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96
    clock_skew = 300

[realms]
    DOMAIN.LOCAL = {
        kdc = server.domain.local
        admin_server = server.domain.local
        default_domain = DOMAIN.LOCAL
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

[logging]
    kdc = FILE:/var/log/kdc.log
    default = FILE:/var/log/krb5lib.log
Squid config file modification (Custom Options (Before Auth) in PFSense squid Web interface configuration):
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxyserver.domain.local
auth_param negotiate children 1000
auth_param negotiate keep_alive on
external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D DOMAIN.LOCAL
acl auth proxy_auth REQUIRED
acl GroupProxy external kerberos_group
http_access deny !auth
http_access allow GroupProxy auth
http_access deny all
I think that the problem may be in the ext_kerberos_ldap_group_acl command that always returns "ERR Invalid request. No Username" when run in the CLI, no matter what args it has. I have researched the documentation but found no real help there. Also I cannot find the squid init script in PFsense, so I can set the variables KRB5_KTNAME and KRB5_CONFIG.
I would be very thankful if there is some explanation of how to make this configuration succeed.
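Squid's external ACL helpers do not take the username as a command-line argument: Squid writes one request line (here the %LOGIN value) to the helper's stdin and reads an OK or ERR line back on stdout. The script below is an added example, not part of the forum post, that drives a helper the same way, with KRB5_KTNAME and KRB5_CONFIG set explicitly for the helper process so a shell test matches what Squid would see. The helper path, keytab path and krb5.conf path are placeholders taken from the post; demo_helper is a constructed stand-in that answers from a constructed group list so the script can be run offline.

```shell
#!/bin/sh
# Added example: exercise a Squid external ACL helper over its stdin/stdout protocol.
# Placeholder paths (assumptions, adjust to your install):
HELPER="${HELPER:-/usr/local/libexec/squid/ext_kerberos_ldap_group_acl}"
KEYTAB="${KEYTAB:-/path/to/squid.keytab}"
KRB5CONF="${KRB5CONF:-/etc/krb5.conf}"

# query_group_helper HELPER_CMD USERNAME [HELPER_ARGS...]
# Sends one request line on stdin, exactly as Squid does for a %LOGIN format,
# and prints the helper's first reply line ("OK" or "ERR ...").
query_group_helper() {
    helper_cmd=$1
    user=$2
    shift 2
    printf '%s\n' "$user" \
        | KRB5_KTNAME="$KEYTAB" KRB5_CONFIG="$KRB5CONF" "$helper_cmd" "$@" \
        | head -n 1
}

# is_allowed HELPER_CMD USERNAME [HELPER_ARGS...]
# Returns 0 when the helper answered OK (user is in the group), 1 otherwise.
is_allowed() {
    reply=$(query_group_helper "$@")
    case $reply in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo_helper: constructed stand-in for ext_kerberos_ldap_group_acl.
# It follows the same contract: read request lines from stdin, answer one
# line each. An empty request gets the same error the real helper prints
# when it is started without any username on stdin.
demo_helper() {
    while IFS= read -r login; do
        case $login in
            "")          echo "ERR Invalid request. No Username" ;;
            alice|carol) echo "OK" ;;      # constructed Internet_access members
            *)           echo "ERR" ;;
        esac
    done
}

# Offline demonstration against the constructed helper.
for u in alice bob ""; do
    printf 'request "%s" -> %s\n' "$u" "$(query_group_helper demo_helper "$u")"
done

# Against the real helper, run the same function with the real command and
# the same arguments as in squid.conf, for example:
#   query_group_helper "$HELPER" alice -a -g Internet_access -D DOMAIN.LOCAL
```

Because the environment variables are set on the helper's command only, the check reproduces what Squid passes to the helper without relying on an init script; if the real helper answers ERR for a user who is in the group, the keytab, realm or group lookup is the place to look, not the http_access lines.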
-
Hello Milan,
Here is a tip for you: use samba44. It has all the Kerberos support tools, including the keytab generation, and it's quite simple to use.
Also, you will need squidguard to make your AD group search.
You will need to add the Kerberos auth config lines in the advanced configuration for squid. (squid page. All the way down the page)
Also, the correct authentication sequence should be: Kerberos, NTLMv2 and then (optional) Basic Auth. Unless you really want to use Kerberos ONLY. Hope that helps you.
Fabricio.