Netgate Discussion Forum

cannot implement squid + pfsense + active directory

Cache/Proxy
7 Posts 3 Posters 2.4k Views
    HelpUser
    last edited by HelpUser Nov 28, 2018, 1:37 PM (posted Nov 28, 2018, 1:22 PM)

    Did everything according to this article.
    Squid does not start

    2018/11/28 16:07:18| /usr/local/etc/squid/squid.conf:90 unrecognized: '/usr/local/etc/squid/squid.keytab'
    

    What could be wrong? I did exactly as the article says; all tests passed with no errors, but nevertheless, when connecting the keytab, the proxy just doesn't start.
    2.4.4-RELEASE (amd64) Thu Sep 20 09:03:12 EDT 2018
    FreeBSD 11.2-RELEASE-p3

      stephenw10 Netgate Administrator
      last edited by Nov 29, 2018, 3:36 AM

      It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

      That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
      auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
      All one line.

      Steve

        HelpUser @stephenw10
        last edited by Nov 29, 2018, 8:47 AM
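As an added illustration of Steve's point (this is not code from the thread, nor from Squid or pfSense), the Python below lints a squid.conf for lines that do not begin with a directive name and so are almost certainly the wrapped tail of the previous line, rejoins them, and pulls out the -k keytab path so it can be checked. The constructed sample config reproduces the two-line paste that produces the 'unrecognized' error; the directive regex and the function names are this example's own assumptions, not Squid's parser.

```python
"""Lint a squid.conf for directives that were split across lines.

Added example (not from the forum thread, Squid or pfSense). A long
'auth_param negotiate program ... -k /path/squid.keytab' line pasted with the
keytab path wrapped onto its own line makes Squid treat that path as a
directive of its own and refuse to start. The directive regex below is an
assumption of this example, not Squid's actual parser.
"""
import re
from typing import List, Optional, Tuple

# Squid directive names are bare identifiers at the start of a line.
DIRECTIVE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\s|$)")

# Constructed sample: the directive pasted as two lines, as in the thread.
BROKEN_CONF = """\
# authentication, pasted from a web page with the last argument wrapped
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k
/usr/local/etc/squid/squid.keytab
auth_param negotiate children 10
acl auth proxy_auth REQUIRED
http_access allow auth
"""


def find_wrapped_lines(conf_text: str) -> List[Tuple[int, Optional[int], str]]:
    """Return (line_no, parent_line_no, fragment) for every non-comment line that
    does not begin with a directive name. Line numbers are 1-based, matching
    Squid's 'squid.conf:NN unrecognized' messages."""
    findings: List[Tuple[int, Optional[int], str]] = []
    last_directive: Optional[int] = None
    for n, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DIRECTIVE_RE.match(line):
            last_directive = n
            continue
        # Not a directive: most likely a wrapped argument such as a path.
        findings.append((n, last_directive, line))
    return findings


def rejoin_wrapped_lines(conf_text: str) -> str:
    """Return a corrected config with each fragment appended to its parent line."""
    lines: List[Optional[str]] = list(conf_text.splitlines())
    for n, parent, fragment in find_wrapped_lines(conf_text):
        if parent is None:
            continue  # nothing to attach it to; leave for a human to look at
        lines[parent - 1] = lines[parent - 1].rstrip() + " " + fragment
        lines[n - 1] = None
    return "\n".join(l for l in lines if l is not None) + "\n"


def negotiate_keytab(conf_text: str) -> Optional[str]:
    """Keytab path passed with -k on the 'auth_param negotiate program' line."""
    for line in rejoin_wrapped_lines(conf_text).splitlines():
        if line.startswith("auth_param negotiate program"):
            m = re.search(r"\s-k\s+(\S+)", line)
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    for n, parent, frag in find_wrapped_lines(BROKEN_CONF):
        print(f"squid.conf:{n} unrecognized: '{frag}' (looks like the tail of line {parent})")
    print("keytab:", negotiate_keytab(BROKEN_CONF))
    print(rejoin_wrapped_lines(BROKEN_CONF))
```

Run it against a real squid.conf by reading the file into `find_wrapped_lines`; a finding whose fragment starts with "/" on the line right after an auth_param line is exactly the symptom in the first post.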

        @stephenw10 said in cannot implement squid + pfsense + active directory:

        It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

        That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
        All one line.

        Steve

        Ahhh, I'm crying tearfully. I broke my whole head over it, and it turns out that's all it was. Thank you, it worked!
        I will be glad if you can still help! Authorization still does not pass, and something strange is going on with the time.

        /root: date
        Thu Nov 29 11:36:27 MSK 2018
        

        But in Squid, on the "Real Time" tab, in the "Squid Cache Table":

        01.01.1970 03:00:00	negotiate_kerberos_auth: WARNING: received type 1 NTLM token
        01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' (decoded length: 40).
        01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' from squid (length: 59).
        01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_8623
        01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Setting keytab to /home/squid.keytab
        01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
        29.11.2018 11:43:07	Starting new negotiateauthenticator helpers...
        29.11.2018 11:42:54	pinger: Initialising ICMP pinger ...
        29.11.2018 11:42:53	Service Name: squid
        29.11.2018 11:42:53	Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.2...
        
        

        But in Squid, on the "Real Time" tab, in the "Squid Access Table":

        date	IP	stats	address	user	pool
        29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
        29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
        29.11.2018 11:43:07	10.200.1.115	TCP_DENIED/407	go.microsoft.com:443	-
        

        Where it gets this date "01.01.1970 03:00:00" from is unknown; perhaps authorization does not pass because of this.

          stephenw10 Netgate Administrator
          last edited by Nov 30, 2018, 12:05 AM
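As an added example (not code from the thread, Squid or pfSense), the Python below triages lines in the shape the "Real Time" tab shows above and reports the three things worth checking in this post: timestamps that are really Unix time 0 (which prints as 01.01.1970 03:00:00 in a UTC+3 zone such as MSK), clients that handed the Kerberos helper an NTLM token instead of a Kerberos ticket, and 407 denials with no authenticated user. It also pulls out the keytab path the helper reports so it can be compared with the -k argument in squid.conf. The sample lines are copied from this post; the utc_offset_hours parameter, the dict keys and the token classifier are this example's own.

```python
"""Triage Squid negotiate-helper and access-log lines for Kerberos auth failures.

Added example, not code from the forum thread or from Squid/pfSense. Input
lines follow the pfSense "Real Time" tab layout: dd.mm.yyyy HH:MM:SS, a tab,
then either the helper message or the access-table columns. The default
utc_offset_hours of 3 matches the MSK zone shown by 'date' in the post.
"""
import base64
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TS_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\t(.*)$")
TOKEN_RE = re.compile(r"Got '(?:YR|KK) (\S+)'")   # helper protocol: YR starts, KK continues
KEYTAB_RE = re.compile(r"Setting keytab to (\S+)")

# Sample lines taken from the post above (cache table and access table).
CACHE_LOG = [
    "01.01.1970 03:00:00\tnegotiate_kerberos_auth: WARNING: received type 1 NTLM token",
    "01.01.1970 03:00:00\tnegotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' from squid (length: 59).",
    "01.01.1970 03:00:00\tnegotiate_kerberos_auth: INFO: Setting keytab to /home/squid.keytab",
    "29.11.2018 11:43:07\tStarting new negotiateauthenticator helpers...",
]
ACCESS_LOG = [
    "29.11.2018 11:43:47\t10.200.1.110\tTCP_DENIED/407\thttp://ts.eset.com/query/chsquery.php\t-\t-",
    "29.11.2018 11:43:47\t10.200.1.110\tTCP_DENIED/407\thttp://ts.eset.com/query/chsquery.php\t-\t-",
    "29.11.2018 11:43:07\t10.200.1.115\tTCP_DENIED/407\tgo.microsoft.com:443\t-",
]


def parse_ts(text: str, utc_offset_hours: int) -> datetime:
    """Parse the GUI's dd.mm.yyyy HH:MM:SS stamp as local time in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(text, "%d.%m.%Y %H:%M:%S").replace(tzinfo=tz)


def is_epoch_zero(text: str, utc_offset_hours: int) -> bool:
    """True when the displayed time is Unix time 0, i.e. no timestamp was set."""
    return parse_ts(text, utc_offset_hours).timestamp() == 0.0


def classify_token(b64_token: str) -> str:
    """Identify a Negotiate token from its first 12 decoded bytes.

    NTLMSSP messages start with the signature 'NTLMSSP\\0' and a little-endian
    message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE). A GSS-API
    initial context token, which is what a Kerberos client sends, starts with
    the ASN.1 tag 0x60. Only 16 base64 characters are decoded: enough for the
    header, and immune to a token that was truncated when copied.
    """
    header = base64.b64decode(b64_token[:16])
    if header.startswith(b"NTLMSSP\x00"):
        return f"NTLM type {int.from_bytes(header[8:12], 'little')}"
    if header[:1] == b"\x60":
        return "GSS-API (Kerberos/SPNEGO)"
    return "unknown"


def triage(cache_lines: List[str], access_lines: List[str],
           utc_offset_hours: int = 3) -> Dict[str, object]:
    """Summarise both tables: counts plus the keytab path the helper reports."""
    epoch_zero = 0
    ntlm_tokens: List[str] = []
    keytab: Optional[str] = None
    for line in cache_lines:
        m = TS_RE.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        if is_epoch_zero(stamp, utc_offset_hours):
            epoch_zero += 1
        t = TOKEN_RE.search(msg)
        if t:
            kind = classify_token(t.group(1))
            if kind.startswith("NTLM"):
                ntlm_tokens.append(kind)
        k = KEYTAB_RE.search(msg)
        if k:
            keytab = k.group(1)

    # Access columns: date, IP, status, address, user, pool (pool may be missing).
    unauth_denied = 0
    for line in access_lines:
        cols = line.split("\t")
        if len(cols) >= 5 and cols[2] == "TCP_DENIED/407" and cols[4] == "-":
            unauth_denied += 1

    return {
        "epoch_zero_lines": epoch_zero,
        "ntlm_tokens": ntlm_tokens,
        "helper_keytab": keytab,
        "unauth_denied_407": unauth_denied,
    }


if __name__ == "__main__":
    print(triage(CACHE_LOG, ACCESS_LOG))
```

An NTLM type 1 token arriving at negotiate_kerberos_auth means the browser never obtained a Kerberos service ticket for the proxy's SPN and fell back to NTLM, which that helper cannot complete; that is the condition to chase before worrying about the 407 lines, which are just the resulting challenges.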

          Hmm, interesting.

          I have never tried that configuration nor do I have the infrastructure to test it. I just saw the error initially.

          1.1.1970 is 0 seconds in epoch time, so it looks like it's not getting a time stamp for that. Hard to say why that would be; I'm not sure I can help much with that. ☹

          Steve

            vallum @HelpUser
            last edited by Dec 5, 2018, 7:42 AM

            @helpuser Send me all the steps you used to generate the keytab,
            the custom squid options you have added in squid.conf,
            and the DNS resolution output for your domain.

            Manu

              HelpUser @vallum
              last edited by HelpUser Dec 5, 2018, 9:14 AM (posted Dec 5, 2018, 9:11 AM)

              0_1544001570670_Desktop.zip

              [2.4.4-RELEASE][admin@pf.mydomain.ru]/root: nslookup
              > ya.ru
              Server:         10.200.1.7
              Address:        10.200.1.7#53
              
              Non-authoritative answer:
              Name:   ya.ru
              Address: 87.250.250.242
              Name:   ya.ru
              Address: 2a02:6b8::2:242
              > mydomain.ru
              Server:         10.200.1.7
              Address:        10.200.1.7#53
              
              Name:   mydomain.ru
              Address: 10.200.1.8
              Name:   mydomain.ru
              Address: 10.200.1.7
              Name:   mydomain.ru
              Address: 192.168.1.7
              > pf
              Server:         10.200.1.7
              Address:        10.200.1.7#53
              
              Name:   pf.mydomain.ru
              Address: 10.200.1.1
              > kdc1
              Server:         10.200.1.7
              Address:        10.200.1.7#53
              
              Name:   kdc1.mydomain.ru
              Address: 10.200.1.8
              >
              

              resolv.conf

              nameserver 10.200.1.7
              nameserver 10.200.1.8
              search mydomain.ru
              

              All actions are identical to the article. The only differences are in the passwords, domain name and server names. But I will not upload those to you; it is secret information, personal data.

                vallum @HelpUser
                last edited by Dec 10, 2018, 10:05 AM

                @helpuser
                copy your keytab file as: /etc/krb5.keytab
                chown :proxy /etc/krb5.keytab
                chmod 0750 /etc/krb5.keytab

                squid.conf:
                auth_param negotiate program /libexec/squid/negotiate_wrapper_auth --ntlm /libexec/squid/ntlm_auth mydomain.ru --helper-protocol=squid-2.5-ntlmssp --kerberos /libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME

                Refer to the link below: https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

                Manu

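As an added example (not code from the thread, Squid or pfSense), the Python below encodes the ownership and mode that the post above sets for the keytab (group proxy, mode 0750) as a check a practitioner can run: the keytab holds the proxy's long-term Kerberos key, so any 'other' read bit lets every local account obtain it, while a missing group read bit leaves the helper unable to open it. The group name and path are the post's; the function names are this example's own, and the self-test builds a throwaway file in a temp directory instead of touching /etc/krb5.keytab.

```python
"""Check that a Squid keytab is readable by the proxy group and nobody else.

Added example, not part of the forum post or of Squid/pfSense. The expected
layout follows the post: 'chown :proxy' and 'chmod 0750' on /etc/krb5.keytab,
i.e. owner may do anything, the proxy group may read, others get nothing.
"""
import os
import stat
import tempfile
from typing import List, Optional


def keytab_problems(path: str, expected_gid: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means the keytab looks right."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        problems.append(f"{path}: world-accessible (mode {mode:04o}); expected no 'other' bits")
    if mode & stat.S_IWGRP:
        problems.append(f"{path}: group-writable (mode {mode:04o}); the proxy group only needs read")
    if not mode & stat.S_IRGRP:
        problems.append(f"{path}: group cannot read it (mode {mode:04o}); the helper runs as that group")
    if expected_gid is not None and st.st_gid != expected_gid:
        problems.append(f"{path}: owned by gid {st.st_gid}, expected gid {expected_gid}")
    return problems


def gid_of(group_name: str) -> Optional[int]:
    """Resolve a group name such as 'proxy' to its gid; None if it does not exist here."""
    try:
        import grp
        return grp.getgrnam(group_name).gr_gid
    except (ImportError, KeyError):
        return None


def demo_check(mode: int) -> List[str]:
    """Create a throwaway 'keytab' with the given mode in a temp dir and check it."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "krb5.keytab")
    with open(path, "wb") as f:
        f.write(b"\x05\x02")  # constructed: keytab file-format version header only
    os.chmod(path, mode)
    try:
        return keytab_problems(path, expected_gid=os.getegid())
    finally:
        os.remove(path)
        os.rmdir(d)


if __name__ == "__main__":
    # On a real system (this example's usage, not the post's): check the file the post creates.
    print(keytab_problems("/etc/krb5.keytab", expected_gid=gid_of("proxy")))
    print("0750:", demo_check(0o750))
    print("0644:", demo_check(0o644))
```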
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.