cannot implement squid + pfsense + active directory



  • Did everything according to the article.
    Squid does not start

    2018/11/28 16:07:18| /usr/local/etc/squid/squid.conf:90 unrecognized: '/usr/local/etc/squid/squid.keytab'
    

    What could be wrong? I did exactly what the article says, all tests passed with no errors, but nevertheless when the keytab is connected the proxy just doesn't start.
    2.4.4-RELEASE (amd64) Thu Sep 20 09:03:12 EDT 2018
    FreeBSD 11.2-RELEASE-p3


  • Netgate Administrator

    It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

    That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
    All one line.

    Steve



  • @stephenw10 said in cannot implement squid + pfsense + active directory:

    It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

    That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
    All one line.

    Steve

    Ahhh, I could cry. I racked my brains over this and it turns out that's all it was. Thank you, it worked!
    I would be glad if you could help further! Authorization does not pass, and something strange is going on with the time.

    /root: date
    Thu Nov 29 11:36:27 MSK 2018
    

    But in Squid, on the "Real Time" tab, in the "Squid Cache Table":

    01.01.1970 03:00:00	negotiate_kerberos_auth: WARNING: received type 1 NTLM token
    01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' (decoded length: 40).
    01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' from squid (length: 59).
    01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_8623
    01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Setting keytab to /home/squid.keytab
    01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
    29.11.2018 11:43:07	Starting new negotiateauthenticator helpers...
    29.11.2018 11:42:54	pinger: Initialising ICMP pinger ...
    29.11.2018 11:42:53	Service Name: squid
    29.11.2018 11:42:53	Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.2...
    
    

    But in Squid, on the "Real Time" tab, in the "Squid Access Table":

    date	                         IP	   stats	           address	                user   pool
    29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
    29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
    29.11.2018 11:43:07	10.200.1.115	TCP_DENIED/407	go.microsoft.com:443	-
    

    Where it gets the date "01.01.1970 03:00:00" from is unknown; perhaps that is why authorization does not pass.


  • Netgate Administrator

    Hmm, interesting.

    I have never tried that configuration nor do I have the infrastructure to test it. I just saw the error initially.

    1.1.1970 is 0 seconds in epoch time so it looks like it's not getting a time stamp for that. Hard to say why that would be, I'm not sure I can help much with that. ☹

    Steve
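
The helper lines quoted in the post above can be checked directly. The blob after `YR` is the client's first Negotiate token as Squid hands it to the helper (`YR` marks the first token of a request, `KK` a continuation), and negotiate_kerberos_auth warns about a "type 1 NTLM token" because that blob is an NTLMSSP NEGOTIATE message, not a GSS-API/SPNEGO token carrying a Kerberos ticket. The Python below is an added example, not code from this thread or from the Squid helper; the log line is copied from the post above as constructed sample input, the flag and field layout follow MS-NLMP, and the epoch-zero dates discussed above are a timestamp problem on the log lines, unrelated to what the token contains.

```python
import base64
import re
import struct

# Constructed sample: the helper debug line from the cache.log shown in the post above.
SAMPLE_LOG = (
    "negotiate_kerberos_auth: DEBUG: Got "
    "'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' "
    "from squid (length: 59)."
)

# NTLMSSP NEGOTIATE flags (MS-NLMP section 2.2.2.5), the subset worth reporting
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000

# Squid negotiate helper protocol: 'YR <token>' first round, 'KK <token>' afterwards
HELPER_TOKEN_RE = re.compile(r"'(YR|KK) ([A-Za-z0-9+/=]+)'")


def extract_token(log_line):
    """Pull the base64 token out of a negotiate helper debug line, or None."""
    m = HELPER_TOKEN_RE.search(log_line)
    return m.group(2) if m else None


def classify_token(raw):
    """Tell an NTLMSSP blob apart from a GSS-API/SPNEGO one by its leading bytes."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"
    if raw[:1] == b"\x60":  # DER [APPLICATION 0]: GSS-API InitialContextToken
        return "gssapi"
    return "unknown"


def parse_ntlm_negotiate(raw):
    """Decode an NTLMSSP NEGOTIATE_MESSAGE (type 1), MS-NLMP 2.2.1.1, little-endian."""
    sig, msg_type, flags = struct.unpack_from("<8sII", raw, 0)
    if sig != b"NTLMSSP\x00" or msg_type != 1:
        raise ValueError("not an NTLM type 1 token")
    d_len, _d_max, d_off = struct.unpack_from("<HHI", raw, 16)   # DomainNameFields
    w_len, _w_max, w_off = struct.unpack_from("<HHI", raw, 24)   # WorkstationFields
    info = {
        "flags": flags,
        "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
        "domain": raw[d_off:d_off + d_len].decode("latin-1"),
        "workstation": raw[w_off:w_off + w_len].decode("latin-1"),
        "version": None,
    }
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        # VERSION: major, minor, build (LE16), 3 reserved bytes, NTLMRevisionCurrent
        major, minor, build, _reserved, rev = struct.unpack_from("<BBH3sB", raw, 32)
        info["version"] = (major, minor, build, rev)
    return info


def explain(log_line):
    """Summarise what kind of token the helper received on this log line."""
    b64 = extract_token(log_line)
    if b64 is None:
        return {"kind": "no-token"}
    raw = base64.b64decode(b64)
    kind = classify_token(raw)
    result = {"kind": kind, "length": len(raw)}
    if kind == "ntlmssp":
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        result["ntlm_type"] = msg_type
        if msg_type == 1:
            result.update(parse_ntlm_negotiate(raw))
    return result


if __name__ == "__main__":
    r = explain(SAMPLE_LOG)
    print(r["kind"], r["length"], "ntlm type", r.get("ntlm_type"))
    if r.get("ntlm_type") == 1:
        print("flags 0x%08x:" % r["flags"], ", ".join(r["flag_names"]))
        print("client OS version:", r["version"])
```

Run against the quoted line it reports an NTLMSSP type 1 message of 40 bytes, flags 0xe2088297, empty domain and workstation fields, and a client version of (10, 0, 17134, 15), i.e. a Windows 10 build 17134 client. A Windows client sends raw NTLMSSP in the Negotiate header when it could not obtain a Kerberos service ticket for the proxy's SPN, for instance because it reaches the proxy by IP or by a name that does not match the HTTP/ principal in the keytab, so seeing this token type is the cue to check DNS, the SPN and the keytab rather than the time stamps.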



  • @helpuser Send me all the steps you used to generate the keytab,
    the custom squid options you have added in squid.conf,
    and the DNS resolution output for your domain.



  • 0_1544001570670_Desktop.zip

    [2.4.4-RELEASE][admin@pf.mydomain.ru]/root: nslookup
    > ya.ru
    Server:         10.200.1.7
    Address:        10.200.1.7#53
    
    Non-authoritative answer:
    Name:   ya.ru
    Address: 87.250.250.242
    Name:   ya.ru
    Address: 2a02:6b8::2:242
    > mydomain.ru
    Server:         10.200.1.7
    Address:        10.200.1.7#53
    
    Name:   mydomain.ru
    Address: 10.200.1.8
    Name:   mydomain.ru
    Address: 10.200.1.7
    Name:   mydomain.ru
    Address: 192.168.1.7
    > pf
    Server:         10.200.1.7
    Address:        10.200.1.7#53
    
    Name:   pf.mydomain.ru
    Address: 10.200.1.1
    > kdc1
    Server:         10.200.1.7
    Address:        10.200.1.7#53
    
    Name:   kdc1.mydomain.ru
    Address: 10.200.1.8
    >
    

    resolv.conf

    nameserver 10.200.1.7
    nameserver 10.200.1.8
    search mydomain.ru
    

    All actions are identical to the article. The only differences are the passwords, domain name and server names. But I will not upload those to you; that is secret information, personal data.



  • @helpuser
    copy your keytab file as: /etc/krb5.keytab
    chown :proxy /etc/krb5.keytab
    chmod 0750 /etc/krb5.keytab

    squid.conf :
    auth_param negotiate program /libexec/squid/negotiate_wrapper_auth --ntlm /libexec/squid/ntlm_auth mydomain.ru --helper-protocol=squid-2.5-ntlmssp --kerberos /libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME

    Refer to the link below: https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
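
As an added check, not from this thread or from the Squid wiki page linked above: a Python parser for the MIT keytab file format that lists the principals and encryption types in a keytab, confirms the SPN the proxy needs is actually present, flags single-DES and RC4 keys, and rejects a file mode that lets "other" read the file (the chown :proxy / chmod 0750 in the reply above passes, since only the owner and the proxy group get access). The SPN HTTP/pf.mydomain.ru@MYDOMAIN.RU is an assumption built from the nslookup output earlier in the thread, with the realm taken as the upper-cased domain; the sample keytab is constructed inline with throwaway key bytes. On the firewall itself `klist -k` lists the same principals.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """Keytab counted-octet-string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(realm, components, enctype, key, kvno=2, timestamp=0):
    """Serialise one keytab entry; used here only to build the constructed sample."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno written by modern tools
    return struct.pack(">i", len(body)) + body


def parse_keytab(blob):
    """Return [{'principal', 'enctype', 'kvno'}] for every live entry in the keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of that length
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        p = 0

        def counted():
            nonlocal p
            (n,) = struct.unpack_from(">H", entry, p)
            s = entry[p + 2:p + 2 + n]
            p += 2 + n
            return s.decode("utf-8", "replace")

        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen  # skip the key material itself
        kvno = vno8
        if size - p >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno})
    return entries


def check_keytab(blob, expected_spn):
    """Problems that would stop negotiate_kerberos_auth from accepting tickets for expected_spn."""
    entries = parse_keytab(blob)
    problems = []
    if not any(e["principal"] == expected_spn for e in entries):  # principals are case-sensitive
        found = ", ".join(sorted({e["principal"] for e in entries})) or "none"
        problems.append("no key for %s (found: %s)" % (expected_spn, found))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s" % (
                ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["principal"]))
    return problems


def check_mode(mode):
    """The keytab is a credential: the proxy group may read it, 'other' must not."""
    return ["keytab is world-accessible (mode %o)" % (mode & 0o777)] if mode & 0o007 else []


# Constructed sample keytab: the assumed SPN with an AES256 key and a leftover RC4 key.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + build_entry("MYDOMAIN.RU", ["HTTP", "pf.mydomain.ru"], 18, bytes(range(32)))
                 + build_entry("MYDOMAIN.RU", ["HTTP", "pf.mydomain.ru"], 23, bytes(range(16))))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], ENCTYPE_NAMES.get(e["enctype"]), "kvno", e["kvno"])
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/pf.mydomain.ru@MYDOMAIN.RU"))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/proxy.mydomain.ru@MYDOMAIN.RU"))
    print(check_mode(0o750), check_mode(0o644))
```

To run it against a real file, pass `open("/etc/krb5.keytab", "rb").read()` to check_keytab and `os.stat("/etc/krb5.keytab").st_mode` to check_mode. A keytab that lists only a user principal, or an HTTP/ principal for a different host name than the one clients use for the proxy, is the usual reason a Windows client falls back to NTLM instead of presenting a Kerberos ticket.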