cannot implement squid + pfsense + active directory

HelpUser · Nov 28, 2018, 1:37 PM

Did everything according to this article site
Squid does not start

2018/11/28 16:07:18| /usr/local/etc/squid/squid.conf:90 unrecognized: '/usr/local/etc/squid/squid.keytab'

what could be wrong, did exactly as the article all tests passed, no errors but when connecting temnemenee keymap, a proxy just doesn't start.
2.4.4-RELEASE (amd64) Thu Sep 20 09:03:12 EDT 2018
FreeBSD 11.2-RELEASE-p3

stephenw10 · Nov 29, 2018, 3:36 AM

It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

That's actually part of the first directive just line wrapped in the box I believe. The first directive should be:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
All one line.

Steve

HelpUser · Dec 5, 2018, 7:42 AM

@stephenw10 said in cannot implement squid + pfsense + active directory:

It looks like you put /usr/local/etc/squid/squid.keytab on a separate line in the conf file.

That's actually part of the first directive just line wrapped in the box I believe. The first directive should be:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
All one line.

Steve

ahhh, I'm crying tearfully. I broke my whole head and it turns out that's it. Thank you it worked!
I will be glad if you still help! Not passes authorization on, that the strange over time.

/root: date
Thu Nov 29 11:36:27 MSK 2018

But in the squid on the tab "Real Time" in table "Squid Cache Table"

01.01.1970 03:00:00	negotiate_kerberos_auth: WARNING: received type 1 NTLM token
01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' (decoded length: 40).
01.01.1970 03:00:00	negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' from squid (length: 59).
01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_8623
01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Setting keytab to /home/squid.keytab
01.01.1970 03:00:00	negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
29.11.2018 11:43:07	Starting new negotiateauthenticator helpers...
29.11.2018 11:42:54	pinger: Initialising ICMP pinger ...
29.11.2018 11:42:53	Service Name: squid
29.11.2018 11:42:53	Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.2...

But in the squid on the tab "Real Time" in table "Squid Access Table"

date	                         IP	   stats	           address	                user   pool
29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
29.11.2018 11:43:47	10.200.1.110	TCP_DENIED/407	http://ts.eset.com/query/chsquery.php	-	-
29.11.2018 11:43:07	10.200.1.115	TCP_DENIED/407	go.microsoft.com:443	-

Where he gets this date is "01.01.1970 03:00:00" is unknown, perhaps because of this, and does not pass authorization.

stephenw10 · Nov 30, 2018, 12:05 AM

Hmm, interesting.

I have never tried that configuration nor do I have the infrastructure to test it. I just saw the error initially.

1.1.1970 is 0 seconds in epoch time so it looks like it's not getting a time stamp for that. Hard to say why that would be, I'm not sure I can help much with that.

Steve

vallum · Dec 5, 2018, 7:42 AM

@helpuser Send me all steps you used to generate keytab.
custom squid options you have added in squid.conf.
DNS resolution output for your Domain.

HelpUser · Dec 5, 2018, 9:14 AM

0_1544001570670_Desktop.zip

[2.4.4-RELEASE][admin@pf.mydomain.ru]/root: nslookup
> ya.ru
Server:         10.200.1.7
Address:        10.200.1.7#53

Non-authoritative answer:
Name:   ya.ru
Address: 87.250.250.242
Name:   ya.ru
Address: 2a02:6b8::2:242
> mydomain.ru
Server:         10.200.1.7
Address:        10.200.1.7#53

Name:   mydomain.ru
Address: 10.200.1.8
Name:   mydomain.ru
Address: 10.200.1.7
Name:   mydomain.ru
Address: 192.168.1.7
> pf
Server:         10.200.1.7
Address:        10.200.1.7#53

Name:   pf.mydomain.ru
Address: 10.200.1.1
> kdc1
Server:         10.200.1.7
Address:        10.200.1.7#53

Name:   kdc1.mydomain.ru
Address: 10.200.1.8
>

resolv.conf

nameserver 10.200.1.7
nameserver 10.200.1.8
search mydomain.ru

all actions are identical to the article. The only difference is in passwords, domain name, server names. But I will not upload this to you, it is secret information, personal data.

vallum · Dec 10, 2018, 10:05 AM

@helpuser
copy your keytab file as: /etc/krb5.keytab
chown :proxy /etc/krb5.keytab
chmod 0750 /etc/krb5.keytab

squid.conf :
auth_param negotiate program /libexec/squid/negotiate_wrapper_auth --ntlm /libexec/squid/ntlm_auth mydomain.ru --helper-protocol=squid-2.5-ntlmssp --kerberos /libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME

Refer below link : https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory