cannot implement squid + pfsense + active directory
-
Did everything according to this article.
Squid does not start:
2018/11/28 16:07:18| /usr/local/etc/squid/squid.conf:90 unrecognized: '/usr/local/etc/squid/squid.keytab'
What could be wrong? I did exactly as in the article; all tests passed with no errors, but nevertheless, once the keytab is connected, the proxy just doesn't start.
2.4.4-RELEASE (amd64) Thu Sep 20 09:03:12 EDT 2018
FreeBSD 11.2-RELEASE-p3
-
It looks like you put
/usr/local/etc/squid/squid.keytab
on a separate line in the conf file. That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
All one line.
Steve
-
@stephenw10 said in cannot implement squid + pfsense + active directory:
It looks like you put
/usr/local/etc/squid/squid.keytab
on a separate line in the conf file. That's actually part of the first directive, just line-wrapped in the box, I believe. The first directive should be:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squid.keytab
All one line.
Steve
Ahhh, I'm crying tears of joy. I racked my brains over this and it turns out that's all it was. Thank you, it worked!
I would be glad if you could help further! Authorization does not pass, and what is strange is the time.
/root: date
Thu Nov 29 11:36:27 MSK 2018
But in Squid, on the "Real Time" tab, the "Squid Cache Table" shows:
01.01.1970 03:00:00 negotiate_kerberos_auth: WARNING: received type 1 NTLM token
01.01.1970 03:00:00 negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' (decoded length: 40).
01.01.1970 03:00:00 negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==' from squid (length: 59).
01.01.1970 03:00:00 negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_8623
01.01.1970 03:00:00 negotiate_kerberos_auth: INFO: Setting keytab to /home/squid.keytab
01.01.1970 03:00:00 negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
29.11.2018 11:43:07 Starting new negotiateauthenticator helpers...
29.11.2018 11:42:54 pinger: Initialising ICMP pinger ...
29.11.2018 11:42:53 Service Name: squid
29.11.2018 11:42:53 Starting Squid Cache version 3.5.27 for amd64-portbld-freebsd11.2...
And on the "Real Time" tab, the "Squid Access Table" shows:
date                 IP            stats           address                                user  pool
29.11.2018 11:43:47  10.200.1.110  TCP_DENIED/407  http://ts.eset.com/query/chsquery.php  -     -
29.11.2018 11:43:47  10.200.1.110  TCP_DENIED/407  http://ts.eset.com/query/chsquery.php  -     -
29.11.2018 11:43:07  10.200.1.115  TCP_DENIED/407  go.microsoft.com:443                   -
Where it gets this date "01.01.1970 03:00:00" from is unknown; perhaps that is why authorization does not pass.
-
Hmm, interesting.
I have never tried that configuration nor do I have the infrastructure to test it. I just saw the error initially.
1.1.1970 is 0 seconds in epoch time, so it looks like it's not getting a time stamp for that. Hard to say why that would be; I'm not sure I can help much with that.
Steve
-
@helpuser Send me all the steps you used to generate the keytab,
the custom Squid options you have added in squid.conf,
and the DNS resolution output for your domain.
-
[2.4.4-RELEASE][admin@pf.mydomain.ru]/root: nslookup
> ya.ru
Server:   10.200.1.7
Address:  10.200.1.7#53

Non-authoritative answer:
Name:     ya.ru
Address:  87.250.250.242
Name:     ya.ru
Address:  2a02:6b8::2:242
> mydomain.ru
Server:   10.200.1.7
Address:  10.200.1.7#53

Name:     mydomain.ru
Address:  10.200.1.8
Name:     mydomain.ru
Address:  10.200.1.7
Name:     mydomain.ru
Address:  192.168.1.7
> pf
Server:   10.200.1.7
Address:  10.200.1.7#53

Name:     pf.mydomain.ru
Address:  10.200.1.1
> kdc1
Server:   10.200.1.7
Address:  10.200.1.7#53

Name:     kdc1.mydomain.ru
Address:  10.200.1.8
>
resolv.conf:
nameserver 10.200.1.7
nameserver 10.200.1.8
search mydomain.ru
All actions are identical to the article. The only differences are the passwords, domain name and server names, but I will not upload those to you; it is secret information, personal data.
-
@helpuser
copy your keytab file as: /etc/krb5.keytab
chown :proxy /etc/krb5.keytab
chmod 0750 /etc/krb5.keytab
squid.conf :
auth_param negotiate program /libexec/squid/negotiate_wrapper_auth --ntlm /libexec/squid/ntlm_auth mydomain.ru --helper-protocol=squid-2.5-ntlmssp --kerberos /libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
Refer to the link below:
https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
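Added example, not code from this thread or from the Squid or pfSense projects: a small POSIX shell lint for the two things the thread turns on, the negotiate helper directive that got wrapped onto a second line (Squid then rejects the path fragment as an unrecognized directive, exactly the startup error in the first post) and a keytab the helper cannot read (the chown :proxy step above). The config and keytab paths in the demo are constructed in a temp directory; the real file on pfSense is /usr/local/etc/squid/squid.conf. The keytab check assumes the helper reads the file as a member of its group, which is what the chown :proxy step intends.

```shell
#!/bin/sh
# Added example (not from the thread): lint a squid.conf for a wrapped
# auth_param directive and check that the negotiate helper's keytab is
# readable by its group. Paths used in demo() are constructed.

# check_wrapped_directives CONF
# Prints every non-comment line whose first word begins with '/' or '-'.
# No Squid directive starts that way, so such a line is almost certainly
# the tail of the previous line. Returns 1 if any were found, else 0.
check_wrapped_directives() {
    conf="$1"
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop leading blanks so indented lines are judged by their first word
        stripped=${line#"${line%%[![:space:]]*}"}
        case "$stripped" in
            ''|'#'*) ;;                         # blank line or comment: fine
            /*|-*)
                printf 'line %d: "%s" is not a directive; join it to the previous line\n' \
                    "$n" "$stripped"
                bad=1 ;;
        esac
    done < "$conf"
    return $bad
}

# negotiate_keytab CONF
# Prints the path given to negotiate_kerberos_auth with -k on the
# "auth_param negotiate program" line, if there is one.
negotiate_keytab() {
    awk '/^[ \t]*auth_param[ \t]+negotiate[ \t]+program/ {
            for (i = 1; i < NF; i++) if ($i == "-k") { print $(i + 1); exit }
         }' "$1"
}

# check_keytab PATH
# Returns 0 if the keytab exists and its group may read it, 1 otherwise.
# Uses ls -ld so it works the same on FreeBSD and Linux.
check_keytab() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt does not exist"
        return 1
    fi
    mode=$(ls -ld "$kt" | cut -c1-10)      # e.g. -rw-r-----
    case "$mode" in
        ????r*) return 0 ;;                 # 5th char is the group read bit
        *) echo "keytab $kt is not group-readable ($mode)"; return 1 ;;
    esac
}

# demo: build a wrapped and a corrected config in a temp dir and lint both.
demo() {
    d=$(mktemp -d)
    # constructed sample: the -k argument wrapped onto the next line
    printf 'auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k\n/usr/local/etc/squid/squid.keytab\nauth_param negotiate children 10\n' \
        > "$d/wrapped.conf"
    # constructed sample: the same directive on one line, keytab in the temp dir
    printf 'auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k %s/squid.keytab\nauth_param negotiate children 10\n' \
        "$d" > "$d/fixed.conf"
    : > "$d/squid.keytab"
    chmod 0600 "$d/squid.keytab"            # too strict: the group cannot read it

    echo "== wrapped.conf"
    check_wrapped_directives "$d/wrapped.conf" || echo "-> fix the config before starting squid"
    echo "== fixed.conf"
    check_wrapped_directives "$d/fixed.conf" && echo "-> no wrapped directives"
    kt=$(negotiate_keytab "$d/fixed.conf")
    check_keytab "$kt" || echo "-> chown :proxy and chmod 0640 the keytab"
    chmod 0640 "$d/squid.keytab"
    check_keytab "$kt" && echo "-> keytab readable by its group"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see both configs linted; to check a live box, source the file and call `check_wrapped_directives /usr/local/etc/squid/squid.conf` followed by `check_keytab "$(negotiate_keytab /usr/local/etc/squid/squid.conf)"`. The lint only catches lines that cannot be directives; it does not validate the rest of the config, and a keytab that is group-readable can still belong to the wrong group, so check ownership with ls -l as well.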