Netgate Discussion Forum

Kerberos Squid without authentication?

Cache/Proxy

      killmasta93 last edited by

      Hi
      I was wondering if someone could shed some light, or whether someone else has accomplished this.
      So I created this inside /etc/krb5.conf:

      [libdefaults]
      default_realm = CASA.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true
      default_tgs_enctypes = aes128-cts-hmac-sha1-96
      default_tkt_enctypes = aes128-cts-hmac-sha1-96
      permitted_enctypes = aes128-cts-hmac-sha1-96
      
      [realms]
      CASA.LOCAL = {
      kdc = apolo.casa.local
      }
      
      [domain_realm]
      .olympus.casa.local = CASA.LOCAL
      olympus.casa.local = CASA.LOCAL
      
      [logging]
      kdc = FILE:/var/log/kdc.log
      Default = FILE:/var/log/krb5lib.log
      

      After that I validated that it was working by running kinit and authenticating as a valid user in the Active Directory domain, and it worked.

      Then I created a user called squid to create an SPN:

      C:\Windows\system32>ktpass -out C:\squidproxy.keytab -princ HTTP/apolo.casa.local@CASA.LOCAL -mapUser squid@CASA.LOCAL -crypto AES128-SHA1 -pass thepassword -ptype KRB5_NT_PRINCIPAL
      

      Then I copied the keytab and placed it in pfSense. After that I went to the Squid proxy Custom Options (Before Auth):

      auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
      auth_param negotiate children 1000
      auth_param negotiate keep_alive on
      acl auth proxy_auth REQUIRED
      # challenge (407) anyone not yet authenticated, then allow authenticated users
      http_access deny !auth
      http_access allow auth
      

      But for some reason I'm still getting the popup. I'm trying on a Windows server as the administrator of the domain.

      Any ideas?

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

      mcury @killmasta93 last edited by mcury

        The path to the PAC file should be the FQDN, don't use an IP.

        Once you boot and log in to Windows, type klist into the CMD to check if the proxy is listed.

        Check if this tutorial can help you: https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

        SG-3100 22.05 / Unifi Flex Mini / Unifi NanoHD / Synology DS218+ / Raspberry Pi 4b - Graylog / Raspberry Pi 3b - Samba-ad-dc / Apache / Unifi controller / Freeradius

          killmasta93 @mcury last edited by killmasta93

          @mcury
          Thanks for the reply. I thought I was using the FQDN; I didn't see any IP.

          As for the tutorial, correct, I'm using that tutorial but it doesn't seem to work.

          When I ran klist on the Windows server, which is in the domain, running as administrator,
          I get this:

          The ID. current login is 0: 0xb410d
          
          Cached vouchers: (0)
          

          So I re-ran it and got this:

          Vales almacenados en caché: (2)
          
          #0>     Cliente: administrador @ CASA.LOCAL
                  Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
                  Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                  Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
                  Hora de inicio: 5/7/2021 19:15:41 (local)
                  Hora de finalización:   5/8/2021 5:15:41 (local)
                  Hora de renovación: 5/14/2021 19:15:41 (local)
                  Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                  Marcas de caché: 0x1 -> PRIMARY
                  KDC llamado: apolo.casa.local
          
          #1>     Cliente: administrador @ CASA.LOCAL
                  Servidor: LDAP/apolo.casa.local/casa.local @ CASA.LOCAL
                  Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                  Marcas de vale 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
                  Hora de inicio: 5/7/2021 19:15:41 (local)
                  Hora de finalización:   5/8/2021 5:15:41 (local)
                  Hora de renovación: 5/14/2021 19:15:41 (local)
                  Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                  Marcas de caché: 0
                  KDC llamado: apolo.casa.local
          
          C:\Users\administrador.CASA>
          

          My question is: how does it know which users are allowed to browse?

          Thank you

            mcury @killmasta93 last edited by mcury

            In squidGuard, under group ACL, you should add something like this:

            ldapusersearch ldap://adserver.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=AD_GROUP_TO_FILTER%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
            

            Then members of this group (AD_GROUP_TO_FILTER) would be filtered by the policy configured in squidGuard.

            The problem I'm seeing in your klist is that Windows is not generating the Kerberos ticket for the HTTP access. Strange that it is also not generating a ticket for file sharing (CIFS).

            Try to configure Internet Explorer to access the proxy using the FQDN, reboot, and type klist again.
            Internet Explorer will trigger Kerberos to generate a ticket in Windows (tested in Windows 10). After that, all browsers (if you set them up to use the Windows configuration) will use the ticket automatically.

              killmasta93 @mcury last edited by

              @mcury
              Thanks for the reply.
              So using squidGuard would be the way to block users from using the internet?
              But let's see if I can first get Squid working without the popup.

              Once I open the browser I get this ticket:

              #0>     Cliente: administrador @ CASA.LOCAL
                      Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
                      Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                      Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
                      Hora de inicio: 5/7/2021 19:15:41 (local)
                      Hora de finalización:   5/8/2021 5:15:41 (local)
                      Hora de renovación: 5/14/2021 19:15:41 (local)
                      Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                      Marcas de caché: 0x1 -> PRIMARY
                      KDC llamado: apolo.casa.local
              
              #1>     Cliente: administrador @ CASA.LOCAL
                      Servidor: LDAP/apolo.casa.local/casa.local @ CASA.LOCAL
                      Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                      Marcas de vale 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
                      Hora de inicio: 5/7/2021 19:15:41 (local)
                      Hora de finalización:   5/8/2021 5:15:41 (local)
                      Hora de renovación: 5/14/2021 19:15:41 (local)
                      Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                      Marcas de caché: 0
                      KDC llamado: apolo.casa.local
              

              Not sure if that counts?

                mcury @killmasta93 last edited by mcury

                You can leave the authentication tab in Squid disabled, and use the ldapusersearch mentioned above in squidGuard.
                The popup will disappear if you do it correctly.

                I never tried to block using only Squid, so unfortunately I can't help you there.

                  killmasta93 @mcury last edited by killmasta93

                  @mcury
                  Thanks for the reply, so I used the ldapusersearch:

                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                  

                  And this is the location of the users:

                  CN=Users,DC=casa,DC=local
                  

                  But I'm still getting the popup.

                  I checked the Squid logs, so I think I'm missing something on Squid.

                    mcury @killmasta93 last edited by mcury

                    @killmasta93 Is the ticket being generated?
                    If the client is a domain member and everything is configured correctly, the HTTP ticket will appear in klist.

                    Check and confirm that the path to the proxy inside Internet Explorer (Windows proxy configuration) is set correctly.

                    Are you using Samba and the DNS backend?
                    If so, there are some tests you can do: check the Kerberos part in the link below, and also perform the DNS tests to confirm that everything is set up as it should be.

                    https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

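The check mcury describes (is there a cached service ticket for the proxy's HTTP SPN?) can be automated over saved klist output. The following is an added example, not code from this thread, from pfSense or from Squid: it parses Windows klist output with either English or Spanish labels, reports whether a ticket for HTTP/<proxy fqdn> is present, and lists tickets issued with RC4, which is worth noticing because the krb5.conf in the first post pins AES128 on the proxy side. The two klist samples are constructed to resemble the ones posted here, and olympus.casa.local is assumed to be the proxy host.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Labels printed by Windows klist: English, and the Spanish locale seen in this thread.
SERVER_LABELS = ("server", "servidor")
ENCTYPE_LABELS = ("kerbticket encryption type", "tipo de cifrado de vale kerberos")


@dataclass
class Ticket:
    server: str   # normalised to "service/host@REALM"
    enctype: str


def _ticket_from_fields(fields: dict[str, str]) -> Ticket:
    server = next((fields[k] for k in SERVER_LABELS if k in fields), "")
    enctype = next((fields[k] for k in ENCTYPE_LABELS if k in fields), "")
    # Windows prints "krbtgt/CASA.LOCAL @ CASA.LOCAL"; drop the spaces around '@'.
    return Ticket(server=re.sub(r"\s*@\s*", "@", server), enctype=enctype)


def parse_klist(text: str) -> list[Ticket]:
    """Split klist output into one Ticket per '#n>' block, independent of locale."""
    tickets: list[Ticket] = []
    fields: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"#\d+>", line):          # start of a new cached ticket
            if fields is not None:
                tickets.append(_ticket_from_fields(fields))
            fields = {}
            line = line.split(">", 1)[1].strip()
        if fields is None or ":" not in line:
            continue                           # header lines and "Ticket Flags" lines
        label, value = line.split(":", 1)
        fields[label.strip().lower()] = value.strip()
    if fields is not None:
        tickets.append(_ticket_from_fields(fields))
    return tickets


def has_service_ticket(tickets: list[Ticket], spn: str) -> bool:
    """True when a ticket for the given SPN (e.g. HTTP/olympus.casa.local) is cached."""
    want = spn.lower() + "@"
    return any(t.server.lower().startswith(want) for t in tickets)


def rc4_tickets(tickets: list[Ticket]) -> list[str]:
    """Servers whose ticket was issued with the legacy RC4-HMAC enctype."""
    return [t.server for t in tickets if "rc4" in t.enctype.lower()]


def diagnose(klist_text: str, proxy_fqdn: str) -> dict:
    tickets = parse_klist(klist_text)
    return {
        "tickets": len(tickets),
        "http_ticket": has_service_ticket(tickets, f"HTTP/{proxy_fqdn}"),
        "rc4_servers": rc4_tickets(tickets),
    }


# Constructed sample: Spanish-locale klist with no HTTP ticket, like the posts above.
KLIST_NO_HTTP = """
Vales almacenados en caché: (2)

#0>     Cliente: administrador @ CASA.LOCAL
        Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
        Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
        Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
        Hora de inicio: 5/8/2021 16:21:07 (local)
        KDC llamado: apolo.casa.local

#1>     Cliente: administrador @ CASA.LOCAL
        Servidor: LDAP/apolo.casa.local/casa.local @ CASA.LOCAL
        Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
        KDC llamado: apolo.casa.local
"""

# Constructed sample: English-locale klist where the proxy ticket was obtained.
KLIST_WITH_HTTP = """
Cached Tickets: (2)

#0>     Client: windows10 @ CASA.LOCAL
        Server: krbtgt/CASA.LOCAL @ CASA.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: apolo.casa.local

#1>     Client: windows10 @ CASA.LOCAL
        Server: HTTP/olympus.casa.local @ CASA.LOCAL
        KerbTicket Encryption Type: AES-128-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: apolo.casa.local
"""

if __name__ == "__main__":
    for name, sample in (("no-http", KLIST_NO_HTTP), ("with-http", KLIST_WITH_HTTP)):
        print(name, diagnose(sample, "olympus.casa.local"))
```

Run it against a pasted klist dump from the client: "http_ticket": False while the krbtgt and LDAP tickets are present is exactly the state the posts above show, and means the browser never asked the KDC for the proxy's SPN, so Negotiate falls back and the popup appears.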
                      killmasta93 @mcury last edited by

                      @mcury

                      Thanks for the reply. As for the proxy, this is how I have it configured.

                      When I open Chrome and then check klist I get the ticket:

                      C:\Users\administrador.CASA>klist
                      
                      El id. de inicio de sesión actual es 0:0xb410d
                      
                      Vales almacenados en caché: (2)
                      
                      #0>     Cliente: administrador @ CASA.LOCAL
                              Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
                              Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                              Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
                              Hora de inicio: 5/8/2021 16:21:07 (local)
                              Hora de finalización:   5/9/2021 2:21:07 (local)
                              Hora de renovación: 5/15/2021 16:21:07 (local)
                              Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                              Marcas de caché: 0x1 -> PRIMARY
                              KDC llamado: apolo.casa.local
                      
                      #1>     Cliente: administrador @ CASA.LOCAL
                              Servidor: LDAP/apolo.casa.local/casa.local @ CASA.LOCAL
                              Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                              Marcas de vale 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
                              Hora de inicio: 5/8/2021 16:21:07 (local)
                              Hora de finalización:   5/9/2021 2:21:07 (local)
                              Hora de renovación: 5/15/2021 16:21:07 (local)
                              Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                              Marcas de caché: 0
                              KDC llamado: apolo.casa.local
                      

                      But I'm not sure what else I'm doing wrong. Currently running Zentyal as my domain controller.

                      Thank you

                        mcury @killmasta93 last edited by

                        @killmasta93 Dirección: you set the IP. I told you to use the hostname and not the IP.
                        Change that 192.168.3.254 and use the proxy hostname, hostname.casa.local.

                          killmasta93 @mcury last edited by

                          @mcury
                          Thanks for the reply. So I changed it to the hostname but still get the popup.

                          I also checked whether I get the ticket.

                          I'm not sure if I did the above steps for configuring Squid correctly, which I think might be the problem?

                            mcury @killmasta93 last edited by

                            Check if your pfSense can perform the following command successfully:

                            kinit administrator

                            If it works, update here and we'll follow on from that.

                              killmasta93 @mcury last edited by

                              @mcury
                              Thanks for the reply, this is what I get:

                              [2.4.5-RELEASE][root@Olympus.casa.local]/root: kinit administrador
                              administrador@CASA.LOCAL's Password: 
                              [2.4.5-RELEASE][root@Olympus.casa.local]/root: klist
                              Credentials cache: FILE:/tmp/krb5cc_0
                                      Principal: administrador@CASA.LOCAL
                              
                                Issued                Expires               Principal
                              May  9 20:09:35 2021  May 10 06:09:35 2021  krbtgt/CASA.LOCAL@CASA.LOCAL
                              

                                mcury @killmasta93 last edited by mcury

                                Now check if your pfSense can perform these commands.
                                Assuming that olympus is the hostname of the AD DNS server and the domain is casa.local:

                                host -t SRV _ldap._tcp.casa.local.
                                host -t SRV _kerberos._udp.casa.local.
                                host -t A olympus.casa.local.
                                

                                I would remove these lines from krb5.conf to test.
                                You will need to generate a new keytab after changing these settings:

                                default_tgs_enctypes = aes128-cts-hmac-sha1-96
                                default_tkt_enctypes = aes128-cts-hmac-sha1-96
                                permitted_enctypes = aes128-cts-hmac-sha1-96
                                

                                  killmasta93 @mcury last edited by

                                  @mcury said in Kerberos Squid without authentication?:

                                  host -t A olympus.casa.local.

                                  Thanks for the reply. As for the AD DNS, the server is called apolo, which has an IP of 192.168.3.150, and olympus is the pfSense with IP 192.168.3.254.

                                  I ran the following commands without removing the lines and they seemed to work:

                                  [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _ldap._tcp.casa.local.
                                  _ldap._tcp.casa.local has SRV record 0 100 389 apolo.casa.local.
                                  [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
                                  _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
                                  _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.
                                  [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t A apolo.casa.local.
                                  apolo.casa.local has address 192.168.3.150
                                  

                                    mcury @killmasta93 last edited by

                                    @killmasta93 said in Kerberos Squid without authentication?:

                                    [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
                                    _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
                                    _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.

                                    I would remove the following lines from krb5.conf to test.
                                    You will need to generate a new keytab after that, then replace the keytab in pfSense, and log out and log in again with the client to test.

                                    Removing the following lines will make it use the default enctypes:
                                    default_tgs_enctypes = aes128-cts-hmac-sha1-96
                                    default_tkt_enctypes = aes128-cts-hmac-sha1-96
                                    permitted_enctypes = aes128-cts-hmac-sha1-96

                                      killmasta93 @mcury last edited by

                                      @mcury
                                      Thanks for the reply. So I did the following: deleted those lines and recreated the keytab, but same issue.

                                        mcury @killmasta93 last edited by

                                        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
                                        auth_param negotiate children 1000
                                        auth_param negotiate keep_alive on
                                        acl auth proxy_auth REQUIRED
                                        # challenge (407) anyone not yet authenticated, then allow authenticated users
                                        http_access deny !auth
                                        http_access allow auth

                                        The name is squidkeytab.keytab and not squidproxy.keytab?

                                          killmasta93 @mcury last edited by

                                          @mcury
                                          Thanks for the reply. Just realized that it was an error, but after changing it, same issue.

                                            mcury @killmasta93 last edited by

                                            This is the ticket that should appear in klist.

                                            Everything seems to be OK with your configuration, at least between pfSense and AD.

                                            Show the Squid logs again after changing the keytab.
                                            Can you test with another client?

                                              killmasta93 @mcury last edited by

                                              @mcury
                                              Thanks again for the reply. So I'm trying another machine which is in the domain, but same issue.

                                                mcury @killmasta93 last edited by

                                                Did you create the user and enable it in AD?

                                                  killmasta93 @mcury last edited by

                                                  @mcury
                                                  Thanks for the reply. Correct, I already did that,
                                                  on the Service Principal Name.

                                                    mcury @killmasta93 last edited by mcury

                                                    Maybe you are facing the same problem as this guy was, take a look:

                                                    http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

                                                    Quote:
                                                    You should see a request from the client to Active Directory asking for a TGS for HTTP/<fqdn of proxy>. If that does not happen or gets refused by AD, the client will fall back to NTLM (wrapped into the Negotiate response), which is what you see on the proxy.

                                                    I would set up a packet capture like that guy did to check, on port 88.

                                                      killmasta93 @mcury last edited by

                                                      @mcury
                                                      Finally got it to authenticate, but I'm still getting the popup.

                                                        mcury @killmasta93 last edited by mcury

                                                        Why are you authenticating as administrador@CASA.LOCAL?
                                                        The user should be appearing there, not administrator. It should be user@CASA.LOCAL.

                                                        The user needs to be a member of the group used in ldapusersearch in squidGuard.

                                                          killmasta93 @mcury last edited by killmasta93

                                                          @mcury
                                                          It's because I'm opening Chrome inside the Windows server, where I'm logged on as administrador.

                                                          This is another user.

                                                            mcury @killmasta93 last edited by

                                                            OK, in this last screenshot, is the username Windows10?
                                                            Is this user a member of the group used in ldapusersearch?

                                                            You are almost there. Soon we will find the problem.

                                                              killmasta93 @mcury last edited by

                                                              @mcury
                                                              Thanks for the reply.
                                                              So on squidGuard:

                                                              ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                                              

                                                              And the user is located in:

                                                              CN=windows10,CN=Users,DC=casa,DC=local
                                                              

                                                                mcury @killmasta93 last edited by mcury

                                                                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

                                                                You used a %2c in the wrong place (it means a ',').

                                                                It should be:

                                                                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                                                

It's important to note that you are not filtering users by group in this case.
I would create a group, like internet, add the members to this group, and then filter like this:

                                                                ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                                                


                                                                  killmasta93 @mcury last edited by

                                                                  @mcury said in Kerberos Squid without authentication?:

                                                                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

Thanks again for the reply. So I changed it to:

                                                                  ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
                                                                  

Then I created a group called internet and added windows10 and administrador, but I have the same issue with the popup.

                                                                  CN=internet,CN=Users,DC=casa,DC=local
                                                                  

I'm thinking it's a Squid issue but I don't know what else to do :(

                                                                    mcury @killmasta93 last edited by

Try port 389 instead of 3268... Who knows...

                                                                      killmasta93 last edited by killmasta93

                                                                      @mcury

Thanks for the reply.
So on Squid I had to remove:

                                                                      http_access allow deny
                                                                      

Now that I got to squidGuard, I see this log:

                                                                      (squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),
                                                                      

I also had to configure this on squidGuard:
(screenshot of the squidGuard configuration; image not included)

                                                                        mcury @killmasta93 last edited by

So, is it working now?

If not, I would focus on the ldapusersearch...

                                                                          killmasta93 @mcury last edited by

Thanks for the reply.
So, correct, it's navigating with the user now. I need to block, but I see this log on squidGuard:

                                                                          12.05.2021 19:45:34	(squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName)
                                                                          

                                                                            mcury @killmasta93 last edited by mcury

Try to tick that option in squidGuard: Strip NT domain name.
If ticking it doesn't work, undo it.

                                                                              mcury @mcury last edited by

                                                                              Test this:

1 - Disable the squidGuard authentication tab
2 - Enable the Squid authentication tab with the following details:

                                                                              Squid Authentication LDAP Settings > LDAP Base Domain:
                                                                              DC=casa,DC=local -R

(The -R option will enable recursive search in the domain.)

Note: keep the ldapusersearch the same as before, using port 3268.

                                                                              Then try again and post here in case it works.

                                                                                KaP last edited by

                                                                                Google Chrome and other browsers from a certain version onwards (I can't say from which one) don't allow "Transparent" authentication without the Pop Up window appearing.
                                                                                So I don't think you will be able to accomplish what you intended.

If I am wrong, can you correct me please?

                                                                                  killmasta93 @mcury last edited by

                                                                                  @mcury
Thanks for the reply. So I got it working; I used the pf2ad script.
But on LDAP for squidGuard, how do I add a group with a space? The group is called domain users.

                                                                                  ldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))
                                                                                  

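An example added here (not code from the thread, from pfSense or from squidGuard) that does in Python what the posts above do by hand: build the ldapusersearch URL with the group DN percent-encoded the way mcury's corrected line does (%2c for the comma, and %20 for the space in "domain users" from the last post), decode it back to the filter seen in the squidGuard log line, and reject the stray leading %2c of the first attempt. It assumes squidGuard percent-decodes the filter like a standard RFC 4516 LDAP URL parser; the host, base DN and group names are the ones from the thread.

```python
import re

# Constructed sample values, reusing the names from the thread.
HOST, PORT, BASE_DN = "apolo.casa.local", 3268, "dc=casa,dc=local"
GROUP_DN = "CN=internet,CN=Users,DC=casa,DC=local"
GROUP_WITH_SPACE_DN = "CN=domain users,CN=Users,DC=casa,DC=local"  # last post's question
# The first attempt from the thread, with the stray %2c in front of the DN.
WRONG_URL = ("ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?"
             "(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))")

def encode_dn_for_filter(dn):
    """Percent-encode a DN for the filter part of the URL: ',' becomes %2c and
    ' ' becomes %20 (RFC 4516 escaping, lowercase hex as written in the thread)."""
    return "".join(c if c.isalnum() or c in "=-._~" else "%%%02x" % ord(c) for c in dn)

def dn_is_wellformed(dn):
    """True if every RDN is attr=value with both sides non-empty. The stray
    leading %2c decodes to an empty RDN, which this rejects."""
    rdns = [r.strip().partition("=") for r in dn.split(",")]
    return all(a and sep and v for a, sep, v in rdns)

def build_ldapusersearch(host, port, base_dn, group_dn, user_attr="userPrincipalName"):
    """Build the squidGuard ldapusersearch URL (base?attrs?scope?filter); the
    filter keeps %s as squidGuard's placeholder for the user name."""
    if not dn_is_wellformed(group_dn):
        raise ValueError("malformed group DN: %r" % group_dn)
    filt = "(&(memberof=%s)(%s=%%s))" % (encode_dn_for_filter(group_dn), user_attr)
    return "ldap://%s:%d/%s?%s?sub?%s" % (host, port, base_dn, user_attr, filt)

def parse_ldapusersearch(url, user):
    """Split the URL into its RFC 4516 parts, percent-decode the filter and fill
    in the user: the result is the filter squidGuard prints in its ldap_search
    log line. Assumption: squidGuard decodes like a standard LDAP URL parser."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, _, rest = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")
    base, attrs, scope, filt = rest.split("?", 3)
    decoded = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), filt)
    return {"host": host, "port": int(port or 389), "base": base, "attrs": attrs,
            "scope": scope, "filter": decoded.replace("%s", user)}

def memberof_dn(url):
    """Decoded DN from the (memberof=...) term of the filter, or None."""
    m = re.search(r"\(memberof=([^)]*)\)", parse_ldapusersearch(url, "x")["filter"], re.I)
    return m.group(1) if m else None
```

Running build_ldapusersearch with GROUP_WITH_SPACE_DN gives memberof=CN=domain%20users%2cCN=Users%2cDC=casa%2cDC=local, and memberof_dn(WRONG_URL) shows why the first attempt failed: the DN decodes to one that starts with a comma.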