Netgate Discussion Forum
Kerberos Squid without authentication?

Category: Cache/Proxy (39 posts, 3 posters, 5.4k views)
    mcury @killmasta93, May 8, 2021, 7:40 AM (last edited May 8, 2021, 8:08 AM)

    You can leave the authentication tab in Squid disabled, and use the ldapusersearch mentioned above in Squidguard.
    The popup will disappear if you do it correctly.

    I never tried to block using only Squid, so unfortunately I can't help you.

    dead on arrival, nowhere to be found.

      killmasta93 @mcury, May 8, 2021, 5:53 PM (last edited May 8, 2021, 5:55 PM)

      @mcury
      Thanks for the reply, so I used the ldapusersearch

      ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
      

      [screenshot attachment]
      and this is the location of the users

      CN=Users,DC=casa,DC=local
      

      but I'm still getting the popup

      I checked the Squid logs, so I think I'm missing something on Squid

      [screenshot attachment]

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        mcury @killmasta93, May 8, 2021, 7:23 PM (last edited May 8, 2021, 7:28 PM)

        @killmasta93 Is the ticket being generated?
        If the client is a domain member, and everything is configured correctly, the HTTP ticket will appear in klist.

        Check and confirm if the path to the proxy inside Internet Explorer (Windows proxy configuration), is set correctly.

        Are you using Samba and DNS backend?
        If so, there are some tests you can do: check the Kerberos part in the link below, and also perform the DNS tests to confirm that everything is set up as it should be.

        https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller


          killmasta93 @mcury, May 8, 2021, 9:22 PM

          @mcury

          Thanks for the reply; as for the proxy, this is how I have it configured
          [screenshot attachment]

          When I open Chrome and then check klist, I get the ticket

          C:\Users\administrador.CASA>klist
          
          El id. de inicio de sesión actual es 0:0xb410d
          
          Vales almacenados en caché: (2)
          
          #0>     Cliente: administrador @ CASA.LOCAL
                  Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
                  Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                  Marcas de vale 0x40e00000 -> forwardable renewable initial pre_authent
                  Hora de inicio: 5/8/2021 16:21:07 (local)
                  Hora de finalización:   5/9/2021 2:21:07 (local)
                  Hora de renovación: 5/15/2021 16:21:07 (local)
                  Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                  Marcas de caché: 0x1 -> PRIMARY
                  KDC llamado: apolo.casa.local
          
          #1>     Cliente: administrador @ CASA.LOCAL
                  Servidor: LDAP/apolo.casa.local/casa.local @ CASA.LOCAL
                  Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
                  Marcas de vale 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
                  Hora de inicio: 5/8/2021 16:21:07 (local)
                  Hora de finalización:   5/9/2021 2:21:07 (local)
                  Hora de renovación: 5/15/2021 16:21:07 (local)
                  Tipo de clave de sesión: RSADSI RC4-HMAC(NT)
                  Marcas de caché: 0
                  KDC llamado: apolo.casa.local
          

          But I'm not sure what else I'm doing wrong; currently running Zentyal as my domain controller

          Thank you


            mcury @killmasta93, May 8, 2021, 9:41 PM

            @killmasta93 Dirección: you set the IP; I told you to use the hostname and not the IP.
            Change that 192.168.3.254 and use the proxy hostname, hostname.casa.local


              killmasta93 @mcury, May 9, 2021, 4:11 PM

              @mcury
              Thanks for the reply, so I changed it to the hostname but still get the popup

              [screenshot attachment]

              I also checked if I get the ticket

              I'm not sure if I did the above steps for configuring Squid correctly, which I think might be the problem?

              [screenshot attachment]


                mcury @killmasta93, May 10, 2021, 12:18 AM

                Check if your pfSense can perform the following command successfully.

                kinit administrator

                If it works, update here and we'll go on from there.


                  killmasta93 @mcury, May 10, 2021, 1:13 AM

                  @mcury
                  Thanks for the reply, this is what I get

                  [2.4.5-RELEASE][root@Olympus.casa.local]/root: kinit administrador
                  administrador@CASA.LOCAL's Password: 
                  [2.4.5-RELEASE][root@Olympus.casa.local]/root: klist
                  Credentials cache: FILE:/tmp/krb5cc_0
                          Principal: administrador@CASA.LOCAL
                  
                    Issued                Expires               Principal
                  May  9 20:09:35 2021  May 10 06:09:35 2021  krbtgt/CASA.LOCAL@CASA.LOCAL
                  


                    mcury @killmasta93, May 10, 2021, 10:51 AM (last edited May 10, 2021, 11:12 AM)

                    Now check if your pfSense can perform these commands:
                    Assuming that olympus is the hostname of the AD DNS server and the domain is casa.local

                    host -t SRV _ldap._tcp.casa.local.
                    host -t SRV _kerberos._udp.casa.local.
                    host -t A olympus.casa.local.
                    

                    I would remove these lines from krb5.conf to test:
                    You will need to generate a new keytab after changing these settings

                    default_tgs_enctypes = aes128-cts-hmac-sha1-96
                    default_tkt_enctypes = aes128-cts-hmac-sha1-96
                    permitted_enctypes = aes128-cts-hmac-sha1-96
                    

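A check added here (not from either poster, and not a pfSense or Squid tool) that ties the two posts above together: it parses a Windows klist dump like the one quoted earlier, with Spanish or English field labels, looks for the HTTP/<proxy fqdn> service ticket the client must hold before it can answer the proxy's Negotiate challenge, and compares that ticket's enctype with the families a krb5.conf permitted_enctypes line allows (the quoted tickets are RC4-HMAC, while the krb5.conf lines above restrict everything to aes128-cts-hmac-sha1-96). The klist sample is constructed; olympus.casa.local is the proxy hostname from the thread.

```python
import re

# Constructed sample in the shape of the Spanish-locale Windows klist output quoted
# in the thread; field labels vary by locale, values do not.
SAMPLE_KLIST = """\
#0>     Cliente: administrador @ CASA.LOCAL
        Servidor: krbtgt/CASA.LOCAL @ CASA.LOCAL
        Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)

#1>     Cliente: administrador @ CASA.LOCAL
        Servidor: HTTP/olympus.casa.local @ CASA.LOCAL
        Tipo de cifrado de vale Kerberos: RSADSI RC4-HMAC(NT)
"""

# Field labels as printed by klist.exe in English and Spanish locales.
FIELD_LABELS = {"server": ("server", "servidor"),
                "etype": ("kerbticket encryption type", "tipo de cifrado de vale kerberos")}

def parse_klist(text):  # one dict per cached ticket, keys 'server' and 'etype'
    tickets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*#\d+>\s*(.*)", line)
        if m:  # a '#N>' line starts a new ticket and carries its first field
            tickets.append(cur := {})
            line = m.group(1)
        if cur is None:
            continue
        label, sep, value = line.partition(":")
        for canon, names in FIELD_LABELS.items():
            if sep and label.strip().lower() in names:
                cur[canon] = value.strip()
    return tickets

def enctype_family(name):  # 'RSADSI RC4-HMAC(NT)' / 'aes128-cts-hmac-sha1-96' -> family
    n = name.lower().replace("-", "")
    for fam in ("rc4", "aes256", "aes128"):
        if fam in n:
            return fam
    return "other"

def check_proxy_ticket(klist_text, proxy_fqdn, permitted_enctypes):
    """Findings that explain a Negotiate popup: no HTTP/<proxy> service ticket, or a
    ticket whose enctype the proxy's krb5.conf permitted_enctypes does not allow."""
    spn = "HTTP/" + proxy_fqdn.lower()
    http = [t for t in parse_klist(klist_text)
            if t.get("server", "").split("@")[0].strip().lower() == spn.lower()]
    if not http:
        return ["no service ticket for %s: the client never requested a TGS for the proxy SPN" % spn]
    permitted = {enctype_family(e) for e in permitted_enctypes}
    findings = []
    for t in http:
        fam = enctype_family(t.get("etype", ""))
        if permitted and fam not in permitted:
            findings.append("%s ticket uses %s but krb5.conf only permits %s" % (spn, fam, sorted(permitted)))
    return findings
```

An empty findings list means the client holds a ticket for the proxy SPN in an enctype the proxy can decrypt; anything else points at the SPN or the enctype settings rather than at the Squid ACLs.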

                      killmasta93 @mcury, May 10, 2021, 4:44 PM

                      @mcury said in Kerberos Squid without authentication?:

                      host -t A olympus.casa.local.

                      Thanks for the reply. As for the AD DNS, the server is called apolo, which has an IP of 192.168.3.150, and olympus is the pfSense with IP 192.168.3.254

                      I ran the following commands without removing the lines, and they seemed to work

                      [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _ldap._tcp.casa.local.
                      _ldap._tcp.casa.local has SRV record 0 100 389 apolo.casa.local.
                      [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
                      _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
                      _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.
                      [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t A apolo.casa.local.
                      apolo.casa.local has address 192.168.3.150
                      


                        mcury @killmasta93, May 10, 2021, 5:17 PM

                        @killmasta93 said in Kerberos Squid without authentication?:

                        [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
                        _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
                        _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.

                        I would remove the following lines from krb5.conf to test:
                        You will need to generate a new keytab after that, then replace the keytab in pfSense, and log out and log in again with the client to test.

                        Removing the following lines will make it use the default enctypes.
                        default_tgs_enctypes = aes128-cts-hmac-sha1-96
                        default_tkt_enctypes = aes128-cts-hmac-sha1-96
                        permitted_enctypes = aes128-cts-hmac-sha1-96


                          killmasta93 @mcury, May 10, 2021, 7:29 PM

                          @mcury
                          Thanks for the reply, so I did the following: deleted the lines and recreated the keytab, but same issue

                          [screenshot attachment]

                          [screenshot attachment]

                          [screenshot attachment]


                            mcury @killmasta93, May 10, 2021, 7:32 PM

                            auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
                            auth_param negotiate children 1000
                            auth_param negotiate keep_alive on
                            acl auth proxy_auth REQUIRED
                            http_access deny auth
                            http_access allow auth

                            The name is squidkeytab.keytab and not squidproxy.keytabb?


                              killmasta93 @mcury, May 10, 2021, 7:46 PM

                              @mcury
                              Thanks for the reply, I just realized that it was an error, but after changing it, same issue

                              [screenshot attachment]


                                mcury @killmasta93, May 10, 2021, 8:35 PM

                                [screenshot attachment]
                                This is the ticket that should appear in klist.

                                Everything seems to be OK with your configuration, at least between pfSense and AD.

                                Show squid logs again after changing the keytab.
                                Can you test with another client?


                                  killmasta93 @mcury, May 10, 2021, 9:38 PM

                                  @mcury
                                  Thanks again for the reply, so I'm trying another machine, which is in the domain, but same issue

                                  [screenshot attachment]

                                  [screenshot attachment]


                                    mcury @killmasta93, May 10, 2021, 10:15 PM

                                    Did you create the user and enable it in AD?

                                    [screenshot attachment]


                                      killmasta93 @mcury, May 10, 2021, 10:46 PM

                                      @mcury
                                      Thanks for the reply, correct, I already did that
                                      on the Service Principal Name

                                      [screenshot attachment]


                                        mcury @killmasta93, May 10, 2021, 10:57 PM (last edited May 10, 2021, 10:58 PM)

                                        Maybe you are facing the same problem as this guy was, take a look:

                                        http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

                                        Quote:
                                        You should see a request from the client to Active Directory asking for a TGS for HTTP/<fqdn of proxy>. If that does not happen or gets refused by AD, the client will fall back to NTLM (wrapped into the Negotiate response), which is what you see on the proxy.

                                        I would set up a packet capture like that guy did to check, on port 88

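To tell from the proxy side whether the client actually sent Kerberos or fell back to NTLM, as the quoted post describes, here is an added classifier (not from the thread, from Squid or from its negotiate helper) for the base64 token carried in a Proxy-Authorization: Negotiate header. It recognises a bare NTLMSSP message, a raw Kerberos token, and a SPNEGO token whose first offered mechanism is Kerberos or NTLM; the three sample tokens are constructed, not captured traffic.

```python
import base64

# Raw contents of the mechanism OIDs that appear in GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def der_oid(content):  # DER OBJECT IDENTIFIER TLV (short-form length)
    return b"\x06" + bytes([len(content)]) + content

def gss_initial_token(mech, inner):  # RFC 2743 InitialContextToken, used only to build samples
    body = der_oid(mech) + inner
    return b"\x60" + bytes([len(body)]) + body

def classify_negotiate_token(b64):
    """Classify the base64 token from a 'Proxy-Authorization: Negotiate' header."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"  # bare NTLMSSP message sent under the Negotiate scheme
    if len(raw) < 2 or raw[0] != 0x60:
        return "unknown"
    i = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)  # skip tag and DER length
    if raw.startswith(der_oid(OID_KRB5), i) or raw.startswith(der_oid(OID_MS_KRB5), i):
        return "kerberos"  # raw Kerberos AP-REQ without a SPNEGO wrapper
    if not raw.startswith(der_oid(OID_SPNEGO), i):
        return "unknown"
    # SPNEGO NegTokenInit lists mechTypes in the client's preference order, so the
    # first mechanism marker after the SPNEGO OID shows what the client offered first.
    rest = raw[i + len(der_oid(OID_SPNEGO)):]
    markers = {"spnego-kerberos": (der_oid(OID_KRB5), der_oid(OID_MS_KRB5)),
               "spnego-ntlm": (der_oid(OID_NTLMSSP), NTLMSSP_SIGNATURE)}
    best = None
    for label, patterns in markers.items():
        for pattern in patterns:
            pos = rest.find(pattern)
            if pos != -1 and (best is None or pos < best[0]):
                best = (pos, label)
    return best[1] if best else "spnego-unknown"

def classify_proxy_authorization(header_value):  # full header value, e.g. 'Negotiate YII...'
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate:" + scheme.lower()
    return classify_negotiate_token(token)

def _b64(token): return base64.b64encode(token).decode()
# Constructed sample tokens (not captured traffic): Kerberos offered first, NTLM fallback, bare NTLM.
SAMPLE_KERBEROS = _b64(gss_initial_token(OID_SPNEGO, der_oid(OID_MS_KRB5) + der_oid(OID_KRB5) + b"\x00" * 8))
SAMPLE_NTLM_FALLBACK = _b64(gss_initial_token(OID_SPNEGO, der_oid(OID_NTLMSSP) + NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"))
SAMPLE_RAW_NTLM = _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")
```

A "spnego-ntlm" or "raw-ntlm" result on a client that should be using Kerberos means the client never got (or never asked for) the HTTP/<proxy fqdn> service ticket, so the place to look is the SPN, the DNS name the browser uses for the proxy, and the port 88 traffic, not the Squid ACLs.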

                                          killmasta93 @mcury, May 11, 2021, 10:21 PM

                                          @mcury
                                          Finally got it to authenticate, but I'm still getting the popup

                                          [screenshot attachment]

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.