Netgate Discussion Forum

Kerberos Squid without authentication?

Category: Cache/Proxy
39 Posts, 3 Posters, 5.9k Views
mcury @killmasta93, May 10, 2021, 5:17 PM

@killmasta93 said in Kerberos Squid without authentication?:

    [2.4.5-RELEASE][root@Olympus.casa.local]/root: host -t SRV _kerberos._udp.casa.local.
    _kerberos._udp.casa.local has SRV record 100 100 88 apolo.casa.local.
    _kerberos._udp.casa.local has SRV record 0 100 88 apolo.casa.local.

I would remove the following lines from krb5.conf to test.
You will need to generate a new keytab after that, then replace the keytab in pfSense, and log out and log in again with the client to test.

Removing the following lines will make it use the default enctypes:

    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96

dead on arrival, nowhere to be found.
killmasta93 @mcury, May 10, 2021, 7:29 PM

@mcury
Thanks for the reply. So I did the following: deleted the lines and recreated the keytab, but same issue.

[screenshot]

[screenshot]

[screenshot]

Tutorials:
https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
mcury @killmasta93, May 10, 2021, 7:32 PM

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -k /usr/local/etc/squid/squidkeytab.keytab
    auth_param negotiate children 1000
    auth_param negotiate keep_alive on
    acl auth proxy_auth REQUIRED
    http_access deny auth
    http_access allow auth

The name is squidkeytab.keytab and not squidproxy.keytabb?
killmasta93 @mcury, May 10, 2021, 7:46 PM

@mcury
Thanks for the reply, just realized that it was an error, but after changing it, same issue.

[screenshot]
mcury @killmasta93, May 10, 2021, 8:35 PM

[screenshot]
This is the ticket that should appear in klist.

Everything seems to be OK with your configuration, at least between pfSense and AD.

Show Squid logs again after changing the keytab.
Can you test with another client?
killmasta93 @mcury, May 10, 2021, 9:38 PM

@mcury
Thanks again for the reply, so I'm trying another machine which is in the domain, but same issue.

[screenshot]

[screenshot]
mcury @killmasta93, May 10, 2021, 10:15 PM

Did you create the user and enable it in AD?

[screenshot]
killmasta93 @mcury, May 10, 2021, 10:46 PM

@mcury
Thanks for the reply, correct, I already did that on the Service Principal Name.

[screenshot]
mcury @killmasta93, May 10, 2021, 10:57 PM

Maybe you are facing the same problem as this guy was, take a look:

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

Quote:
You should see a request from the client to Active Directory asking for a TGS for HTTP/<fqdn of proxy>. If that does not happen or gets refused by AD, the client will fall back to NTLM (wrapped into the Negotiate response), which is what you see on the proxy.

I would set up a packet capture like that guy did to check, port 88.
killmasta93 @mcury, May 11, 2021, 10:21 PM

@mcury
Finally got it to authenticate, but I'm still getting the popup.

[screenshot]
mcury @killmasta93, May 11, 2021, 11:20 PM

Why are you authenticating as administrador@CASA.LOCAL?
The user should be appearing there and not administrator. It should be user@CASA.LOCAL.

The user needs to be a member of the group used in ldapusersearch in SquidGuard.
killmasta93 @mcury, May 12, 2021, 12:03 AM

@mcury
It's because I'm opening Chrome inside of the Windows server, which I'm logged on to as administrador.

This is another user:

[screenshot]
mcury @killmasta93, May 12, 2021, 12:10 AM

OK, in this last screenshot, the username is Windows10?
Is this user a member of the group used in ldapusersearch?

You are almost there.. soon we will find the problem.
killmasta93 @mcury, May 12, 2021, 2:39 AM

@mcury
Thanks for the reply,
so on the SquidGuard:

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

and the user is located in

    CN=windows10,CN=Users,DC=casa,DC=local
mcury @killmasta93, May 12, 2021, 3:47 AM

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

You used a %2c in the wrong place (it means a ',').

It should be:

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

It's important to notice that you are not filtering users by group in this case..
I would create a group, like internet, add the members to this group, and then filter like this:

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))
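Mistakes like the misplaced %2c above are easy to catch before touching SquidGuard, because the ldapusersearch value is an ordinary RFC 4516 LDAP URL (host:port/base?attrs?scope?filter) that can be decoded offline. The Python below is an added example for this thread, not code from the thread or from SquidGuard: it splits the URL, percent-decodes the filter, splits the memberof DN on unescaped commas and reports any RDN that is not attr=value, which is exactly what the leading ',' in the first line produces. The two URLs are copied from the posts above; the labelling of port 3268 as the AD Global Catalog port and the RFC 4515 escaping applied when rendering %s are my additions.

```python
import re
from urllib.parse import unquote, urlsplit

# Copies of the two ldapusersearch lines from this thread (the wrong one and the fixed one)
WRONG_URL = ("ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?"
             "(&(memberof=%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))")
FIXED_URL = ("ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?"
             "(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))")

# An RDN must look like attr=value with a non-empty attribute name and value
RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*\S.*$")


def split_dn(dn: str):
    """Split a DN into RDN strings on unescaped commas (backslash escapes are kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escaped character, e.g. "\," inside a CN
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return rdns


def dn_problems(dn: str):
    """Return the RDNs that are not of the form attr=value (an empty RDN counts)."""
    return [r for r in split_dn(dn) if not RDN_RE.match(r)]


def parse_ldapusersearch(url: str) -> dict:
    """Break the LDAP URL into parts, decode the filter and check the memberof DN."""
    parts = urlsplit(url)
    attrs, scope, filt = (parts.query.split("?", 2) + ["", ""])[:3]
    filt = unquote(filt)                      # %2c -> ',' ; the '%s' placeholder is left alone
    m = re.search(r"\(memberof=([^)]*)\)", filt, re.IGNORECASE)
    memberof = m.group(1) if m else None
    return {
        "host": parts.hostname,
        "port": parts.port,
        "global_catalog": parts.port == 3268,  # 3268 is the AD Global Catalog LDAP port
        "base": unquote(parts.path.lstrip("/")),
        "attrs": attrs,
        "scope": scope,
        "filter": filt,
        "memberof": memberof,
        "problems": dn_problems(memberof) if memberof is not None else ["no memberof clause"],
    }


def render_filter(filt: str, upn: str) -> str:
    """Fill %s with a user the way SquidGuard does, escaping RFC 4515 filter
    metacharacters so the result is what you would paste into ldapsearch."""
    esc = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in upn)
    return filt.replace("%s", esc)


if __name__ == "__main__":
    for label, url in (("wrong", WRONG_URL), ("fixed", FIXED_URL)):
        r = parse_ldapusersearch(url)
        print(label, r["host"], r["port"], "GC" if r["global_catalog"] else "LDAP")
        print("  base    :", r["base"])
        print("  filter  :", render_filter(r["filter"], "windows10@casa.local"))
        print("  problems:", r["problems"] or "none")
```

For the first URL the check reports one empty RDN (the value starts with ','), so the memberof clause can never match and every user fails the group test; for the corrected URL it reports none and prints the fully rendered filter, which is the one to try with ldapsearch against both port 389 and 3268 when comparing the two.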
killmasta93 @mcury, May 12, 2021, 4:18 AM

@mcury said in Kerberos Squid without authentication?:

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

Thanks again for the reply, so I changed to

    ldapusersearch ldap://apolo.casa.local:3268/dc=casa,dc=local?userPrincipalName?sub?(&(memberof=CN=internet%2cCN=Users%2cDC=casa%2cDC=local)(userPrincipalName=%s))

then created a group called internet, added windows10 and administrador, but same issue with the popup.

    CN=internet,CN=Users,DC=casa,DC=local

I'm thinking it's a Squid issue but don't know what else to do :(
mcury @killmasta93, May 12, 2021, 5:09 AM

Try port 389 instead of 3268.. Who knows..
killmasta93, May 12, 2021, 11:17 PM

@mcury

Thanks for the reply,
so on Squid I had to remove

    http_access allow deny

Now I got to SquidGuard and I see this log:

    (squidGuard): ldap_search_ext_s failed: Operations error (params: dc=casa,dc=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)),

I also had to configure on SquidGuard:
[screenshot]
mcury @killmasta93, May 13, 2021, 12:24 AM

So, is it working now?

If not, I would focus on the ldapusersearch..
killmasta93 @mcury, May 13, 2021, 12:47 AM

Thanks for the reply,
so correct, it's navigating with the user; now I need to block, but I see this log on SquidGuard:

    12.05.2021 19:45:34	(squidGuard): ldap_search_ext_s failed: Operations error (params: DC=casa,DC=local, 2, (&(memberof=CN=internet,CN=Users,DC=casa,DC=local)(userPrincipalName=administrador)), userPrincipalName)