pfsense + squid + AD (rc4-hmac not supported)
Good afternoon, I am using pfsense 2.7.2 FreeBSD 14.0-CURRENT to configure Internet access via squid.
When creating a keytab with RC4-HMAC-NT encryption on the pfsense server, the command kinit -k HTTP/pfsense.domain.local@DOMAIN.LOCAL returns the error "Segmentation fault (core dumped)". I found on the Internet that in the latest versions of pfsense (or rather kerberos) it is disabled by default. I decided to create a keytab with AES128-SHA1 encryption (the user settings for using 128 and 256 are enabled); the kinit command worked well and issued a ticket, but when I set up the proxy on the client and try to log in, an error appears in the squid logs:
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Request ticket server HTTP/pfsense...@DOMAIN.LOCAL kvno 3 found in keytab but not with enctype rc4-hmac
I went back to setting up krb5.conf and added:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
After that I rebooted the server completely (just in case), but it didn't solve my problem. What am I doing wrong and where should I go from here?
I did all the settings following https://habr.com/ru/articles/492684/
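The squid error above is specific: the keytab does hold keys for HTTP/pfsense.domain.local@DOMAIN.LOCAL at kvno 3, but none with the enctype (rc4-hmac) of the ticket the client presented. The first thing to verify in that situation is exactly which enctypes the keytab contains for each kvno, and whether the enctype the KDC is issuing tickets with is among them. The following is an added example, not code from the post or from pfSense, squid, or the linked article: a small parser for the 0x0502 keytab file format (the layout MIT and Heimdal both write), plus a check for a missing enctype. The sample keytab is constructed inline with all-zero dummy key material and reproduces the situation in the post (AES keys only, kvno 3); the enctype numbers 17, 18 and 23 are the standard IANA assignments.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# IANA Kerberos enctype numbers for the three types discussed in the post
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/pfsense.domain.local@DOMAIN.LOCAL
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, pos: int):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into entries (principal, kvno, enctype, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot: skip over it
            pos += -size
            continue
        if size == 0:             # nothing left to read
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        pos = end
    return entries


def build_keytab(entries: Iterable[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialise entries in the same 0x0502 layout; used here only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, timestamp, e.kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">H", e.enctype) + struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def enctypes_by_kvno(entries: Iterable[KeytabEntry], principal: str) -> Dict[int, Set[int]]:
    """Map kvno -> set of enctypes the keytab holds for one principal."""
    result: Dict[int, Set[int]] = {}
    for e in entries:
        if e.principal == principal:
            result.setdefault(e.kvno, set()).add(e.enctype)
    return result


def missing_enctypes(entries: Iterable[KeytabEntry], principal: str, kvno: int,
                     wanted: Iterable[int]) -> List[str]:
    """Names of the wanted enctypes that are absent for this principal and kvno."""
    have = enctypes_by_kvno(entries, principal).get(kvno, set())
    return [ENCTYPE_NAMES.get(t, str(t)) for t in wanted if t not in have]


# Constructed sample reproducing the post: AES keys only for kvno 3 (dummy zero keys, not real ones).
SPN = "HTTP/pfsense.domain.local@DOMAIN.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SPN, 3, 17, b"\x00" * 16),
    KeytabEntry(SPN, 3, 18, b"\x00" * 32),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    # A ticket issued with rc4-hmac (23) cannot be decrypted with this keytab:
    print("missing:", missing_enctypes(ents, SPN, 3, [23]))   # -> ['rc4-hmac']
```

To run it against a real file, replace SAMPLE_KEYTAB with the contents of the keytab (for example `parse_keytab(open("/path/to/squid.keytab", "rb").read())`; the path is a placeholder). If the enctype named in the squid error comes back as missing, the KDC is issuing service tickets with an enctype the keytab cannot decrypt, and the keytab's enctypes and the enctypes the AD account for the SPN is allowed to use have to be brought into agreement; the krb5.conf enctype lists on the proxy only govern what the proxy itself requests, not what the KDC issues to clients for that service.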