Re: [squid-users] Problems with Squid Authentication

2016-08-19 Thread Marcio Demetrio Bacci

Re: [squid-users] Problems with Squid Authentication

2016-08-19 Thread L.P.H. van Belle
Hai,

Yes, all new things are hard...

I need some extra info because there are lots of things that can be wrong.

Post what you see here:

/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com...@empresa.com.br -d -i

>> kinit and klist are ok

>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

These are normally not identical. In the HTTP keytab I have ONLY the HTTP SPN.

And in the krb5.keytab I have the host SPN and netbios_name($).

How to test the Kerberos auth... hmm, that's a difficult one for me.

I know a lot but not all... :-(

But what I do know is that you can test with

/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME

If that works, it's probably an SPN or DNS problem.

If that isn't working, then do check the time on the AD server and the proxy server.

I can only say:

The proxy server name must exist in DNS and must have an A and a PTR record (add this in the Samba AD).

The reverse zone is (maybe) created; if not, create it yourself and add the PTR records.

The /etc/hosts file may NOT contain any

127.0.1.1    yourhostname.. ..

If it's in there, you installed with a DHCP IP.

It should contain

127.0.0.1      localhost
IP_OF_SERVER   hostname.domain.tld hostname

That is there if you install with a static IP.

Time must be in sync with the AD server (max difference I allow is 1 min.)

If needed, install NTP on the proxy and point the server to the AD DC.

And post what you now have in krb5.conf.

These are the most common pitfalls; I'll see what I can do to help out.

Greetz,

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Marcio Demetrio Bacci
Sent: Friday, 19 August 2016 3:50
To: Squid Users
Subject: [squid-users] Problems with Squid Authentication
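Louis's checklist above (HTTP-only keytab, no 127.0.1.1 alias in /etc/hosts, clock in sync with the DC) as scriptable checks; this is an added example, not code from the thread, and the keytab listing and hosts files it reads are constructed samples in the shape of MIT `klist -kt` output and a Debian /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the thread: offline versions of Louis's checks.
# Each function takes the relevant text as an argument, so the constructed
# samples below stand in for `klist -kt /etc/squid3/HTTP.keytab`, /etc/hosts
# and `date +%s` taken on the proxy and on the DC.

# Distinct principals in `klist -kt` output: numeric KVNO in column 1 and a
# principal (contains '@') in the last column; header lines are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ {print $NF}' | sort -u
}

# True only when every principal is an HTTP/ SPN, i.e. the Squid keytab holds
# just the HTTP SPN as Louis describes and is not a copy of /etc/krb5.keytab.
keytab_is_http_only() {
    n=$(keytab_principals "$1" | grep -vc '^HTTP/' || true)
    [ "$n" -eq 0 ]
}

# False when /etc/hosts maps the hostname to 127.0.1.1 (the "installed with
# a DHCP IP" layout), which breaks reverse lookups of the proxy's own name.
hosts_ok() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*127\.0\.1\.1[[:space:]]'
}

# True when the proxy/DC clock difference (epoch seconds) is within the limit:
# Louis allows 60 s; Kerberos itself rejects skew above 300 s by default.
clock_skew_ok() {
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( 0 - $d ))
    [ "$d" -le "${3:-60}" ]
}

# Constructed samples (format of MIT `klist -kt`; names from the thread).
GOOD_KT='Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 08/19/2016 03:50:00 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   2 08/19/2016 03:50:00 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR'
COPIED_KT="$GOOD_KT
   2 08/19/2016 03:50:00 host/proxy.empresa.com.br@EMPRESA.COM.BR
   2 08/19/2016 03:50:00 PROXY\$@EMPRESA.COM.BR"
DHCP_HOSTS='127.0.0.1 localhost
127.0.1.1 proxy.empresa.com.br proxy'
STATIC_HOSTS='127.0.0.1 localhost
192.168.200.7 proxy.empresa.com.br proxy'

keytab_is_http_only "$GOOD_KT"   && echo "HTTP.keytab: only HTTP SPNs, good"
keytab_is_http_only "$COPIED_KT" || echo "HTTP.keytab: extra SPNs, looks like a krb5.keytab copy"
hosts_ok "$DHCP_HOSTS"           || echo "/etc/hosts: 127.0.1.1 alias present, use the static layout"
```

On a real proxy, feed the functions the output of `klist -kt /etc/squid3/HTTP.keytab`, the contents of /etc/hosts, and `date +%s` from the proxy and the DC instead of the samples.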

[squid-users] Problems with Squid Authentication

2016-08-18 Thread Marcio Demetrio Bacci
My Kerberos Authentication doesn't work. This is very hard!

My Squid3 is joined to the Domain
kinit and klist are ok
wbinfo -g and wbinfo -u are ok too.

I have created the squid3 file in /etc/default with the following content:
KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME

I have two keytab files:
/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

I have installed the libsasl2-modules-gssapi-mit and libsasl2-modules packages
because my Squid server is Debian 8. But I didn't use the msktutil tool. I have
only joined the Squid server to the Domain (net ads join -U administrator).

How can I debug the problem?
How can I test Kerberos authentication in the terminal (command line)?

Below is my squid.conf file:

### Basic settings

cache_mgr administra...@empresa.com.br

http_port 3128

#debug_options ALL,111,2 29,9 84,6

cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90

maximum_object_size 512 MB
minimum_object_size 0 KB

maximum_object_size_in_memory 4096 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

# So that downloads are not blocked
quick_abort_min -1 KB


# Fixes a problem with persistent connections
detect_broken_pconn on

fqdncache_size 1024

### Cache refresh parameters
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

### Log locations
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log


### defines the disk cache location, size, number of parent directories and subdirectories
cache_dir aufs /var/spool/squid3 600 16 256

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com...@empresa.com.br
auth_param negotiate children 20
auth_param negotiate keep_alive on

visible_hostname proxy.empresa.com.br

### acls
#acl manager proto cache_object
acl localhost src 192.168.200.7/32
acl to_localhost dst 192.168.200.7/32
acl SSL_ports port 22 443 563 7071 1 # ssh, https, snews, zimbra, webmin
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 88 # kerberos
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 389 # ldap
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # snews
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # Imprensa Nacional
acl Safe_ports port 8080 # http
acl Safe_ports port 1025-65535 # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT


### Initial Squid rules
http_access allow localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

### Require authentication
acl autenticados proxy_auth REQUIRED
http_access allow autenticados



### Local network #
acl rede_local src 192.168.200.0/22


### Deny access to anyone not on the local network
http_access allow rede_local

# deny access to everyone not matched by the previous rules
http_access deny all

### Error pages in Portuguese
error_directory /usr/share/squid3/errors/pt-br

#cache_effective_user proxy
coredump_dir /var/spool/squid3


Regards,

Márcio
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users