Hi Rafael,

Yes, I did that in an older setup, with your site guidance. That also works very well. Once I have time I'll see if I can update the squid wiki.

Greetz,

Louis
From: Rafael Akchurin [mailto:rafael.akchu...@diladele.com]
Sent: Wednesday 25 September 2019 17:27
To: L.P.H. van Belle; squid-users@lists.squid-cache.org
Subject: RE: [squid-users] Kerberos nad keytab problem

Hello everyone,

Just my two cents too. Note you can map the *user* to the Kerberos SPN – this lets you have your squid proxy live outside of the AD. Just set up the dedicated user in the AD, map the SPN to it and export the keytab to your squid. See https://docs.diladele.com/administrator_guide_stable/active_directory/index.html

Downside – the password for that designated user needs to be non-expiring or you'd be regenerating keytabs every time the password changes. Which is not difficult anyway too.

Best regards,
Rafael Akchurin
Diladele B.V.

From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of L.P.H. van Belle
Sent: Wednesday, 25 September 2019 17:02
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Kerberos nad keytab problem

I also had problems with msktutil.. so I suggest you try this, see below.. I'm using it for a few years and it always works (for me of course)..

It should be pretty simple, but the squid-cache site (wiki) is in my opinion a bit outdated. And it's for Amos to adapt it on the site. Amos or Alex, please review below, you might want to add it. And add your parts to it, like running this without a correct SPN.

It's tested in use and working since squid 3.1 up to 4.8. Tested on Debian Wheezy (7) up to Buster (10).

Below assumes the server you're setting up does have an A and PTR record. (Note: these should be added at the domain join of winbind, as of Samba 4.x.)

This is my howto. Debian based, with Kerberos auth against a Samba Active Directory. Should be adaptable for any OS, should also work with MS Active Directory. But since I don't have any, I'm not testing it.

# Install a minimal OS, at install only choose base + ssh server.

# Set up these variables for a copy/paste, might be handy, and then "it just works"

# Required to set.
# ADDOM: this should match the NetBIOS (NT4) domain name in caps, for example from a login: NTDOM\username
ADDOM="NTDOM"

# These should be fine, but if you have multiple IP numbers and hostnames, you might want to adjust these.
FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"

# Requirements before you start installing the software like: squid winbind krb5-user
# Login, sudo to root.
# /etc/resolv.conf, set as follows.
# search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC

# Verify it:
grep search /etc/resolv.conf
grep nameserver /etc/resolv.conf

# If ok, then run:
apt update
apt install squid winbind krb5-user -y
# Just hit enter on every question, the defaults are fine. (verified in Debian)

# And now verify /etc/krb5.conf
less /etc/krb5.conf
# It should look like this:
#[libdefaults]
# default_realm = YOUR.Detected_REALM.TLD
#
# # The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# ... and more..
# >> P.s. I never touch krb5.conf, never needed, it "just works" <<

# Set the REALM variable now, the default should be ok, don't touch it.
REALM="$(grep default_realm /etc/krb5.conf | awk '{ print $NF }')"
# It's used for smb.conf and the auth part of squid.

# Then stop squid and samba and configure them.
systemctl stop squid winbind
# Flush the log, so if you start it you start with a clean log.
> /var/log/squid/cache.log

# Configure smb.conf and join the AD domain, the minimal settings for smb.conf.
cp /etc/samba/smb.conf{,.original}
echo "[global]
# Auth-only setup with winbind. ( no shares )
workgroup = ${ADDOM}
security = ADS
realm = ${REALM}
netbios name = ${HOSTN^^}
## make sure the numbers below never overlap system ranges, see /etc/adduser.conf
## map ids outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain; the (*) range and this range may not overlap!
idmap config ${ADDOM} : backend = rid
idmap config ${ADDOM} : range = 10000-3999999
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
" > /etc/samba/smb.conf
# And verify it.
less /etc/samba/smb.conf

# Next step, join the AD domain.
# Login/auth with kerberos.
kinit Administrator
# and join the domain.
net ads join -k

# Creating the squid keytab file.
export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab ADD HTTP/${FQDN}
# Verify the keytab file:
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab
# Destroy your authentication ticket for Administrator.
kdestroy

# Set correct rights.
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here.

# And set up your squid auth.
# (inside the double-quoted echo, \\ is written to the file as a single \ line continuation)
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
  --kerberos /usr/lib/squid/negotiate_kerberos_auth \\
    -k /etc/squid/squid-HTTP-${HOSTN}.keytab \\
    -s HTTP/${FQDN}@${REALM} \\
  --ntlm /usr/bin/ntlm_auth \\
    --helper-protocol=gss-spnego --domain=${ADDOM}
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on" > /etc/squid/conf.d/auth.conf

systemctl start winbind squid
# Done

# And check the squid log to see how it started.
cat /var/log/squid/cache.log

Now go configure the other parts of squid you need. And enjoy..
:-)

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Tevfik Ceydeliler
Sent: Wednesday 25 September 2019 13:59
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Kerberos nad keytab problem

Hi,

I try to use kerberos in my squid. But I get an error message:

############################
msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/urandom = 95
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: suqidpnb1$
 -- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for suqidpnb1$ with password
 -- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try "kinit"ing yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
############################

Can't find why this happens:

My AD is 2012R2 function level.

I create the keytab with this:

msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28

Keytab file permission is:

-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab

and keytab file (klist -k output):

   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo....@toyo.grp
   3 HTTP/squidtoyopnb1.toyo....@toyo.grp
   3 HTTP/squidtoyopnb1.toyo....@toyo.grp
   3 host/squidtoyop...@toyo.grp
   3 host/squidtoyop...@toyo.grp
   3 host/squidtoyop...@toyo.grp
   3 host/squidtoyopnb1.toyo....@toyo.grp
   3 host/squidtoyopnb1.toyo....@toyo.grp
   3 host/squidtoyopnb1.toyo....@toyo.grp

krb5.conf:

[libdefaults]
 default_realm = TOYO.GRP
 dns_lookup_kdc = no
 dns_lookup_realm = no
 ticket_lifetime = 24h
 default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 TOYO.GRP = {
  kdc = dctoyo1.toyo.grp
  kdc = DCTOYO2.toyo.grp
  admin_server = 10.65.12.254
  default_domain = toyo.grp
 }

[domain_realm]
 toyo.grp = TOYO.GRP
 .toyo.grp = TOYO.GRP

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

--
Tevfik Ceydeliler
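Both howtos in this thread end at the same checkpoint: listing the keytab with klist and reading the result by eye. The script below is an added example, not code from the thread or from any poster's setup, that does that reading mechanically over the output of "klist -ke". It confirms that the HTTP/<fqdn>@<REALM> principal squid is given with -s actually exists in the keytab, shows which encryption types it is stored with, and flags a keytab whose entries carry mixed key version numbers, which is the symptom of the situation Rafael describes: the account password was regenerated but the keytab was not re-exported. The host name proxy.example.test, the realm EXAMPLE.TEST and the sample listing are constructed for the example; check_keytab_file is the only part that needs a real keytab and the krb5-user tools.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a squid keytab from the
# output of "klist -ke" before pointing negotiate_kerberos_auth at it.
# Checks: the HTTP/<fqdn>@<REALM> service principal is present, which
# encryption types it is stored with, and whether all entries share one kvno
# (a stale kvno is what remains when the account password was regenerated
# but the keytab was not re-exported).

# Constructed sample of "klist -ke" output; host and realm names are made up.
# The last host/ entry deliberately carries an older kvno.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid-HTTP-proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 PROXY$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 PROXY$@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 host/proxy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/proxy.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# keytab_has_spn KLIST_OUTPUT PRINCIPAL
# Returns 0 when at least one entry for PRINCIPAL exists, 1 otherwise.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { found = 1 } END { exit !found }'
}

# keytab_enctypes KLIST_OUTPUT PRINCIPAL
# Prints the encryption types stored for PRINCIPAL, one per line.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v spn="$2" '$2 == spn { gsub(/[()]/, "", $3); print $3 }'
}

# keytab_kvnos KLIST_OUTPUT
# Prints the distinct key version numbers found, one per line, sorted.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -n -u
}

# keytab_kvno_consistent KLIST_OUTPUT
# Returns 0 when every entry carries the same kvno, 1 when versions are mixed.
keytab_kvno_consistent() {
    [ "$(keytab_kvnos "$1" | awk 'END { print NR }')" -eq 1 ]
}

# check_keytab_output KLIST_OUTPUT FQDN REALM
# Runs all checks, prints one verdict line per check, and returns 0 only if
# the HTTP SPN is present and the kvnos are consistent.
check_keytab_output() {
    out=$1; spn="HTTP/$2@$3"; rc=0
    if keytab_has_spn "$out" "$spn"; then
        echo "ok: $spn present, enctypes: $(keytab_enctypes "$out" "$spn" | tr '\n' ' ')"
    else
        echo "FAIL: $spn not in keytab (the -s principal given to squid must match an entry)"
        rc=1
    fi
    if keytab_kvno_consistent "$out"; then
        echo "ok: single kvno $(keytab_kvnos "$out")"
    else
        echo "WARN: mixed kvnos ($(keytab_kvnos "$out" | tr '\n' ' ')); re-export the keytab after a password change"
        rc=1
    fi
    return $rc
}

# check_keytab_file KEYTAB FQDN REALM
# Same checks on a real keytab; needs klist from krb5-user and read access to the file.
check_keytab_file() {
    live=$(klist -ke "$1") || return 1
    check_keytab_output "$live" "$2" "$3"
}

# Demonstration on the constructed sample: the SPN is present but the kvnos are mixed.
if check_keytab_output "$SAMPLE_KLIST" proxy.example.test EXAMPLE.TEST; then
    echo "keytab usable"
else
    echo "keytab needs attention"
fi
```

Against a real file, run check_keytab_file /etc/squid/squid-HTTP-<host>.keytab "$(hostname -f)" "$REALM" as the user squid runs the helper as; a permission error at that point reproduces what negotiate_kerberos_auth would hit, which is why the chmod/chown step in the howto matters.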
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users