
Error with Squid proxy to Kerberos authentication


 



Hiya, 

I'm trying to get my Squid proxy to authenticate users for web access through
Kerberos, but it isn't working.
I keep getting the HTTP 407 (Proxy Authentication Required) response.

This is the command I used to create the keytab file:

ktpass /out proxy.squid.example.keytab /princ
host/proxy.example.nl@example.LOCAL /mapuser svc-squid-da /pass xxxxxx
/crypto all /ptype KRB5_NT_PRINCIPAL /mapop add /target
example.example.local 


Here is the squid.conf:

# NOTE(review): Squid evaluates http_access rules top-down and stops at the
# first match, so the relative order of the allow/deny lines further down
# decides which clients are ever challenged for credentials at all.
http_port 3128 
ftp_passive off 

hierarchy_stoplist cgi-bin ? 

acl QUERY urlpath_regex cgi-bin \? 
no_cache deny QUERY 

# Earlier basic-auth setup, kept commented out; none of these lines is active.
#auth_param basic realm      proxy.snt.nl: Log in met uw EIGEN windows
gebruikersnaam en wachtwoord 
#auth_param basic program    /usr/sbin/squid_kerb_auth 
#auth_param basic program    /usr/sbin/msnt_auth 
#auth_param basic children   1 
#auth_param basic credentialsttl  2 hours 
#acl password proxy_auth REQUIRED 

# Negotiate (Kerberos) helper. -d turns on helper debug output; -s names the
# service principal whose tickets the helper accepts, and it has to match the
# principal that ktpass wrote into the keytab. The helper finds the keytab via
# the KRB5_KTNAME environment variable, which is not part of this file, so a
# persistent 407 is consistent with the helper not finding a matching key.
# NOTE(review): the realm is spelled "example.LOCAL" here but "EXAMPLE.LOCAL"
# in krb5.conf; Kerberos realm names are case-sensitive, so unless this is only
# an artefact of anonymising the post, check that keytab principal, this -s
# value and default_realm agree exactly. The keytab carries the long-term key
# of the mapped account (svc-squid-da), so it should be readable only by the
# user Squid runs as, and that account should hold no rights beyond this role.
auth_param negotiate program    /usr/sbin/squid_kerb_auth -d -s
host/proxy.example.nl@example.LOCAL 
auth_param negotiate children   1 
auth_param negotiate keep_alive on 
# "password" matches once a request carries valid proxy credentials; a request
# without them is answered with a 407 challenge when an http_access allow line
# using this acl is reached.
acl password proxy_auth REQUIRED 

refresh_pattern ^ftp: 1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern . 0 20% 4320 

# Content-blocking acls, used by the "http_access deny" lines below.
acl mymime req_mime_type application/x-msn-messenger 
acl video req_header User-Agent NSPlayer 
acl video req_header User-Agent NextWare 
acl video req_header User-Agent Windows-Media-Player 
acl video req_header User-Agent Mozilla.*Google.Desktop 
acl video req_header User-Agent kh_lt/LT 
acl video req_header User-Agent uvnx 
acl video req_header User-Agent contype 
acl video req_header User-Agent BW-C-2.0 
acl video req_header User-Agent AutoUpdateAgent 
acl video req_header User-Agent Tioga 
acl proxy urlpath_regex anoniem 
acl proxy urlpath_regex mozilla.exe 
acl proxy urlpath_regex vancouver 
acl proxy urlpath_regex winterspel 
acl proxy urlpath_regex wintergame 
acl proxy urlpath_regex winter-spel 
acl proxy urlpath_regex winter-game 

acl manager proto cache_object 
acl localhost src 127.0.0.1 
acl to_localhost dst 127.0.0.0/8 
# Ports that CONNECT tunnels are permitted to. This list goes well beyond 443,
# so CONNECT to ftp, rtmp, irc and 11438 is tunnelled as an opaque stream too.
acl SSL_ports  port    21 
acl SSL_ports  port   443 
acl SSL_ports  port   1935 # rtmp for studiemeter 
acl SSL_ports  port   6667 
acl SSL_ports  port   11438 # xxxxxxxxxx 
acl Safe_ports port    80 # http 
acl Safe_ports port    82 # 83.163.161.48 (webeasy climate control) 
acl Safe_ports port    21 # ftp 
acl Safe_ports port   443 # https 
acl Safe_ports port  1935 # rtmp for studiemeter 
acl Safe_ports port  2222 # Marcel Wobbes server 
acl Safe_ports port  6667 # Martin Ayttm 
acl Safe_ports port  6969 # Martin Ayttm 
acl Safe_ports port  11438 # Remote-support-Centric 
acl Safe_ports port  8888 # kpn: CRM-SDF 
acl CONNECT method CONNECT 

# Source networks. Several of the /24 acls lie inside the /16 acls declared
# next to them; our_networks is the aggregate, and note that 128.1.0.0/16 is
# not part of it.
acl net0 src 10.0.200.0/24 
acl net30 src 10.30.0.0/16 
acl net301 src 10.30.1.0/24 
acl net40 src 10.40.0.0/16 
acl net401 src 10.40.1.0/24 
acl net80 src 10.80.0.0/16 
acl net801 src 10.80.1.0/24 
acl net110 src 10.110.1.0/24 
acl net137 src 10.137.80.0/20 
acl net1371 src 10.137.80.0/24 
acl net128 src 128.1.0.0/16 
acl net1281 src 128.1.1.0/24 
acl net140 src 140.140.0.0/16 
acl net1401 src 140.140.2.0/24 
acl net1409 src 140.140.9.0/24 
acl net192 src 192.168.0.0/16 
acl our_networks src 140.140.0.0/16 10.0.200.0/24 10.30.0.0/16 10.40.0.0/16
10.80.0.0/16 10.110.0.0/16 10.137.80.0/20 192.168.0.0/16 

# NOTE(review): these source-based allows sit before every deny and before the
# "password" rule, so clients in these subnets are never asked to authenticate
# and also skip the Safe_ports / CONNECT / content denies that follow. If the
# intent is to authenticate everyone, this group belongs after
# "http_access allow password".
http_access allow net0 
http_access allow net301 
http_access allow net401 
http_access allow net801 
http_access allow net110 
http_access allow net1281 
http_access allow net1371 
http_access allow net1401 
http_access allow net1409 

# Blocking rules; only reached by clients not matched by the allows above.
http_access deny proxy 
http_access deny mymime 
http_access deny video 
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 

http_access allow manager localhost 
http_access deny manager 

# This is where a client not matched above is challenged: a request without
# credentials gets the 407 here. A client that still receives 407 after
# answering the challenge is failing the Negotiate exchange itself (helper,
# keytab or realm), not this rule order.
http_access allow password 
# NOTE(review): because "password" is proxy_auth REQUIRED, a request that hits
# the line above without valid credentials is, as far as I can tell, answered
# with 407 and goes no further, so these two allows are reached only by
# requests that already authenticated. If our_networks is meant to bypass
# authentication it has to come before the password rule.
http_access allow our_networks 
http_access allow localhost 

http_reply_access allow all 
icp_access allow all 
reply_body_max_size 400 MB 
cache_mgr dcc@xxxxxxxxxxxxxx 

# Domains that are fetched directly (no parent cache) and never cached.
acl alw_direct dstdomain .teezir.com .custhelp.com .rightnowtech.com
.rightnow.com .dhl.com .arflexit.nl .helptu.nl .ottobv.nl .twitter.com 

no_cache deny alw_direct 
always_direct allow alw_direct 

snmp_port 0 

# One class-3 delay pool per source network.
delay_pools 11 

delay_class 1 3 
delay_class 2 3 
delay_class 3 3 
delay_class 4 3 
delay_class 5 3 
delay_class 6 3 
delay_class 7 3 
delay_class 8 3 
delay_class 9 3 
delay_class 10 3 
delay_class 11 3 

# Class-3 buckets are aggregate / per-network / per-host (rate/size in bytes):
# no aggregate cap, 1250000 B/s per network, and a per-host rate that differs
# between pools (the third field).
delay_parameters 1 -1/-1 1250000/1250000 500000/500000 
delay_parameters 2 -1/-1 1250000/1250000 500000/500000 
delay_parameters 3 -1/-1 1250000/1250000 250000/250000 
delay_parameters 4 -1/-1 1250000/1250000 500000/500000 
delay_parameters 5 -1/-1 1250000/1250000 125000/125000 
delay_parameters 6 -1/-1 1250000/1250000 375000/375000 
delay_parameters 7 -1/-1 1250000/1250000 125000/125000 
delay_parameters 8 -1/-1 1250000/1250000 750000/750000 
delay_parameters 9 -1/-1 1250000/1250000 125000/125000 
delay_parameters 10 -1/-1 1250000/1250000 125000/125000 
delay_parameters 11 -1/-1 1250000/1250000 125000/125000 

# Each pool is bound to exactly one net acl; the explicit "deny all" per pool
# keeps a client from falling into more than one pool.
delay_access 1 allow net1401 
delay_access 2 allow net1409 
delay_access 3 allow net140 
delay_access 4 allow net0 
delay_access 5 allow net30 
delay_access 6 allow net40 
delay_access 7 allow net80 
delay_access 8 allow net110 
delay_access 9 allow net128 
delay_access 10 allow net192 
delay_access 11 allow net137 

delay_access 1 deny all 
delay_access 2 deny all 
delay_access 3 deny all 
delay_access 4 deny all 
delay_access 5 deny all 
delay_access 6 deny all 
delay_access 7 deny all 
delay_access 8 deny all 
delay_access 9 deny all 
delay_access 10 deny all 
delay_access 11 deny all 

# NOTE(review): most of these allows are already covered by the earlier
# allows or by our_networks; in practice this group mainly adds net128 (which
# is not in our_networks) ahead of the final deny.
http_access allow net1401 
http_access allow net1409 
http_access allow net140 
http_access allow net0 
http_access allow net30 
http_access allow net40 
http_access allow net80 
http_access allow net110 
http_access allow net128 
http_access allow net192 
http_access allow net137 
http_access deny all 


And here is the krb5.conf:

# Client-side Kerberos defaults used by the libkrb5 that squid_kerb_auth links.
[libdefaults] 
        # NOTE(review): upper-case here, while the -s principal in squid.conf
        # is written "...@example.LOCAL"; realm names are case-sensitive, so
        # confirm both really name the same realm once de-anonymised.
        default_realm = EXAMPLE.LOCAL 
        # Realm and KDC may also be discovered through DNS, in addition to the
        # static [realms] entry below.
        dns_lookup_realm = true 
        dns_lookup_kdc = true 
        ticket_lifetime = 24h 
        forwardable = true 

[realms] 
        EXAMPLE.LOCAL = { 
                kdc = example.example.local 
                admin_server = example.example.local 
                default_domain = EXAMPLE.LOCAL 
        
        } 

# Read by the KDC and kadmind daemons rather than by the client library, so as
# far as I know this section has no effect on the proxy unless it also runs a
# KDC.
[logging] 
        kdc = FILE:/var/log/krb5/krb5kdc.log 
        admin_server = FILE:/var/log/krb5/kadmind.log 
        default = SYSLOG:NOTICE:DAEMON 

# PAM-specific settings; presumably not consumed by the Squid helper — verify.
[appdefaults] 
        pam = { 
                debug = false 
                ticket_lifetime = 36000 
                renew_lifetime = 36000 
                forwardable = true 
                krb4_convert = false 
        } 


Any input would be greatly appreciated...

Thnx Vaelenor 



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Error-with-Squid-proxy-to-Kerberos-authentication-tp4656265.html
Sent from the Squid - Users mailing list archive at Nabble.com.


