http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Configuring_a_Squid_Server_to_authenticate_from_Kerberos

14.07.2016 23:59, Yuri Voinov writes:
>
> Man,
>
> did you RTFM?
>
> Kerberos security has a perfect manual.
>
>
> 14.07.2016 22:07, Sergio Belkin writes:
> > Hi,
> >
> > Using squid squid-3.5.19-1.el7.centos.x86_64,
> >
> > I obtain a Kerberos ticket but I get the following when trying to use the proxy:
> >
> > 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> > 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
> > 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
> > 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
> >
> > My squid.conf is as follows:
> >
> > acl localnet src 10.0.0.0/8
> > acl localnet src 172.16.0.0/12
> > acl localnet src 192.168.0.0/16
> > acl localnet src fc00::/7
> > acl localnet src fe80::/10
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 21
> > acl Safe_ports port 443
> > acl Safe_ports port 70
> > acl Safe_ports port 210
> > acl Safe_ports port 1025-65535
> > acl Safe_ports port 280
> > acl Safe_ports port 488
> > acl Safe_ports port 591
> > acl Safe_ports port 777
> > acl CONNECT method CONNECT
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> > acl nobumpSites ssl::server_name "/etc/squid/acls/nobumpSites.txt"
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > acl social_ips src "/etc/squid/acls/social_ips"
> > acl social_dom dstdomain "/etc/squid/acls/social_dom"
> > auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> > acl kerb_auth proxy_auth REQUIRED
> > ssl_bump peek step1 all
> > ssl_bump splice nobumpSites
> > ssl_bump bump
> > http_access allow kerb_auth
> > http_access deny social_ips
> > http_access deny social_dom
> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> > acl connect method CONNECT
> > http_access deny connect numeric_IPs all
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> > always_direct allow all
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> > visible_hostname proxy.example.local
> > http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> > url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
> > url_rewrite_children 64
> > access_log daemon:/var/log/squid/access.log combined
> >
> > And klist output:
> >
> > klist -k /etc/squid/HTTP.keytab
> >
> > Keytab name: FILE:/etc/squid/HTTP.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy.example.local@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 host/proxy@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 KANBAN$@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy.example.local@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >    2 HTTP/proxy@EXAMPLE.LOCAL
> >
> > End of output.
> >
> > Please could you help me? Am I doing something wrong?
> >
> > Thanks in advance!
> >
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
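A triage script for the exchange quoted above, added here as an example and not part of either mail: it reads the debug lines, the `klist -k` listing and the `auth_param` line from the thread and reports which stage failed, i.e. whether any Negotiate token ever reached Squid (if not, the helper never ran and the keytab was never consulted) and whether the SPN given with `-s` is present in the keytab. The sample inputs are constructed from the thread's output; the verdict rule assumes the six debug lines are the complete exchange.

```python
import re

# Constructed from the thread: two request cycles of debug output, and the keytab listing trimmed.
SQUID_DEBUG = """\
2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
"""
KLIST_OUTPUT = """\
KVNO Principal
   2 host/proxy.example.local@EXAMPLE.LOCAL
   2 KANBAN$@EXAMPLE.LOCAL
   2 HTTP/proxy.example.local@EXAMPLE.LOCAL
"""
HELPER_LINE = ("auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth"
               " -d -s HTTP/proxy.example.local@EXAMPLE.LOCAL")

def keytab_principals(klist_text):
    """Map each principal in `klist -k` output to the set of KVNOs present."""
    found = {}
    for line in klist_text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found

def helper_spn(conf_line):
    """Service principal passed to negotiate_kerberos_auth with -s."""
    m = re.search(r"negotiate_kerberos_auth\b.*?\s-s\s+(\S+)", conf_line)
    return m.group(1) if m else None

def diagnose(debug_text, klist_text, conf_line):
    """Return (verdict, spn, spn_in_keytab, requests_without_token, challenges)."""
    lines = debug_text.splitlines()
    missing = sum("No Proxy-Auth header" in l for l in lines)
    sent = sum("header: 'Negotiate'" in l for l in lines)
    spn = helper_spn(conf_line)
    in_keytab = spn in keytab_principals(klist_text)
    if missing and missing == sent:
        # Every request arrived without a token: the helper never ran, so look at the client first.
        verdict = "client never sent a Negotiate token"
    elif not in_keytab:
        verdict = "helper SPN missing from keytab"
    else:
        verdict = "token received and SPN present; read the helper's -d output"
    return verdict, spn, in_keytab, missing, sent
```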