|
Hai, Yes, all new things are hard.. I need some extra info because there are
lots of things that can be wrong. post what you see here : /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@xxxxxxxxxxxxxx
–d –i >> kinit and klist are ok >> /etc/krb5.keytab and
/etc/squid3/HTTP.keytab (both are identical) These are normaly not identical. In the
HTTPkeytab i have ONLY the HTTP spn. And in the krb5.keytab i have the host
SPN and netbios_name($) How to test the kerberos auth.. hmm, thats
a difficult one for me. I know lot but not all.. :-( . But what i do iknow, you can test with /usr/lib/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME If that works its probely an SPN or dns
problem. If that isnt working, then do check the
time on the ad server and proxy server. I can only say. The proxy servername must exist in dns and
must have A and PTR record. ( add this in the samba AD ) The reverse zone is ( maybe ) created, if
not, create it yourself and add the ptr records. Cat /etc/hosts file may NOT contain any. 127.0.1.1
yourhostname..
.. if its in there, you installed with dhcp
ip. It should contain 127.0.0.1 localhost IP_OF_SERVER hostname.domain.tld
hostname The is there if you install with a static
ip. Time must be in sync with the AD server (
max difference i allow is 1 min. ) If needed install ntp on the proxy and
point the server to the ad dc. And post what you now have in krb5.conf These are the most common pitfalls, i’ll
see what i can do to help out. Greetz, Louis Van: squid-users
[mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Marcio Demetrio Bacci My Kerberos Authentication doesn't work. This is very hard! My Squid3 is join in the Domain kinit and klist are ok wbinfo -g and wbinfo -u are ok too. I have created the squid3 file in /etc/default with the following
content: KRB5_KTNAME=/etc/squid3/HTTP.keytab export KRB5_KTNAME I have two keytab files: /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical) I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages
because my Squid server is Debian 8. But I didn't use msktutil tool. I have
only joined Squid server in the Domain (net ads join -U administrator) How can I debbug the problem? How can I test kerberos authentication in terminal (command line)? Below is my squid.conf file: ### Configuracoes Basicas cache_mgr administrator@xxxxxxxxxxxxxx http_port 3128 #debug_options ALL,111,2 29,9 84,6 cache_mem 512 MB cache_swap_low 80 cache_swap_high 90 maximum_object_size 512 MB minimum_object_size 0 KB maximum_object_size_in_memory 4096 KB cache_replacement_policy heap LFUDA memory_replacement_policy heap LFUDA #Para não bloquear downloads quick_abort_min -1 KB #Resolve um problema com conexoes persistentes detect_broken_pconn on fqdncache_size 1024 ### Parametros de atualizacao da memoria cache refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 ### Localizacao dos logs access_log /var/log/squid3/access.log cache_log /var/log/squid3/cache.log ### define a localizacao do cache de disco, tamanho, qtd de diretorios
pai e subdiretorios cache_dir aufs /var/spool/squid3 600 16 256 auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s
HTTP/proxy.empresa.com.br@xxxxxxxxxxxxxx auth_param negotiate children 20 auth_param negotiate keep_alive on visible_hostname proxy.empresa.com.br ### acls #acl manager proto cache_object acl to_localhost dst MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.200.7" MailScanner warning:
numerical links are often malicious: 192.168.200.7/32 acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra,
webmin acl Safe_ports port 21 # ftp acl Safe_ports port 70 # gopher acl Safe_ports port 80 # http acl Safe_ports port 88 # kerberos acl Safe_ports port 210 # wais acl Safe_ports port 280 # http-mgmt acl Safe_ports port 389 # ldap acl Safe_ports port 443 # https acl Safe_ports port 488 # gss-http acl Safe_ports port 563 # snews acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 3001 # imprenssa
nacional acl Safe_ports port 8080 # http acl Safe_ports port 1025-65535 # unregistered ports acl purge method PURGE acl CONNECT method CONNECT ### Regras iniciais do Squid http_access allow localhost http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports ### Exige autenticacao acl autenticados proxy_auth REQUIRED http_access allow autenticados ### Rede do Local ##### acl rede_local src MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.200.0" MailScanner warning:
numerical links are often malicious: 192.168.200.0/22 ### Nega acesso de quem nao esta na rede local http_access allow rede_local #negando o acesso para todos que nao estiverem nas regras anteriores http_access deny all ### Erros em portugues error_directory /usr/share/squid3/errors/pt-br #cache_effective_user proxy coredump_dir /var/spool/squid3 Regards, Márcio |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
