I also had problems with msktutil, so I suggest you try this, see below.
I've been using it for a few years and it always works (for me, of course).
It should be pretty simple, but the squid-cache site (wiki) is in my opinion a bit outdated.
And it's for Amos to adapt it on the site.
Amos or Alex, please review below, you might want to add it.
And add your parts to it, like running this without a correct SPN.
It's tested in use and working since squid 3.1 up to 4.8.
Tested on Debian Wheezy (7) up to Buster (10).
Below assumes the server you're setting up does have an A and PTR record.
(note, which should be added at the domain join of winbind, as of samba4.x)
This is my howto.
A Debian based, with Kerberos Auth against a Samba Active Directory.
Should be adaptable for any OS, should also work with MS Active Directory.
But since I don't have any, I'm not testing it.
# Install a minimal OS, at install only choose base + ssh server.
#
# Setup these variables for a copy/paste, might be handy, and then "it just works"
#
# Obligated to set: ADDOM
# This should match the netbios (NT4) domain name in caps, per example from a login:
# NTDOM\username
ADDOM="NTDOM"
#
# These should be fine, but if you have multiple IP numbers and hostnames, you
# might want to adjust these.
FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"
# Requirements before you start installing the software like: squid winbind krb5-user
#
# Login, sudo to root.
# /etc/resolv.conf, set as follows.
# search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC
# Verify it:
grep search /etc/resolv.conf
grep nameserver /etc/resolv.conf
# If ok, then run:
apt update
apt install squid winbind krb5-user -y
# Just hit enter on every question, the defaults are fine. (verified in Debian).
# And now verify /etc/krb5.conf
less /etc/krb5.conf
# It should look like this:
#[libdefaults]
# default_realm = YOUR.Detected_REALM.TLD
#
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true
# ... and more..
# >> P.s. I never touch krb5.conf, never needed, it "just works" <<
# Set REALM variable now, default should be ok. Don't touch it.
# (no trailing whitespace inside the quotes, or the realm ends up with a space in it)
REALM="$(grep default_realm /etc/krb5.conf | awk '{print $NF}')"
# It's used for smb.conf and the auth part of squid.
# Then stop squid and samba and configure it.
systemctl stop squid winbind
# flush the log, so if you start it you start with a clean log.
> /var/log/squid/cache.log
# Configure smb.conf and join the AD domain, the minimal setting for smb.conf.
cp /etc/samba/smb.conf{,.original}
echo "# Auth-Only setup with winbind. ( no Shares )
[global]
workgroup = ${ADDOM}
security = ADS
realm = ${REALM}
netbios name = ${HOSTN^^}
## make sure the numbers below never overlap system ranges, see /etc/adduser.conf
## map id's outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## map ids from the domain; the (*) range and this range may not overlap !
idmap config ${ADDOM} : backend = rid
idmap config ${ADDOM} : range = 10000-3999999
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
" > /etc/samba/smb.conf
# And verify it.
less /etc/samba/smb.conf
# Next step, join the AD domain.
# Login/auth with kerberos.
kinit Administrator
# and join the domain.
net ads join -k
# Creating the squid keytab file.
export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab add HTTP/${FQDN}
# Verify the keytab file:
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab
# destroy your authentication ticket for Administrator.
kdestroy
# set correct rights.
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here.
# and setup your squid auth.
# (the keytab path is absolute, and the whole auth_param line stays inside one quoted string)
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
  --kerberos /usr/lib/squid/negotiate_kerberos_auth \\
    -k /etc/squid/squid-HTTP-${HOSTN}.keytab \\
    -s HTTP/${FQDN}@${REALM} \\
  --ntlm /usr/bin/ntlm_auth \\
    --helper-protocol=gss-spnego --domain=${ADDOM}
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on" > /etc/squid/conf.d/auth.conf
systemctl start winbind squid
# Done
# And check squid log how it started.
cat /var/log/squid/cache.log
Now go configure the other parts you need of squid.
And enjoy.. :-)
Greetz,
Louis
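An added pre-flight check, not code from Louis's howto nor from Squid or Samba: it parses a constructed `klist -ke` listing and confirms the `HTTP/FQDN@REALM` SPN that `negotiate_kerberos_auth -s` expects, the machine account msktutil authenticates as, and any RC4/DES enctypes still in the keytab. Hostnames, realm and listing are invented; the machine-account check fails for a transposed computer name such as the `suqidpnb1$` tried in the quoted msktutil output below.

```shell
#!/bin/sh
# Added example, not part of the mailing-list howto: pre-flight checks on a
# `klist -ke` listing before squid's negotiate helper is pointed at a keytab.
# Assumptions: FQDN/REALM are what the howto derives (hostname -f and
# default_realm); the listing text is passed in, so this runs offline.

# Constructed sample of `klist -ke` output (host names and realm invented).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid-HTTP-proxy1.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 SQUIDPNB1$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.test@EXAMPLE.TEST (arcfour-hmac)'

# keytab_has_spn LISTING FQDN REALM
# exit 0 when the HTTP/FQDN@REALM service principal that
# `negotiate_kerberos_auth -s` will look up is present with an AES key.
keytab_has_spn() {
    printf '%s\n' "$1" |
        grep -q -E "^ *[0-9]+ HTTP/$2@$3 \(aes(128|256)-cts-hmac-sha1-96\)"
}

# keytab_has_machine_account LISTING NAME REALM
# exit 0 when the computer account NAME$ (the SAM account msktutil
# authenticates as from the keytab) is present. Case-insensitive, because
# AD upper-cases the SAM name; a transposed name still fails, as it should.
keytab_has_machine_account() {
    printf '%s\n' "$1" | grep -q -i -E "^ *[0-9]+ $2\\\$@$3 \("
}

# keytab_weak_enctypes LISTING
# prints (one per line) any RC4/DES enctypes found, so they can be dropped
# from the keytab and from krb5.conf's enctype lists; prints nothing if AES-only.
keytab_weak_enctypes() {
    printf '%s\n' "$1" |
        grep -o -E '\((arcfour-hmac|rc4-hmac|des-cbc-[a-z0-9]+)[^)]*\)' |
        tr -d '()' | sort -u
}
```

On a real host, feed it `"$(klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab)"` together with the howto's FQDN and REALM; run the checks as root or the proxy group, since the keytab is mode 640.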
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Tevfik Ceydeliler
Sent: Wednesday 25 September 2019 13:59
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Kerberos and keytab problem

Hi, I try to use kerberos in my squid. But I get an error message:
############################
msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 95
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
-- destroy_g_context: Destroying Kerberos Context
-- initialize_g_context: Creating Kerberos Context
-- finalize_exec: SAM Account Name is: suqidpnb1$
-- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for suqidpnb1$ with password
-- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
-- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.
#############################
Can't find why this happens:
My AD is 2012R2 function level.
I create keytab with this:
msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28
Keytab file permission is:
-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab
and keytab file (klist -k output):
3 SQUIDPNB1$@TOYO.GRP
3 SQUIDPNB1$@TOYO.GRP
3 SQUIDPNB1$@TOYO.GRP
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
krb5.conf:
[libdefaults]
default_realm = TOYO.GRP
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
TOYO.GRP = {
kdc = dctoyo1.toyo.grp
kdc = DCTOYO2.toyo.grp
admin_server = 10.65.12.254
default_domain = toyo.grp
}
[domain_realm]
toyo.grp = TOYO.GRP
.toyo.grp = TOYO.GRP
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
--
Tevfik Ceydeliler
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users