Hai,

This is the most stable way to run with kerberos, or at least for me.
* below has worked for me with samba 3.x-4.11.x and squid 3.2 up to 4.10

I'm running this on Debian Buster now. ( samba 4.11.6 + squid 4.10 ) ( all packaged in own repo. )

1) Setup samba and join the domain.
This assumes an auth only setup.

Install winbind and set up smb.conf:

#Example auth only smb.conf
[global]
    workgroup = NTDOM_IN_CAPS
    security = ads
    realm = YOUR.REALM.TLD_IN_CAPS
    netbios name = HOSTNAME_IN_CAPS

    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    #Add and Update TLS Key
    # Consider using Certificates for samba also, you can re-use them in squid.
    tls enabled = yes
    tls keyfile = /etc/ssl/local/proxy1.key.pem
    tls certfile = /etc/ssl/local/proxy1.cert.pem
    tls cafile = /etc/ssl/certs/ca.pem

    ## map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain, the ranges may not overlap!
    # BACKEND RID, assuming no windows use except proxy/auth.
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket ! MUST USE THIS
    winbind refresh tickets = yes

    # Optional use.
    winbind use default domain = yes

    # enable offline logins
    winbind offline logon = yes

    # Added for freeradius support, if needed.
    #ntlm auth = mschapv2-and-ntlmv2-only

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

# And start winbind

Now create the squid keytab file.

    KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
    chown proxy:proxy /root/squid.keytab
    chmod 640 /root/squid.keytab

And you're done, move the keytab to where you need it.

Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Rafael Silva Daniel
> Sent: Sunday 16 February 2020 20:16
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: please, can someone help me with the negotiate kerberos?
>
> Hey guys! I'm still testing it, but I think I found my mistake, so I will
> leave it here for future reference.
>
> I compared the way I arranged things in my test environment with the
> production environment, and noticed some differences in the keytab. I still
> don't know if it's obligatory, I'm still testing it, but when I deleted the
> keytab, the account for the keytab in AD, the account for the machine in the
> Active Directory, and created another one, I used a different name for HTTP/
>
> like, the way I did it that didn't work:
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28
>
> the way I did it that worked:
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squidproxy.domain.local --server dc01.domain.local --verbose --enctypes 28
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
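
Added example (not from either poster, nor from the Squid or Samba projects): shell checks for the two things this thread turns on, whether the keytab holds the HTTP/ principal for a given proxy name, and whether the file is closed to other users as with the chmod 640 above. The klist listing is constructed, DOMAIN.LOCAL is an assumed realm, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (MIT Kerberos layout). On a real
# host feed in:  klist -k /etc/squid/HTTP.keytab
# Realm DOMAIN.LOCAL and the KVNO values are assumptions for illustration.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 squid2$@DOMAIN.LOCAL
   2 HTTP/squidproxy.domain.local@DOMAIN.LOCAL
   2 HTTP/squidproxy.domain.local@DOMAIN.LOCAL'

# keytab_spns KLIST_TEXT
# Print each distinct HTTP/ principal (one line per enctype collapses to one).
keytab_spns() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $2 ~ /^HTTP\// { print $2 }' | sort -u
}

# keytab_has_spn KLIST_TEXT FQDN
# Succeed only if an entry for exactly HTTP/FQDN@<realm> exists.
keytab_has_spn() {
    printf '%s\n' "$1" |
        awk -v want="HTTP/$2@" \
            '$1 ~ /^[0-9]+$/ && index($2, want) == 1 { ok = 1 } END { exit !ok }'
}

# keytab_mode_ok FILE
# Succeed if FILE exists and "other" has no permission bits (640 passes,
# 644 fails). Ownership (proxy:proxy above) still has to be checked by eye.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Compare the two names from the quoted msktutil commands against the listing.
for name in squid2.domain.local squidproxy.domain.local; do
    if keytab_has_spn "$SAMPLE_KLIST" "$name"; then
        echo "HTTP/$name: present in keytab"
    else
        echo "HTTP/$name: not in keytab"
    fi
done
```

The name to test is the proxy host name the browsers are configured with, since that is the HTTP/ service name a Negotiate client asks a ticket for.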