Search squid archive

Re: please, can someone help me with the negotiate kerberos?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hai, 

This is the most stable way to run with kerberos, or at least for me. 
* below works for me since with samba 3.x-4.11.x and squid 3.2 upto 4.10

Im running this on Debian Buster now.  ( samba 4.11.6 + squid 4.10 ) 
( all packaged in own repo.) 

1) Setup samba and join the domain. this asumes an auth only setup. 
Install winbind : and setup smb.conf

#Example auth only smb.conf 
[global]
    workgroup = NTDOM_IN_CAPS
    security = ads
    realm = YOUR.REALM.TLD_IN_CAPS

    netbios name = HOSTNAME_IN_CAPS
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    #Add and Update TLS Key
	# Consider useing Certificates for samba also, you can re-use them in squid.
    tls enabled = yes
    tls keyfile = /etc/ssl/local/proxy1.key.pem
    tls certfile = /etc/ssl/local/proxy1.cert.pem
    tls cafile = /etc/ssl/certs/ca.pem

    ## map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain  the range may not overlap !
	# BACKEND RID, assuming no windows use expect proxy/auth.
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket ! MUSE USE THIS
    winbind refresh tickets = yes

    # Optional use. 
    winbind use default domain = yes

    # enable offline logins
    winbind offline logon = yes
	
    # Added for freeradius support, if needed.
    #ntlm auth = mschapv2-and-ntlmv2-only

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

# 

And start winbind

Now create the squid keytab file. 
KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
chown proxy:proxy /root/squid.keytab
chmod 640 /root/squid.keytab

And your done, move the keytab to where you need it. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: squid-users 
> [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens 
> Rafael Silva Daniel
> Verzonden: zondag 16 februari 2020 20:16
> Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Onderwerp: Re:  please, can someone help me with 
> the negotiate kerberos?
> 
> Hey guys! im still testing it, but i think i found my 
> mistake, so i will let
> it here for future reference
> 
> i compared the way i arranged things in my test enviroment between the
> production enviroment, e noticed some differences in the 
> keytab, i still
> dont know if its obligatory, im still testing it, but when i 
> deleted the
> keytab, the account for the keytab in ad, the account for the 
> machine in the
> active directory, and created another one, i used a different 
> name for HTTP/
> 
> like, the way i did that dont worked:
> 
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k
> /etc/squid/HTTP.keytab --computer-name squid2 --upn 
> HTTP/squid2.domain.local
> --server dc01.domain.local --verbose --enctypes 28
> 
> the way i did that worked:
> 
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k
> /etc/squid/HTTP.keytab --computer-name squid2 --upn
> HTTP/squidproxy.domain.local --server dc01.domain.local 
> --verbose --enctypes
> 28
> 
> 
> 
> --
> Sent from: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users
> -f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
> 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux