PS: forgot to say, after installing winbind and setting up smb.conf, join the domain of course.

  net ads join -U Administrator

or

  kinit Administrator
  net ads join -k yes

In Debian there is no need to change any files except the smb.conf as shown. All other defaults should work out of the box.

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of L.P.H. van Belle
> Sent: Monday, 17 February 2020 10:00
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: please, can someone help me with the negotiate kerberos?
>
> Hi,
>
> This is the most stable way to run with kerberos, or at least for me.
> * below works for me with samba 3.x-4.11.x and squid 3.2 up to 4.10
>
> I'm running this on Debian Buster now. ( samba 4.11.6 + squid 4.10 )
> ( all packaged in own repo.)
>
> 1) Set up samba and join the domain. This assumes an auth-only setup.
> Install winbind and set up smb.conf
>
> # Example auth-only smb.conf
> [global]
> workgroup = NTDOM_IN_CAPS
> security = ads
> realm = YOUR.REALM.TLD_IN_CAPS
>
> netbios name = HOSTNAME_IN_CAPS
> preferred master = no
> domain master = no
> host msdfs = no
>
> interfaces = 192.168.0.1 127.0.0.1
> bind interfaces only = yes
> dns proxy = yes
>
> # Add and update TLS key
> # Consider using certificates for samba also, you can re-use them in squid.
> tls enabled = yes
> tls keyfile = /etc/ssl/local/proxy1.key.pem
> tls certfile = /etc/ssl/local/proxy1.cert.pem
> tls cafile = /etc/ssl/certs/ca.pem
>
> ## map IDs from outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> ## map IDs from the domain; the ranges may not overlap!
> # BACKEND RID, assuming no Windows use except proxy/auth.
> idmap config NTDOM : backend = rid
> idmap config NTDOM : range = 10000-3999999
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket ! MUST USE THIS
> winbind refresh tickets = yes
>
> # Optional use.
> winbind use default domain = yes
>
> # enable offline logins
> winbind offline logon = yes
>
> # Added for freeradius support, if needed.
> #ntlm auth = mschapv2-and-ntlmv2-only
>
> # disable usershare creation; when set empty there are no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #
>
> And start winbind.
>
> Now create the squid keytab file.
>
>   KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
>   chown proxy:proxy /root/squid.keytab
>   chmod 640 /root/squid.keytab
>
> And you're done, move the keytab to where you need it.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Rafael Silva Daniel
> > Sent: Sunday, 16 February 2020 20:16
> > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: please, can someone help me with the negotiate kerberos?
> >
> > Hey guys!
> >
> > I'm still testing it, but I think I found my mistake, so I will leave it here for future reference.
> >
> > I compared the way I arranged things in my test environment with the production environment, and noticed some differences in the keytab. I still don't know if it's obligatory, I'm still testing it, but when I deleted the keytab, the account for the keytab in AD and the account for the machine in the Active Directory, and created another one, I used a different name for HTTP/
> >
> > Like, the way I did it that didn't work:
> >
> >   msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28
> >
> > The way I did it that worked:
> >
> >   msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squidproxy.domain.local --server dc01.domain.local --verbose --enctypes 28
> >
> >
> >
> > --
> > Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
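The two keytab pitfalls in this thread (an HTTP/ SPN registered under the host's own name while the browsers are pointed at a different proxy name, and a keytab that lacks the enctypes or kvno the DC currently uses) can be caught by reading the keytab directly before restarting squid. The script below is an added example, not code from this thread, Samba or msktutil: it reimplements the keytab on-disk format (version 0x0502) so it runs offline without klist, kinit or a reachable DC, on constructed sample keytabs with dummy key bytes. It assumes the scenario Rafael describes, clients configured for squidproxy.domain.local while the machine is squid2, and takes DOMAIN.LOCAL as the realm; the msktutil --enctypes bit values (4 = RC4, 8 = AES128, 16 = AES256, so 28 is all three) are used to express which enctypes must be present.

```python
"""Audit a keytab (MIT/Heimdal on-disk format 0x0502) for a Negotiate proxy.

Added example, not code from the squid-users thread, Samba or msktutil. It
reimplements the keytab file format so it runs offline on constructed sample
keytabs with dummy key bytes; DOMAIN.LOCAL and squid2/squidproxy are assumed.
"""
import struct

# Kerberos enctype numbers (RFC 3962, RFC 4757)
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# msktutil --enctypes bits: 4 = RC4-HMAC, 8 = AES128, 16 = AES256, so 28 = all three
MSKTUTIL_BITS = {4: 23, 8: 17, 16: 18}


def _ostr(b: bytes) -> bytes:
    # counted octet string: big-endian uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, etype, kvno, key) tuples into keytab v2 bytes."""
    out = bytearray(b"\x05\x02")
    for principal, etype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _ostr(realm.encode())
        body += b"".join(_ostr(c.encode()) for c in comps)
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp (0 here), 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno, as modern libkrb5 writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return [{principal, etype, kvno}] for every live entry; deleted slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted entry of abs(size) bytes
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen  # the key bytes themselves are not needed for the audit
        if end - pos >= 4:  # a non-zero 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "etype": etype, "kvno": kvno})
    return entries


def check_keytab(data: bytes, expected_principal: str, enctype_mask: int = 28):
    """List what breaks Negotiate: wrong SPN, missing enctypes, mixed kvno.

    expected_principal is HTTP/<name the browsers are pointed at>@REALM, which
    need not be the host's own name; enctype_mask uses msktutil's bit values.
    """
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        have = sorted({e["principal"] for e in entries})
        return [f"no key for {expected_principal}; keytab only has {have}"]
    wanted = {MSKTUTIL_BITS[b] for b in MSKTUTIL_BITS if enctype_mask & b}
    problems = [f"missing enctype {ETYPE_NAMES.get(et, et)} for {expected_principal}"
                for et in sorted(wanted - {e["etype"] for e in mine})]
    kvnos = sorted({e["kvno"] for e in mine})
    if len(kvnos) > 1:
        problems.append(f"mixed kvno {kvnos} for {expected_principal}: stale keys from a re-join or password reset")
    return problems


# Constructed samples with dummy key bytes (a real keytab holds AD-derived keys)
DUMMY = bytes(range(32))
PROXY_SPN = "HTTP/squidproxy.domain.local@DOMAIN.LOCAL"  # name the clients request
HOST_SPN = "HTTP/squid2.domain.local@DOMAIN.LOCAL"       # the machine's own name
SAMPLE_WRONG_SPN = build_keytab([(HOST_SPN, et, 2, DUMMY[:16] if et != 18 else DUMMY) for et in (23, 17, 18)])
SAMPLE_GOOD = build_keytab([(PROXY_SPN, et, 2, DUMMY[:16] if et != 18 else DUMMY) for et in (23, 17, 18)])
SAMPLE_NO_AES256 = build_keytab([(PROXY_SPN, 23, 2, DUMMY[:16]), (PROXY_SPN, 17, 2, DUMMY[:16])])


def audit_samples():
    """Run the check on the three constructed keytabs; an empty list means OK."""
    return {"wrong_spn": check_keytab(SAMPLE_WRONG_SPN, PROXY_SPN),
            "good": check_keytab(SAMPLE_GOOD, PROXY_SPN),
            "no_aes256": check_keytab(SAMPLE_NO_AES256, PROXY_SPN)}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

On a real proxy, feed check_keytab the bytes of /etc/squid/HTTP.keytab (or the /root/squid.keytab that `net ads keytab add HTTP` produced) together with the SPN the browsers actually request; `klist -kte` shows the same principal, kvno and enctype listing interactively, and `kvno HTTP/squidproxy.domain.local` from a host holding a ticket tells you which kvno the DC currently issues, so a mismatch after a re-join or machine password reset is visible before clients start failing. The deleted-slot handling matters because `ktutil` removals leave negative-size records behind rather than rewriting the file.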