Thanks, will do! When you say outdated, do you mean ciphers? Or instructions?

Raf

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of L.P.H. van Belle
Sent: Monday, 17 February 2020 11:23
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: please, can someone help me with the negotiate kerberos?

Hi Rafael,

Yes, I agree, this is the other most simple way, but I suggest you remove/change on this page:
https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html

The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

These are really outdated. ;-)

To (just the default):

[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = true
dns_lookup_realm = false

Keytabs and samba, read:
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction

Greetz,

Louis

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Rafael Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: please, can someone help me with the negotiate kerberos?
>
> Hello Rafael,
>
> There is an easier option *without* joining the Squid machine to the domain. See the tutorial at
> https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
> (it also applies to vanilla Squid without our UI - you would just need to do more manual steps).
>
> Raf
>
> -----Original Message-----
> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: please, can someone help me with the negotiate kerberos?
>
> Hello!
> I think I did almost everything right. Firstly I made it in a test environment with Debian stretch running Squid 3.5 and a Windows Server 2008 based domain controller, and it worked!
>
> But when I tried to deploy it in the production environment running Debian stretch, Squid 3.5 and Windows Server 2012 as the domain controller, the authentication never works. The file /var/log/squid/cache.log shows this:
>
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).
>
> Obs1: I replaced a big string with letters and numbers by "(LETTERS AND NUMBERS)"
> Obs2: I posted more of the file in this link https://pastebin.com/Z2fe98dB
>
> Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL:
>
> root@SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL
>
> Valid starting       Expires              Service principal
> 02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>         renew until 02/16/2020 09:55:32
>
> The results of running: klist -kte /etc/squid/HTTP.keytab
>
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>
> And the results of running:
>
> root@SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
> Token: (Alonglinewithnumbersandletters)
>
> The configs of the /etc/krb5.conf:
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_kdc = no
> dns_lookup_realm = no
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid/HTTP.keytab
>
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> DOMAIN.LOCAL = {
>     kdc = dc01.domain.local
>     admin_server = dc01.domain.local
>     default_domain = domain.local
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
> domain.local = DOMAIN.LOCAL
>
> And the /etc/squid/squid.conf:
>
> http_port 3128
> dns_nameservers 200.198.5.4 200.198.5.5
> visible_hostname PROXY
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
>
> url_rewrite_program /usr/bin/squidGuard
>
> #auth parameter NEGOTIATE
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
>
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl Safe_ports port 90          # metodo
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl CONNECT method CONNECT
> acl auth proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny !auth
> http_access allow auth
>
> In the domain controller I created the proper DNS records in the two zones; the host with Squid can have its IP resolved to its right hostname, and its hostname resolved to its right IP. In the clients I set the proxy as server.domain.local, and in the Squid access.log the requests come in but are all denied, and a prompt for user and password is shown to the user.
>
> Obs: the only data edited while posting was that I replaced our domain by domain.local, the name of the host by SERVER, and long strings of data in the cache log and negotiate kerberos test output; all the rest is what is really running in the files.
>
> Please, someone help me. I tried to read everything I could find but I am not finding how to understand what I am doing wrong. Thanks in advance, D:
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
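The GSS error quoted in the original post, "No principal in keytab matches desired name", is raised when the service name that negotiate_kerberos_auth is told to use (the -s argument) is not found in the keytab it is given. As an added example, not code from the thread, from Squid or from Diladele, the following Python script parses klist -kte output, extracts the -s name from the auth_param line, reports whether that principal is present in the keytab, and flags the RC4/DES enctypes Louis calls outdated. The klist listing and auth_param line are constructed samples in the format shown in the thread, and the default realm is assumed.

```python
import re

# Constructed sample of `klist -kte` output, in the format shown in the thread
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
"""

# Constructed copy of the auth_param line from the thread's squid.conf
SQUID_AUTH_LINE = ("auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth"
                   " -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab")

# Deprecated or broken enctypes; RC4 and DES variants should not be relied on
WEAK_ENCTYPES = {"arcfour-hmac", "rc4-hmac", "des-cbc-crc", "des-cbc-md5", "des3-hmac-sha1"}

# One keytab entry: KVNO, timestamp (date and time), principal, "(enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Map each principal to {kvno: set(enctypes)} from klist -kte output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header and separator lines
        kvno, _ts, principal, enctype = m.groups()
        entries.setdefault(principal, {}).setdefault(int(kvno), set()).add(enctype)
    return entries


def configured_service_name(auth_line, default_realm):
    """Return the -s value passed to negotiate_kerberos_auth, realm-qualified."""
    m = re.search(r"\s-s\s+(\S+)", auth_line)
    if not m:
        return None  # no -s given; the helper would derive a default name itself
    name = m.group(1)
    return name if "@" in name else f"{name}@{default_realm}"


def check_keytab(auth_line, klist_text, default_realm):
    """Report whether the configured principal is in the keytab and its weak enctypes."""
    wanted = configured_service_name(auth_line, default_realm)
    keytab = parse_keytab_listing(klist_text)
    found = wanted in keytab
    http_principals = sorted(p for p in keytab if p.startswith("HTTP/"))
    weak = sorted({e for kv in keytab.get(wanted, {}).values() for e in kv} & WEAK_ENCTYPES)
    return {"wanted": wanted, "found": found,
            "http_principals": http_principals, "weak_enctypes": weak}


if __name__ == "__main__":
    print(check_keytab(SQUID_AUTH_LINE, KLIST_OUTPUT, "DOMAIN.LOCAL"))
```

Run against the values posted in the thread, the check reports the -s name as absent and lists the HTTP/ principals the keytab does contain, which is the first thing to compare when this GSS error appears.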