please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel
Hello! I think I did almost everything right. First I set it up in a test
environment with Debian Stretch running Squid 3.5 and a Windows Server 2008
based domain controller, and it worked!

But when I tried to deploy it in the production environment running Debian
Stretch, Squid 3.5 and Windows Server 2012 as the domain controller, the
authentication never works. The file /var/log/squid/cache.log shows this:

2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified
GSS failure.  Minor code may provide more information. No principal in
keytab matches desired name; }}
negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22|
negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid
(length: 2439).
negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22|
negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded
length: 1826).

Note 1: I replaced a long string of letters and numbers with "(LETTERS AND
NUMBERS)".
Note 2: I posted more of the file at this link: https://pastebin.com/Z2fe98dB

Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL
root@SERVER:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL

Valid starting       Expires              Service principal
02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02/16/2020 09:55:32



The results of running: klist -kte /etc/squid/HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)

And the results of running: root@SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
Token: (Alonglinewithnumbersandletters)

the configs of the /etc/krb5.conf:

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/HTTP.keytab

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        admin_server = dc01.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

and the /etc/squid/squid.conf:

http_port 3128
dns_nameservers 200.198.5.4 200.198.5.5
visible_hostname PROXY
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

url_rewrite_program /usr/bin/squidGuard

#auth parameter NEGOTIATE
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
auth_param negotiate children 30
auth_param negotiate keep_alive on

acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 90 # metodo
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access allow auth

And I created the keytab using:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28

I mostly used these guides:

https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#DNS_Configuration
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#krb5.conf_Configuration



On the domain controller I created the proper DNS records in the two zones;
the host with Squid can have its IP resolved to its right hostname, and its
hostname resolved to its right IP. On the clients I set the proxy as
server.domain.local, and in the Squid access.log the requests arrive but are
all denied and a prompt for user and password is shown to the user.

Note: the only data edited while posting was that I replaced our domain with
domain.local, the name of the host with SERVER, and long strings of data in
the cache log and the negotiate kerberos test output; all the rest is what is
really running in the files.

Please, someone help me. I tried to read everything I could find but I cannot
work out what I am doing wrong. Thanks in advance, D:





--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
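
The helper error in the post above, "No principal in keytab matches desired name", concerns the name passed with -s and the names stored in the keytab. As an added example (not part of the original thread and not Squid's own code), this Python script compares the two, using input abbreviated from the files quoted in that post. The function names are illustrative, and it assumes a principal written without @REALM is completed with default_realm from krb5.conf.

```python
import re
import shlex

# Sample input abbreviated from the squid.conf and `klist -kte` output quoted
# in the post above; two keytab rows are left wrapped the way mail wraps them.
SQUID_CONF = """\
http_port 3128
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
auth_param negotiate children 30
"""
KLIST_KTE = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL
(aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL
(aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab row: KVNO, date, time, principal, optional "(enctype)".
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\((.+)\))?\s*$")
# A wrapped row leaves "(enctype)" alone on the following line.
WRAPPED_ENCTYPE = re.compile(r"^\s*\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        row = ENTRY.match(line)
        if row:
            entries.append([int(row.group(1)), row.group(2), row.group(3)])
            continue
        wrapped = WRAPPED_ENCTYPE.match(line)
        if wrapped and entries and entries[-1][2] is None:
            entries[-1][2] = wrapped.group(1)
    return [tuple(e) for e in entries]


def helper_settings(squid_conf):
    """Return (service_principal, keytab_path) from the negotiate helper line."""
    for line in squid_conf.splitlines():
        words = shlex.split(line, comments=True)
        if words[:3] == ["auth_param", "negotiate", "program"]:
            args = words[4:]  # words[3] is the helper binary itself
            found = {}
            for flag in ("-s", "-k"):
                if flag in args and args.index(flag) + 1 < len(args):
                    found[flag] = args[args.index(flag) + 1]
            return found.get("-s"), found.get("-k")
    return None, None


def check_principal(squid_conf, klist_output, default_realm):
    """Compare the helper's -s principal with the keytab entries."""
    wanted, keytab = helper_settings(squid_conf)
    if wanted is None:
        raise ValueError("no -s option on an auth_param negotiate program line")
    if "@" not in wanted:
        # Assumption: the Kerberos library appends the default realm.
        wanted = f"{wanted}@{default_realm}"
    entries = parse_keytab_listing(klist_output)
    # Keytab lookups compare names exactly, including case.
    matching = [e for e in entries if e[1] == wanted]
    service = wanted.split("/", 1)[0]
    same_service = sorted({p for _, p, _ in entries
                           if p != wanted and p.split("/", 1)[0] == service})
    return {
        "wanted": wanted,
        "keytab": keytab,
        "matching": matching,
        "newest_kvno": max((k for k, _, _ in matching), default=None),
        "same_service": same_service,
    }


if __name__ == "__main__":
    result = check_principal(SQUID_CONF, KLIST_KTE, "DOMAIN.LOCAL")
    print("helper asks for :", result["wanted"])
    print("keytab file     :", result["keytab"])
    if result["matching"]:
        print("entries found, newest KVNO", result["newest_kvno"])
    else:
        print("no keytab entry with that exact name")
        for name in result["same_service"]:
            print("  keytab does contain:", name)
```

On the input above, no keytab entry carries the name given with -s, and the only HTTP principal in the listing is HTTP/squid2.domain.local@DOMAIN.LOCAL.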

Re: please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel
Hey guys! I'm still testing it, but I think I found my mistake, so I will leave
it here for future reference.

I compared the way I arranged things in my test environment with the
production environment, and noticed some differences in the keytab. I still
don't know if it's obligatory, I'm still testing it, but when I deleted the
keytab, the account for the keytab in AD, the account for the machine in
Active Directory, and created another one, I used a different name for HTTP/

Like, the way I did it that didn't work:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squid2.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squid2.domain.local --server dc01.domain.local --verbose --enctypes 28

The way I did it that worked:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.domain.local -k /etc/squid/HTTP.keytab --computer-name squid2 --upn HTTP/squidproxy.domain.local --server dc01.domain.local --verbose --enctypes 28




Re: please, can someone help me with the negotiate kerberos?

L.P.H. van Belle
Hi,

This is the most stable way to run with Kerberos, or at least for me.
* The below has worked for me with Samba 3.x-4.11.x and Squid 3.2 up to 4.10

I'm running this on Debian Buster now. (Samba 4.11.6 + Squid 4.10)
(all packaged in my own repo.)

1) Set up Samba and join the domain. This assumes an auth-only setup.
Install winbind and set up smb.conf

#Example auth only smb.conf
[global]
    workgroup = NTDOM_IN_CAPS
    security = ads
    realm = YOUR.REALM.TLD_IN_CAPS

    netbios name = HOSTNAME_IN_CAPS
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.1 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    # Add and update TLS key
    # Consider using certificates for Samba also; you can re-use them in Squid.
    tls enabled = yes
    tls keyfile = /etc/ssl/local/proxy1.key.pem
    tls certfile = /etc/ssl/local/proxy1.cert.pem
    tls cafile = /etc/ssl/certs/ca.pem

    ## map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the range may not overlap!
    # Backend RID, assuming no Windows use except proxy/auth.
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 10000-3999999

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the Kerberos ticket! MUST USE THIS
    winbind refresh tickets = yes

    # Optional use.
    winbind use default domain = yes

    # enable offline logins
    winbind offline logon = yes
       
    # Added for freeradius support, if needed.
    #ntlm auth = mschapv2-and-ntlmv2-only

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

#

And start winbind

Now create the squid keytab file.
KRB5_KTNAME=FILE:/root/squid.keytab net ads keytab add HTTP -U Administrator
chown proxy:proxy /root/squid.keytab
chmod 640 /root/squid.keytab

And you're done; move the keytab to where you need it.


Greetz,

Louis


> -----Original message-----
> From: squid-users [mailto:[hidden email]] On behalf of Rafael Silva Daniel
> Sent: Sunday, 16 February 2020 20:16
> To: [hidden email]
> Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?

Re: please, can someone help me with the negotiate kerberos?

L.P.H. van Belle
P.S. I forgot to say,

After installing winbind and setting up smb.conf

Join the domain of course.
net ads join -U Administrator

or,
kinit Administrator
net ads join -k yes

In Debian, there is no need to change any files except the smb.conf as shown.
All other defaults should work out of the box.


> -----Original message-----
> From: squid-users [mailto:[hidden email]] On behalf of L.P.H. van Belle
> Sent: Monday, 17 February 2020 10:00
> To: [hidden email]
> Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?

Re: please, can someone help me with the negotiate kerberos?

Rafael Akchurin
In reply to this post by Rafael Silva Daniel
Hello Rafael,

There is an easier option *without* joining the Squid machine to the domain.
See the tutorial at https://docs.diladele.com/administrator_guide_stable/active_directory/index.html (it also applies to vanilla Squid without our UI; you would just need to do more manual steps).

Raf

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Rafael Silva Daniel
Sent: Saturday, 15 February 2020 21:08
To: [hidden email]
Subject: [squid-users] please, can someone help me with the negotiate kerberos?


Re: please, can someone help me with the negotiate kerberos?

L.P.H. van Belle
Hi Rafael,

Yes, I agree, this is the other simplest way, but I suggest you remove/change this on this page:

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html 
The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

These are really outdated. ;-)


To ( just the default )

[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false


Keytabs and samba, read:
https://wiki.samba.org/index.php/Generating_Keytabs

https://wiki.samba.org/index.php/Keytab_Extraction 



Greetz,

Louis




> -----Original message-----
> From: squid-users [mailto:[hidden email]] On behalf of Rafael Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; [hidden email]
> Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?
>
> Hello Rafael,
>
> There is an easier option *without* joining the Squid machine
> to the domain,
> See tutorial at
> https://docs.diladele.com/administrator_guide_stable/active_di
> rectory/index.html (it also applies to vanilla Squid without
> our UI - just you would need to do more manual steps).
>
> Raf
>
> -----Original Message-----
> From: squid-users <[hidden email]>
> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: [hidden email]
> Subject: [squid-users] please, can someone help me with the
> negotiate kerberos?
>
> Helo! i think i did almost everything right, firstly i made
> it in a test enviroment with debian stretch running squid 3.5
> and a windows server 2008 based domain controller, and it worked!
>
> but when i tried to deploy it in the production enviroment
> running debian stretch, squid 3.5 and windows server 2012 as
> the domain controller the authentication never works, the
> file /var/log/squid/cache.log shows this:
>
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication
> validating user.
> Result: {result=BH, notes={message: gss_acquire_cred()
> failed: Unspecified GSS failure.  Minor code may provide more
> information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND
> NUMBERS)' from squid
> (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22|
> negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND
> NUMBERS)' (decoded
> length: 1826).
>
> Obs1:I replaced a big string with letters and numbers by
> "(LETTERS AND NUMBERS)"
> Obs2: i posted more of the file in this link
> https://pastebin.com/Z2fe98dB
>
> well, the results of running: kinit -kt /etc/squid/HTTP.keytab
> HTTP/[hidden email]:
> root@SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/[hidden email]
>
> Valid starting       Expires              Service principal
> 02/15/2020 10:55:32  02/15/2020 20:55:32  
> krbtgt/[hidden email]
>         renew until 02/16/2020 09:55:32
>
>
>
> The results of running:klist -kte /etc/squid/HTTP.keytab
>
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp           Principal
> ---- -------------------
> ------------------------------------------------------
>    1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/[hidden email]
> (arcfour-hmac)
>    1 02/12/2020 17:33:16 HTTP/[hidden email]
> (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/[hidden email]
> (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/[hidden email] (arcfour-hmac)
>    1 02/12/2020 17:33:16 host/[hidden email]
> (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/[hidden email]
> (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL
> (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL
> (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/[hidden email]
> (arcfour-hmac)
>    3 02/12/2020 17:36:59 HTTP/[hidden email]
> (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/[hidden email]
> (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/[hidden email] (arcfour-hmac)
>    3 02/12/2020 17:36:59 host/[hidden email]
> (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/[hidden email]
> (aes256-cts-hmac-sha1-96)
>
> And the results of running: root@SERVER:~#
> /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
> Token: (Alonglinewithnumbersandletters)
>
> the configs of the /etc/krb5.conf:
>
> [libdefaults]
>     default_realm = DOMAIN.LOCAL
>     dns_lookup_kdc = no
>     dns_lookup_realm = no
>     ticket_lifetime = 24h
>     default_keytab_name = /etc/squid/HTTP.keytab
>
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
> des-cbc-crc
> des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
> des-cbc-crc
> des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
>
> [realms]
>     DOMAIN.LOCAL = {
>         kdc = dc01.domain.local
>         admin_server = dc01.domain.local
>         default_domain = domain.local
>     }
>
> [domain_realm]
>     .domain.local = DOMAIN.LOCAL
>     domain.local = DOMAIN.LOCAL
>
> and the /etc/squid/squid.conf:
>
> http_port 3128
> dns_nameservers 200.198.5.4 200.198.5.5
> visible_hostname PROXY
> cache_dir ufs /var/spool/squid 100 16 256 coredump_dir
> /var/spool/squid
>
> url_rewrite_program /usr/bin/squidGuard
>
> #auth parameter NEGOTIATE
> auth_param negotiate program
> /usr/lib/squid/negotiate_kerberos_auth -d -s
> HTTP/squid.domain.local -k /etc/squid/HTTP.keytab auth_param
> negotiate children 30 auth_param negotiate keep_alive on
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Safe_ports port 90 # metodo
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports acl
> CONNECT method CONNECT acl auth proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny !auth
> http_access allow auth
>
>
>
> In the domain controller I created the proper DNS records in
> the two zones; the host with squid can have its IP
> resolved to its right hostname, and its hostname resolved to
> its right IP. In the clients I set the proxy as
> server.domain.local, and in the squid access.log the requests
> come in but are all denied and a prompt for user and password
> is shown to the user.
>
> Obs: the only data edited while posting was that I replaced
> our domain by domain.local, the name of the host by SERVER,
> and long strings of data in the cache log and negotiate
> kerberos test output; all the rest is what is really running in
> the files.
>
> Please, someone help me. I tried to read everything I could
> find, but I am not finding how to understand what I am doing
> wrong. Thanks in advance, D:
>

Re: please, can someone help me with the negotiate kerberos?

Rafael Akchurin
Thanks will do!
When you say outdated, do you mean ciphers? Or instructions?

Raf

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of L.P.H. van Belle
Sent: Monday, 17 February 2020 11:23
To: [hidden email]
Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?

Hi Rafael,

Yes, I agree, this is the other most simple way, but I suggest you remove/change this on this page:

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

These are really outdated. ;-)


To (just the default):

[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false


Keytabs and samba, read:
https://wiki.samba.org/index.php/Generating_Keytabs

https://wiki.samba.org/index.php/Keytab_Extraction 



Greetz,

Louis




> -----Original message-----
> From: squid-users
> [mailto:[hidden email]] On behalf of Rafael
> Akchurin
> Sent: Monday 17 February 2020 11:06
> To: Rafael Silva Daniel; [hidden email]
> Subject: Re: [squid-users] please, can someone help me with the
> negotiate kerberos?
>
> Hello Rafael,
>
> There is an easier option *without* joining the Squid machine to the
> domain. See the tutorial at
> https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
> (it also applies to vanilla Squid without our UI -
> you would just need to do more manual steps).
>
> Raf
>
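An added example (not from any poster in this thread): a Python check for the two conditions the thread discusses, the cache.log error "No principal in keytab matches desired name" and the outdated enctype lists pinned in krb5.conf. The function names and the inline sample input are assumptions constructed from the files quoted in the thread; realms are ignored when comparing principals.

```python
import re
import shlex

# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4), with MIT krb5 aliases.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1",
        "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def weak_enctype_settings(krb5_conf):
    """Map each enctype setting pinned in krb5.conf to the deprecated types it lists."""
    found = {}
    for line in krb5_conf.splitlines():
        key, _, value = line.partition("=")
        weak = [e for e in re.split(r"[\s,]+", value) if e.lower() in WEAK]
        if key.strip() in ENCTYPE_KEYS and weak:
            found[key.strip()] = weak
    return found

def helper_options(squid_conf):
    """Return {option: value} from the negotiate helper line, e.g. -s and -k."""
    for line in squid_conf.splitlines():
        words = shlex.split(line, comments=True)
        if words[:3] == ["auth_param", "negotiate", "program"]:
            return dict(zip(words[4:], words[5:]))
    return {}

def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -kte`."""
    return set(re.findall(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\(", klist_output, re.M))

def audit(krb5_conf, squid_conf, klist_output):
    """Return findings (empty list = both checks pass); realms are not compared."""
    opts = helper_options(squid_conf)
    names = {p.split("@")[0] for p in keytab_principals(klist_output)}
    findings = [f"{k} pins deprecated enctypes: {', '.join(w)}"
                for k, w in weak_enctype_settings(krb5_conf).items()]
    if "-s" in opts and opts["-s"].split("@")[0] not in names:
        findings.insert(0, f"-s {opts['-s']} has no entry in {opts.get('-k')}")
    return findings

# Constructed sample input, modeled on the files quoted in the thread.
KRB5_CONF = ("[libdefaults]\n"
             "    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5\n")
SQUID_CONF = ("auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d "
              "-s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab\n")
KLIST = ("   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)\n"
         "   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)\n")

if __name__ == "__main__":
    print("\n".join(audit(KRB5_CONF, SQUID_CONF, KLIST)))
```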


Re: please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel
In reply to this post by L.P.H. van Belle
Ooh, thanks L.P.H.!! This is exactly what I was wanting, a more stable way to
feel secure using this authentication. I will experiment with this today!
Thanks a lot for the attention!




Re: please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel
In reply to this post by Rafael Akchurin
Ooh, thanks too, Rafael! While I was researching I used your guide as a reference
to understand the mechanics better; in part thanks to it I got this far,
ahahah, very well documented! But some points I feared would be
distribution-specific and I felt insecure to try. With your tip I will read more
deeply into it! Thanks!

When I get things settled in the server I will post a conclusion. Really,
thanks for the attention guys, it will really help me get unstuck with this.




Re: please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel
In reply to this post by Rafael Silva Daniel
Just to close the case and conclude: Louis's tip worked flawlessly, it
combined well with the settings I was already using, and the authentication
is working rock solid and stable. The documentation Rafael provided
clarified a lot of the ins and outs of Kerberos authentication with squid,
so I recommend that everyone who is having difficulties learning how to set
up Kerberos authentication with squid combine the official config example
from squid with their tips and information; you will get it totally covered.

Thanks for the help!




Re: please, can someone help me with the negotiate kerberos?

L.P.H. van Belle
Yeah, if you know how, it is pretty simple ;-)
And thanks for the reply back and the nice words.

And you're welcome. :-)


Greetz,

Louis

