I am configuring Squid with Kerberos authorization. When a user tries to log in to the proxy through a browser, cache.log shows:

negotiate_kerberos_auth.cc(487): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab
negotiate_kerberos_auth.cc(570): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_10851
negotiate_kerberos_auth.cc(610): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2018/07/11 08:32:06 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

ktpass was set up like this:

ktpass -princ HTTP/proxy1.spz.int@SPZ.INT -mapuser squidproxy@spz.int -crypto RC4-HMAC-NT -pass passW0rd -ptype KRB5_NT_PRINCIPAL -out C:\proxy.keytab

============= squid.conf ========================
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy1.spz.int@SPZ.INT
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED

============= /etc/krb5.conf =========================
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SPZ.INT
 default_ccache_name = KEYRING:persistent:%{uid}
 default_keytab_name = /etc/squid/proxy.keytab

[realms]
 SPZ.INT = {
  kdc = spz.int
 }

[domain_realm]
 .spz.int = SPZ.INT
 spz.int = SPZ.INT
=================================================
Through kinit, authorization passes:
kinit -V -k -t /etc/squid/squidproxy.keytab HTTP/proxy1.spz.int@SPZ.INT
Using default cache: persistent:0:0
Using principal: HTTP/proxy1.spz.int@SPZ.INT
Using keytab: /etc/squid/proxy.keytab
Authenticated to Kerberos v5

klist

Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/proxy1.spz.int@SPZ.INT

Valid starting       Expires              Service principal
07/11/2018 08:59:23  07/11/2018 18:59:23  krbtgt/SPZ.INT@SPZ.INT
	renew until 07/18/2018 08:59:23
negotiate_kerberos_auth: WARNING: received type 1 NTLM token. Your browser (or something between you and the proxy) "shoves" an NTLM token into Squid. That is, it is in fact not trying to authenticate with a Kerberos ticket. To start debugging from the client's side (for example, Windows 7), look at the list of tickets issued by the domain controller with the klist command. After you have made an attempt to open the site in the browser, the list should contain something like this: HTTP/proxy1.spz.int@SPZ.INT - de_frag
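The diagnosis above can be confirmed from the helper's own log lines. This is an added Python example, not code from the thread or from Squid: it pulls the base64 token out of the cache.log "Got" line (the sample line is copied from the question) and names the mechanism the client actually sent (NTLM and its message type, SPNEGO, or raw Kerberos) by checking the NTLMSSP signature or the standard GSS-API mechanism OIDs.

```python
import base64
import re

# Constructed sample: the "Got" line from the cache.log excerpt in the question.
SAMPLE_LOG = (
    "negotiate_kerberos_auth.cc(610): pid=10258 :2018/07/11 08:32:06| "
    "negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' "
    "from squid (length: 59)."
)

NTLM_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs that follow the GSS-API [APPLICATION 0] tag (0x60) in a
# Negotiate token: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_raw(raw: bytes) -> str:
    """Name the mechanism of a decoded Negotiate token."""
    if raw.startswith(NTLM_SIGNATURE):
        # NTLMSSP message type is a little-endian uint32 at offset 8:
        # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE.
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLM type {msg_type}"
    if raw[:1] == b"\x60":
        # The mechanism OID sits right after the tag and a 1- to 3-byte
        # length, so the first 16 bytes are enough to find it.
        head = raw[:16]
        if SPNEGO_OID in head:
            return "SPNEGO"
        if KRB5_OID in head:
            return "Kerberos"
    return "unknown"


def classify_token(b64: str) -> str:
    return classify_raw(base64.b64decode(b64))


def tokens_from_log(text: str) -> list:
    """Extract the base64 tokens Squid handed to the helper
    ('YR' = new authentication, 'KK' = continuation of an existing one)."""
    return re.findall(r"Got '(?:YR|KK) ([A-Za-z0-9+/=]+)'", text)


if __name__ == "__main__":
    for tok in tokens_from_log(SAMPLE_LOG):
        # Prints "NTLM type 1": the client never offered a Kerberos ticket,
        # so the keytab and KDC side of the setup are not what failed here.
        print(classify_token(tok))
```

A type 1 (NEGOTIATE) token at the very first "YR" line means the client chose NTLM before the helper could do anything, which points at the client's ticket cache or the browser's Negotiate settings rather than at the proxy's keytab.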