Squid: Kerberos authentication error with Windows domain
Hi All,
I am trying to set up Squid with Kerberos-based auth on a Windows domain with both 2008 R2 and 2003 domain controllers (the purpose is to provide a proxy that logs the username of the user accessing the internet but does not prompt for a username and password), but I encounter the same error every time:
I cannot get past this error and have rebuilt the CentOS box many times from fresh.
"authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information." is in the Squid logs when I try to open a browser.
Internet Explorer prompts for a username and password (which I don't want, but I need the username in the Squid logs); it never accepts the username and password, as I have an ACL to deny if auth fails.
I followed instructions from "https://www.dalemacartney.com/2012/07/06/squid-proxy-integration-with-active-directory-the-quick-and-simple-way/"
Joining CentOS to the domain using the link on the web page above worked fine.
dig -x returns the DNS name of the proxy and domain controller as expected.
resolv.conf is set up correctly and the hostname is correct.
The getent passwd Administrator command worked fine and returned data as expected.
wbinfo -g and wbinfo -u work as expected as well (returning users/groups from AD).
There were no errors while carrying out the instructions from the web page.
Here are the changes I put in the /etc/init.d/squid startup:
start() {
KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME
probe
parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
--------------
Here are the permissions on the keytab file:
-rwxr-----. 1 root squid 951 Aug 3 23:59 /etc/squid/squid.keytab
Here is the msktutil command I ran (I assume lower case is fine):
msktutil -c -b "CN=COMPUTERS" -s HTTP/cenprox.domain.com.au -k /etc/squid/squid.keytab --computer-name cenprox --upn HTTP/cenprox.domain.com.au --server dc.domain.com.au --enctypes 28
Here are the top lines of my squid.conf:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
And further down:
# from where browsing should be allowed
# http_access allow localnet
# http_access allow localhost
http_access allow ad_auth
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
----------------------------
This is the smb.conf (but it should not matter, as it joined AD fine):
workgroup = WORKGROUP
realm = DOMAIN.COM.AU
security = ads
idmap config * : range = 16777216-33554431
idmap config WORKGROUP:backend = rid
idmap config WORKGROUP:range = 10000000-19999999
template homedir = /home/%U
template shell = /sbin/nologin
winbind use default domain = true
winbind offline logon = false
map untrusted to domain = Yes
I have also tried setting --computer-name to cenprox1 instead of cenprox, as another web page with instructions said that using the same name as winbind does can cause NTLM to fail.
I need to get this completed this weekend; any help to fix this or make progress would be appreciated. This is only the first step and I cannot get past it; the next steps are to add an external NIC, restrict Squid to the internal NIC, set up reporting and set up the firewall.
Thanks,
Glenn
Last edited by glemmas; 08-04-2013 at 03:27 AM.
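As an added example (this is not code from Glenn's post or from the Squid project), here is a small shell script covering the keytab-side checks a practitioner runs when squid_kerb_auth reports gss_acquire_cred() failing: the keytab must contain exactly HTTP/<fqdn>@REALM for the name browsers connect to (Kerberos principals are case-sensitive, so a differently-cased entry is not used), and the msktutil --enctypes mask must include a type the DCs can actually issue (Windows 2003 DCs do not issue AES tickets, so a mixed 2003/2008 R2 domain needs the RC4 bit). The host, realm, keytab path and enctypes value are taken from the post; the klist listing embedded in the script is constructed for the example, and the script only falls back to it when klist or the keytab is not available.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the keytab conditions that
# squid_kerb_auth needs before gss_acquire_cred() can succeed. Host, realm,
# keytab path and enctype mask are taken from the post; the listing below is
# constructed, not captured from a real system.

SPN_HOST="cenprox.domain.com.au"
REALM="DOMAIN.COM.AU"
KEYTAB="/etc/squid/squid.keytab"
ENCTYPES=28

# Constructed sample in the format `klist -kt` prints (KVNO, date, time,
# principal); one line per key, so a mask of 28 yields three HTTP/ entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/03/13 23:59:01 HTTP/cenprox.domain.com.au@DOMAIN.COM.AU
   2 08/03/13 23:59:01 HTTP/cenprox.domain.com.au@DOMAIN.COM.AU
   2 08/03/13 23:59:01 HTTP/cenprox.domain.com.au@DOMAIN.COM.AU
   2 08/03/13 23:59:01 cenprox$@DOMAIN.COM.AU'

# keytab_has_spn LISTING HOST REALM: exit 0 if HTTP/HOST@REALM is in LISTING.
# The principal is the last field of each key line.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="HTTP/$2@$3" \
        '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_spn_case_mismatch LISTING HOST REALM: exit 0 if the principal exists
# only with different case (e.g. http/...), which the GSS library will not match.
keytab_spn_case_mismatch() {
    printf '%s\n' "$1" | awk -v want="HTTP/$2@$3" '
        $NF == want                   { exact = 1 }
        tolower($NF) == tolower(want) { any = 1 }
        END { exit (any && !exact) ? 0 : 1 }'
}

# enctype_names MASK: names behind an msktutil --enctypes bitmask
# (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128-CTS, 16 AES256-CTS).
enctype_names() {
    names=""
    [ $(($1 & 1))  -ne 0 ] && names="$names des-cbc-crc"
    [ $(($1 & 2))  -ne 0 ] && names="$names des-cbc-md5"
    [ $(($1 & 4))  -ne 0 ] && names="$names rc4-hmac"
    [ $(($1 & 8))  -ne 0 ] && names="$names aes128-cts"
    [ $(($1 & 16)) -ne 0 ] && names="$names aes256-cts"
    printf '%s\n' "${names# }"
}

# mask_ok_for_2003 MASK: Windows 2003 DCs issue RC4 (or DES) service tickets
# only, so a mixed 2003/2008 R2 domain needs the RC4 bit (4) in the keytab.
mask_ok_for_2003() {
    [ $(($1 & 4)) -ne 0 ]
}

# Run the checks against the real keytab when klist is installed and the file
# is readable by the current user, otherwise against the constructed sample.
check_keytab() {
    if command -v klist >/dev/null 2>&1 && [ -r "$KEYTAB" ]; then
        listing=$(klist -kt "$KEYTAB" 2>/dev/null || true)
    else
        listing=$SAMPLE_KLIST
    fi
    if keytab_has_spn "$listing" "$SPN_HOST" "$REALM"; then
        echo "ok: HTTP/$SPN_HOST@$REALM present in keytab"
    elif keytab_spn_case_mismatch "$listing" "$SPN_HOST" "$REALM"; then
        echo "FAIL: principal present only with different case; recreate it with msktutil"
    else
        echo "FAIL: HTTP/$SPN_HOST@$REALM missing; check the -s/--upn values given to msktutil"
    fi
    echo "enctypes $ENCTYPES = $(enctype_names "$ENCTYPES")"
    mask_ok_for_2003 "$ENCTYPES" || echo "FAIL: no RC4 key; 2003 DCs cannot issue AES tickets"
}

check_keytab
```

On the proxy itself, run the script as the user Squid runs its helpers as (the keytab here is root:squid mode 0640, so the squid user can read it only through the group bit), and follow it with `kinit -kt /etc/squid/squid.keytab HTTP/cenprox.domain.com.au@DOMAIN.COM.AU` to prove the keytab is accepted by a DC; if kinit succeeds but the helper still fails, the remaining suspects are KRB5_KTNAME not reaching the helper's environment and the browser using a proxy name other than the one in the SPN.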