I would recommend to: 1) use Debian buster, 2) use Squid 4.12, 3) use Samba (winbind).

Needed in smb.conf (only showing what's really needed; there is more, of course):

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only

"apt install winbind krb5-user" should be sufficient. Samba joins the domain. /etc/krb5.keytab contains the default part and refreshes the server Kerberos passwords/tickets. And for Squid its own keytab:

    kinit Administrator
    export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
    net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator
    # alias name to keytab
    net ads keytab ADD HTTP/CNAME.FQDN
    # check keytab file.
    klist -ke /etc/squid/HTTP-$(hostname -s).keytab
    unset KRB5_KTNAME
    # set rights.
    chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
    chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in squid:

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
            -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Points to think about: server IPs need A + PTR; use CNAMEs in the DNS, and make sure the resolving is set up correctly. Add a caching DNS to the proxy (and let Squid use it also).

I had this working (without HAProxy) but with keepalived. As far as I can tell, your problem is in how the hostnames and IPs are used, but the above might give you ideas.

Greetz,
Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Service MV
Sent: Thursday, 23 July 2020 17:36
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with Kerberos integration, authenticating and browsing without problems:

cache.log

    squid_kerb_auth: User some.user authenticated

access.log

    10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer, to which for redundancy I configured a virtual IP with the keepalived service. When I point my browser to the DNS A record (balancer.mydomain.local), which in turn points to the keepalived virtual IP, the authentication stops working:

cache.log

    no records

access.log

    10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - HIER_NONE/- text/

In the client browser a prompt appears requesting authentication. I find it strange that the IP registered by SQUID is 10.10.8.207, which is the physical IP of my VM, instead of the virtual IP configured in HAProxy, which is the IP 10.10.8.213.

I send you all the configurations that I have made, to see if you can help me find where my configuration error is.

keepalived.conf

    global_defs {
        notification_email {
            some.user@mydomain.local
        }
        notification_email_from balancer1@mydomain.local
        smtp_server smtp.mydomain.local
        smtp_connect_timeout 60
    }

    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 101
        priority 101
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass somepass123
        }
        virtual_ipaddress {
            10.10.8.213
        }
    }

haproxy.conf

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 4000
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        balance source
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.0/8
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    ### statistics
    listen stats
        bind 10.10.8.213:1936
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /haproxy?stats
        stats auth haproxy:somepass123

    ### balancer
    listen squid
        bind 10.10.8.213:3128
        mode http
        option httplog
        balance source
        hash-type consistent
        option httpclose
        cookie SERVERID insert indirect nocache
        option forwardfor header X-Client
        server proxy1 10.10.8.205:3128 check inter 2000 rise 2 fall 5
        server proxy2 10.10.8.206:3128 check inter 2000 rise 2 fall 5

squid.conf

    # minimal configuration for testing
    visible_hostname proxy1.mydomain.local
    http_port 3128
    debug_options ALL,1 33,2 28,9
    maximum_object_size 8192 KB
    error_directory /opt/squid411/share/errors/es-ar
    shutdown_lifetime 0 seconds
    forwarded_for on
    auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
    auth_param negotiate children 300 startup=150 idle=10
    auth_param negotiate keep_alive on
    acl auth proxy_auth REQUIRED
    http_access allow auth
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all

squid -v

    Squid Cache: Version 4.11
    Service Name: squid
    This binary uses OpenSSL 1.0.2u 20 Dec 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
    configure options: '--prefix=/opt/squid411' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/opt/squid411/var' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers' '--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--enable-ltdl-convenience' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'

Environment:

    env KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab KRB5RCACHETYPE=none

/etc/krb5.conf

    [libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_kdc = yes
        dns_lookup_realm = yes
        ticket_lifetime = 24h
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
        MYDOMAIN.LOCAL = {
            kdc = s-dc00.mydomain.local
            kdc = s-dc01.mydomain.local
            kdc = s-dc02.mydomain.local
            admin_server = s-dc00.mydomain.local
        }

    [domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL

Keytab creation:

    msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k /opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose --enctypes 28
    # permissions for keytab file
    chgrp proxy /opt/squid411/etc/PROXY.keytab
    chmod g+r /opt/squid411/etc/PROXY.keytab

klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: some.user@MYDOMAIN.LOCAL

    Valid starting       Expires              Service principal
    07/23/2020 11:59:45  07/23/2020 21:59:45  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
            renew until 07/24/2020 11:59:40

One thing I didn't quite understand is the procedure to authenticate from HAProxy. According to the documentation I read, I did the following: I created a DNS A record and its PTR in my DNS server pointing to the virtual IP of the keepalived (10.10.8.213) in the HAProxy. Then I created a "HTTP_inet" user account in Active Directory. Then on my domain controller, in a CMD with administrator permissions, I ran:

    setspn -S HTTP/inet.mydomain.local HTTP_inet
    setspn -S HTTP/inet HTTP_inet

In both cases the message was: object updated. Then on my SQUID servers, I executed:

    kinit HTTP_inet@MYDOMAIN.LOCAL

It asks for the user's password. Then I start the ktutil tool, and that's where I write:

    addent -password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac
    (asks for the user password)
    addent -password -p HTTP/inet -k 2 -e rc4-hmac
    (asks for the user password)
    wkt /opt/squid411/etc/PROXY.keytab
    quit

Listing the keys in the keytab:

    ktutil
    read_kt /opt/squid411/etc/PROXY.keytab

    slot KVNO Principal
       1    1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       2    1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       3    1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
       4    1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       5    1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       6    1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
       7    1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
       8    1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
       9    1 host/DEBIAN-PROXY@MYDOMAIN.LOCAL
      10    1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      11    1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      12    1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
      13    2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
      14    2 HTTP/inet@MYDOMAIN.LOCAL

It's this last part I understand the least; maybe the mistake is there, or somewhere else. I appreciate any help you can offer me.

Best regards,
Gabriel
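As an added example (not code from the thread, from Squid or from Samba), the following Python checker captures the point Louis makes about names: it follows CNAMEs in a constructed DNS table to the canonical host, derives the HTTP/<fqdn> SPN a client will request for the proxy name it was given (with or without DNS canonicalization, since browsers differ on that), parses a constructed ktutil listing shaped like the one above, and reports whether that SPN is present in the keytab (and at which KVNO) and whether the address's PTR points back at the canonical name. Every name, address and keytab entry below is constructed sample data, not a real record.

```python
"""
Check that the proxy name a client uses maps to an HTTP/<fqdn> SPN that is
actually present in Squid's keytab, and that A/PTR records agree.

Added example; not from the thread, Squid or Samba. DNS, PTR and keytab
data are constructed samples modelled on the thread (assumptions).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

REALM = "MYDOMAIN.LOCAL"  # constructed realm, as in the thread

# Constructed DNS table: name -> (record type, value); names lower-case, no trailing dot.
DNS: Dict[str, Tuple[str, str]] = {
    "balancer.mydomain.local": ("A", "10.10.8.213"),
    "inet.mydomain.local": ("A", "10.10.8.213"),
    "proxy-alias.mydomain.local": ("CNAME", "debian-proxy.mydomain.local"),
    "debian-proxy.mydomain.local": ("A", "10.10.8.205"),
}

# Constructed reverse records for the same addresses.
PTR: Dict[str, str] = {
    "10.10.8.213": "inet.mydomain.local",
    "10.10.8.205": "debian-proxy.mydomain.local",
}

# Constructed ktutil 'list' output, same column layout as the thread's listing.
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ------------------------------------------------
   1    1 DEBIAN-PROXY$@MYDOMAIN.LOCAL
   2    1 HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   3    1 host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL
   4    2 HTTP/inet.mydomain.local@MYDOMAIN.LOCAL
   5    2 HTTP/inet@MYDOMAIN.LOCAL
"""


class KeytabEntry(NamedTuple):
    slot: int
    kvno: int
    principal: str


_ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil_list(text: str) -> List[KeytabEntry]:
    """Parse the 'slot KVNO Principal' table; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def canonical_name(name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A record is reached; None if unresolvable or looping."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rec = DNS.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return name
        name = value.lower().rstrip(".")
    return None


def expected_spn(proxy_name: str, canonicalize: bool) -> Optional[str]:
    """SPN the client will request: canonical host if it resolves CNAMEs first, else the name as typed."""
    if canonicalize:
        host = canonical_name(proxy_name)
        if host is None:
            return None
    else:
        host = proxy_name.lower().rstrip(".")
    return f"HTTP/{host}@{REALM}"


def check_proxy_name(proxy_name: str, listing: str, canonicalize: bool = True) -> dict:
    """Report the requested SPN, whether the keytab holds it, and A/PTR consistency."""
    spn = expected_spn(proxy_name, canonicalize)
    keys = parse_ktutil_list(listing)
    matches = [k for k in keys if k.principal == spn] if spn else []
    host = canonical_name(proxy_name)
    addr = DNS[host][1] if host else None
    ptr_ok = bool(addr) and PTR.get(addr, "").lower() == host
    return {
        "spn": spn,
        "in_keytab": bool(matches),
        "kvnos": sorted({k.kvno for k in matches}),
        "address": addr,
        "ptr_consistent": ptr_ok,
    }


if __name__ == "__main__":
    for name in ("inet.mydomain.local", "balancer.mydomain.local", "proxy-alias.mydomain.local"):
        print(name, check_proxy_name(name, KTUTIL_LISTING))
```

Run against a real environment, `KTUTIL_LISTING` would be the output of `klist -ke <keytab>` or ktutil's listing and the two tables would come from the resolver the clients actually use; the check to keep in mind is that the SPN must match the name the client ends up with after its own DNS handling, which is why Louis suggests adding every alias (CNAME) to the keytab and listing each one with `-s` on the helper.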
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users