Hi,
I want to configure a SLES (SUSE Linux Enterprise Server 11 (x86_64) V11, PL3) to run a Squid proxy with Kerberos authentication to the local domain. I started to install/configure following this link:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
The keytab was generated with Samba.
wbinfo -g shows me the existing AD groups. Also wbinfo -u shows the current AD users. I also see the Kerberos traffic to the Windows DC in Wireshark, which is installed on the SLES system.
If I start a web browser that is configured to use the proxy service I get a login prompt, but authentication doesn't work. I also see no traffic from the SLES system to the Windows DC!
Error in the squid log:
2014/07/10 11:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
2014/07/10 11:24:41| squid_kerb_auth: WARNING: received type 1 NTLM token
krb5.conf:
[CODE][libdefaults]
# only one default_realm may be set; the realm of the HTTP keytab is used here
default_realm = EPSCENTRAL.NET
# Fred: both set to true
dns_lookup_kdc = true
dns_lookup_realm = true
default_keytab_name = /etc/squid/HTTP.keytab
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 300
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
EPSCENTRAL.NET = {
default_domain = epscentral.net
kdc = derigs0019srv.epscentral.net
admin_server = derigs0019srv.epscentral.net
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.epscentral.net = EPSCENTRAL.NET
epscentral.net = EPSCENTRAL.NET
.EPSCENTRAL.NET = EPSCENTRAL.NET
EPSCENTRAL.NET = EPSCENTRAL.NET
.stuttgart = EPSCENTRAL.NET
stuttgart = EPSCENTRAL.NET
.STUTTGART = EPSCENTRAL.NET
STUTTGART = EPSCENTRAL.NET
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
keytab = /etc/squid/HTTP.keytab
}
[/CODE]
squid.conf:
[CODE]auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/squid-proxy-3.epscentral.net@EPSCENTRAL.NET
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED
# error appears when this is active: acl all src all
# acl all src all
# NOTE FOR TESTING - if this line is active the proxy works, because access from localnet is allowed without Kerberos (domain)
# http_access allow localnet
# or:
# localhost
# as the last rule: deny everything
http_access deny !auth
http_access allow auth
http_access deny all
[/CODE]
Any ideas?
Thanks, Markus
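To confirm what the browser actually sent, the token from the squid_kerb_auth debug line above can be decoded and classified. This is an added diagnostic example, not code from the post or from Squid; the SPNEGO sample token it compares against is constructed here, and the OID values are the standard SPNEGO and Kerberos GSS mechanism OIDs.

```python
import base64

# Token copied from the "Got 'YR ...'" debug line in the squid log above.
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed sample (not from the post): a minimal SPNEGO NegTokenInit whose
# mechTypes list contains only the Kerberos mechanism, i.e. what squid_kerb_auth
# expects a domain-joined browser to send.
KRB5_SPNEGO_SAMPLE = base64.b64encode(
    b"\x60\x1b" + b"\x06\x06" + SPNEGO_OID
    + b"\xa0\x11" + b"\x30\x0f" + b"\xa0\x0d" + b"\x30\x0b" + b"\x06\x09" + KRB5_OID
).decode()


def classify_negotiate_token(b64: str) -> str:
    """Describe what a Proxy-Authorization: Negotiate token carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Raw NTLMSSP: message type is a little-endian uint32 at offset 8
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"raw NTLMSSP message type {msg_type}"
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: APPLICATION [0] wrapping a mech OID
        if SPNEGO_OID in raw[:16]:
            if KRB5_OID in raw:
                return "SPNEGO with Kerberos mech"
            if b"NTLMSSP\x00" in raw:
                return "SPNEGO wrapping NTLMSSP"
            return "SPNEGO, unknown mech"
        if KRB5_OID in raw[:16]:
            return "raw Kerberos GSS token"
    return "unrecognised token"


if __name__ == "__main__":
    print("log token   :", classify_negotiate_token(LOG_TOKEN))
    print("krb5 sample :", classify_negotiate_token(KRB5_SPNEGO_SAMPLE))
```

The logged token decodes to a raw NTLM Type 1 message, so the client never attempted Kerberos for this request; that is why no traffic to the DC is seen and why the helper reports "received type 1 NTLM token".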