Re: [squid-users] Error with Squid proxy to Kerberos authentication

From: Rickifer Barros <rickiferbarros_at_gmail.com>
Date: Mon, 20 Aug 2012 09:44:40 -0300

Hi,

Did you give the user "proxy" read permission on the keytab file?

On Mon, Aug 20, 2012 at 8:47 AM, Vaelenor <ajaglal_at_hotmail.com> wrote:
> Hiya,
>
> I'm trying to get my squid to authenticate users for web access through
> Kerberos but it ain't working.
> I keep getting a 407 (Proxy Authentication Required) response.
>
> This is the command I used to create the keytab file:
>
> rem Windows ktpass invocation that writes the keytab for the AD account svc-squid-da.
> rem /princ is the service principal stored in the keytab, /mapuser binds it to the
> rem account, /pass is the account password (redacted here; ktpass also sets the
> rem account password to this value), /crypto all writes a key for every enctype the
> rem DC offers (may include legacy types), /ptype KRB5_NT_PRINCIPAL is the principal
> rem type, /mapop add appends rather than replaces the mapping, /target is the DC used.
> ktpass /out proxy.squid.example.keytab /princ
> host/proxy.example.nl_at_example.LOCAL /mapuser svc-squid-da /pass xxxxxx
> /crypto all /ptype KRB5_NT_PRINCIPAL /mapop add /target
> example.example.local
>
>
> Here is the squid.conf :
>
> # squid.conf as posted. http_access lines are evaluated top to bottom and the
> # first matching line decides, so the order of the allow/deny rules matters.
> http_port 3128
> ftp_passive off
>
> hierarchy_stoplist cgi-bin ?
>
> # do not cache dynamic (cgi-bin / query) content
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> # Disabled basic-auth setup, presumably an earlier configuration kept for reference.
> #auth_param basic realm proxy.snt.nl: Log in met uw EIGEN windows
> gebruikersnaam en wachtwoord
> #auth_param basic program /usr/sbin/squid_kerb_auth
> #auth_param basic program /usr/sbin/msnt_auth
> #auth_param basic children 1
> #auth_param basic credentialsttl 2 hours
> #acl password proxy_auth REQUIRED
>
> # Negotiate (Kerberos) helper: -d turns on helper debug output, -s names the
> # service principal whose key the helper takes from the keytab it reads, so it
> # must match an entry in that keytab.
> # NOTE(review): browsers normally request a ticket for HTTP/<proxy fqdn> when
> # authenticating to a proxy; confirm that the principal class used here and in
> # the keytab is the one the clients actually ask for.
> auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s
> host/proxy.example.nl_at_example.LOCAL
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
> # 'password' matches only requests carrying credentials the helper accepts.
> acl password proxy_auth REQUIRED
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> # Request-blocking ACLs: messenger MIME type, streaming/updater user agents and
> # URL paths that are refused further down.
> acl mymime req_mime_type application/x-msn-messenger
> acl video req_header User-Agent NSPlayer
> acl video req_header User-Agent NextWare
> acl video req_header User-Agent Windows-Media-Player
> acl video req_header User-Agent Mozilla.*Google.Desktop
> acl video req_header User-Agent kh_lt/LT
> acl video req_header User-Agent uvnx
> acl video req_header User-Agent contype
> acl video req_header User-Agent BW-C-2.0
> acl video req_header User-Agent AutoUpdateAgent
> acl video req_header User-Agent Tioga
> acl proxy urlpath_regex anoniem
> acl proxy urlpath_regex mozilla.exe
> acl proxy urlpath_regex vancouver
> acl proxy urlpath_regex winterspel
> acl proxy urlpath_regex wintergame
> acl proxy urlpath_regex winter-spel
> acl proxy urlpath_regex winter-game
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> # ports that may be tunnelled with CONNECT
> acl SSL_ports port 21
> acl SSL_ports port 443
> acl SSL_ports port 1935 # rtmp for studiemeter
> acl SSL_ports port 6667
> acl SSL_ports port 11438 # xxxxxxxxxx
> # ports that may be requested at all
> acl Safe_ports port 80 # http
> acl Safe_ports port 82 # 83.163.161.48 (webeasy climate control)
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 1935 # rtmp for studiemeter
> acl Safe_ports port 2222 # Marcel Wobbes server
> acl Safe_ports port 6667 # Martin Ayttm
> acl Safe_ports port 6969 # Martin Ayttm
> acl Safe_ports port 11438 # Remote-support-Centric
> acl Safe_ports port 8888 # kpn: CRM-SDF
> acl CONNECT method CONNECT
>
> # Client networks; the /24 acls are subsets of the wider /16 and /20 ranges.
> acl net0 src 10.0.200.0/24
> acl net30 src 10.30.0.0/16
> acl net301 src 10.30.1.0/24
> acl net40 src 10.40.0.0/16
> acl net401 src 10.40.1.0/24
> acl net80 src 10.80.0.0/16
> acl net801 src 10.80.1.0/24
> acl net110 src 10.110.1.0/24
> acl net137 src 10.137.80.0/20
> acl net1371 src 10.137.80.0/24
> acl net128 src 128.1.0.0/16
> acl net1281 src 128.1.1.0/24
> acl net140 src 140.140.0.0/16
> acl net1401 src 140.140.2.0/24
> acl net1409 src 140.140.9.0/24
> acl net192 src 192.168.0.0/16
> acl our_networks src 140.140.0.0/16 10.0.200.0/24 10.30.0.0/16 10.40.0.0/16
> 10.80.0.0/16 10.110.0.0/16 10.137.80.0/20 192.168.0.0/16
>
> # These allows come before the Safe_ports/CONNECT denies and before the auth
> # rule, so requests from these subnets are accepted without authentication and
> # without the port restrictions that follow.
> http_access allow net0
> http_access allow net301
> http_access allow net401
> http_access allow net801
> http_access allow net110
> http_access allow net1281
> http_access allow net1371
> http_access allow net1401
> http_access allow net1409
>
> http_access deny proxy
> http_access deny mymime
> http_access deny video
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # cache manager interface only from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # A request without credentials fails 'password' and is challenged (407) here.
> # A request whose credentials are rejected does not match 'password' but is
> # still allowed by the our_networks line that follows, so for those ranges the
> # Kerberos login is not actually enforced.
> http_access allow password
> http_access allow our_networks
> http_access allow localhost
>
> # NOTE(review): replies and ICP are unrestricted; icp_access only matters if an
> # icp_port is enabled, which is not shown here.
> http_reply_access allow all
> icp_access allow all
> reply_body_max_size 400 MB
> cache_mgr dcc_at_nl.example.com
>
> # destinations that are never cached and are fetched directly, not via a peer
> acl alw_direct dstdomain .teezir.com .custhelp.com .rightnowtech.com
> .rightnow.com .dhl.com .arflexit.nl .helptu.nl .ottobv.nl .twitter.com
>
> no_cache deny alw_direct
> always_direct allow alw_direct
>
> # SNMP disabled
> snmp_port 0
>
> # Bandwidth limiting: eleven class-3 pools, one per client network.
> delay_pools 11
>
> delay_class 1 3
> delay_class 2 3
> delay_class 3 3
> delay_class 4 3
> delay_class 5 3
> delay_class 6 3
> delay_class 7 3
> delay_class 8 3
> delay_class 9 3
> delay_class 10 3
> delay_class 11 3
>
> # class 3: aggregate / per-/24 network / per-host buckets, each given as
> # restore_rate/max_size in bytes; -1/-1 means unlimited
> delay_parameters 1 -1/-1 1250000/1250000 500000/500000
> delay_parameters 2 -1/-1 1250000/1250000 500000/500000
> delay_parameters 3 -1/-1 1250000/1250000 250000/250000
> delay_parameters 4 -1/-1 1250000/1250000 500000/500000
> delay_parameters 5 -1/-1 1250000/1250000 125000/125000
> delay_parameters 6 -1/-1 1250000/1250000 375000/375000
> delay_parameters 7 -1/-1 1250000/1250000 125000/125000
> delay_parameters 8 -1/-1 1250000/1250000 750000/750000
> delay_parameters 9 -1/-1 1250000/1250000 125000/125000
> delay_parameters 10 -1/-1 1250000/1250000 125000/125000
> delay_parameters 11 -1/-1 1250000/1250000 125000/125000
>
> # each pool applies only to its own network
> delay_access 1 allow net1401
> delay_access 2 allow net1409
> delay_access 3 allow net140
> delay_access 4 allow net0
> delay_access 5 allow net30
> delay_access 6 allow net40
> delay_access 7 allow net80
> delay_access 8 allow net110
> delay_access 9 allow net128
> delay_access 10 allow net192
> delay_access 11 allow net137
>
> delay_access 1 deny all
> delay_access 2 deny all
> delay_access 3 deny all
> delay_access 4 deny all
> delay_access 5 deny all
> delay_access 6 deny all
> delay_access 7 deny all
> delay_access 8 deny all
> delay_access 9 deny all
> delay_access 10 deny all
> delay_access 11 deny all
>
> # Reached only by requests nothing above matched. Every range here except
> # net128 (128.1.0.0/16) is already inside our_networks, so most of these lines
> # never match; everything else ends in the final deny.
> http_access allow net1401
> http_access allow net1409
> http_access allow net140
> http_access allow net0
> http_access allow net30
> http_access allow net40
> http_access allow net80
> http_access allow net110
> http_access allow net128
> http_access allow net192
> http_access allow net137
> http_access deny all
>
>
> And here is the krb5.conf
>
> # krb5.conf as posted, i.e. the client-side library configuration on the proxy host.
> [libdefaults]
> default_realm = EXAMPLE.LOCAL
> # NOTE(review): with dns_lookup_realm enabled the realm can also be taken from
> # DNS answers; MIT's documentation cautions that this trusts unsigned DNS data,
> # and the static [realms] entry below already names the KDC.
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = true
>
> [realms]
> EXAMPLE.LOCAL = {
> kdc = example.example.local
> admin_server = example.example.local
> # NOTE(review): default_domain is normally the DNS domain used to build host
> # principals (e.g. example.local), not the realm name — confirm.
> default_domain = EXAMPLE.LOCAL
>
> }
>
> # Log destinations; the kdc/admin_server entries are presumably only relevant
> # on a KDC host, not on this client.
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
>
> # Settings for the pam Kerberos module (lifetimes presumably in seconds);
> # presumably not consulted by the Squid helper.
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> Any input would be gratefully received...
>
> Thnx Vaelenor
>
>
>
> --
Received on Mon Aug 20 2012 - 12:44:47 MDT
