The Squid web cache includes an authenticator for Kerberos. It is simple to use, but the documentation is not very clear about how to make it work. Below are the steps I used to make Squid 3.2 Stable authenticate against Active Directory (Windows 2008 Directory Service).
Authentication
In this article we’ll use Negotiate (using Kerberos).
To use the Negotiate authentication method the web browser must be written to understand it and configured to use it for the proxy, and the client computer and user must be authenticated by the Kerberos infrastructure so that the browser can obtain the appropriate service ticket for the proxy from the KDC (Key Distribution Center). I’m using Firefox and Internet Explorer for Windows.
CONFIGURATION
This part is divided in two: one on the FreeBSD box (proxy-kerb), the other on the Windows Domain Controller (dc.itsol.biz; domain itsol.biz, NetBIOS name ITSOL).
Windows Step:
Create a user account, e.g. proxy.user, and use the ktpass command-line tool to map the proxy’s service principal name (SPN) onto it and write a keytab file. Kerberos realm names are case-sensitive, so write the realm in upper case, exactly as it will appear in krb5.conf:
ktpass -princ HTTP/squid.itsol.biz@ITSOL.BIZ -mapuser ITSOL\proxy.user -pass ******* -crypto all -out squid.keytab
After this, copy squid.keytab to the FreeBSD box into the folder /usr/local/etc/squid over a secure channel (e.g. scp). The keytab contains the service’s long-term key, so treat it like a private key.
FreeBSD Step:
Check /etc/resolv.conf for the proper domain and nameserver settings. You should have something like this:
domain itsol.biz
nameserver 192.168.0.10
Add A and PTR records in the DNS server for your proxy server’s hostname and test them. This is important: the browser builds the service principal name (HTTP/<fqdn>) from the name it resolves for the proxy, so the forward and reverse lookups must agree and must match the principal in the keytab.
# nslookup squid.itsol.biz
Server:         192.168.0.10
Address:        192.168.0.10#53

Non-authoritative answer:
Name:   squid.itsol.biz
Address: 192.168.0.5

# nslookup 192.168.0.5
Server:         192.168.0.10
Address:        192.168.0.10#53

Non-authoritative answer:
5.0.168.192.in-addr.arpa        name = squid.itsol.biz.
Install Kerberos from ports (/usr/ports/security/krb5) and create the configuration file /etc/krb5.conf with these settings (the realm name is upper case everywhere):
[libdefaults]
    default_realm = ITSOL.BIZ
    dns_lookup_realm = no
    dns_lookup_kdc = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/squid/squid.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
    ITSOL.BIZ = {
        kdc = dc.itsol.biz
        admin_server = dc.itsol.biz
        default_domain = itsol.biz
    }
[domain_realm]
    .itsol.biz = ITSOL.BIZ
    itsol.biz = ITSOL.BIZ
The des-cbc-crc and des-cbc-md5 entries are only there for old clients. Single DES is broken and newer Windows versions disable it by default, so drop those two enctypes unless something in your domain still needs them.
Test Kerberos
kinit -k HTTP/squid.itsol.biz
If there is no error or warning, everything is OK. Then check the ticket:
klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/squid.itsol.biz@ITSOL.BIZ

  Issued           Expires          Principal
Feb 14 17:06:12  Feb 15 03:06:12  krbtgt/ITSOL.BIZ@ITSOL.BIZ
Add the following to the Squid startup script (/usr/local/etc/rc.d/squid on FreeBSD, near the top after the comment header). Make sure the keytab is readable by the squid process owner and by nobody else:
export KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
Add these lines to squid.conf to activate authentication. The principal given with -s must be the same HTTP/<fqdn> name that is in the keytab and that browsers resolve for the proxy, and the deny rule must come before any http_access allow rule for your clients, otherwise unauthenticated requests slip through:
#Authentication helpers
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -i -s HTTP/squid.itsol.biz
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
Restart Squid. That is all!
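The steps above fail silently in several places (wrong realm case in the keytab, forward and reverse DNS disagreeing, a keytab Squid cannot read, a principal that is not in the keytab at all), and the symptom is usually just "User not authenticated" in cache.log. As an added example, not part of the original post, here is a small POSIX sh pre-flight script that checks each of those points before Squid is started. The hostnames, realm and keytab path are the post’s example values; the squid user name, the use of host(1) for DNS lookups and the klist/ktutil listing formats are assumptions, and the sample keytab listing used by the offline self-test is constructed.

```shell
#!/bin/sh
# squid-preflight.sh: checks for the Squid Negotiate/Kerberos setup above.
# Added example, not from the original post. Site-specific values follow;
# the proxy name, realm and keytab path are the post's example values.

PROXY_FQDN="squid.itsol.biz"
REALM="ITSOL.BIZ"
KEYTAB="/usr/local/etc/squid/squid.keytab"
SQUID_USER="squid"                      # assumption: user the squid process runs as
SPN="HTTP/${PROXY_FQDN}@${REALM}"

# Constructed sample of "klist -k -t" output, used only by self_test.
SAMPLE_KLIST="Keytab name: FILE:/usr/local/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 02/14/14 17:00:00 HTTP/squid.itsol.biz@ITSOL.BIZ"

# spn_realm_ok SPN: realms are case-sensitive, so a keytab cut with
# "@itsol.biz" never matches "@ITSOL.BIZ" from krb5.conf. Succeeds only
# when the SPN has a realm and that realm is all upper case.
spn_realm_ok() {
    case "$1" in *@*) ;; *) return 1 ;; esac
    case "${1#*@}" in *[a-z]*) return 1 ;; esac
    return 0
}

# keytab_has_spn SPN: reads a keytab listing ("klist -k -t" for MIT,
# "ktutil -k FILE list" for Heimdal) on stdin; succeeds if the exact
# principal string appears.
keytab_has_spn() {
    grep -q -F -- "$1"
}

# keytab_perms_ok FILE: the keytab holds the service's long-term key, so it
# must have no group/other bits (0400 or 0600). ls(1) is used so the check
# behaves the same on FreeBSD and Linux.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        -r[w-]-------) return 0 ;;
        *)             return 1 ;;
    esac
}

# dns_roundtrip_ok FQDN: browsers build HTTP/<fqdn> from the name they
# resolve, so A and PTR records must agree. Live check (network required).
dns_roundtrip_ok() {
    addr=$(host -t A "$1" 2>/dev/null | awk '/has address/ {print $NF; exit}')
    [ -n "$addr" ] || return 1
    rname=$(host "$addr" 2>/dev/null | awk '/domain name pointer/ {print $NF; exit}')
    [ "${rname%.}" = "$1" ]
}

# run_all_checks: live checks against the real keytab, DNS and KDC.
run_all_checks() {
    rc=0
    spn_realm_ok "$SPN"            || { echo "FAIL: realm in $SPN is not upper case"; rc=1; }
    dns_roundtrip_ok "$PROXY_FQDN" || { echo "FAIL: A/PTR records for $PROXY_FQDN disagree"; rc=1; }
    keytab_perms_ok "$KEYTAB"      || { echo "FAIL: $KEYTAB missing or readable by group/other"; rc=1; }
    [ "$(ls -ld -- "$KEYTAB" | awk '{print $3}')" = "$SQUID_USER" ] \
                                   || { echo "FAIL: $KEYTAB is not owned by $SQUID_USER"; rc=1; }
    # MIT klist first, then Heimdal ktutil (the Kerberos in FreeBSD base)
    { klist -k -t "$KEYTAB" 2>/dev/null || ktutil -k "$KEYTAB" list 2>/dev/null; } \
        | keytab_has_spn "$SPN"    || { echo "FAIL: $SPN not found in $KEYTAB"; rc=1; }
    # same test the post runs by hand; KRB5_KTNAME mirrors the rc script
    KRB5_KTNAME="$KEYTAB" kinit -k "HTTP/${PROXY_FQDN}" \
                                   || { echo "FAIL: kinit -k with the keytab failed"; rc=1; }
    return $rc
}

# self_test: offline exercise of the pure checks on a temp file and the
# constructed listing. Succeeds when every check gives the expected answer.
self_test() {
    tmp=$(mktemp) || return 1
    chmod 0400 "$tmp"
    keytab_perms_ok "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    if keytab_perms_ok "$tmp"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_spn "$SPN" || return 1
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_spn "HTTP/${PROXY_FQDN}@itsol.biz"; then
        return 1                    # wrong realm case must not match
    fi
    spn_realm_ok "$SPN"
}

# Live checks only run when asked, so the file can be sourced or tested
# offline:  SQUID_PREFLIGHT=1 sh squid-preflight.sh
if [ "${SQUID_PREFLIGHT:-0}" = "1" ]; then
    run_all_checks && echo "OK: Kerberos pre-flight passed for $SPN"
fi
```

Run it on the proxy as root with SQUID_PREFLIGHT=1 before starting Squid; every FAIL line maps to one of the steps above. The principal check is deliberately an exact, case-sensitive match, because that is what the GSSAPI library does when it looks the service key up in the keytab.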
Have you ever retrieved 0x2 using ktpass?
In most cases this means that you need to specify the user more fully, by prefixing the user name with the domain name, where the DOMAIN name is the NetBIOS version.
Little correction. It’s not
nameserer 192.168.0.10
but of course
nameserver 192.168.0.10
;)
Thank you for this great post !
Thanks for the correction :)
Useful article. I’m using OpenBSD but your post seems to apply. However, I’m having a problem with IE. Firefox works fine, but IE does not. It keeps prompting for credentials and eventually fails. I’ve tested the kerberos, and it works. I did all you described here. Any idea what I’m still missing?
Try this:
Open Internet Explorer and select Tools, then select Internet Options. Then, select the Advanced tab. Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.
Click the OK button and then, restart the browser so that the settings take effect.
Hi, I’ve some problems (squid does not work configuring kerberos this way). If I try the command
kinit -k HTTP/demo2-proxy.demo2.demo.local
I get this output:
kinit: krb5_get_init_creds: Additional pre-authentication required
Can you help me troubleshooting this problem?
Thanks in advance.
Two things you can check:
– time on both machines should be synchronized
– on AD Users and Computers, select user Properties, Account tab and check Account options. There is a check-box “Do not require Kerberos preauthentication” – uncheck this box
hi Bisser, now it seems better :)
I still get an error in squid, I think the problem is the
export KRB5_KTNAME=/usr/local/etc/squid/squid.keytab
in /usr/local/etc/rc.d/squid
in which point exactly do I have to insert this line?
Thank you in advance!
On top of the file, after the commented rows.
Check permissions – squid should have at least read access to squid.keytab
Hi Bisser, now kerberos seems to work (all tokens and klist are fine), but squid does not work and fails all authentication. Here is the cache.log:
2014/07/08 18:44:42 kid1| ERROR: Negotiate Authentication validating user. Error returned ‘BH gss_accept_sec_context() failed: Miscellaneous failure (see text). unknown mech-code 0 for mech unknown’
2014/07/08 18:44:42| negotiate_kerberos_auth: INFO: User not authenticated
Thank you very much for your help.