
I am trying to integrate Squid as a web proxy for my users in Active Directory. I have followed the tutorial on the Squid site here. When I run the command:

msktutil -c -b "CN=Administrator" -s HTTP/proxy.example.com -k /etc/squid3/PROXY.keytab \
--computer-name SQUIDPROXY-K --upn HTTP/proxy.example.com --server acdc.example.com --enctypes 28 --verbose

I got the error:

SASL/GSSAPI authentication started  
Error: ldap_sasl_interactive_bind_s failed (Local error)  
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)  
Error: ldap_connect failed.

The file /etc/squid3/PROXY.keytab is not populated either. I have searched all over the internet but I can't find anything about this problem.

Here are my config files:

/etc/krb5.conf

[logging]
default = FILE
kdc = FILE
admin_server = FILE

[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid3/PROXY.keytab



; for Windows 2008 with AES
;      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5



[realms]
DOMAIN.COM = {
   default_domain = domain.com
   kdc = acdc.domain.com
   kdc = acdc2.domain.com
   admin_server = acdc.domain.com
}

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

Here is the error output:

 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 84
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RoP6Kh
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
 -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/routerdr from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
 -- create_default_machine_password: Default machine password for SQUIDPROXY-K$ is squidproxy-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=YES
 -- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
 -- ~KRB5Context: Destroying Kerberos Context
Joel Coel
Vini7
  • What is the output of `kinit administrator` and `klist`? – Diamond Mar 01 '16 at 15:09
  • Those are ok. 'kinit administrator' doesn't give any output after I type the password (which means it's ok), 'klist': `Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@DOMAIN.COM Valid starting Expires Service principal 03/01/2016 16:35:47 03/02/2016 02:35:47 krbtgt/DOMAIN.COM@DOMAIN.COM renew until 03/02/2016 16:35:43 ` – Vini7 Mar 01 '16 at 15:35
  • Is that a typing mistake, the line started with `#[logging]` in krb5.conf? You need to comment the following lines too (the whole block). – Diamond Mar 01 '16 at 15:39
  • or remove the `#`, from the [logging], if you want to keep it. But now you have misconfigured krb5.conf. – Diamond Mar 01 '16 at 15:47
  • I've uncommented the line [logging] and it still gives this error. `... -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number) ...Error: ldap_sasl_interactive_bind_s failed (Local error) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) Error: ldap_connect failed` – Vini7 Mar 01 '16 at 16:09
  • Is your domain name really domain.com or did you just replace the name in the config? Seems like you didn't adjust the domain name. – Daniel Nachtrub Mar 01 '16 at 17:40
  • No the domain is another. I've changed it for illustration purposes. – Vini7 Mar 01 '16 at 17:47
  • Check the link from squid again. CN=Computers ..not administrator – Diamond Mar 01 '16 at 18:27
  • Same error with Computer :( – Vini7 Mar 01 '16 at 18:44
  • @Edvin7, I feel your pain. I was hitting those Kerberos errors earlier. I ended up wiping my CentOS 7 and just starting from scratch with the AD integration. Never could get Kerberos working properly – beeks Mar 02 '16 at 14:02
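
A small diagnostic for the two failure modes visible in the log above (the unreadable local keytab and the LDAP server host that no realm mapping covers), added here as an example and not taken from the post, from msktutil or from Squid. It parses a krb5.conf laid out like the one posted and inspects a keytab's header; the function names and the check's wording are my own.

```shell
# Added diagnostic helpers for the msktutil failure in the question (example code, not
# from the post, msktutil or Squid). Assumes an MIT-style krb5.conf with "key = value".

# keytab_format FILE: prints the format version read from the keytab's 2-byte header.
# MIT keytabs start with 0x05 0x02 (v2) or 0x05 0x01 (v1); anything else, an empty file
# included, is what libkrb5 reports as "Unsupported key table format version number".
keytab_format() {
    [ -s "$1" ] || { echo "empty-or-missing"; return 1; }
    hdr=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$hdr" in
        0502) echo "v2" ;;
        0501) echo "v1" ;;
        *)    echo "unsupported($hdr)"; return 1 ;;
    esac
}

# realm_for_host CONF HOST: prints the realm that [domain_realm] assigns to HOST (an
# exact host entry, else the longest leading-dot suffix entry, as libkrb5 matches them);
# returns 1 when no entry covers the host, which leaves the realm to be guessed.
realm_for_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v host="$host" '
        /^[ \t]*\[/ { sec = $0; gsub(/[^a-z_]/, "", sec); next }   # section header
        /^[ \t]*[;#]/ || NF == 0 { next }                           # comment or blank
        sec == "domain_realm" && $2 == "=" {
            key = tolower($1)
            hit = (key == host) || (substr(key, 1, 1) == "." &&
                   substr(host, length(host) - length(key) + 1) == key)
            if (hit && length(key) > best) { best = length(key); realm = $3 }
        }
        END { if (realm == "") exit 1; print realm }
    ' "$1"
}

# check_join_prereqs CONF KEYTAB SERVER: the two preconditions behind the posted errors.
# An existing keytab must carry a v1/v2 header, and the --server host should be covered
# by [domain_realm]; otherwise the GSSAPI LDAP bind asks the KDC for ldap/SERVER in a
# guessed realm, which is the "Server not found in Kerberos database" case.
check_join_prereqs() {
    rc=0
    if [ -e "$2" ]; then
        fmt=$(keytab_format "$2") || { echo "keytab $2: $fmt"; rc=1; }
    fi
    if realm=$(realm_for_host "$1" "$3"); then
        echo "--server $3 maps to realm $realm"
    else
        echo "--server $3: no [domain_realm] entry covers it"; rc=1
    fi
    return $rc
}
```

Source the file and call `check_join_prereqs /etc/krb5.conf /etc/squid3/PROXY.keytab acdc.example.com`, passing the --server host exactly as it was given to msktutil.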

1 Answer


There is another way to get Squid integrated with AD - by not joining the machine to AD but by mapping the AD user to the principal name of Squid. This seems to be simpler - see http://docs.diladele.com/administrator_guide_4_3/active_directory/install_prerequisites_for_kerberos_authentication.html#prepare-a-user-in-example-lan-domain-to-be-used-by-squid-for-kerberos-authentication

Rafael