I followed steps found on the link: https://journeyofthegeek.com/2017/12/30/pfsense-squid-kerberos/

And the Kerberos authentication without AD group membership restriction works very well, but I don't want all the users to have internet access. I want only users in the Internet_access AD group to have access. So I made a modification, but it doesn't work. Here are the details:

PFSense version 2.4.2

Installed packages: squid

Kerberos config file (/etc/krb5.conf):

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = yes
rdns = no
default_keytab_name = /path/to/squid.keytab
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96
clock_skew = 300

[realms]
DOMAIN.LOCAL = {
        kdc = server.domain.local
        admin_server = server.domain.local
        default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[logging]
kdc = FILE:/var/log/kdc.log
default = FILE:/var/log/krb5lib.log

Squid config file modification (Custom Options (Before Auth) in PFSense squid Web interface configuration):

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s HTTP/proxyserver.domain.local
auth_param negotiate children 1000
auth_param negotiate keep_alive on

external_acl_type kerberos_group ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -g Internet_access -D DOMAIN.LOCAL

acl auth proxy_auth REQUIRED
acl GroupProxy external kerberos_group

http_access deny !auth
http_access allow GroupProxy auth
http_access deny all

I think that the problem may be in the ext_kerberos_ldap_group_acl command, which always returns "ERR Invalid request. No Username" when run in the CLI, no matter what args it has. I have researched the documentation but found no real help there. Also I cannot find the squid init script in pfSense, so I can set the variables KRB5_KTNAME and KRB5_CONFIG.

I would be very thankful if there is some explanation of how to make this configuration succeed.

Marko Farkas

0 Answers
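The external_acl_type line in the question wires ext_kerberos_ldap_group_acl into Squid's external ACL helper protocol: Squid starts the helper once and then writes one request line per lookup to the helper's stdin (here just the %LOGIN value, e.g. alice@DOMAIN.LOCAL, since no concurrency= option is set), and the helper answers each line on stdout with OK or ERR, optionally followed by key=value pairs. The following script is an added example that models that exchange; it is not part of the post, of the pfSense package, or of Squid's own helper. The group membership table, the realm policy and the -g argument handling are constructed stand-ins for the LDAP group query the real helper performs.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper speaking the OK/ERR line protocol.

Added example (not Squid code). GROUP_MEMBERS is a constructed stand-in for
the AD/LDAP group lookup that ext_kerberos_ldap_group_acl does for real.
"""
import sys
from urllib.parse import unquote

# Constructed membership data; the real helper asks the domain controller.
GROUP_MEMBERS = {
    "Internet_access": {"alice", "bob"},
}
DEFAULT_REALM = "DOMAIN.LOCAL"  # plays the role of the real helper's -D option


def principal_to_user(login: str, default_realm: str = DEFAULT_REALM):
    """Split a Negotiate %LOGIN value such as 'alice@DOMAIN.LOCAL' into
    (user, realm). A bare username is given the default realm, as -D does."""
    login = unquote(login)  # Squid may URL-encode helper input (quote=url)
    if "@" in login:
        user, realm = login.rsplit("@", 1)
    else:
        user, realm = login, default_realm
    return user.lower(), realm.upper()


def handle_request(line: str, group: str, members=GROUP_MEMBERS) -> str:
    """Return the helper's answer for one request line from Squid.

    An empty line is exactly what the helper sees when it is started by hand
    in a terminal with nothing written to its stdin, which is why it then
    answers with an ERR about a missing username instead of a lookup result.
    """
    line = line.strip()
    if not line:
        return 'ERR message="Invalid request. No Username"'
    user, realm = principal_to_user(line)
    if realm != DEFAULT_REALM:
        # Example policy: only accept principals from the configured realm.
        return f'ERR message="realm {realm} not trusted"'
    if user in members.get(group, set()):
        return "OK"
    return "ERR"


def main(argv=None):
    # Mirrors the real helper's -g flag: the group whose membership is tested.
    args = sys.argv[1:] if argv is None else argv
    group = args[args.index("-g") + 1] if "-g" in args else "Internet_access"
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, group) + "\n")
        sys.stdout.flush()  # Squid waits for each answer line; never buffer


if __name__ == "__main__":
    main()
```

Run as `printf 'alice@DOMAIN.LOCAL\n' | python3 helper.py -g Internet_access` to see the OK/ERR exchange Squid drives; the same one-line-in, one-line-out loop is what the ttl= and negative_ttl= options in the question cache on the Squid side.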