Hi,

Use winbind and never have this problem again.

* Installing winbind only is sufficient; the setup below works from squid 3.2 up to 4.10.

An example of a minimal smb.conf for it:

[global]
# Auth-only setup with winbind (no shares).
workgroup = NTDOM
security = ADS
realm = YOUR.REALM.TLD
netbios name = PROXY1
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
interfaces = IP_OR_INTERFACENAME 127.0.0.1
bind interfaces only = yes

### MANDATORY PART begin
## Map IDs from outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## Map IDs from the domain; this range and the (*) range may not overlap!
idmap config NTDOM: backend = rid
idmap config NTDOM: range = 100000-3999999
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Renew the Kerberos ticket.
winbind refresh tickets = yes
### MANDATORY PART end

# Disable usershare creation (removes an unneeded error from the logs).
usershare path =
# Disable printing completely (also removes an unneeded error from the logs).
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

---

Then join the Windows domain:

kinit administrator
net ads join -k

Allow the server in AD to delegate Kerberos for Squid (or for all services); that's up to you.

After that's done, create the Squid keytab:

export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab add HTTP/$(hostname -f)

Verify it:

klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME

# Set rights so the squid user (group proxy) can read the keytab.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

Optional krb5.conf (most of the time the default should be sufficient):

[libdefaults]
default_realm = YOUR.REALM.TLD
## Below here is optional.
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
proxiable = true
;https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
ignore_k5login = true

And the squid auth part:

# -k must point at the keytab created above and -s at the HTTP/ principal stored in it.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-proxy1.keytab \
  -s HTTP/[email protected] \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Good luck.

Greetz,
Louis


From: squid-users [mailto:[email protected]] On behalf of Sébastien Genesta
Sent: Monday, 23 March 2020 16:01
To: [email protected]
Subject: [squid-users] Squid - Kerberos - update keytab issue

Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, my Kerberos authentication breaks. (Currently, to bypass this issue, I regenerate the keytab file.)

Here is the command that I run every 6h to keep my keytab up to date:

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab

Below is the log I have on every run (when everything is OK):

Saturday 21 March 2020, 06:00:01 (UTC+0100)
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 88
-- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp
-- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ze3JWq
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: KRB-PROX$
-- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-t1AykD
-- finalize_exec: Authenticated using method 1
-- LDAPConnection: Connecting to LDAP server: xxxxxxxxxx.xxxxxxxxxxxxx.local
-- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL
-- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local
-- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- execute: Password last set 28 days ago.
-- execute: Exiting because password was changed recently.
-- ~KRB5Context: Destroying Kerberos Context

Below are the logs from when things went bad:

Monday 23 March 2020, 00:00:01 (UTC+0100)
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 93
-- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp
-- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-UYDFiO
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: KRB-PROX$
-- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-p6KtWW
-- finalize_exec: Authenticated using method 1
-- LDAPConnection: Connecting to LDAP server: xxxxxxxxxxxx.xxxxxxxxxxxx.local
-- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL
-- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local
-- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- execute: Password last set 30 days ago.
-- ldap_check_account: Checking that a computer account for KRB-PROX$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local
-- ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local
-- ldap_check_account: Found User Principal: HTTP/proxy.xxxxxxxxxxxxxxxxx.local
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: Try using keytab for KRB-PROX$ to change password
-- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- set_password: krb5_change_password failed using keytab: (3) Authentication error
-- ~KRB5Context: Destroying Kerberos Context

Monday 23 March 2020, 06:00:01 (UTC+0100)
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 90
-- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for procotol tcp
-- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-9XY0Qp
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: KRB-PROX$
-- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for KRB-PROX$ with password.
-- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: xxxxxxxxx.xxxxxxxxx.local
-- ~KRB5Context: Destroying Kerberos Context

Technical information:
- Windows Server 2016 (Kerberos)
- Squid 3.x
- msktutil version 1.0

Thanks for your help!

Seb

Sébastien GENESTA
System & Network Administrator
Avis Vérifiés
+334 13 25 81 70
[email protected]
www.avis-verifies.com
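Added example, not code from either poster: a small Python triage for the msktutil --auto-update --verbose output quoted above. It splits the log into runs and classifies each as ok, rotation-failed (the keytab still authenticates the machine account but the KDC refused the password change, as in the 00:00 run) or keytab-stale (the keytab no longer authenticates the account, as in the 06:00 run; this is also the state in which Squid's negotiate helper stops working). The sample log is constructed from the quoted runs, condensed, with the redacted hostnames left as they were. The reading of "method 5" as the default credential cache comes from the quoted line that precedes it (try_user_creds), not from msktutil documentation. This is the rotation failure that the winbind-managed machine account in Louis's reply sidesteps.

```python
"""Triage msktutil --auto-update --verbose logs for machine-account rotation failures.

Added example, not code from the thread. SAMPLE_LOG is constructed from the
runs quoted in the thread (condensed; redacted hostnames left as-is).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: three condensed runs, in the order they appear in the thread.
SAMPLE_LOG = """\
Saturday 21 March 2020, 06:00:01 (UTC+0100)
-- finalize_exec: Authenticated using method 1
-- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- execute: Password last set 28 days ago.
-- execute: Exiting because password was changed recently.
Monday 23 March 2020, 00:00:01 (UTC+0100)
-- finalize_exec: Authenticated using method 1
-- execute: Password last set 30 days ago.
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: krb5_change_password failed using keytab: (3) Authentication error
Monday 23 March 2020, 06:00:01 (UTC+0100)
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
-- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
"""

RE_PW_AGE = re.compile(r"Password last set (\d+) days ago")
RE_AUTH_METHOD = re.compile(r"Authenticated using method (\d+)")
RE_DEFAULT_PW = re.compile(r"Default machine password for (\S+) is (\S+)")


@dataclass
class RunSummary:
    header: str                          # the cron timestamp line that opens the run
    pw_age_days: Optional[int] = None
    auth_method: Optional[int] = None    # 1 = machine keytab; 5 followed try_user_creds in the quoted log
    change_attempted: bool = False
    change_failed: bool = False
    keytab_auth_failed: bool = False
    default_password: Optional[str] = None  # set when msktutil fell back to the default machine password


def split_runs(text: str) -> List[List[str]]:
    """Group lines into runs; any non-empty line not starting with '-- ' opens a new run."""
    runs: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("-- "):
            if not runs:
                runs.append(["(no header)"])
            runs[-1].append(line)
        else:
            runs.append([line])
    return runs


def summarize(run: List[str]) -> RunSummary:
    """Extract the fields that matter for the rotation / keytab state from one run."""
    s = RunSummary(header=run[0])
    for line in run[1:]:
        if m := RE_PW_AGE.search(line):
            s.pw_age_days = int(m.group(1))
        elif m := RE_AUTH_METHOD.search(line):
            s.auth_method = int(m.group(1))
        elif m := RE_DEFAULT_PW.search(line):
            s.default_password = m.group(2)
        elif "Attempting to reset computer's password" in line:
            s.change_attempted = True
        elif "krb5_change_password failed" in line:
            s.change_failed = True
        elif "Authentication with keytab failed" in line:
            s.keytab_auth_failed = True
    return s


def classify(s: RunSummary) -> str:
    """Return ok | rotation-failed | keytab-stale; the worst finding wins."""
    if s.keytab_auth_failed:
        # The keytab no longer matches the account's password: initial auth from
        # it fails, and so will Squid's negotiate_kerberos_auth using that keytab.
        return "keytab-stale"
    if s.change_attempted and s.change_failed:
        # Keytab still valid, but the KDC refused the password change; without
        # intervention the next run is expected to end up keytab-stale.
        return "rotation-failed"
    return "ok"


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (run header, classification) for every run in the log."""
    return [(s.header, classify(s)) for s in map(summarize, split_runs(text))]


if __name__ == "__main__":
    for header, status in triage(SAMPLE_LOG):
        print(f"{status:16} {header}")
```

Run it against the real cron output (e.g. `python3 triage.py < /var/log/msktutil.log` after swapping SAMPLE_LOG for stdin) and alert on anything other than ok; the rotation-failed state is the one worth catching, since the keytab is still good at that point and the account can still be repaired with its current credentials.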
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
