
Squid is a caching web proxy with a wide variety of uses: speeding up a web server by caching repeated requests, caching web, DNS and other network lookups for a group of people sharing network resources, and aiding security by filtering traffic. This article gives a step-by-step procedure for configuring a Squid server to authenticate users with Kerberos against an Active Directory domain.
Topic
- How to configure Squid proxy to support Kerberos authentication.
- Kerberos configuration on Squid proxy.
- Squid Kerberos authentication on Linux/Debian/Ubuntu/CentOS.
- Linux Squid proxy Kerberos authentication.
Setup Information
AD domain: example.com
Kerberos realm: EXAMPLE.COM (the AD domain name in upper case; realm names are case sensitive)
Squid server name: proxysrv.example.com
Prerequisites
- Make sure the Squid server has a valid FQDN that resolves with the dig or nslookup command; check both the forward lookup (name to address) and the reverse lookup (address to name). Clients ask the KDC for a ticket for HTTP/<the proxy name they are configured with>, so that name must resolve and must match the service principal created below.
- All client systems must be joined to the AD domain in order to access the internet through the Squid proxy.
- Create an HTTP keytab (an HTTP service principal, HTTP/proxysrv.example.com) on the Windows AD system; it is what Squid uses for Kerberos authentication. The steps to create the HTTP service principal are covered separately.
- Once the keytab is created, transfer the keytab file to the Linux Squid system. In our case, we store the keytab file in the /etc/squid/krb directory. The keytab holds the service's long-term key, so make it readable only by the account Squid runs as (squid on CentOS, proxy on Debian/Ubuntu), for example owner that user, mode 0600.
- The content of the keytab should look like the following. The KVNO must match the current key version of the account in AD: resetting that account's password in AD bumps the KVNO and invalidates the old keytab.
# ktutil
ktutil: rkt /etc/squid/krb/proxysrv.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   16 HTTP/proxysrv.example.com@EXAMPLE.COM
Squid Kerberos Configuration
Add the following configuration to the /etc/squid/squid.conf file. Note the directive name visible_hostname (a bare visible is rejected by Squid as an unrecognized directive), the helper path (/usr/lib64/squid/ on CentOS/RHEL, /usr/lib/squid/ on Debian/Ubuntu), and the -d option, which turns on full helper debugging: useful while setting up, noisy in production.
visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
- The options above have the following meaning (this is the helper's own usage text; squid_kerb_auth is the older name of negotiate_kerberos_auth).
squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]
-d full debug
-i informational messages
-r remove realm from username
-s service principal name
-k keytab name
-c replay cache directory
-t replay cache type
The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab
default SPN is HTTP/fqdn@DEFAULT_REALM
- Define an ACL for AD (Kerberos) authentication in the squid.conf file. Here the ACL name is kerb; proxy_auth REQUIRED matches any request that carries valid proxy credentials and makes Squid challenge (HTTP 407) requests that carry none.
acl kerb proxy_auth REQUIRED
- Now restrict internet access to Kerberos-authenticated users by adding the following http_access rules to squid.conf. Squid evaluates http_access lines in order and stops at the first match, so the allow kerb line must come before deny all and before any other rule that would deny these clients.
http_access allow kerb ## Allow AD auth to kerberos users
http_access deny all ## Deny all other users
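The prerequisites and the configuration above have to agree with each other: the SPN on the auth_param line must be present in the keytab, its realm must be upper case, and the hostname directive must be spelled visible_hostname. The following pre-flight script is an added example, not part of the original article or of the Squid project. It parses squid.conf and a klist -kt listing using the article's names, runs offline against the constructed samples it embeds, and with --live also resolves the proxy name and proves the keytab key against the KDC with kinit. The live part assumes klist, kinit, dig and mktemp are installed on the proxy host and that the script runs as the account Squid uses.

```shell
#!/bin/sh
# Added example (not from the original article or the Squid project).
# Offline: checks that squid.conf and the keytab listing agree.
# Live (--live): also checks DNS and proves the keytab key against the KDC.
# Hostnames and paths are the article's examples; SAMPLE_* values are constructed.

conf_keytab() {            # $1 = squid.conf text -> path passed with -k
  printf '%s\n' "$1" | sed -n 's/^auth_param negotiate program .* -k \([^ ]*\).*/\1/p' | head -n 1
}
conf_spn() {               # $1 = squid.conf text -> principal passed with -s
  printf '%s\n' "$1" | sed -n 's/^auth_param negotiate program .* -s \([^ ]*\).*/\1/p' | head -n 1
}
conf_visible_hostname() {  # $1 = squid.conf text -> visible_hostname value, empty if unset
  printf '%s\n' "$1" | awk '$1 == "visible_hostname" { print $2; exit }'
}
spn_host()  { printf '%s\n' "$1" | sed 's#^[^/]*/##; s#@.*$##'; }   # HTTP/host@REALM -> host
spn_realm() { printf '%s\n' "$1" | sed -n 's#^.*@##p'; }            # HTTP/host@REALM -> REALM
keytab_has_spn() {         # $1 = "klist -kt" or "ktutil list" output, $2 = SPN
  # In both listings the principal is the last column of each entry line.
  printf '%s\n' "$1" | awk -v spn="$2" '$NF == spn { found = 1 } END { exit !found }'
}

# Returns 0 when squid.conf and the keytab listing are consistent, 1 otherwise.
check_config_against_keytab() {   # $1 = squid.conf text, $2 = keytab listing
  rc=0
  spn=$(conf_spn "$1"); keytab=$(conf_keytab "$1"); vh=$(conf_visible_hostname "$1")
  [ -n "$spn" ]    || { echo "FAIL: no -s SPN on the auth_param negotiate program line"; rc=1; }
  [ -n "$keytab" ] || { echo "FAIL: no -k keytab on the auth_param negotiate program line"; rc=1; }
  case "$spn" in
    HTTP/*@*) ;;
    *) echo "FAIL: SPN '$spn' is not of the form HTTP/fqdn@REALM"; rc=1 ;;
  esac
  case "$(spn_realm "$spn")" in
    *[a-z]*) echo "FAIL: realm in '$spn' must be upper case"; rc=1 ;;
  esac
  keytab_has_spn "$2" "$spn" || { echo "FAIL: keytab does not contain $spn"; rc=1; }
  if [ -z "$vh" ]; then
    echo "FAIL: visible_hostname is not set (the directive is visible_hostname, not visible)"; rc=1
  elif [ "$vh" != "$(spn_host "$spn")" ]; then
    echo "FAIL: visible_hostname '$vh' differs from the SPN host '$(spn_host "$spn")'"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $spn found in $keytab, visible_hostname $vh"
  return "$rc"
}

live_check() {   # run on the proxy host; needs klist, kinit, dig and mktemp
  conf=$(cat /etc/squid/squid.conf)
  keytab=$(conf_keytab "$conf"); spn=$(conf_spn "$conf"); host=$(spn_host "$spn")
  listing=$(klist -kt "$keytab") || { echo "FAIL: cannot read $keytab (run as the account Squid uses)"; return 1; }
  check_config_against_keytab "$conf" "$listing" || return 1
  ip=$(dig +short A "$host" | grep '^[0-9][0-9.]*$' | head -n 1)
  [ -n "$ip" ] || { echo "FAIL: $host has no A record"; return 1; }
  ptr=$(dig +short -x "$ip" | sed 's/\.$//')
  [ "$ptr" = "$host" ] || echo "WARN: reverse lookup of $ip gives '$ptr', not $host"
  # kinit with the keytab succeeds only if key and KVNO still match what the KDC holds.
  cc=$(mktemp)
  KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$spn" \
    || { rm -f "$cc"; echo "FAIL: kinit with $keytab failed (password reset in AD since the keytab was made?)"; return 1; }
  KRB5CCNAME="FILE:$cc" kdestroy
  echo "OK: $host resolves to $ip and $keytab authenticates $spn to the KDC"
}

# Constructed sample inputs mirroring the article's configuration.
SAMPLE_CONF='visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb proxy_auth REQUIRED
http_access allow kerb
http_access deny all'
# The same config with the directive misspelled as "visible", which Squid rejects.
SAMPLE_CONF_TYPO=$(printf '%s\n' "$SAMPLE_CONF" | sed 's/^visible_hostname /visible /')
# Constructed "klist -kt /etc/squid/krb/proxysrv.keytab" output for the article's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/krb/proxysrv.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  16 01/01/2024 00:00:00 HTTP/proxysrv.example.com@EXAMPLE.COM'

if [ "${1-}" = "--live" ]; then
  live_check
else
  check_config_against_keytab "$SAMPLE_CONF" "$SAMPLE_KLIST"
  check_config_against_keytab "$SAMPLE_CONF_TYPO" "$SAMPLE_KLIST" || :
fi
```

Run it without arguments to see the two offline verdicts (the article's config passes, the typo variant fails on visible_hostname), and as sh preflight.sh --live on the proxy host to check the real files, DNS and KDC.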
Squid Kerberos Authentication testing
- In the proxy settings of the web browser, enter the proxy server FQDN (proxysrv.example.com) in the server field, not the proxy server IP address. The client asks the KDC for a ticket for HTTP/<the name it was given>; no such principal exists for an IP address, so the browser falls back to NTLM, which this helper does not accept.
- Make sure the client system is joined to the AD domain and has a valid Kerberos ticket (on Windows, klist lists the TGT and, after a successful request, the HTTP/proxysrv.example.com service ticket). This ticket is used for Kerberos authentication.
- Now access the internet through the proxy.
Squid Troubleshooting
Check the /var/log/squid/cache.log file for authentication messages; with -d on the helper line, negotiate_kerberos_auth writes its own debug output there as well. You can also raise Squid's debug level with the following configuration in squid.conf (ALL,3 is verbose, so remove it once the problem is found).
## Squid debug
debug_options ALL,3
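A BH (helper failure) result carrying the note "received type 1 NTLM token" means the client did not send a Kerberos/SPNEGO token at all but an NTLM one, which negotiate_kerberos_auth cannot process; the usual causes are a proxy configured by IP address or by a name with no matching HTTP/ service principal, or a client that holds no ticket. The script below is an added example, not from the article or from Squid: it classifies the token in a Proxy-Authorization header captured from a client, counts NTLM rejections in cache.log lines, and includes an end-to-end request with curl, which speaks SPNEGO itself. The sample tokens and log lines are constructed, and the proxy URL is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article or Squid): classify the token a
# client sends in "Proxy-Authorization: Negotiate <base64>" and spot NTLM
# fallbacks in cache.log. A GSS-API/SPNEGO token is DER and starts with 0x60;
# an NTLM message starts with the signature "NTLMSSP\0". Samples are constructed.

classify_negotiate_token() {   # $1 = base64 blob after "Negotiate " -> spnego | ntlm | unknown
  hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N8 | tr -d ' \n')
  case "$hex" in
    4e544c4d53535000*) echo ntlm ;;    # "NTLMSSP\0": the client fell back to NTLM
    60*)               echo spnego ;;  # InitialContextToken: SPNEGO or raw Kerberos
    *)                 echo unknown ;;
  esac
}

header_token() {   # $1 = a "Proxy-Authorization: Negotiate <token>" header line -> <token>
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Pp]roxy-[Aa]uthorization:[[:space:]]*[Nn]egotiate[[:space:]]*//p'
}

classify_header() { classify_negotiate_token "$(header_token "$1")"; }

count_ntlm_rejects() {   # $1 = cache.log text -> number of NTLM-token rejections by the helper
  printf '%s\n' "$1" | grep -c 'received type 1 NTLM token' || :
}

# End-to-end check from a domain-joined client that holds a ticket. With
# --proxy-negotiate curl only speaks SPNEGO, so a 407 here points at the proxy,
# keytab or ticket rather than at a browser NTLM fallback. $1 = proxy URL
# (the default below is an assumed value).
live_client_test() {
  curl -sS -o /dev/null -w '%{http_code}\n' --proxy-negotiate -u : \
    -x "${1:-http://proxysrv.example.com:3128}" http://example.com/
}

# Constructed samples.
SAMPLE_NTLM_TYPE1='TlRMTVNTUAABAAAA'   # "NTLMSSP\0" followed by message type 1
SAMPLE_SPNEGO='YAYGBisGAQUFAg=='       # 0x60 header wrapping the SPNEGO OID 1.3.6.1.5.5.2
SAMPLE_LOG='2024/01/01 10:00:00| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2024/01/01 10:00:01| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2024/01/01 10:00:02| Accepting HTTP Socket connections at local=[::]:3128'

for t in "$SAMPLE_NTLM_TYPE1" "$SAMPLE_SPNEGO"; do
  echo "$t -> $(classify_negotiate_token "$t")"
done
echo "NTLM rejections in sample log: $(count_ntlm_rejects "$SAMPLE_LOG")"
```

To use it on a real capture, paste the Proxy-Authorization line from the browser's developer tools or a packet capture into classify_header; if it answers ntlm, fix the client side (proxy name, SPN, ticket) rather than the helper.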
ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
Tried many times, still the same issue.
ANOTHER ISSUE
/etc/squid/squid.conf:21 unrecognized: 'visible'