Squid Kerberos authentication configuration on Linux/Debian/Ubuntu/CentOS

Squid Kerberos Authentication

Squid is a caching web proxy with a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other network lookups for a group of people sharing network resources, and aiding security by filtering traffic. This article provides a step-by-step approach to configuring a Squid server to support Kerberos authentication.


Topic

  • How to configure squid proxy to support Kerberos authentication.
  • Kerberos configuration on squid proxy.
  • Squid kerberos authentication on Linux/Debian/Ubuntu/CentOS.
  • Linux squid proxy kerberos authentication.


Setup Information

AD Domain: example.com
Squid server name: proxysrv.example.com

Prerequisites

  • Make sure the Squid server has a valid FQDN that resolves with the dig or nslookup command.

  • All client systems must be joined to the AD domain in order to access the internet through the Squid proxy.

  • Create an HTTP keytab (HTTP host principal) on the Windows AD system; it will be used for Kerberos authentication. The steps to create the HTTP service principal are covered in a separate article.

  • Once the keytab is created, transfer the keytab file to the Linux Squid system. In our case, we'll store the keytab file in the /etc/squid/krb directory.

  • The content of the keytab should look like the following.

# ktutil 
ktutil:  rkt /etc/squid/krb/proxysrv.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   16    HTTP/proxysrv.example.com@EXAMPLE.COM


Squid Kerberos Configuration

Add the following configuration in /etc/squid/squid.conf file.

visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

  • The meaning of the above helper options is as follows (squid_kerb_auth is the name the helper had in older Squid releases). Note that -d turns on full debug output; remove it once authentication works.
squid_kerb_auth [-d] [-i] [-s SPN] [-k keytab] [-c rcdir] [-t rctype]
-d full debug
-i informational messages
-r remove realm from username
-s service principal name
-k keytab name
-c replay cache directory
-t replay cache type
The SPN can be set to GSS_C_NO_NAME to allow any entry from keytab
default SPN is HTTP/fqdn@DEFAULT_REALM

  • Define an ACL for AD or Kerberos authentication in the squid.conf file. Here the ACL name is kerb.
    acl kerb proxy_auth REQUIRED

  • Now restrict internet access to Kerberos-authenticated users only by adding the following configuration to the squid.conf file. The allow rule must come before the final deny, because Squid applies http_access rules in order.

http_access allow kerb ## Allow AD auth to kerberos users 
http_access deny all     ## Deny all other users 
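The configuration above has three pieces that must agree with each other: the SPN passed to the helper with -s, the principal stored in the keytab, and the hostname clients use to reach the proxy. The following added example (not part of the article or of Squid) checks that agreement offline. It assumes the squid.conf fragment and the ktutil listing are available as text; the sample input is constructed here to match the article's setup.

```python
"""Consistency check for a Squid Kerberos setup: squid.conf vs. the keytab.

Added example; it is not part of the article or of Squid. It assumes the
squid.conf fragment and the `ktutil list` output are available as text
(read /etc/squid/squid.conf and paste the ktutil output in real use).
"""
import re
import shlex

# Constructed sample input modelled on the article's configuration.
SQUID_CONF = """\
visible_hostname proxysrv.example.com
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/krb/proxysrv.keytab -d -s HTTP/proxysrv.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb proxy_auth REQUIRED
http_access allow kerb   ## Allow AD auth to kerberos users
http_access deny all     ## Deny all other users
"""

# Constructed `ktutil list` output with the same shape as the article's listing.
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ----------------------------------------
   1   16    HTTP/proxysrv.example.com@EXAMPLE.COM
"""


def keytab_principals(listing):
    """Return the principal names found in a `ktutil list` dump."""
    return re.findall(r"^\s*\d+\s+\d+\s+(\S+@\S+)\s*$", listing, re.M)


def directives(conf):
    """Yield squid.conf lines as token lists, with '#' comments stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield shlex.split(line)


def helper_options(conf):
    """Return {'spn', 'keytab', 'debug'} parsed from the negotiate helper line, or None."""
    for tok in directives(conf):
        if tok[:3] == ["auth_param", "negotiate", "program"]:
            opts = {"spn": None, "keytab": None, "debug": False}
            args = tok[4:]  # everything after the helper path
            i = 0
            while i < len(args):
                if args[i] == "-d":
                    opts["debug"] = True
                elif args[i] == "-s" and i + 1 < len(args):
                    opts["spn"] = args[i + 1]
                    i += 1
                elif args[i] == "-k" and i + 1 < len(args):
                    opts["keytab"] = args[i + 1]
                    i += 1
                i += 1
            return opts
    return None


def check_config(conf, listing):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    opts = helper_options(conf)
    if opts is None:
        return ["no 'auth_param negotiate program' line in squid.conf"]
    spn = opts["spn"]
    principals = keytab_principals(listing)
    if spn is None:
        findings.append("no -s SPN given; helper will use HTTP/<fqdn>@<default realm>")
    elif spn != "GSS_C_NO_NAME" and spn not in principals:
        findings.append(f"SPN {spn} not present in keytab ({', '.join(principals) or 'empty'})")
    if opts["debug"]:
        findings.append("-d (full debug) is set; drop it once authentication works")
    # The host part of the SPN should be the name clients use for the proxy,
    # otherwise the browser asks for a ticket the keytab cannot decrypt.
    vh = next((t[1] for t in directives(conf) if t[0] == "visible_hostname" and len(t) > 1), None)
    if spn and "/" in spn and vh:
        spn_host = spn.split("/", 1)[1].split("@", 1)[0]
        if spn_host.lower() != vh.lower():
            findings.append(f"visible_hostname {vh} differs from SPN host {spn_host}")
    # Ordering: an allow rule for the proxy_auth ACL must come before 'deny all'.
    auth_acls = {t[1] for t in directives(conf) if t[0] == "acl" and "proxy_auth" in t}
    access = [t for t in directives(conf) if t[0] == "http_access"]
    allow_idx = [i for i, t in enumerate(access) if t[1] == "allow" and auth_acls & set(t[2:])]
    deny_idx = [i for i, t in enumerate(access) if t[1:] == ["deny", "all"]]
    if not allow_idx:
        findings.append("no http_access allow rule references the proxy_auth ACL")
    elif deny_idx and deny_idx[0] < allow_idx[0]:
        findings.append("'http_access deny all' precedes the allow rule, so nobody gets through")
    return findings


if __name__ == "__main__":
    for f in check_config(SQUID_CONF, KTUTIL_LIST):
        print("finding:", f)
```

Run against the article's own configuration the only finding is the -d flag, which is fine while you are still testing. A visible_hostname that does not match the SPN host, a keytab without the HTTP principal, or a deny-all rule placed before the allow rule each produce their own finding.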


Squid Kerberos Authentication testing

  • In the browser's proxy settings, enter the proxy server FQDN in the server field instead of the proxy server IP address. Kerberos tickets are issued for a name, so a proxy addressed by IP cannot be authenticated this way.

  • Make sure the client system is joined to the AD domain and holds a valid Kerberos ticket; this ticket is used for the Kerberos authentication.

  • Now access the internet through the proxy.


Squid Troubleshooting

Check the /var/log/squid/cache.log file to view the authentication logs. You can also debug Squid by adding the following configuration to the squid.conf file. Level 3 for all sections is very verbose, so remove it again once the problem is found.

## Squid debug
debug_options ALL,3
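With debugging on, cache.log fills quickly and the useful Negotiate failures are easy to miss. The following added example (not part of the article or of Squid) classifies the common failure messages in a cache.log excerpt. The only message taken from this page is the "received type 1 NTLM token" error from the comment thread; the other sample lines are constructed around standard MIT Kerberos error strings and do not reproduce any real log.

```python
"""Classify Negotiate/Kerberos failures in Squid's cache.log.

Added example, not part of the article or of Squid. The only message taken
from the article is the 'received type 1 NTLM token' error; the other
sample lines are constructed around standard MIT Kerberos error strings and
do not reproduce any real log.
"""
import re
from collections import Counter

# (substring, category, what to check) -- the first matching rule wins.
RULES = [
    ("received type 1 NTLM token", "ntlm_fallback",
     "client sent NTLM, not Kerberos: the browser is probably pointed at the "
     "proxy IP rather than the FQDN, or the SPN does not match that FQDN"),
    ("Server not found in Kerberos database", "spn_unknown",
     "the KDC has no HTTP/<fqdn> principal; re-check the service principal"),
    ("Clock skew too great", "clock_skew",
     "proxy or client clock is outside the KDC tolerance; fix time sync"),
    ("Permission denied", "keytab_unreadable",
     "squid cannot read the keytab; check the owner and mode of the keytab file"),
    ("result=BH", "helper_error",
     "helper returned BH (broken helper); read the notes= text and helper debug output"),
]

# cache.log prefix used by Squid 3.2 and later: 'YYYY/MM/DD HH:MM:SS[ kidN]| message'
LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: kid\d+)?\|\s*(.*)$")


def classify_line(line):
    """Return (timestamp or None, category, advice), or None if the line is not an auth failure."""
    m = LOG_RE.match(line)
    ts, msg = (m.group(1), m.group(2)) if m else (None, line.strip())
    for needle, category, advice in RULES:
        if needle in msg:
            return ts, category, advice
    return None


def summarize(log_text):
    """Count failure categories across a cache.log excerpt and return (counts, hits)."""
    counts = Counter()
    hits = []
    for line in log_text.splitlines():
        result = classify_line(line)
        if result:
            counts[result[1]] += 1
            hits.append(result)
    return counts, hits


# Constructed excerpt: the two NTLM lines repeat the message quoted in the
# article's comments; the timestamps and the remaining lines are invented.
SAMPLE_LOG = """\
2020/06/01 09:12:01 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2020/06/01 09:12:05 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2020/06/01 09:13:40 kid1| helperOpenServers: Starting 10/10 'negotiate_kerberos_auth' processes
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Clock skew too great
negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: Permission denied
"""

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    for ts, category, advice in hits:
        print(ts or "-", category, "->", advice)
    print(dict(counts))
```

The NTLM rule is listed before the generic result=BH rule on purpose: the error in the comment thread carries both strings, and the specific cause (the client fell back to NTLM because it addressed the proxy by IP or with a name that has no matching SPN) is the one worth acting on.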


About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.

2 Comments

  1. ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

    Tried many times, still the same issue.
