Integrando o squid com o diretório ativo

2

Estou tentando integrar o squid como um proxy da web para meus usuários no diretório ativo. Eu segui o tutorial no site do squid em aqui . Quando eu executo o comando:

msktutil -c -b "CN=Administrator" -s HTTP/proxy.example.com -k /etc/squid3/PROXY.keytab \
--computer-name SQUIDPROXY-K --upn HTTP/proxy.example.com --server acdc.example.com --enctypes 28 --verbose

recebi o erro:

SASL/GSSAPI authentication started  
Error: ldap_sasl_interactive_bind_s failed (Local error)  
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)  
Error: ldap_connect failed.

O arquivo /etc/squid3/PROXY.tab não é preenchido nem. Eu procurei por toda a internet, mas não consigo encontrar nada sobre este problema.

Aqui estão meus arquivos de configuração:

/etc/krb5.conf

[logging]
default = FILE
kdc = FILE
admin_server = FILE

[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid3/PROXY.keytab



; for Windows 2008 with AES
;      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5



[realms]
DOMAIN.COM = {
   default_domain = domain.com
   kdc = acdc.domain.com
   kdc = acdc2.domain.com
   admin_server = acdc.domain.com
}

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

Aqui está a saída do erro:

     -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 84
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RoP6Kh
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
 -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/routerdr from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
 -- create_default_machine_password: Default machine password for SQUIDPROXY-K$ is squidproxy-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=YES
 -- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
 -- ~KRB5Context: Destroying Kerberos Context
    
por Edvin7 01.03.2016 / 16:03

1 resposta

0

Existe outra maneira de integrar o Squid ao AD - não juntando a máquina ao AD, mas mapeando o usuário do AD para o nome principal do Squid. Isso parece ser mais simples - veja link

    
por 03.03.2016 / 18:08