Existe outra maneira de integrar o Squid ao AD - não juntando a máquina ao AD, mas mapeando o usuário do AD para o nome principal do Squid. Isso parece ser mais simples - veja link
Estou tentando integrar o squid como um proxy da web para meus usuários no diretório ativo. Eu segui o tutorial no site do squid em aqui . Quando eu executo o comando:
msktutil -c -b "CN=Administrator" -s HTTP/proxy.example.com -k /etc/squid3/PROXY.keytab \
--computer-name SQUIDPROXY-K --upn HTTP/proxy.example.com --server acdc.example.com --enctypes 28 --verbose
recebi o erro:
SASL/GSSAPI authentication started Error: ldap_sasl_interactive_bind_s failed (Local error) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) Error: ldap_connect failed.
O arquivo /etc/squid3/PROXY.tab
não é preenchido nem. Eu procurei por toda a internet, mas não consigo encontrar nada sobre este problema.
Aqui estão meus arquivos de configuração:
/etc/krb5.conf
[logging]
default = FILE
kdc = FILE
admin_server = FILE
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
DOMAIN.COM = {
default_domain = domain.com
kdc = acdc.domain.com
kdc = acdc2.domain.com
admin_server = acdc.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
Aqui está a saída do erro:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 84
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RoP6Kh
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
-- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/routerdr from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
-- create_default_machine_password: Default machine password for SQUIDPROXY-K$ is squidproxy-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=YES
-- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
-- ~KRB5Context: Destroying Kerberos Context
Existe outra maneira de integrar o Squid ao AD - não juntando a máquina ao AD, mas mapeando o usuário do AD para o nome principal do Squid. Isso parece ser mais simples - veja link