MEGATUTORIAL Squid 5. Quinta Parte.

PDF

ÍNDICE

Servidor Proxy. Conceptos y datos para el ejemplo a desarrollar.

1. Instalación de squid-5.0.2 por compilado.

1.1. Generando e instalando empaquetado “.deb” de squid-5.0.2.

2. Configuraciones en Squid.

2.1. Configuraciones básicas.

2.2. Proxy padre.

2.3. Caché.

2.4. Autenticación.

2.5. Patrones de refrescamiento.

2.6. Declaración de reglas (ACLs).

2.7. Aplicación de reglas.

2.8. Declaración y aplicación de otras reglas especiales.

2.8.1. Retardo con Delay Pools.

2.8.2. MITM con SSL Bump.

3. Integración de Squid-ADDC mediante Kerberos.

3.1. Configuraciones necesarias en el ADDC Samba4.

3.2. Sincronización de tiempo.

3.3. timesyncd.

3.4. ntpd & ntpdate.

3.5. Integración Squid-ADDC por Kerberos, mediante Ticket.

4. Ejemplo integrador de configuración de Squid.

4.1. Configuraciones del ejemplo.

Referencias Bibliográficas.

3.5 Integración Squid-ADDC por Kerberos, mediante Ticket.

Instalamos paquetes necesarios para Kerberos y herramientas para LDAP:

apt -y install krb5-user msktutil libsasl2-modules-gssapi-mit ldap-utils

1	apt -y install krb5-user msktutil libsasl2-modules-gssapi-mit ldap-utils

Editamos o creamos, si no existe, “/etc/default/squid”.

nano /etc/default/squid

1	nano /etc/default/squid

Agregamos lo siguiente:

KRB5RCACHETYPE=none
export KRB5RCACHETYPE 
KRB5_KTNAME=/etc/squid/proxysquid.keytab
export KRB5_KTNAME

KRB5RCACHETYPE=none

export KRB5RCACHETYPE

KRB5_KTNAME=/etc/squid/proxysquid.keytab

export KRB5_KTNAME

Configuración de Kerberos:

mv /etc/krb5.conf /etc/krb5.conf.salva
nano /etc/krb5.conf

1 2	mv /etc/krb5.conf /etc/krb5.conf.salva nano /etc/krb5.conf

Agregamos los siguiente:

[libdefaults]
        default_realm = EMPRESA.MIDOMINIO.CU
        dns_lookup_realm = false
        dns_lookup_kdc = true
        clockskew = 3600
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid/proxysquid.keytab
# The following krb5.conf variables are only for MIT Kerberos. 
        kdc_timesync = 1 
        ccache_type = 4 
        forwardable = true 
        proxiable = true

[realms]
        EMPRESA.MIDOMINIO.CU = {
                kdc = pdc1.empresa.midominio.cu
#               kdc = pdc2.empresa.midominio.cu
                master_kdc = pdc1.empresa.midominio.cu
                admin_server = pdc1.empresa.midominio.cu
                default_domain = empresa.midominio.cu
                }

        empresa.midominio.cu = {
                kdc = pdc1.empresa.midominio.cu
#               kdc = pdc2.empresa.midominio.cu
                master_kdc = pdc1.empresa.midominio.cu
                admin_server = pdc1.empresa.midominio.cu
                default_domain = empresa.midominio.cu
                }

[domain_realm]
        .empresa.midominio.cu = EMPRESA.MIDOMINIO.CU
        empresa.midominio.cu = EMPRESA.MIDOMINIO.CU

[libdefaults]

default_realm = EMPRESA.MIDOMINIO.CU

dns_lookup_realm = false

dns_lookup_kdc = true

clockskew = 3600

ticket_lifetime = 24h

default_keytab_name = /etc/squid/proxysquid.keytab

# The following krb5.conf variables are only for MIT Kerberos.

kdc_timesync = 1

ccache_type = 4

forwardable = true

proxiable = true

[realms]

EMPRESA.MIDOMINIO.CU = {

kdc = pdc1.empresa.midominio.cu

# kdc = pdc2.empresa.midominio.cu

master_kdc = pdc1.empresa.midominio.cu

admin_server = pdc1.empresa.midominio.cu

default_domain = empresa.midominio.cu

}

empresa.midominio.cu = {

kdc = pdc1.empresa.midominio.cu

# kdc = pdc2.empresa.midominio.cu

master_kdc = pdc1.empresa.midominio.cu

admin_server = pdc1.empresa.midominio.cu

default_domain = empresa.midominio.cu

}

[domain_realm]

.empresa.midominio.cu = EMPRESA.MIDOMINIO.CU

empresa.midominio.cu = EMPRESA.MIDOMINIO.CU

A continuación, se describe cómo generar el ticket “proxysquid.keytab” y registrar el SPN en el dominio, usándose un usuario con permisos de administración en el ADDC:

kinit administrator@EMPRESA.MIDOMINIO.CU

1	kinit administrator@EMPRESA.MIDOMINIO.CU

Nos sale para poner el password:

Password for administrator@EMPRESA.MIDOMINIO.CU: Admin*123

1	Password for administrator@EMPRESA.MIDOMINIO.CU: Admin*123

Generamos el ticket, el cual agregara una cuenta de computadora al ADDC con el nombre especificado:

msktutil -c -b "OU=Linux,OU=Servidores" \
-s HTTP/proxysquid.empresa.midominio.cu \
-h proxysquid.empresa.midominio.cu \
-k /etc/squid/proxysquid.keytab \
--computer-name PROXYSQUID \
--upn HTTP/proxysquid.empresa.midominio.cu \
--server pdc1.empresa.midominio.cu \
--verbose \
--dont-expire-password \
--no-reverse-lookups

msktutil -c -b "OU=Linux,OU=Servidores" \

-s HTTP/proxysquid.empresa.midominio.cu \

-h proxysquid.empresa.midominio.cu \

-k /etc/squid/proxysquid.keytab \

--computer-name PROXYSQUID \

--upn HTTP/proxysquid.empresa.midominio.cu \

--server pdc1.empresa.midominio.cu \

--verbose \

--dont-expire-password \

--no-reverse-lookups

Si el ADDC es un Windows Server Active Directory entonces el comando debe ser el siguiente:

msktutil -c -b "OU=Linux,OU=Servidores" \
-s HTTP/proxysquid.empresa.midominio.cu \
-h proxysquid.empresa.midominio.cu \
-k /etc/squid/proxysquid.keytab \
--computer-name PROXYSQUID \
--upn HTTP/proxysquid.empresa.midominio.cu \
--server pdc1.empresa.midominio.cu \
--verbose \
--dont-expire-password \
--no-reverse-lookups \
--enctypes 28

msktutil -c -b "OU=Linux,OU=Servidores" \

-s HTTP/proxysquid.empresa.midominio.cu \

-h proxysquid.empresa.midominio.cu \

-k /etc/squid/proxysquid.keytab \

--computer-name PROXYSQUID \

--upn HTTP/proxysquid.empresa.midominio.cu \

--server pdc1.empresa.midominio.cu \

--verbose \

--dont-expire-password \

--no-reverse-lookups \

--enctypes 28

Lo anterior debe devolver algo parecido a lo siguiente:

-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 88
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-c66hIC
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYSQUID$
 -- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxysquid.empresa.midominio.cu from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXYSQUID$ with password.
 -- create_default_machine_password: Default machine password for PROXYSQUID$ is proxysquid10
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu
SASL/GSSAPI authentication started
SASL username: administrator@EMPRESA.MIDOMINIO.CU
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU
 -- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists
 -- ldap_create_account: Computer account not found, create the account
No computer account for PROXYSQUID found, creating a new one.
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_check_account_strings: Found userPrincipalName = 
 -- ldap_check_account_strings: userPrincipalName should be HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
 -- ldap_get_kvno: KVNO is 1
 -- ldap_add_principal: Checking that adding principal HTTP/proxysquid.empresa.midominio.cu to PROXYSQUID$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/proxysquid.empresa.midominio.cu to LDAP entry
 -- ldap_add_principal: Checking that adding principal host/proxysquid.ecasa.avianet.cu to PROXYSQUID$ won't cause a conflict
 -- ldap_add_principal: Adding principal host/proxysquid.empresa.midominio.cu to LDAP entry
 -- execute: Updating all entries for proxysquid.empresa.midominio.cu in the keytab WRFILE:/etc/squid/proxysquid.keytab
 -- update_keytab: Updating all entries for PROXYSQUID$
 -- add_principal_keytab: Adding principal to keytab: PROXYSQUID$
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRES.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: PROXYSQUID$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=23
 -- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=17
 -- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=18
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresamidominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/proxysquid.empresa.midominio.cu
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/PROXYSQUID
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- update_keytab: Entries for SPN HTTP/proxysquid.empresa.midominio.cu have already been added. Skipping ...
 -- add_principal_keytab: Adding principal to keytab: host/proxysquid.empresa.midominio.cu
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~KRB5Context: Destroying Kerberos Context

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password: Characters read from /dev/urandom = 88

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-c66hIC

-- reload: Reloading Kerberos Context

-- finalize_exec: SAM Account Name is: PROXYSQUID$

-- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...

-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

-- try_machine_keytab_princ: Authentication with keytab failed

-- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...

-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

-- try_machine_keytab_princ: Authentication with keytab failed

-- try_machine_keytab_princ: Trying to authenticate for host/proxysquid.empresa.midominio.cu from local keytab...

-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

-- try_machine_keytab_princ: Authentication with keytab failed

-- try_machine_password: Trying to authenticate for PROXYSQUID$ with password.

-- create_default_machine_password: Default machine password for PROXYSQUID$ is proxysquid10

-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

-- try_machine_password: Authentication with password failed

-- try_user_creds: Checking if default ticket cache has tickets...

-- finalize_exec: Authenticated using method 5

-- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu

SASL/GSSAPI authentication started

SASL username: administrator@EMPRESA.MIDOMINIO.CU

SASL SSF: 256

SASL data security layer installed.

-- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU

-- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists

-- ldap_create_account: Computer account not found, create the account

No computer account for PROXYSQUID found, creating a new one.

-- ldap_check_account_strings: Inspecting (and updating) computer account attributes

-- ldap_check_account_strings: Found userPrincipalName =

-- ldap_check_account_strings: userPrincipalName should be HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0

-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1

-- ldap_get_kvno: KVNO is 1

-- ldap_add_principal: Checking that adding principal HTTP/proxysquid.empresa.midominio.cu to PROXYSQUID$ won't cause a conflict

-- ldap_add_principal: Adding principal HTTP/proxysquid.empresa.midominio.cu to LDAP entry

-- ldap_add_principal: Checking that adding principal host/proxysquid.ecasa.avianet.cu to PROXYSQUID$ won't cause a conflict

-- ldap_add_principal: Adding principal host/proxysquid.empresa.midominio.cu to LDAP entry

-- execute: Updating all entries for proxysquid.empresa.midominio.cu in the keytab WRFILE:/etc/squid/proxysquid.keytab

-- update_keytab: Updating all entries for PROXYSQUID$

-- add_principal_keytab: Adding principal to keytab: PROXYSQUID$

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x17

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x11

-- add_principal_keytab: Using salt of EMPRES.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x12

-- add_principal_keytab: Adding principal to keytab: PROXYSQUID$

-- add_principal_keytab: Removing entries with kvno < 0

-- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=23

-- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=17

-- add_principal_keytab: Deleting PROXYSQUID$@EMPRESA.MIDOMINIO.CU kvno=1, enctype=18

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x17

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresamidominio.cu

-- add_principal_keytab: Adding entry of enctype 0x11

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x12

-- add_principal_keytab: Adding principal to keytab: HTTP/proxysquid.empresa.midominio.cu

-- add_principal_keytab: Removing entries with kvno < 0

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x17

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x11

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x12

-- add_principal_keytab: Adding principal to keytab: host/PROXYSQUID

-- add_principal_keytab: Removing entries with kvno < 0

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x17

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x11

-- add_principal_keytab: Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x12

-- update_keytab: Entries for SPN HTTP/proxysquid.empresa.midominio.cu have already been added. Skipping ...

-- add_principal_keytab: Adding principal to keytab: host/proxysquid.empresa.midominio.cu

-- add_principal_keytab: Removing entries with kvno < 0

-- add_principal_keytab: Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x17

-- add_principal_keytab: Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x11

-- add_principal_keytab: Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu

-- add_principal_keytab: Adding entry of enctype 0x12

-- ~KRB5Context: Destroying Kerberos Context

Comprobamos que todo haya resultado bien:

kinit -k HTTP/proxysquid.empresa.midominio.cu

1	kinit -k HTTP/proxysquid.empresa.midominio.cu

El comando anterior no debe devolver nada, si todo está bien.

klist -k

klist -k

Nos debe devolver lo siguiente:

Keytab name: FILE:/etc/squid/proxysquid.keytab
KVNO Principal
---- -----------------------------------------------------------------
   1 PROXYSQUID$@EMPRESA.MIDOMINIO.CU
   1 PROXYSQUID$@EMPRESA.MIDOMINIO.CU
   1 PROXYSQUID$@EMPRESA.MIDOMINIO.CU
   1 HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 host/PROXYSQUID@MIDOMINIO.CU
   1 host/PROXYSQUID@MIDOMINIO.CU
   1 host/PROXYSQUID@MIDOMINIO.CU
   1 host/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 host/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 host/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

Keytab name: FILE:/etc/squid/proxysquid.keytab

KVNO Principal

---- -----------------------------------------------------------------

1 PROXYSQUID$@EMPRESA.MIDOMINIO.CU

1 HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

1 host/PROXYSQUID@MIDOMINIO.CU

1 host/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

Establecemos los permisos del archivo keytab:

chown proxy:proxy /etc/squid/proxysquid.keytab
chmod 640 /etc/squid/proxysquid.keytab

1 2	chown proxy:proxy /etc/squid/proxysquid.keytab chmod 640 /etc/squid/proxysquid.keytab

Comprobamos que la cuenta de host se actualiza correctamente:

msktutil --auto-update --verbose --dont-expire-password \
-b "CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=EMPRESA,DC=MIDOMINIO,DC=CU" \
--user-creds-only \
--computer-name PROXYSQUID \
-k /etc/squid/proxysquid.keytab \
--server pdc1.empresa.midominio.cu \
--no-reverse-lookups

msktutil --auto-update --verbose --dont-expire-password \

-b "CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=EMPRESA,DC=MIDOMINIO,DC=CU" \

--user-creds-only \

--computer-name PROXYSQUID \

-k /etc/squid/proxysquid.keytab \

--server pdc1.empresa.midominio.cu \

--no-reverse-lookups

Lo anterior debe devolver algo parecido a lo siguiente:

-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-mote6W
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYSQUID$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu
SASL/GSSAPI authentication started
SASL username: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU
 -- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found dNSHostName = proxysquid.ecasa.avianet.cu
 -- ldap_check_account: Found Principal: host/proxysquid.ecasa.avianet.cu
 -- ldap_check_account: Found Principal: HTTP/proxysquid.ecasa.avianet.cu
 -- ldap_check_account:   Found User Principal: HTTP/proxysquid.ecasa.avianet.cu
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_get_kvno: KVNO is 1
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 132355895442940306
 -- execute: Password last set 0 days ago.
 -- execute: Exiting because password was changed recently.
 -- ~KRB5Context: Destroying Kerberos Context

-- init_password: Wiping the computer password structure

-- generate_new_password: Generating a new, random password for the computer account

-- generate_new_password: Characters read from /dev/urandom = 87

-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-mote6W

-- reload: Reloading Kerberos Context

-- finalize_exec: SAM Account Name is: PROXYSQUID$

-- try_user_creds: Checking if default ticket cache has tickets...

-- finalize_exec: Authenticated using method 5

-- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu

SASL/GSSAPI authentication started

SASL username: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

SASL SSF: 256

SASL data security layer installed.

-- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU

-- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists

-- ldap_check_account: Checking computer account - found

-- ldap_check_account: Found userAccountControl = 0x11000

-- ldap_check_account: Found supportedEncryptionTypes = 28

-- ldap_check_account: Found dNSHostName = proxysquid.ecasa.avianet.cu

-- ldap_check_account: Found Principal: host/proxysquid.ecasa.avianet.cu

-- ldap_check_account: Found Principal: HTTP/proxysquid.ecasa.avianet.cu

-- ldap_check_account: Found User Principal: HTTP/proxysquid.ecasa.avianet.cu

-- ldap_check_account_strings: Inspecting (and updating) computer account attributes

-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0

-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1

-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000

-- ldap_get_kvno: KVNO is 1

-- set_password: Attempting to reset computer's password

-- set_password: Try change password using user's ticket cache

-- ldap_get_pwdLastSet: pwdLastSet is 132355895442940306

-- execute: Password last set 0 days ago.

-- execute: Exiting because password was changed recently.

-- ~KRB5Context: Destroying Kerberos Context

NOTA: En un ADDC Windows Server se obtuvo un error al final:

-- ldap_get_pwdLastSet: pwdLastSet is 132307603480393316
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Error: set_password failed
 -- ~KRB5Context: Destroying Kerberos Context

-- ldap_get_pwdLastSet: pwdLastSet is 132307603480393316

Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

Error: set_password failed

-- ~KRB5Context: Destroying Kerberos Context

Simplemente ignorar este error y continuar el procedimiento.

Comprobamos que en la base de datos de LDAP exista la computadora que representa al proxy:

ldapsearch -T -x -Y GSSAPI -b "dc=empresa,dc=midominio,dc=cu" cn=PROXYSQUID -h pdc1.empresa.midominio.cu

1	ldapsearch -T -x -Y GSSAPI -b "dc=empresa,dc=midominio,dc=cu" cn=PROXYSQUID -h pdc1.empresa.midominio.cu

Nos debe devolver algo como esto:

SASL/GSSAPI authentication started
SASL username: admin@EMPRESA.MIDOMINIO.CU
SASL/GSSAPI authentication started
SASL username: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=empresa,dc=midominio,dc=cu> with scope subtree
# filter: cn=PROXYSQUID
# requesting: ALL
#

# PROXYSQUID, Linux, Servidores, empresa.midominio.cu
dn: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PROXYSQUID
distinguishedName: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu
instanceType: 4
whenCreated: 20200602163904.0Z
whenChanged: 20200602163943.0Z
uSNCreated: 46923335
uSNChanged: 46923353
name: PROXYSQUID
objectGUID:: nsG44Oq3jkCFDXerJXCEZA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132355895839381100
localPolicyFlags: 0
pwdLastSet: 132355895442940306
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJLCcAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: PROXYSQUID$
sAMAccountType: 805306369
dNSHostName: proxysquid.empresa.midominio.cu
userPrincipalName: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
servicePrincipalName: host/proxysquid.empresa.midominio.cu
servicePrincipalName: HTTP/proxysquid.empresa.midominio.cu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132355895839381100
msDS-SupportedEncryptionTypes: 28

# search reference
ref: ldap://DomainDnsZones.ecasa.avianet.cu/DC=DomainDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference
ref: ldap://ForestDnsZones.midominio.cu/DC=ForestDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference
ref: ldap://empresa.midominio.cu/CN=Configuration,DC=empresa,DC=midominio,DC=cu

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

SASL/GSSAPI authentication started

SASL username: admin@EMPRESA.MIDOMINIO.CU

SASL/GSSAPI authentication started

SASL username: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

SASL SSF: 256

SASL data security layer installed.

# extended LDIF

# LDAPv3

# base <dc=empresa,dc=midominio,dc=cu> with scope subtree

# filter: cn=PROXYSQUID

# requesting: ALL

# PROXYSQUID, Linux, Servidores, empresa.midominio.cu

dn: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

objectClass: computer

cn: PROXYSQUID

distinguishedName: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu

instanceType: 4

whenCreated: 20200602163904.0Z

whenChanged: 20200602163943.0Z

uSNCreated: 46923335

uSNChanged: 46923353

name: PROXYSQUID

objectGUID:: nsG44Oq3jkCFDXerJXCEZA==

userAccountControl: 69632

badPwdCount: 0

codePage: 0

countryCode: 0

badPasswordTime: 0

lastLogoff: 0

lastLogon: 132355895839381100

localPolicyFlags: 0

pwdLastSet: 132355895442940306

primaryGroupID: 515

objectSid:: AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJLCcAAA==

accountExpires: 9223372036854775807

logonCount: 2

sAMAccountName: PROXYSQUID$

sAMAccountType: 805306369

dNSHostName: proxysquid.empresa.midominio.cu

userPrincipalName: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

servicePrincipalName: host/proxysquid.empresa.midominio.cu

servicePrincipalName: HTTP/proxysquid.empresa.midominio.cu

objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu

isCriticalSystemObject: FALSE

dSCorePropagationData: 16010101000000.0Z

lastLogonTimestamp: 132355895839381100

msDS-SupportedEncryptionTypes: 28

# search reference

ref: ldap://DomainDnsZones.ecasa.avianet.cu/DC=DomainDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference

ref: ldap://ForestDnsZones.midominio.cu/DC=ForestDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference

ref: ldap://empresa.midominio.cu/CN=Configuration,DC=empresa,DC=midominio,DC=cu

# search result

search: 4

result: 0 Success

# numResponses: 5

# numEntries: 1

# numReferences: 3

Comprobamos autenticación por LDAP:

NOTA: Debe estar creado el usuario “squid” en el AD.

Primero creamos un fichero que contendrá la contraseña para autenticar al usuario “squid”.

touch /etc/squid/ldappass.txt

1	touch /etc/squid/ldappass.txt

Agregamos el password del usuario:

echo "Proxyadmin*123" > /etc/squid/ldappass.txt

1	echo "Proxyadmin*123" > /etc/squid/ldappass.txt

Comprobando la autenticación por LDAP básico:

/usr/lib/squid/basic_ldap_auth -R -b "dc=empresa,dc=midominio,dc=cu" -D squid@empresa.midominio.cu -W /etc/squid/ldappass.txt -f "(|(userPrincipalName=%s)(sAMAccountName=%s)(userPasswdac=ACTIVE))" -h pdc1.empresa.midominio.cu

1	/usr/lib/squid/basic_ldap_auth -R -b "dc=empresa,dc=midominio,dc=cu" -D squid@empresa.midominio.cu -W /etc/squid/ldappass.txt -f "(\|(userPrincipalName=%s)(sAMAccountName=%s)(userPasswdac=ACTIVE))" -h pdc1.empresa.midominio.cu

Ahora tecleamos un usuario que pertenezca al dominio y su contraseña:

usuario1.apellido Prueba2020*

1	usuario1.apellido Prueba2020*

Si el usuario existe y su contraseña es correcta, deberá devolver lo siguiente:

OK

Comprobamos la autenticación por Kerberos:

/usr/lib/squid/negotiate_kerberos_auth_test proxysquid.empresa.midominio.cu | awk \
'{sub(/Token:/,"YR"); print $0}END{print"QQ"}'| \
/usr/lib/squid/negotiate_kerberos_auth -d -r -s HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

/usr/lib/squid/negotiate_kerberos_auth_test proxysquid.empresa.midominio.cu | awk \

'{sub(/Token:/,"YR"); print $0}END{print"QQ"}'| \

/usr/lib/squid/negotiate_kerberos_auth -d -r -s HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU

Debe devolver algo como esto:

negotiate_kerberos_auth.cc(489): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxysquid.keytab
negotiate_kerberos_auth.cc(572): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_29506
negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'YR YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKiggXPBIIFy2CCBccGCSqGSIb3EgECAgEAboIFtjCCBbKgAwIBBaEDAgEOogcDBQAAAAAAo4IEqWGCBKUwggShoAMCAQWhEhsQRUNBU0EuQVZJQU5FVC5DVaIuMCygAwIBA6ElMCMbBEhUVFAbG3Byb3h5c3F1aWQuZWNhc2EuYXZpYW5ldC5jdaOCBFQwggRQoAMCARKhAwIBAaKCBEIEggQ+LqPiulPdQuHVcW90hxDFzkTEtLSBxfoBCaUGuRwhdqXDMB/I33B81RUc/tXUDqpO7AAKfculDH7N2ie0pY2BfItMOfRTVRqB/qAzHkLNFHTFbQFWyiLVy7KKX/SrGXMf8g3d8o03bSgbCPsHlqBlAoCcMbccpoIk1gvzNdz5E9QiHqQRn/9MJcRn81zi4VZG3pCtTA+1o61zYL6fBmTCwEpRawZpyBAO7kh9Rx6x5wJ3EGFCxfaGrtBgj7VG0tTiay1I0TzlvNtXZF1xadqImhGiv1fw33zKG5KZV7rR5LNi8sFiFP3TpBrO1F5EHHZUpNb9q7yAkVqyMCT1EhuD96/IMhL4mI/E9xDAZjlkSzVI/0OyYCoL6OS4bVvCo+iGFsfq0Z9PM4bcR6dePqSbsmrw0YnImKr1KjUN4ROPjXg+fp6n4PuAcutfYFaEkbO9/1UY8Oi9DFIwqsV9lXbvmOtHDbexJkoLzbpgQal/GmAJswvEWYcWUQvC2/RkLivZJ5mK0lYhQE/YfkRcdUQcNKD+AoUQFlXRtgEbWrJbtRbBpKlDk11q+PYJ8Fqk/fgc5rWqezb/TmQBgHu4vTYQ+M5eRL6G2d9jcYqAW7+VgtjTq7TrfRUJmipaCF4gypDJzzqai6OIZMM0/wf8cvBgxve5tJRZpqv0XX915KBUWqB0m4jgwj/bPxmVa2ibNAq1uOJ7jwWBTUQ80NuxOZDUmhn2ICrzPRsa0c6IW8O3+BxE1xNds16rMEF7qhFMVE8QSgxBBMnsUOAX6xM8nDyFqnmsAQl7Qqxpq11ggAyxZCzzsE3fTF4LV/fU9T0fSu68gJCelmbT3mWbE3LjrPIHy4FMDFQcTYahPOUFLQLdh2zcFV/U76tAgYdSUtgaJHgeJ7lsVMOiBQkGLazEBb3Sop/of00ZhFB/8MLo7DtVx21X3fxsSSu5fB8SjG1Z7NvkqGd0P8bf3o4CtTkkVyojtlyrRAo9JXbVSb+2ZKU1DK/JnlQXZ1teLXyPKGB5m0WnzoeaEKhzk6l9NTcae2SvEci1iLawzQzEWxMHoE3Pd/4g6k1vG1Zf4wUWH9sN4hrQL6i2qzT7xwtbaUDG0VsOZBBAsgGXYehkTaJIObKjLg3+LbDSTDvzm5Z9JDQVqFTq7/OK4XafQWMUEbflXWrLpXsYaGAAPIpEADr+Ld58wdHv5iajmwPhGphV1sC26jf7lL0sRr8S1pRwfHqLUs3yOMvcdZJksxVXj2tjwY281dH8xIpHubPbN8Yt58O9qhMKMiCKK72E9jimrBMX4AeD9LP6AhbT/jwuOoIR5+xoodOO762fHmooHicGOD+TPRkvZYfVPo1ZKIcc4VEh39ApNyGGyDCoAdebdxErVwRA0rIYi7m2YwWVf9Djy2S4y5I1ZTwf7RWDtl6MzoUhwaOIe2JW67OhykR+E8YcAAH9pIHvMIHsoAMCARKigeQEgeEVBw2wep15J795akl2JhvXcROkjLr9tZNU03X/F8ujgMgp17OpNL834IPiOT3UzztbPGznudLQMN9NAYepDSGScCKQXdFAU2MoTmAN6uo6s1Sf6xNirlIdeE6gTQ+a9Dyd8jA1YKgOxB4s6YZatlmZIasBGepeGcxfmwpATym2o3dwWLH6ts9Kf+utek0HXPiOX2/wR2JgWAUx3SMC9b1M2cQbV3YW6dw3knlI5cRZaANjxqG0a9GUVonC3ILA3yygxXbROvPOzxfZ0bWhzhIDsXyIbVcuszLbgjHWV/kyYIM=' from squid (length: 2039).
negotiate_kerberos_auth.cc(679): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Decode 'YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKiggXPBIIFy2CCBccGCSqGSIb3EgECAgEAboIFtjCCBbKgAwIBBaEDAgEOogcDBQAAAAAAo4IEqWGCBKUwggShoAMCAQWhEhsQRUNBU0EuQVZJQU5FVC5DVaIuMCygAwIBA6ElMCMbBEhUVFAbG3Byb3h5c3F1aWQuZWNhc2EuYXZpYW5ldC5jdaOCBFQwggRQoAMCARKhAwIBAaKCBEIEggQ+LqPiulPdQuHVcW90hxDFzkTEtLSBxfoBCaUGuRwhdqXDMB/I33B81RUc/tXUDqpO7AAKfculDH7N2ie0pY2BfItMOfRTVRqB/qAzHkLNFHTFbQFWyiLVy7KKX/SrGXMf8g3d8o03bSgbCPsHlqBlAoCcMbccpoIk1gvzNdz5E9QiHqQRn/9MJcRn81zi4VZG3pCtTA+1o61zYL6fBmTCwEpRawZpyBAO7kh9Rx6x5wJ3EGFCxfaGrtBgj7VG0tTiay1I0TzlvNtXZF1xadqImhGiv1fw33zKG5KZV7rR5LNi8sFiFP3TpBrO1F5EHHZUpNb9q7yAkVqyMCT1EhuD96/IMhL4mI/E9xDAZjlkSzVI/0OyYCoL6OS4bVvCo+iGFsfq0Z9PM4bcR6dePqSbsmrw0YnImKr1KjUN4ROPjXg+fp6n4PuAcutfYFaEkbO9/1UY8Oi9DFIwqsV9lXbvmOtHDbexJkoLzbpgQal/GmAJswvEWYcWUQvC2/RkLivZJ5mK0lYhQE/YfkRcdUQcNKD+AoUQFlXRtgEbWrJbtRbBpKlDk11q+PYJ8Fqk/fgc5rWqezb/TmQBgHu4vTYQ+M5eRL6G2d9jcYqAW7+VgtjTq7TrfRUJmipaCF4gypDJzzqai6OIZMM0/wf8cvBgxve5tJRZpqv0XX915KBUWqB0m4jgwj/bPxmVa2ibNAq1uOJ7jwWBTUQ80NuxOZDUmhn2ICrzPRsa0c6IW8O3+BxE1xNds16rMEF7qhFMVE8QSgxBBMnsUOAX6xM8nDyFqnmsAQl7Qqxpq11ggAyxZCzzsE3fTF4LV/fU9T0fSu68gJCelmbT3mWbE3LjrPIHy4FMDFQcTYahPOUFLQLdh2zcFV/U76tAgYdSUtgaJHgeJ7lsVMOiBQkGLazEBb3Sop/of00ZhFB/8MLo7DtVx21X3fxsSSu5fB8SjG1Z7NvkqGd0P8bf3o4CtTkkVyojtlyrRAo9JXbVSb+2ZKU1DK/JnlQXZ1teLXyPKGB5m0WnzoeaEKhzk6l9NTcae2SvEci1iLawzQzEWxMHoE3Pd/4g6k1vG1Zf4wUWH9sN4hrQL6i2qzT7xwtbaUDG0VsOZBBAsgGXYehkTaJIObKjLg3+LbDSTDvzm5Z9JDQVqFTq7/OK4XafQWMUEbflXWrLpXsYaGAAPIpEADr+Ld58wdHv5iajmwPhGphV1sC26jf7lL0sRr8S1pRwfHqLUs3yOMvcdZJksxVXj2tjwY281dH8xIpHubPbN8Yt58O9qhMKMiCKK72E9jimrBMX4AeD9LP6AhbT/jwuOoIR5+xoodOO762fHmooHicGOD+TPRkvZYfVPo1ZKIcc4VEh39ApNyGGyDCoAdebdxErVwRA0rIYi7m2YwWVf9Djy2S4y5I1ZTwf7RWDtl6MzoUhwaOIe2JW67OhykR+E8YcAAH9pIHvMIHsoAMCARKigeQEgeEVBw2wep15J795akl2JhvXcROkjLr9tZNU03X/F8ujgMgp17OpNL834IPiOT3UzztbPGznudLQMN9NAYepDSGScCKQXdFAU2MoTmAN6uo6s1Sf6xNirlIdeE6gTQ+a9Dyd8jA1YKgOxB4s6YZatlmZIasBGepeGcxfmwpATym2o3dwWLH6ts9Kf+utek0HXPiOX2/wR2JgWAUx3SMC9b1M2cQbV3YW6dw3knlI5cRZaANjxqG0a9GUVonC3ILA3yygxXbROvPOzxfZ0bWhzhIDsXyIbVcuszLbgjHWV/kyYIM=' (decoded length estimate: 1527).
negotiate_kerberos_pac.cc(406): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got PAC data of length 432
negotiate_kerberos_pac.cc(180): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: Info: Got rid: 515
negotiate_kerberos_pac.cc(270): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-2701354736-835243039-2314636293
negotiate_kerberos_pac.cc(486): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Read 428 of 432 bytes 
negotiate_kerberos_auth.cc(806): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==
OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==
negotiate_kerberos_auth.cc(815): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu
negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

negotiate_kerberos_auth.cc(489): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq

negotiate_kerberos_auth.cc(548): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxysquid.keytab

negotiate_kerberos_auth.cc(572): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_29506

negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'YR YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKiggXPBIIFy2CCBccGCSqGSIb3EgECAgEAboIFtjCCBbKgAwIBBaEDAgEOogcDBQAAAAAAo4IEqWGCBKUwggShoAMCAQWhEhsQRUNBU0EuQVZJQU5FVC5DVaIuMCygAwIBA6ElMCMbBEhUVFAbG3Byb3h5c3F1aWQuZWNhc2EuYXZpYW5ldC5jdaOCBFQwggRQoAMCARKhAwIBAaKCBEIEggQ+LqPiulPdQuHVcW90hxDFzkTEtLSBxfoBCaUGuRwhdqXDMB/I33B81RUc/tXUDqpO7AAKfculDH7N2ie0pY2BfItMOfRTVRqB/qAzHkLNFHTFbQFWyiLVy7KKX/SrGXMf8g3d8o03bSgbCPsHlqBlAoCcMbccpoIk1gvzNdz5E9QiHqQRn/9MJcRn81zi4VZG3pCtTA+1o61zYL6fBmTCwEpRawZpyBAO7kh9Rx6x5wJ3EGFCxfaGrtBgj7VG0tTiay1I0TzlvNtXZF1xadqImhGiv1fw33zKG5KZV7rR5LNi8sFiFP3TpBrO1F5EHHZUpNb9q7yAkVqyMCT1EhuD96/IMhL4mI/E9xDAZjlkSzVI/0OyYCoL6OS4bVvCo+iGFsfq0Z9PM4bcR6dePqSbsmrw0YnImKr1KjUN4ROPjXg+fp6n4PuAcutfYFaEkbO9/1UY8Oi9DFIwqsV9lXbvmOtHDbexJkoLzbpgQal/GmAJswvEWYcWUQvC2/RkLivZJ5mK0lYhQE/YfkRcdUQcNKD+AoUQFlXRtgEbWrJbtRbBpKlDk11q+PYJ8Fqk/fgc5rWqezb/TmQBgHu4vTYQ+M5eRL6G2d9jcYqAW7+VgtjTq7TrfRUJmipaCF4gypDJzzqai6OIZMM0/wf8cvBgxve5tJRZpqv0XX915KBUWqB0m4jgwj/bPxmVa2ibNAq1uOJ7jwWBTUQ80NuxOZDUmhn2ICrzPRsa0c6IW8O3+BxE1xNds16rMEF7qhFMVE8QSgxBBMnsUOAX6xM8nDyFqnmsAQl7Qqxpq11ggAyxZCzzsE3fTF4LV/fU9T0fSu68gJCelmbT3mWbE3LjrPIHy4FMDFQcTYahPOUFLQLdh2zcFV/U76tAgYdSUtgaJHgeJ7lsVMOiBQkGLazEBb3Sop/of00ZhFB/8MLo7DtVx21X3fxsSSu5fB8SjG1Z7NvkqGd0P8bf3o4CtTkkVyojtlyrRAo9JXbVSb+2ZKU1DK/JnlQXZ1teLXyPKGB5m0WnzoeaEKhzk6l9NTcae2SvEci1iLawzQzEWxMHoE3Pd/4g6k1vG1Zf4wUWH9sN4hrQL6i2qzT7xwtbaUDG0VsOZBBAsgGXYehkTaJIObKjLg3+LbDSTDvzm5Z9JDQVqFTq7/OK4XafQWMUEbflXWrLpXsYaGAAPIpEADr+Ld58wdHv5iajmwPhGphV1sC26jf7lL0sRr8S1pRwfHqLUs3yOMvcdZJksxVXj2tjwY281dH8xIpHubPbN8Yt58O9qhMKMiCKK72E9jimrBMX4AeD9LP6AhbT/jwuOoIR5+xoodOO762fHmooHicGOD+TPRkvZYfVPo1ZKIcc4VEh39ApNyGGyDCoAdebdxErVwRA0rIYi7m2YwWVf9Djy2S4y5I1ZTwf7RWDtl6MzoUhwaOIe2JW67OhykR+E8YcAAH9pIHvMIHsoAMCARKigeQEgeEVBw2wep15J795akl2JhvXcROkjLr9tZNU03X/F8ujgMgp17OpNL834IPiOT3UzztbPGznudLQMN9NAYepDSGScCKQXdFAU2MoTmAN6uo6s1Sf6xNirlIdeE6gTQ+a9Dyd8jA1YKgOxB4s6YZatlmZIasBGepeGcxfmwpATym2o3dwWLH6ts9Kf+utek0HXPiOX2/wR2JgWAUx3SMC9b1M2cQbV3YW6dw3knlI5cRZaANjxqG0a9GUVonC3ILA3yygxXbROvPOzxfZ0bWhzhIDsXyIbVcuszLbgjHWV/kyYIM=' from squid (length: 2039).

negotiate_kerberos_auth.cc(679): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Decode 'YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKiggXPBIIFy2CCBccGCSqGSIb3EgECAgEAboIFtjCCBbKgAwIBBaEDAgEOogcDBQAAAAAAo4IEqWGCBKUwggShoAMCAQWhEhsQRUNBU0EuQVZJQU5FVC5DVaIuMCygAwIBA6ElMCMbBEhUVFAbG3Byb3h5c3F1aWQuZWNhc2EuYXZpYW5ldC5jdaOCBFQwggRQoAMCARKhAwIBAaKCBEIEggQ+LqPiulPdQuHVcW90hxDFzkTEtLSBxfoBCaUGuRwhdqXDMB/I33B81RUc/tXUDqpO7AAKfculDH7N2ie0pY2BfItMOfRTVRqB/qAzHkLNFHTFbQFWyiLVy7KKX/SrGXMf8g3d8o03bSgbCPsHlqBlAoCcMbccpoIk1gvzNdz5E9QiHqQRn/9MJcRn81zi4VZG3pCtTA+1o61zYL6fBmTCwEpRawZpyBAO7kh9Rx6x5wJ3EGFCxfaGrtBgj7VG0tTiay1I0TzlvNtXZF1xadqImhGiv1fw33zKG5KZV7rR5LNi8sFiFP3TpBrO1F5EHHZUpNb9q7yAkVqyMCT1EhuD96/IMhL4mI/E9xDAZjlkSzVI/0OyYCoL6OS4bVvCo+iGFsfq0Z9PM4bcR6dePqSbsmrw0YnImKr1KjUN4ROPjXg+fp6n4PuAcutfYFaEkbO9/1UY8Oi9DFIwqsV9lXbvmOtHDbexJkoLzbpgQal/GmAJswvEWYcWUQvC2/RkLivZJ5mK0lYhQE/YfkRcdUQcNKD+AoUQFlXRtgEbWrJbtRbBpKlDk11q+PYJ8Fqk/fgc5rWqezb/TmQBgHu4vTYQ+M5eRL6G2d9jcYqAW7+VgtjTq7TrfRUJmipaCF4gypDJzzqai6OIZMM0/wf8cvBgxve5tJRZpqv0XX915KBUWqB0m4jgwj/bPxmVa2ibNAq1uOJ7jwWBTUQ80NuxOZDUmhn2ICrzPRsa0c6IW8O3+BxE1xNds16rMEF7qhFMVE8QSgxBBMnsUOAX6xM8nDyFqnmsAQl7Qqxpq11ggAyxZCzzsE3fTF4LV/fU9T0fSu68gJCelmbT3mWbE3LjrPIHy4FMDFQcTYahPOUFLQLdh2zcFV/U76tAgYdSUtgaJHgeJ7lsVMOiBQkGLazEBb3Sop/of00ZhFB/8MLo7DtVx21X3fxsSSu5fB8SjG1Z7NvkqGd0P8bf3o4CtTkkVyojtlyrRAo9JXbVSb+2ZKU1DK/JnlQXZ1teLXyPKGB5m0WnzoeaEKhzk6l9NTcae2SvEci1iLawzQzEWxMHoE3Pd/4g6k1vG1Zf4wUWH9sN4hrQL6i2qzT7xwtbaUDG0VsOZBBAsgGXYehkTaJIObKjLg3+LbDSTDvzm5Z9JDQVqFTq7/OK4XafQWMUEbflXWrLpXsYaGAAPIpEADr+Ld58wdHv5iajmwPhGphV1sC26jf7lL0sRr8S1pRwfHqLUs3yOMvcdZJksxVXj2tjwY281dH8xIpHubPbN8Yt58O9qhMKMiCKK72E9jimrBMX4AeD9LP6AhbT/jwuOoIR5+xoodOO762fHmooHicGOD+TPRkvZYfVPo1ZKIcc4VEh39ApNyGGyDCoAdebdxErVwRA0rIYi7m2YwWVf9Djy2S4y5I1ZTwf7RWDtl6MzoUhwaOIe2JW67OhykR+E8YcAAH9pIHvMIHsoAMCARKigeQEgeEVBw2wep15J795akl2JhvXcROkjLr9tZNU03X/F8ujgMgp17OpNL834IPiOT3UzztbPGznudLQMN9NAYepDSGScCKQXdFAU2MoTmAN6uo6s1Sf6xNirlIdeE6gTQ+a9Dyd8jA1YKgOxB4s6YZatlmZIasBGepeGcxfmwpATym2o3dwWLH6ts9Kf+utek0HXPiOX2/wR2JgWAUx3SMC9b1M2cQbV3YW6dw3knlI5cRZaANjxqG0a9GUVonC3ILA3yygxXbROvPOzxfZ0bWhzhIDsXyIbVcuszLbgjHWV/kyYIM=' (decoded length estimate: 1527).

negotiate_kerberos_pac.cc(406): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got PAC data of length 432

negotiate_kerberos_pac.cc(180): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Found 1 rids

negotiate_kerberos_pac.cc(188): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: Info: Got rid: 515

negotiate_kerberos_pac.cc(270): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-2701354736-835243039-2314636293

negotiate_kerberos_pac.cc(486): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Read 428 of 432 bytes

negotiate_kerberos_auth.cc(806): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==

OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==

negotiate_kerberos_auth.cc(815): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu

negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).

BH quit command

NOTA: A partir de la versión de 3.4 se desprecia esa respuesta en favor de OK. Si devuelve este resultado, entonces funciona la autenticación de Squid con el ADDC mediante Kerberos.

Probamos los grupos de Kerberos con alto nivel de debugg, para ver todo el procedimiento de negociación con Kerberos:

/usr/lib/squid/ext_kerberos_ldap_group_acl -a -d -g Inter_F_Redes -D EMPRESA.MIDOMINIO.CU

1	/usr/lib/squid/ext_kerberos_ldap_group_acl -a -d -g Inter_F_Redes -D EMPRESA.MIDOMINIO.CU

Nos debe devolver algo como esto:

kerberos_ldap_group.cc(311): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Starting version 1.4.0sq
support_group.cc(382): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group list Inter_F_Redes
support_group.cc(447): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group Inter_F_Redes  Domain NULL
support_netbios.cc(83): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No ldap servers defined.

kerberos_ldap_group.cc(311): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Starting version 1.4.0sq

support_group.cc(382): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group list Inter_F_Redes

support_group.cc(447): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group Inter_F_Redes Domain NULL

support_netbios.cc(83): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: Netbios list NULL

support_netbios.cc(87): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No netbios names defined.

support_lserver.cc(82): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: ldap server list NULL

support_lserver.cc(86): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No ldap servers defined.

Ahora tecleamos un usuario que pertenezca al grupo indicado en el comando anterior:

usuario1.apellido

1	usuario1.apellido

Tras introducir el usuario, la opción de debugg, nos permitirá ver más información en el proceso de búsqueda:

kerberos_ldap_group.cc(430): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido set default domain: EMPRESA.MIDOMINIO.CU
kerberos_ldap_group.cc(435): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido Domain: ECASA.AVIANET.CU
support_member.cc(63): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: User domain loop: group@domain Inter_F_Redes@NULL
support_member.cc(91): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default domain loop: group@domain Inter_F_Redes@NULL
support_member.cc(119): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default group loop: group@domain Inter_F_Redes@NULL
support_member.cc(121): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found group@domain Inter_F_Redes@NULL
support_ldap.cc(1007): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(131): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_EMPRESA.MIDOMINIO.CU_29507
support_krb5.cc(78): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: No default principal found in ccache : No credentials cache found
support_krb5.cc(263): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(269): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/proxysquid.keytab
support_krb5.cc(283): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/proxysquid.keytab
support_krb5.cc(294): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EMPRESA.MIDOMINIO.CU
support_krb5.cc(306): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found principal name: PROXYSQUID$@EMPRESA.MIDOMINIO.CU
support_krb5.cc(326): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got principal name PROXYSQUID$@EMPRESA.MIDOMINIO.CU
support_krb5.cc(390): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(1048): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(1057): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EMPRESA.MIDOMINIO.CU
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc1.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC1.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC2.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 1 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 2 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 3 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 4 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 5 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 6 of EPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(407): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Adding EMPRESA.MIDOMINIO.CU to list
support_resolv.cc(443): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain EMPRESA.MIDOMINIO.CU:
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: PDC2.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: pdc1.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: EMPRESA.MIDOMINIO.CU Port: -1 Priority: -2 Weight: -2
support_ldap.cc(1068): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Setting up connection to ldap server PDC2.empresa.midominio.cu:389
support_ldap.cc(1081): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(1100): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server PDC2.empresa.midominio.cu:389
support_ldap.cc(316): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(665): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(719): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(327): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(332): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(341): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Determined ldap server as an Active Directory server
support_ldap.cc(1232): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=EMPRESA,dc=MIDOMINIO,dc=CU and filter : (samaccountname=usuario1.apellido)
support_ldap.cc(1247): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(665): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(719): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: 5 ldap entries found with attribute : memberof
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" in hex UTF-8 is 496e7465725f465f5265646573
support_ldap.cc(1285): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" matches group name "Inter_F_Redes"
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" in hex UTF-8 is 41646d696e6973747261646f7265732064656c20646f6d696e696f
support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" does not match group name "Inter_F_Redes"
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" in hex UTF-8 is 446f6d61696e2041646d696e73
support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" does not match group name "Inter_F_Redes"
support_ldap.cc(1588): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Unbind ldap server
support_member.cc(125): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: INFO: User usuario1.apellido is member of group@domain Inter_F_Redes@NULL

kerberos_ldap_group.cc(430): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido set default domain: EMPRESA.MIDOMINIO.CU

kerberos_ldap_group.cc(435): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido Domain: ECASA.AVIANET.CU

support_member.cc(63): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: User domain loop: group@domain Inter_F_Redes@NULL

support_member.cc(91): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default domain loop: group@domain Inter_F_Redes@NULL

support_member.cc(119): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default group loop: group@domain Inter_F_Redes@NULL

support_member.cc(121): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found group@domain Inter_F_Redes@NULL

support_ldap.cc(1007): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache

support_krb5.cc(131): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_EMPRESA.MIDOMINIO.CU_29507

support_krb5.cc(78): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: No default principal found in ccache : No credentials cache found

support_krb5.cc(263): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get default keytab file name

support_krb5.cc(269): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/proxysquid.keytab

support_krb5.cc(283): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/proxysquid.keytab

support_krb5.cc(294): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EMPRESA.MIDOMINIO.CU

support_krb5.cc(306): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found principal name: PROXYSQUID$@EMPRESA.MIDOMINIO.CU

support_krb5.cc(326): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got principal name PROXYSQUID$@EMPRESA.MIDOMINIO.CU

support_krb5.cc(390): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Stored credentials

support_ldap.cc(1048): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Initialise ldap connection

support_ldap.cc(1057): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EMPRESA.MIDOMINIO.CU

support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc1.empresa.midominio.cu

support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC1.empresa.midominio.cu

support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC2.empresa.midominio.cu

support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc2.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 1 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 2 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 3 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 4 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 5 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu

support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 6 of EPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu

support_resolv.cc(407): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Adding EMPRESA.MIDOMINIO.CU to list

support_resolv.cc(443): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain EMPRESA.MIDOMINIO.CU:

support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: PDC2.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100

support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: pdc1.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100

support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: EMPRESA.MIDOMINIO.CU Port: -1 Priority: -2 Weight: -2

support_ldap.cc(1068): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Setting up connection to ldap server PDC2.empresa.midominio.cu:389

support_ldap.cc(1081): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_ldap.cc(1100): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server PDC2.empresa.midominio.cu:389

support_ldap.cc(316): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)

support_ldap.cc(665): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext

support_ldap.cc(719): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext

support_ldap.cc(327): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu and filter: (ldapdisplayname=samaccountname)

support_ldap.cc(332): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Found 1 ldap entry

support_ldap.cc(341): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Determined ldap server as an Active Directory server

support_ldap.cc(1232): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=EMPRESA,dc=MIDOMINIO,dc=CU and filter : (samaccountname=usuario1.apellido)

support_ldap.cc(1247): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Found 1 ldap entry

support_ldap.cc(665): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof

support_ldap.cc(719): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: 5 ldap entries found with attribute : memberof

support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" in hex UTF-8 is 496e7465725f465f5265646573

support_ldap.cc(1285): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" matches group name "Inter_F_Redes"

support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" in hex UTF-8 is 41646d696e6973747261646f7265732064656c20646f6d696e696f

support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" does not match group name "Inter_F_Redes"

support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" in hex UTF-8 is 446f6d61696e2041646d696e73

support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" does not match group name "Inter_F_Redes"

support_ldap.cc(1588): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Unbind ldap server

support_member.cc(125): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: INFO: User usuario1.apellido is member of group@domain Inter_F_Redes@NULL

Si el usuario existe, deberá devolver “OK”:

OK 
kerberos_ldap_group.cc(471): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: OK

1 2	OK kerberos_ldap_group.cc(471): pid=29507 :2020/06/02 11:52:07\| kerberos_ldap_group: DEBUG: OK

Si tecleamos un usuario que no pertenece al grupo, respuesta será un error en su lugar:

ERR

ERR

Terminamos el “kinit” con el usuario “administrator”:

kdestroy

kdestroy

Verificamos que se haya cerrado la conexión:

klist

klist

Debe devolver lo siguiente:

klist: No credentials cache found (filename: /tmp/krb5cc_0)

1	klist: No credentials cache found (filename: /tmp/krb5cc_0)

Relacionado

Jesús Sanz
21 septiembre, 2020 a las 3:16 pm
Firefox 80.0 Windows 10 x64 Edition
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Alexander en la línea de código de Comprobando la autenticación por LDAP básico hay un error de signo de puntuación en squid@empresa,midominio.cu
(sustituir , por .). Felicidades por el parto…. buen trabajo de todos.

MEGATUTORIAL Squid 5. Quinta Parte.

ÍNDICE

3.5 Integración Squid-ADDC por Kerberos, mediante Ticket.

Relacionado

1 comentario

Dejar una contestacion