Hi all!
I just can't get Squid to work with Kerberos (Active Directory).
System: CentOS 7.5.
The domain name is "DOMAIN.local". Two domain controllers, on Windows 2012 and 2003.
I create the keytab on the 2012 controller:
ktpass.exe /princ HTTP/server-proxy.domain.local@DOMAIN.LOCAL /mapuser squid@DOMAIN.LOCAL /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass password /out C:\squid.keytab
krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = no
dns_lookup_realm = no
[realms]
DOMAIN.LOCAL = {
kdc = 192.168.0.10
kdc = 192.168.0.11
admin_server = 192.168.0.10
}
;[domain_realm]
; domain.local = DOMAIN.LOCAL
; .domain.local = DOMAIN.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
squid.conf (default config):
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/server-proxy-domain.local
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
Error:
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2018/08/30 15:15:15 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
Time is synchronized, everything is set up in DNS, and the proxy is specified in the browser by FQDN.
kinit -k HTTP/server-proxy.domain.local ; klist
Default principal: HTTP/server-proxy.DOMAIN.local@DOMAIN.LOCAL
Valid starting Expires Service principal
08/30/2018 15:23:38 08/31/2018 01:23:38 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 08/31/2018 15:23:38
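One check worth running in this situation, as an added example that is not part of the original post: negotiate_kerberos_auth can only validate tickets issued for a principal that exists in its keytab, so the name given to -s in squid.conf must match the principal that ktpass wrote. When it does not, the client cannot obtain a usable service ticket, the browser falls back to NTLM, and the helper logs "received type 1 NTLM token". The script below compares the -s value with a keytab listing; the squid.conf excerpt is taken from the post, while the keytab listing (the shape of `klist -kt` output) and the file path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the service principal
# squid.conf passes to negotiate_kerberos_auth (-s) against the principals in the
# keytab. A mismatch means the helper cannot decrypt client tickets; browsers
# then fall back to NTLM and the helper reports "received type 1 NTLM token".
#
# Constructed inputs: SQUID_CONF repeats the post's auth_param line,
# KEYTAB_LISTING mimics `klist -kt /etc/squid/squid.keytab` (path assumed).

SQUID_CONF='auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/server-proxy-domain.local
auth_param negotiate children 20'

KEYTAB_LISTING='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/30/2018 14:00:00 HTTP/server-proxy.domain.local@DOMAIN.LOCAL
   3 08/30/2018 14:00:00 HTTP/server-proxy.domain.local@DOMAIN.LOCAL'

# Print the principal given to -s on the negotiate helper line (empty if none).
squid_principal() {
    printf '%s\n' "$SQUID_CONF" \
        | sed -n 's/.*negotiate_kerberos_auth.* -s \([^ ]*\).*/\1/p' \
        | head -n 1
}

# Print the distinct principals in the keytab listing, realm stripped and
# lower-cased so that only the service/host part is compared.
keytab_principals() {
    printf '%s\n' "$KEYTAB_LISTING" \
        | awk 'NR > 3 { print $NF }' \
        | sed 's/@.*//' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# Return 0 if the -s principal is present in the keytab, 1 otherwise.
principal_in_keytab() {
    wanted=$(squid_principal | tr 'A-Z' 'a-z')
    [ -n "$wanted" ] || return 1
    keytab_principals | grep -Fxq "$wanted"
}

# Human-readable report; the functions above carry the actual result.
report() {
    if principal_in_keytab; then
        echo "OK: $(squid_principal) is in the keytab"
    else
        echo "MISMATCH: squid.conf uses '$(squid_principal)' but the keytab holds:"
        keytab_principals | sed 's/^/  /'
    fi
}

report
```

On a real host, replace the two constructed strings with `grep negotiate /etc/squid/squid.conf` and `klist -kt <keytab>` output; the comparison is deliberately case-insensitive on the service/host part because the browser derives the SPN from the proxy FQDN as the user typed it, while the realm is left out because the helper resolves it from krb5.conf.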