Configuring the client side of Kerberos

To configure the client side of Kerberos:

  1. Rename the squid.keytab file to krb5.keytab and place it in the /etc folder. To do so, execute the command:

    mv /tmp/squid.keytab /etc/krb5.keytab

  2. Change the owner and group of the krb5.keytab file to the account under which the Squid service runs. To do so, run the following command depending on the operating system:
    • CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:

      chown squid:squid /etc/krb5.keytab

    • Ubuntu or Debian:

      chown proxy:proxy /etc/krb5.keytab

    By default, the owner of the krb5.keytab file is root (superuser), so Squid cannot read it until the owner is changed.

  3. Add the following parameters at the beginning of the /etc/squid/squid.conf file, depending on the operating system (replace the placeholders in angle brackets with your values):
    • CentOS or Red Hat Enterprise Linux:

      auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>
      auth_param negotiate children 10
      auth_param negotiate keep_alive on
      acl lan proxy_auth REQUIRED
      icap_send_client_username on
      http_access allow lan

    • SUSE Linux Enterprise Server:

      auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>
      auth_param negotiate children 10
      auth_param negotiate keep_alive on
      acl lan proxy_auth REQUIRED
      icap_send_client_username on
      http_access allow lan

    • Ubuntu or Debian:

      auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>
      auth_param negotiate children 10
      auth_param negotiate keep_alive on
      acl lan proxy_auth REQUIRED
      icap_send_client_username on
      http_access allow lan

  4. If you want to enable logging of events in debug mode, add the -d parameter to the first line (the auth_param negotiate program line) in the /etc/squid/squid.conf file:
    • CentOS or Red Hat Enterprise Linux:

      auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>

    • SUSE Linux Enterprise Server:

      auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -d -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>

    • Ubuntu or Debian:

      auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/<FQDN of the server hosting the Squid service>@<Active Directory realm>

    Debug events will be written to the file /var/log/squid/cache.log.

  5. Restart the Squid service. To do so, execute the command:

    service squid restart

  6. On enterprise LAN computers, in the browser settings, specify the FQDN address of the server hosting the Squid service as the proxy server.

The client side of Kerberos will be configured.
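
After completing the steps above, a check such as the following catches the slips that most often break Negotiate authentication: a keytab still owned by root, a keytab left readable by other accounts, or a helper line whose service principal does not match the Squid host. This is an added example, not part of the original page; it assumes GNU stat(1), and the expected owner:group (squid:squid or proxy:proxy) and the service principal are passed in as arguments.

```shell
#!/bin/sh
# Added example: post-configuration checks for the Squid Kerberos setup.
# Assumes GNU coreutils stat(1) (for the -c format option).

# check_keytab KEYTAB OWNER:GROUP
# Returns 0 when KEYTAB exists, is owned by OWNER:GROUP and is readable
# only by its owner (mode 600 or 400); prints the first problem found otherwise.
check_keytab() {
    keytab=$1; want=$2
    [ -f "$keytab" ] || { echo "missing keytab: $keytab"; return 1; }
    have=$(stat -c '%U:%G' "$keytab")
    [ "$have" = "$want" ] || { echo "keytab owned by $have, want $want"; return 1; }
    mode=$(stat -c '%a' "$keytab")
    # The keytab holds the HTTP service's long-term key; nobody but Squid
    # should be able to read it, so group/world read bits are a finding.
    case "$mode" in
        600|400) ;;
        *) echo "keytab mode $mode too permissive, want 600"; return 1 ;;
    esac
    return 0
}

# check_squid_conf CONF SPN
# Returns 0 when CONF configures negotiate_kerberos_auth for exactly SPN
# (with or without -d) and the lan ACL from the steps above is both
# defined and used in http_access.
check_squid_conf() {
    conf=$1; spn=$2
    grep -Eq "^auth_param negotiate program .*/negotiate_kerberos_auth( -d)? -s $spn\$" "$conf" \
        || { echo "no negotiate helper line for $spn in $conf"; return 1; }
    grep -Eq '^acl lan proxy_auth REQUIRED$' "$conf" \
        || { echo "acl lan proxy_auth REQUIRED missing in $conf"; return 1; }
    grep -Eq '^http_access allow lan$' "$conf" \
        || { echo "http_access allow lan missing in $conf"; return 1; }
    return 0
}

# Typical invocation on a CentOS/RHEL host (values are placeholders):
#   check_keytab /etc/krb5.keytab squid:squid
#   check_squid_conf /etc/squid/squid.conf HTTP/proxy.example.com@EXAMPLE.COM
```

Run both checks before restarting Squid; a non-zero exit code names the step that needs revisiting.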
