     
  In this sample configuration tutorial, we use 2 "clean" VMware virtual machines - one running CentOS 7 and another running Windows 7. The VMs are interconnected via a VMware NAT virtual network.
   
 
   
  Set up MIT Kerberos and Squid on CentOS 7
   
  Start the CentOS 7 VM.
   
   
  Install MIT Kerberos:

[root@localhost ~]# yum install krb5-server krb5-libs krb5-workstation

The version of MIT Kerberos in this sample is 1.15.1-37.
   
   
  Install Squid:

[root@localhost ~]# yum install squid

The version of Squid in this sample is 3.5.20.
   
   
  Edit /etc/hosts and add the following entries (replace the IP addresses with your own):

192.168.241.146 vm-centos7
192.168.241.146 kerberos.vm-centos7
192.168.241.107 vm-win7.vm-centos7
   
   
  Modify the default /etc/krb5.conf as follows:

# Kerberos library/client configuration for the VM-CENTOS7 realm.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # The realm comes from the [domain_realm] mapping below, not from DNS lookups.
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 # Tickets may be forwarded to another host, which then acts on the user's
 # behalf; review whether your clients actually need this before keeping it.
 forwardable = true
 # Do not canonicalize service host names through reverse DNS.
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = VM-CENTOS7
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 VM-CENTOS7 = {
   # These names resolve through the /etc/hosts entries added in this tutorial.
   kdc = kerberos.VM-CENTOS7
   admin_server = kerberos.VM-CENTOS7
 }

[domain_realm]
 # Map the vm-centos7 host name and any sub-names onto the realm.
 .vm-centos7 = VM-CENTOS7
 vm-centos7 = VM-CENTOS7
   
   
  Modify the default /var/kerberos/krb5kdc/kadm5.acl as follows:

*/admin@VM-CENTOS7      *
   
   
  Modify the default /var/kerberos/krb5kdc/kdc.conf as follows:

# KDC configuration for the VM-CENTOS7 realm.
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 VM-CENTOS7 = {
   # Who may administer the database (see kadm5.acl).
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   # Passwords found in this word list are rejected when principals are created.
   dict_file = /usr/share/dict/words
   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
   # Enctypes offered for new principals. arcfour-hmac (RC4) and the des-*
   # entries are legacy/weak; this sample keeps RC4 only because its
   # principals are created with "-e rc4-hmac:normal" for the Windows 7
   # client. Prefer the aes256-cts/aes128-cts entries wherever clients allow.
   supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal \
     camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
   
   
  Create the KDC database and set a master password. The "-s" option writes a stash file, so you do not need to enter the master password each time the KDC starts:

[root@localhost ~]# kdb5_util create -r VM-CENTOS7 -s
   
   
  Create an admin principal "root/admin":

[root@localhost ~]# kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: exit
   
   
  Start the Kerberos KDC and kadmin daemons and configure Linux to run them on system startup:

[root@localhost ~]# systemctl start krb5kdc.service
[root@localhost ~]# systemctl enable krb5kdc.service
[root@localhost ~]# systemctl start kadmin.service
[root@localhost ~]# systemctl enable kadmin.service
   
   
  Create a test Kerberos user "user1"; its password must match that of your test Windows user account on the Windows 7 VM.
Create a host principal for the Windows 7 VM, "host/vm-win7.vm-centos7", and remember its password - you will need it when setting up the Windows Kerberos client.
Create a service principal for Squid, "HTTP/VM-CENTOS7".
Extract a keytab file for Squid:

kadmin -p root/admin@VM-CENTOS7
kadmin: addprinc -e rc4-hmac:normal user1
kadmin: addprinc -e rc4-hmac:normal host/vm-win7.vm-centos7
kadmin: addprinc -e rc4-hmac:normal HTTP/VM-CENTOS7
kadmin: ktadd -k /etc/squid/HTTP.keytab -e rc4-hmac:normal HTTP/VM-CENTOS7
kadmin: exit
   
   
  Squid will run as a non-privileged user, so the keytab file created in the previous step must be readable by that account. The command below makes it readable by every local user; a tighter alternative is to give the file to the account Squid runs as and use a mode such as 0640, since a keytab holds the service's long-term key:

[root@localhost ~]# chmod a+r /etc/squid/HTTP.keytab
   
   
  Open /etc/squid/squid.conf in a text editor, find the line "http_access allow localnet", comment it out, and then, after the next line "http_access allow localhost", add the following lines (if your CentOS is 32-bit replace "lib64" with "lib"):

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth \
   -s HTTP/VM-CENTOS7 \
   -k /etc/squid/HTTP.keytab \
   -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth

Note: "-d" makes the authentication helper write debug messages to /var/log/squid/cache.log. The output is verbose, so remove "-d" once authentication is working.

The whole squid.conf after changes:

# squid.conf for this sample: only localhost and clients that authenticate
# with Kerberos (Negotiate) against HTTP/VM-CENTOS7 may use the proxy.
# http_access rules are evaluated top to bottom; the first match wins.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Refuse requests to destination ports outside the Safe_ports list.
http_access deny !Safe_ports

# Refuse CONNECT tunnels to anything other than SSL_ports.
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

# Deliberately disabled: an unconditional "allow localnet" would admit LAN
# clients before the auth rule below, so they would never be asked to authenticate.
#http_access allow localnet

http_access allow localhost

# Kerberos/Negotiate helper. "-s" is the service principal created on the KDC,
# "-k" the keytab extracted with ktadd (must be readable by the Squid user).
# "-d" enables debug output to cache.log; remove it once authentication works.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth \
   -s HTTP/VM-CENTOS7 \
   -k /etc/squid/HTTP.keytab \
   -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Matches only requests that carry valid proxy credentials.
acl auth proxy_auth REQUIRED

http_access allow auth

# Default deny for everything not matched above.
http_access deny all

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
   
   
  Finally, start and enable the Squid server:

[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
   
   
  Set up the native Kerberos client and ProxyCap on Windows 7
   
   
  Start the Windows 7 VM.
   
   
  Edit %SystemRoot%\system32\drivers\etc\hosts and add the following entries (replace the IP addresses with your own):

192.168.241.146   vm-centos7
192.168.241.146   kerberos.vm-centos7
192.168.241.107   vm-win7.vm-centos7
   
   
  Open the Command Prompt as Administrator.
   
   
  Configure the Kerberos client (replace "Administrator" with the name of your test Windows user account if needed; replace "password" with the password of the Kerberos principal "host/vm-win7.vm-centos7"):

c:\Windows\System32>ksetup /setrealm VM-CENTOS7
c:\Windows\System32>ksetup /addkdc VM-CENTOS7 kerberos.vm-centos7
c:\Windows\System32>ksetup /SetComputerPassword password
c:\Windows\System32>ksetup /mapuser user1@VM-CENTOS7 Administrator
   
   
  Install ProxyCap.
   
   
  Restart the Windows 7 VM.
   
   
  Log into Windows as "VM-CENTOS7\user1".
   
   
  Open ProxyCap Configuration.
   
   
  Add a new HTTP proxy server:

Type: HTTP
Hostname: VM-CENTOS7
Port: 3128

Check the "Proxy requires authentication" and "Use integrated Windows authentication" checkboxes.

Note that the value of "Hostname" above is used by ProxyCap to build the Kerberos service principal name (in this sample "HTTP/VM-CENTOS7"), so do not specify the IP address. The name must also be in uppercase here, otherwise the Linux KDC will not match it against the principal created earlier.
   
   
  Add a new HTTPS proxy server:

Type: HTTPS
Hostname: VM-CENTOS7
Port: 3128

Check the "Proxy requires authentication" and "Use integrated Windows authentication" checkboxes.
   
   
  Finally, create a pair of "redirect" routing rules in ProxyCap: one for destination port 80 that uses the HTTP proxy server, and another for destination port 443 that uses the HTTPS proxy server.
   
   