msktutils

• apt-get install msktutil

create computeraccount and a local keytab

• kinit administrator

PROXY="lang.linuggs.lan"
DN="douglas.linuggs.lan"

• msktutil -c -b "CN=Computers" -s HTTP/$PROXY -k /etc/squid/PROXY.keytab --computer-name PROXYSRV-HTTP --upn HTTP/$PROXY --server $DN -N

chown proxy.proxy /etc/squid3/PROXY.keytab

/etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

on the top of /etc/squid/squid.conf add

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow all auth

restart

service squid3 start

client Machine

Set your proxy to server dewey.xinux.org using port 3128. It is important that you use the fully qualified domain name and NOT the IP address.

debugging

• http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-kerb-auth-received-type-1-NTLM-token-td2131613.html

sources

• http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
• http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
• http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
• http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
• http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp