This article describes how to set up transparent Squid authentication against Active Directory.
Prerequisite: your Linux box has joined the domain, see article: Debian active directory authentication
Just remember to check your DNS config in resolv.conf:
Make a reverse check with
Ensure the time is correct
Generate keytab file:
# msktutil -c -b "CN=COMPUTERS" -s HTTP/serverproxy.unknown.local -k /etc/the.keytab --computer-name serverproxy --upn HTTP/serverproxy.unknown.local --server dc.unknown.local --enctypes 28
The keytab file must be readable by the processes that will use it, for example Squid.
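The keytab contains the long-term keys of the HTTP service principal, so it should be readable by the Squid account and by no other local user. The script below is an added example, not part of the original article, that audits this; it assumes GNU stat (as on Debian), and the account name "proxy" in the usage line is an assumption to replace with the account Squid runs as on your system.

```shell
#!/bin/sh
# Added example (not from the original article): audit keytab permissions.
# Usage: sh keytab_audit.sh /etc/the.keytab proxy
#   "proxy" is an assumption: the account Squid runs as on your system.

# keytab_audit FILE ACCOUNT
# Returns 0 if ACCOUNT can read FILE through the owner or group bits and no
# other local user can touch it; prints each finding and returns 1 otherwise.
keytab_audit() {
    file=$1; account=$2; rc=0
    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }

    # GNU stat (Debian): octal mode, owner name, group name.
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3
    usr=$(( (mode / 100) % 10 ))
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))

    # The keytab holds the service's long-term keys: nobody outside
    # owner/group may read or replace it.
    [ "$oth" -eq 0 ] || { echo "FAIL: mode $mode grants access to all local users"; rc=1; }
    [ $(( grp & 2 )) -eq 0 ] || { echo "FAIL: group $group can overwrite the keytab"; rc=1; }

    # The service account still has to be able to read it. When the account
    # owns the file only the owner bits apply, otherwise the group bits.
    readable=no
    if [ "$owner" = "$account" ]; then
        [ $(( usr & 4 )) -eq 0 ] || readable=yes
    elif [ $(( grp & 4 )) -ne 0 ] &&
         id -Gn "$account" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        readable=yes
    fi
    [ "$readable" = yes ] || { echo "FAIL: $account cannot read $file ($owner:$group $mode)"; rc=1; }

    [ "$rc" -ne 0 ] || echo "OK: $file ($owner:$group $mode) is readable by $account via owner/group only"
    return "$rc"
}

# Run the audit only when both arguments are given on the command line.
if [ $# -eq 2 ]; then keytab_audit "$1" "$2"; fi
```

A typical layout that passes is owner root, group set to the Squid account's group, mode 640.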
In case of errors you can check if you got a ticket after kinit:
You can also check if the keytab was successfully generated with servers
Ensure the keytab is renewed; put this in cron:
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL
# startup cannot exceed the children maximum; Squid caps it to that value
auth_param negotiate children 20 startup=20
auth_param negotiate keep_alive off
Include the variables before starting Squid; you can put them in /etc/profile
In the browser you must configure the proxy with its FQDN: