Category Archives: Linux (debian)

Squid transparent AD authentication

This article describes how to set up transparent Squid authentication against Active Directory.
Prerequisite: your Linux box has joined the domain, see the article: Debian active directory authentication

Just remember to check your DNS config in resolv.conf:

domain unknown.local
search unknown.local

Make a reverse DNS check with

# dig -x <nameserver ip>

Ensure the time is correct (Kerberos rejects tickets when the clock skew between client, proxy and DC is too large):

# ntpdate <windows DC>

Generate keytab file:

# kinit administrateur
# msktutil -c -b "CN=COMPUTERS" -s HTTP/serverproxy.unknown.local -k /etc/the.keytab --computer-name serverproxy --upn HTTP/serverproxy.unknown.local --server dc.unknown.local --enctypes 28

The keytab file must be readable by the processes that will use it, for example the squid user.
In case of errors, first check that you got a ticket after kinit:

# klist

You can also check that the keytab was generated successfully and lists the expected principals with

# klist -k /etc/the.keytab
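An added check (not from the original post) that goes one step beyond klist -k: it parses the MIT keytab format offline and confirms that the HTTP/ service principal has a key for every enctype selected by --enctypes 28 (msktutil's bitmask: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256). The sample keytab is constructed inline with dummy key bytes; reading /etc/the.keytab into parse_keytab checks the real one.

```python
import struct
# Kerberos enctype numbers (AES: RFC 3962, RC4: RFC 4757) and the AD bitmask msktutil
# --enctypes takes: 28 = 0x4 (RC4-HMAC) | 0x8 (AES128-CTS) | 0x10 (AES256-CTS)
RC4_HMAC, AES128_CTS, AES256_CTS = 23, 17, 18
ENCTYPE_BITS = {0x4: RC4_HMAC, 0x8: AES128_CTS, 0x10: AES256_CTS}
def build_entry(principal, enctype, kvno, key):
    """Serialise one MIT keytab v2 entry for 'comp1/comp2@REALM' (only used for the sample)."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]  # realm, then components
    body = struct.pack(">H", len(parts) - 1)                           # component count
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)    # counted octet strings
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]; pos += 2
        strs = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip name_type, timestamp, vno8, keyblock header, key
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, spn, enctypes_mask):
    """True when spn has a key for every enctype selected by the --enctypes bitmask."""
    have = {e for p, e, _ in parse_keytab(data) if p == spn}
    want = {et for bit, et in ENCTYPE_BITS.items() if enctypes_mask & bit}
    return want <= have
SPN = "HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL"
# Constructed sample keytab with dummy key bytes, shaped like msktutil --enctypes 28 output.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(SPN, et, 3, bytes([et]) * 16) for et in (RC4_HMAC, AES128_CTS, AES256_CTS))
```

A missing enctype shows up as check_keytab returning False, which is the same mismatch that makes negotiate_kerberos_auth reject a service ticket the DC encrypted with an enctype the keytab lacks.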

Ensure the keytab is renewed automatically by adding this cron entry:

00 4  *   *   *     msktutil --auto-update --verbose --computer-name serverproxy | logger -t msktutil

Squid configuration:

### Automatic authentication via Kerberos
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/serverproxy.unknown.local@UNKNOWN.LOCAL
auth_param negotiate children 20 startup=30
auth_param negotiate keep_alive off

Set the keytab location in the environment before starting squid; you can put it in /etc/profile:

KRB5_KTNAME=/etc/the.keytab
export KRB5_KTNAME

In the browser you must configure the proxy with its FQDN (serverproxy.unknown.local), not its IP address, so that the service ticket the client requests matches the HTTP/ SPN in the keytab.


iproute2 multiple gateway

The workstation has IP and gateway

The Linux router has 4 NICs with the following IPs: eth1 eth2 eth3 eth0
The default gateway to reach the internet is
The internet can also be reached through

All the traffic coming to the Linux router uses the default gateway on eth0 to reach the internet.

Now we want to make an exception for the workstation
Instead of going out through eth0, its traffic should now use eth3.

Add a routing table named 4G with table ID 200:

echo 200 4G >> /etc/iproute2/rt_tables

Specify the routes in this table, using as default next hop the gateway of the interface, which is

ip route add dev eth1 table 4G
ip route add dev eth2 table 4G
ip route add default via table 4G

Now specify the client (here the workstation) that will use this table:

ip rule add from table 4G

Debian java 8 setup

Java 8 setup (for ELK for example):

echo "deb trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp:// --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

Activate this Java version:

# show all installed Java versions
update-java-alternatives -l
# set one of the installations as the default:
update-java-alternatives -s java-8-oracle