Squid with Kerberos and LDAP authentication in Active Directory (quick start)


  • Make users authenticate on the Squid proxy
    • Using Kerberos (single sign-on)
    • Falling back to LDAP if Kerberos fails (plain text)


  • Active Directory on Windows Server 2003 R2 SP2
  • Ubuntu Server 10.04 LTS + Squid 3.0 + Kerberos 5


Here is our example environment

Parameter name | Value

Let's configure

  1. Ubuntu: install Squid and Kerberos
    sudo apt-get install squid3 krb5-user
  2. Ubuntu: replace /etc/krb5.conf with the following config (default_realm belongs in the [libdefaults] section)
    [libdefaults]
            default_realm = COMPANY.LAN
  3. Windows: create user “squid” in Active Directory
  4. Windows: create a keytab and map it to the user “squid” (password “squid_password”) using ktpass (ktpass is part of the Windows Server 2003 Service Pack 1 Support Tools)
    ktpass -princ HTTP/ -mapuser squid -pass squid_password -ptype KRB5_NT_PRINCIPAL -out HTTP.keytab
  5. Ubuntu: move the newly created HTTP.keytab to /etc/squid3/HTTP.keytab
  6. Ubuntu: put the password into a separate file (it is used for the LDAP bind)
    echo "squid_password" | sudo tee /etc/squid3/LDAP.pass
  7. Ubuntu: fix permissions for security reasons
    sudo chown proxy:proxy /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
    sudo chmod 400 /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
  8. Ubuntu: point Squid to the keytab file
    echo "export KRB5_KTNAME=/etc/squid3/HTTP.keytab" | sudo tee /etc/default/squid3
  9. Ubuntu: add the authentication parameters to squid.conf
    1. Create /etc/squid3/squid.auth.conf with the following text (the file name must match the include line in the next step)
      # Enable Kerberos authentication first
      auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/
      auth_param negotiate children 10
      auth_param negotiate keep_alive on
      # Fallback to LDAP if Kerberos fails
      auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h -D "cn=squid,ou=users_special,dc=company,dc=lan" -W /etc/squid3/LDAP.pass
      auth_param basic children 5
      auth_param basic realm Squid proxy-caching web server
      auth_param basic credentialsttl 2 hours
      # Force authentication requirement
      acl auth proxy_auth REQUIRED
      http_access allow auth
    2. Patch /etc/squid3/squid.conf
      --- squid.conf.orig	2011-02-18 22:43:47.000000000 +0300
      +++ squid.conf	2011-11-23 20:36:10.348219178 +0400
      @@ -646,6 +646,9 @@
       #http_access allow localnet
       http_access allow localhost
      +# Include Kerberos and LDAP configuration
      +include /etc/squid3/squid.auth.conf
       # And finally deny all other access to this proxy
       http_access deny all
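Review bot: the include sits after `http_access allow localhost` and before `http_access deny all`, and that placement is the security-relevant part of this hunk: Squid evaluates http_access rules top to bottom and stops at the first match, so any `allow` rule placed above the include (such as the commented-out `#http_access allow localnet` directly above it) would let those clients through without authenticating, while placing the include below `deny all` would lock everyone out because `http_access allow auth` would never be reached. Keep `allow localnet` commented out if the whole LAN is meant to authenticate, and make sure `/etc/squid3/squid.auth.conf` is exactly the file name created in step 9.1.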
  10. Ubuntu: restart squid
    sudo /etc/init.d/squid3 restart


  1. You can check if your keytab works
    kinit -V -kt /etc/squid3/HTTP.keytab HTTP/

Some notes

  1. Kerberos needs DNS to be configured properly (if it is, you don't even need to configure /etc/krb5.conf)
  2. DNS needs to have host records (an A record and a reverse PTR record) for the proxy server ( is in our example)
  3. To use Kerberos in Ubuntu you just need to install “krb5-user” and run “kinit username@COMPANY.LAN”
  4. Internet Explorer doesn't fall back to LDAP authentication if Kerberos fails. So if you can't use Kerberos (for example when the PC isn't joined to the domain) you need to uncheck “Enable Integrated Windows Authentication” in Internet Options → Advanced → Security or use an alternative browser.
  5. You need to address the proxy by its full DNS name ( is in our example) or by a CNAME pointing to that name for Kerberos to work. Otherwise only LDAP plain-text authentication will work.
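As an added preflight script (not from the original page), the checks below cover step 7 (keytab and LDAP.pass permissions), step 9 (the include must be found, and `allow auth` must sit before `deny all` because Squid takes the first matching http_access rule) and notes 2 and 5 (forward and reverse DNS for the proxy must agree). The sample configuration embedded in it is constructed, and the hostname proxy.example.lan is a placeholder, since the page does not give one.

```python
import os, re, socket, stat

# Constructed sample: the patched squid.conf region and the included auth file
# from the page; the hostname is a placeholder, the page does not give one.
SAMPLE_FILES = {"/etc/squid3/squid.auth.conf": """\
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.lan
acl auth proxy_auth REQUIRED
http_access allow auth
"""}
SAMPLE_SQUID_CONF = "http_access allow localhost\ninclude /etc/squid3/squid.auth.conf\nhttp_access deny all\n"

def check_secret_file(path, expected_uid=None):
    """Step 7: the keytab and LDAP.pass must be mode 0400 and owned by the Squid user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems, mode = [], stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit exposes the secret
        problems.append(f"{path}: mode {mode:04o}, want 0400")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, want {expected_uid}")
    return problems

def expand_includes(text, files):
    """Inline 'include <path>' from files (path -> text) so rules are seen as Squid sees them."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*include\s+(\S+)", line)
        if m and m.group(1) not in files:  # a misspelled include name is an error, not silence
            raise FileNotFoundError(m.group(1))
        out.extend(expand_includes(files[m.group(1)], files) if m else [line.strip()])
    return out

def auth_is_enforced(lines):
    """First-match http_access: proxy_auth acl defined and 'allow auth' before 'deny all'."""
    rules = [l for l in lines if l and not l.startswith("#")]
    needed = ("acl auth proxy_auth REQUIRED", "http_access allow auth", "http_access deny all")
    if any(r not in rules for r in needed):
        return False
    return rules.index(needed[1]) < rules.index(needed[2])

def dns_consistent(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Notes 2 and 5: the proxy's A and PTR records must agree (client builds HTTP/<fqdn>)."""
    try:
        return reverse(forward(host))[0].lower() == host.lower()
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return False
```

Run it on the proxy host with the real paths (`check_secret_file("/etc/squid3/HTTP.keytab", pwd.getpwnam("proxy").pw_uid)`) and the real squid.conf text; the DNS check uses the system resolver unless you pass your own lookup functions.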