[squid-users] Re: Kerberos auth with Active Directory.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 3 Nov 2010 06:40:30 -0000

Are you sure Safari supports proxy authentication with Negotiate or only Web
authentication with Negotiate?

Markus

----- Original Message -----
From: "Rolf Loudon" <rolf_at_ses.tas.gov.au>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Sent: Wednesday, November 03, 2010 5:07 AM
Subject: [Partly solved] Re: [squid-users] Re: Kerberos auth with Active Directory.

hello

Thank you again for your advice. Researching the SASL support requirements
I discovered from the output of configure for squid_kerb_ldap that the check
for sasl.h returned no. So I identified the debian package libsasl2-dev and
installed that, recompiled and it works.

My issue now is that Mac OS X Safari (version 5.0.2), despite all the
information saying it supports Kerberos, appears not to. No authentication
information appears at the proxy using it as a browser. I need to research
this further, but do you by chance have any ideas?

Thanks and regards

rolf.

On 03/11/2010, at 9:08 AM, Markus Moeller wrote:

>
>> "Rolf Loudon" <rolf_at_SES.TAS.GOV.AU> wrote in message
>> news:EA4139A9-AF4D-4E0D-8A05-C7B0C3EF46C2_at_SES.TAS.GOV.AU...
>> hello
>
> Hi Rolf
>
>>
>> I am trying to set up Kerberos auth against Active Directory - Windows
>> 2000 - in Squid 2.7. This is primarily so that the username is captured
>> in the access log. But also user-based access control will occasionally
>> be used.
>>
>> I've installed the squid_kerb_auth software from
>> http://squidkerbauth.sourceforge.net/
>>
>> The relevant squid config looks like this:
>>
>> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/local/squid/squid_kerb_ldap -d -g active-directory-group_at_my.domain
>>
>> acl ldap_group_check external squid_kerb_ldap
>>
>> acl k_test src [some.test.host.address]
>> http_access allow k_test ldap_group_check
>> http_access deny k_test
>>
>>
>> Initially I used the msktutil package to create the AD account keytab,
>> thus:
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k
>> /etc/squid/HTTP.keytab --computer-name squidhost --upn
>> HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose
>>
>> This produced the desired keytab but in the verbose output noted that the
>> ticket version number was not returned ("must be Windows 2000" - it is)
>> and so set the kvno to zero. This is reflected in the output of kvno
>> HTTP/squidhost.my.domain
>>
>
> I think you should set it to 1 for Windows 2000, and I recall msktutil has
> some code to deal with Win 2000.
>
>> When the client connected (Mac OS X 10.6) using the Chrome browser,
>> squid's cache.log reported that the ticket version number didn't match:
>>
>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. Key version number for
>> principal in key table is incorrect.
>>
>> Using kvno HTTP/squidhost.my.domain on this client the version number was
>> 3 while doing the same on the proxy the version was zero. So that made
>> sense.
>>
>
> I am surprised. Plain Win 2000 does not support kvno.
>
>> I fixed this by not using msktutil and using ktpass on the Active
>> Directory server and specifying -kvno 3. Installed this on the proxy
>> host and that error went away.
>>
>> Reading about ktpass and Kerberos auth in Microsoft's KB, it said that
>> the (squid) host needs to have an account created for it as a user in the
>> domain. Weird, but I did this, using the host name as the user shortname.
>> I used this hostname in ktpass with -mapuser.
>>
>
> The difference here is that MS uses a user account in AD and associates
> the key with it, whereas msktutil uses a computer account. Using a user
> account means you have to disable password expiry; otherwise the keytab
> becomes invalid after the expiry time. This is the reason I prefer msktutil.
>
>> Now in squid's cache.log the logs show, in part,
>>
>> 2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with
>> rc=102
>> 2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf_at_MY.DOMAIN
>> 2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
>> 2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group_at_domain
>> actiive-directory-group_at_my.domain
>> 2010/11/02 12:01:55| squid_kerb_ldap: Found group_at_domain
>> active-directory-group_at_my.domain
>> 2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
>> 2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
>> 2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name
>> /etc/squid/HTTP.keytab
>> 2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab
>> /etc/squid/HTTP.keytab
>> 2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name:
>> MY.DOMAIN
>> 2010/11/02 12:01:55| squid_kerb_ldap: Found principal name:
>> HTTP/squidhost.my.domain_at_MY.DOMAIN
>> 2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to
>> MEMORY:squid_ldap_20411
>> 2010/11/02 12:01:55| squid_kerb_ldap: Got principal name
>> HTTP/squidhost.my.domain_at_MY.DOMAIN
>> 2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
>> 2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
>> 2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for
>> domain MY.DOMAIN
>>
>> Apart from the first line ("failed with rc=102"), this looks OK.
>>
>
> That only happens if your Kerberos implementation does not support
> SPNEGO, and it is a warning only.
>
>> Then there are many (from debugging I presume) instances of:
>>
>> squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to
>> ad-domain-controller.my.domain
>> for various domain controllers on the network.
>>
>> Then lots of
>>
>> 2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap
>> server various-domain-servers-and-workstations_at_my.domain:389
>> 2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system
>>
>
> You need SASL support to authenticate to AD.
>
>> Finally, these log entries show the deny reason: that I'm not a
>> member of the group. But I can confirm that I am a member of the group:
>>
>> 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
>> connection: Success
>> 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
>> connection: Success
>> 2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of
>> group_at_domain active-directory-group_at_my.domain
>> 2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group_at_domain
>> active-directory-group_at_my.domain
>> 2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group_at_domain
>> active-directory-group_at_my.domain
>> 2010/11/02 12:02:09| squid_kerb_ldap: ERR
>>
>
> This is because the ldap connection failed.
>
>> I have tried many combinations of service keytab creation and so on, but
>> I cannot get any further than this. Any help most appreciated.
>>
>> thanks
>>
>> rolf.
>>
>
> Markus
>
>
Received on Wed Nov 03 2010 - 06:42:19 MDT

This archive was generated by hypermail 2.2.0 : Wed Nov 03 2010 - 12:00:02 MDT