Re: [squid-users] Windows group authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Feb 2011 00:04:50 +0000

On Sun, 30 Jan 2011 15:25:56 -1000, Jean-Denis Girard
<jd.girard_at_sysnux.pf>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
>
> I have an old installation using squid-2.6.STABLE23 with ntlm_auth for
> Windows XP users belonging to a group; it works like a charm, but I want
> to upgrade it for various reasons (security, need to support Win7, ...).
>
> So I made a fresh Linux install (Mandriva-2010.2). It has
> squid-3.1-14.1mdv2010.1 (but the log says Squid Cache version 3.1.4).
>

If you can get a hold of a 3.1.10 you may enjoy it more.
We had a small audit of the NTLM and Kerberos handling with performance
bug fixes leading up to that release.

> Now I'm a bit confused about what is needed to achieve Windows
> authentication (XP, then 7). From the documentation, I understood that
> squid_kerb_auth should be enough, so I have this in squid.conf:
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
>
> The new server has joined the windows domain using msktutil (I'd like to
> avoid samba if possible). The DNS is OK, ntp is working so no clock
> problem. But authentication doesn't work, see log below. How should I
> configure the Windows group?
>
> So my question is simple: do I need anything else besides
> squid_kerb_auth for Windows group authentication? Are samba, ntlm_auth
> still needed?

Let's get the terminology right to start with, then the answer may become
clear to you...

 * groups CANNOT be authenticated, because they do not have a password or
key.

 * users CAN be authenticated, because they do have passwords or keys.

 * machines can have special user accounts with a key to identify them.

 * groups have users.

 * groups can only determine where a user is authorized to go or not to
go.

So back to your question, "what is needed to achieve Windows
authentication".

auth_param validates a user's login. REQUIRED.
 squid_kerb_auth is how to authenticate Negotiate protocol users.
 ntlm_auth from Samba is how to authenticate NTLM protocol users.

NOTE: these helpers ONLY check the one protocol each and have different
sets of auth_param which can be used simultaneously. So it is entirely up
to you whether you use only one or both.
 I suggest using both to start with so that software which has not been
adapted to Kerberos yet may still be able to log in via NTLM. Keep a watch
on this, and the main administrative task later will be fixing up this NTLM
software to use Kerberos.

ON TOP of this user authentication you can usually retain whatever group
authorization you had for NTLM. Kerberos is effectively NTLM v3 or v4.
Though it may require some extra parameters on the group checking helpers
to make them accept the Kerberos username format.

> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Got 'YR YIIGJgYGKwYBBQU
> [snip]
> bkIUQRH' from squid (length: 2107).
> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Decode
> 'YIIGJgYGKwYBBQUCoIIGGjCCBhagJDAiB
> [snip]
> 2011/01/07 10:10:43| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
> Unspecified GSS failure. Minor code may provide more information. Key
> table entry not found

This is the problem. The security key passed to Squid by the client is not
known.

There are some hints here:
http://fixunix.com/kerberos/60700-kinit-key-table-entry-not-found-while-getting-initial-credentials.html

Amos
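The layout described in the reply above (two auth_param protocol sets side by side, then group authorization on top of the authenticated login) as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the ntlm_auth path, the group helper path, the group name and the children/ttl values are assumptions to be adjusted for the local installation.

```squid
# Added example squid.conf fragment (not from the thread). Helper paths,
# group name and numeric values are assumptions for illustration.

# 1. User authentication (REQUIRED). Each auth_param set handles exactly
#    one protocol; listing both lets Kerberos-capable clients use
#    Negotiate while older software still logs in via NTLM.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# 2. Group authorization ON TOP of authentication. The external helper
#    receives the authenticated login name (%LOGIN) plus the group to test.
#    /path/to/group_helper is a placeholder for whichever group-checking
#    helper is installed; note that a Kerberos login arrives as
#    user@REALM while NTLM supplies DOMAIN\user, so the helper must be
#    told how to map the Kerberos form.
external_acl_type ad_group ttl=300 %LOGIN /path/to/group_helper
acl authenticated proxy_auth REQUIRED
acl proxy_users external ad_group ProxyUsers

# Order matters: force a valid login first, then authorize by group,
# and deny everything that does not match.
http_access deny !authenticated
http_access allow proxy_users
http_access deny all
```

Keeping the `-d` debug flag on squid_kerb_auth while testing is what produces the DEBUG lines quoted in the thread; once the keytab problem (`Key table entry not found`) is resolved and the group ACL allows traffic, drop the flag to keep cache.log quiet.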
Received on Tue Feb 01 2011 - 00:05:14 MST
