Hello,
I am setting up Kerberos auth on squid (3.1.15), but it won't work.
Browser (IE 8) keeps on poping up the username/password window, but
authentication is never successful. Yet, I don't see any logging of
failed authentication attempts in kerberos logs at all! It's as if squid
is not communicating with kerberos server. Yet, kinit from the command
line works fine (see details below).
What am I doing wrong? Am I missing something?
I need your help.
Thanks,
Nick
Details of the setup follow (true names/IP addresses have been changed):
I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on
kerb.example.com and I am setting up squid on squid.example.com; it's
Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here:
ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm).
Host squid.example.com is also setup as a kerberos client.
So, I have added to kerberos a host:
host/squid.example.com_at_EXAMPLE.COM
and a service:
HTTP/squid.example.com_at_EXAMPLE.COM
Then, I created a keytab file (httpsquid.keytab) for the latter:
[root_at_squid]# kadmin.local
Authenticating as principal userx/admin_at_EXAMPLE.COM with password.
kadmin.local: addprinc HTTP/squid.example.com_at_EXAMPLE.COM
WARNING: no policy specified for HTTP/squid.example.com_at_EXAMPLE.COM;
defaulting to no policy
Enter password for principal "HTTP/squid.example.com_at_EXAMPLE.COM":
Re-enter password for principal "HTTP/squid.example.com_at_EXAMPLE.COM":
Principal "HTTP/squid.example.com_at_EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.com
Entry for principal HTTP/squid.example.com with kvno 2, encryption type
AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
DES cbc mode with RSA-MD5 added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
...moved it to /etc/squid and changed ownership to root:squid and
permissions: 640.
I have checked that the keytab file works:
[root_at_squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com
Authenticated to Kerberos v5
I also added to the start of /etc/init.d/squid the lines:
KRB5_KTNAME=/etc/squid/httpsquid.keytab
export KRB5_KTNAME
Then, I checked that kerberos authentication is enabled (as explained
e.g. here:
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html),
then I specified (in IE, Internet Options / Connections / LAN Settings)
squid.example.com as a Proxy on port 3128 and I have tried to visit any
page. As I explained, browser (IE 8) keeps on poping up the
username/password window, but authentication is never successful. I have
tried the following as username, without success:
userx
EXAMPLE.COM\userx
userx_at_example.com
userx_at_EXAMPLE.COM
On the other hand, Firefox 6 (with similar settings) doesn't show any
pop up window; it just fails.
I have tried the three following configuration alternatives, but it
didn't make any difference:
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s
HTTP/squid.example.com
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
Here is /etc/squid/squid.conf:
---------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.10.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localhost
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
#http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Disable caching
cache deny all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
debug_options ALL, 9
---------------------------------------------------------------
And below is /etc/krb5.conf (on squid.example.com):
---------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm =EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerb.example.com:88
admin_server = kerb.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
---------------------------------------------------------------
This archive was generated by hypermail 2.2.0 : Thu Sep 22 2011 - 12:00:03 MDT