[squid-users] Re: squid_kerb_auth for AD auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 7 Sep 2012 17:10:42 +0100

Hi Sean,

   If you see NTLM tokens in squid_kerb_auth then either you have not
created a keytab for squid or the client cannot get an HTTP/<squid> ticket
from AD. Please capture traffic on port 88 for Kerberos traffic on the
client and on port 3128 for squid traffic.

Markus

"Sean Boran" <sean_at_boran.com> wrote in message
news:CAOnghjunh71a43eomdSR5UH-rnLXjx2iLWLFKGoR49FP_83ADQ_at_mail.gmail.com...
> For Windows systems in a domain, what is the typical strategy? Would
> one usually
> A. Authenticate via Kerberos (only IE browsers, or also Chrome/FF?)
> B. else authenticate via NTLM (IE only?)
> C. else use LDAP (all other browsers and Linux, or Windows PCs not in
> the domain).
>
> Is it right to say that if Kerberos is enabled, but not basic/LDAP,
> then non-IE browsers cannot log in?
> Or will Kerberos work for all browsers on a Windows system in the domain?
>
> Or have I completely misunderstood? :-)
>
> Starting off with C) squid_ldap_auth, which works fine, the next step
> is Kerberos.
>
> For Kerberos, my main reading references are:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
> http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> Running squid/3.HEAD-20120814-r12282.
>
> On the Linux level, Kerberos and Samba are installed/configured, the
> system is in the domain (wbinfo -t) and "kinit -V username" works
> fine. NTLM auth on the command line looks ok too (/usr/bin/ntlm_auth
> --domain=MYDOMAIN --username=myuser)
>
> In squid, Kerberos is configured as follows:
> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
> -d -i -s GSS_C_NO_NAME
> auth_param negotiate children 10 startup=1 idle=5
> auth_param negotiate keep_alive on
> acl restricted proxy_auth REQUIRED
>
>
> After restarting squid, log entries look good:
> Sep 7 09:10:31 proxy squid[26997]: helperOpenServers: Starting 1/10
> 'squid_kerb_auth' processes
>
> Trying to connect with IE causes a login box to pop up in the browser
> and squid to log:
> ERROR: Negotiate Authentication validating user. Error returned 'BH
> received type 1 NTLM token'
>
> in cache.log:
> 2012/09/07 09:22:53.421| ACL::checklistMatches: checking 'restricted'
> 2012/09/07 09:22:53.421| Acl.cc(65) AuthenticateAcl: returning 3
> sending authentication challenge.
>
> I can give a valid or invalid username/password to the popup box,
> but no access is granted and I don't see any usernames or
> squid_kerb_auth lines in the cache.log.
>
> Question: how can one debug in detail what squid_kerb_auth is doing?
> The "-d" option does not seem to show much? (debug_options ALL,1 83,5
> 23,2 26,9 28,9 33,4 84,3: any better suggestions?)
>
> Doing some "tcpdump -A" tracing:
> - browser sends: GET http://google.com/ HTTP/1.1
> - proxy answers
> HTTP/1.1 407 Proxy Authentication Required
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
> - browser sends back:
> Proxy-Authorization: Negotiate
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> - proxy answers
> HTTP/1.1 407 Proxy Authentication Required
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Negotiate
>
> Also tried Kerberos with NTLM; in this case access is always denied,
> no popup. Tcpdump shows similar handshaking.
> auth_param negotiate program
> /usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --domain=MYDOMAIN --kerberos /usr/local/squid/libexec/squid_kerb_auth
> -d -i -s GSS_C_NO_NAME
> -
>
> Thanks in advance for any tips :-)
>
Received on Fri Sep 07 2012 - 16:11:03 MDT
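A small diagnostic, added here as an example and not part of the thread or of Squid: it decodes the token a client puts after `Proxy-Authorization: Negotiate` and tells a raw NTLMSSP message (what the capture above shows, and what squid_kerb_auth rejects as "type 1 NTLM token") from a GSS-API/SPNEGO token by its mechanism OID. The SPNEGO sample it builds is a constructed minimal wrapper with no real inner ticket, and `PAGE_TOKEN` is the blob copied from the tcpdump output above.

```python
# Classify what a client put after "Proxy-Authorization: Negotiate": a raw NTLMSSP
# message (the "received type 1 NTLM token" failure above) or a GSS-API/SPNEGO token.
import base64
import struct

# DER-encoded mechanism OIDs (value bytes only, without the 0x06 tag and length)
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos v5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos v5 (1.2.840.48018.1.2.2)",
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Type 1 token from the tcpdump capture quoted in the thread
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

def _skip_der_length(buf: bytes, pos: int) -> int:
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:                  # short form: the byte is the length
        return pos + 1
    return pos + 1 + (first & 0x7F)   # long form: low 7 bits = number of length bytes

def classify_negotiate_token(b64: str) -> str:
    """Describe the base64 token that follows 'Negotiate ' in the header."""
    b64 = b64.strip().rstrip("=")     # tolerate padding lost in copy/paste
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    # NTLMSSP: fixed 8-byte signature, then a little-endian 32-bit message type
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"NTLM type {msg_type} ({NTLM_TYPES.get(msg_type, 'unknown')})"
    # GSS-API InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }
    if raw[:1] == b"\x60" and len(raw) > 1:
        pos = _skip_der_length(raw, 1)
        if len(raw) < pos + 2 or raw[pos] != 0x06:
            return "GSS-API token with unexpected inner tag"
        oid = raw[pos + 2:pos + 2 + raw[pos + 1]]
        return "GSS-API token, mechanism " + MECH_OIDS.get(oid, "unknown OID " + oid.hex())
    return "unrecognised token"

def sample_spnego_token() -> str:
    """Constructed minimal GSS-API wrapper naming SPNEGO (demo only, no real inner token)."""
    oid = bytes.fromhex("2b0601050502")
    body = b"\x06" + bytes([len(oid)]) + oid
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

if __name__ == "__main__":
    print(classify_negotiate_token(PAGE_TOKEN))             # NTLM type 1 (NEGOTIATE)
    print(classify_negotiate_token(sample_spnego_token()))  # GSS-API token, mechanism SPNEGO ...
```

If a client that should be using Kerberos produces "NTLM type 1" here, the client never obtained an HTTP/<squid> service ticket, which is the keytab or SPN problem Markus describes above.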

This archive was generated by hypermail 2.2.0 : Sat Sep 08 2012 - 12:00:04 MDT