Re: [squid-users] squid_kerb_auth for AD auth

From: Sean Boran <sean_at_boran.com>
Date: Wed, 12 Sep 2012 13:19:34 +0200

Hi,

Thanks. Actually spent time yesterday building a new machine from
scratch and building squid and associated components, because the
kerberos behavior (keytab) did not seem right. My test box had been
used for several squid test versions, and thus may have had a mixture
of binaries...

Anyway, after the fresh install, kerberos "just worked"!

- The logging to cache.log by the auth processes is as expected too.
- Tested with IE and Chrome on a Windows machine in the domain;
kerberos did its job. Usernames are visible in the access log, for
example.

Both of the following worked (for those who search this thread later :-)

  auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper_auth -i --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN

  auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME

On a Windows machine *not* in the domain, access is denied (as
expected), but the user is not prompted for a password.
So I think ldap is needed too?

Tested ldap alone, as follows. Works:

  auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=mydomain,dc=net" -D myaccount@mydomain.net -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ldap.mydomain.net -p 3268

Then re-enabled the kerberos with ldap after it.
Kerberos works as before, but on the test PC not in the domain,
entering the username/pw in the browser popup never allows access. I
think kerberos is causing the popup; the ldap realm, for example, is
not shown.

All the docs I found online just indicated adding one after the other.
The auth_param doc (http://www.squid-cache.org/Doc/config/auth_param/)
does not explain how the hand-off between the authentication methods
works.

Any suggestions please?

Sean

-----------------------
Sep 11, 2012; 12:14am Markus Moeller wrote:
Hi Sean,

  When I said client I meant the Windows client (or do you also have Unix
clients?). On Windows you can install a tool called kerbtray which shows you
the tickets you have. If you don't see any ticket for HTTP/<squid-fqdn> you
need to use a capture tool like wireshark and look at the traffic on port 88
(the kerberos authentication port). You should see a TGS request from the
client to AD and a TGS reply from AD with either the ticket or an error
message. Let me know what error message you get as I assume you will have
one.

Markus
Received on Wed Sep 12 2012 - 11:19:42 MDT
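As an added illustration of the hand-off Sean asks about (this is not code from the thread or from the Squid project): Squid does not fall from one scheme to the next itself. A 407 reply carries one Proxy-Authenticate header per configured scheme, in the order the auth_param directives first appear in squid.conf, and the browser picks the first offered scheme it can do. The script below parses a constructed squid.conf fragment built from the two stanzas quoted in the mail (the realm, children count and acl lines are assumptions, as are the helper names in the reversed fragment in the test), prints the challenge order, models which scheme clients with different capabilities would end up using, and flags the things a defender would check in that stack: Basic listed ahead of Negotiate/NTLM, the -W bind-password file, and the -d debug flag left on the LDAP helper.

```python
import shlex

# Constructed squid.conf fragment mirroring the two auth_param stanzas in the
# thread, stacked in the order Sean describes (negotiate first, then basic).
# The realm, children count and acl/http_access lines are assumptions.
SAMPLE_CONF = """
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=mydomain,dc=net" -D myaccount@mydomain.net -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h ldap.mydomain.net -p 3268
auth_param basic realm Proxy login
acl auth proxy_auth REQUIRED
http_access allow auth
http_access deny all
"""


def parse_auth_schemes(conf_text):
    """Return [(scheme, {'program': [...], 'realm': str|None}), ...] in the
    order each scheme first appears. That order is the order Squid offers
    the schemes to the client."""
    schemes, order = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the quoted base DN
        if len(parts) < 4 or parts[0] != "auth_param":
            continue
        scheme, key, value = parts[1].lower(), parts[2], parts[3:]
        if scheme not in schemes:
            schemes[scheme] = {"program": None, "realm": None}
            order.append(scheme)
        if key == "program":
            schemes[scheme]["program"] = value
        elif key == "realm":
            schemes[scheme]["realm"] = " ".join(value)   # realm may contain spaces
    return [(s, schemes[s]) for s in order]


def challenge_headers(schemes):
    """Proxy-Authenticate values a 407 reply would carry, one per scheme, in
    configured order. Digest is shown with its realm only (nonce omitted)."""
    headers = []
    for scheme, cfg in schemes:
        realm = cfg["realm"] or "Squid proxy-caching web server"  # Squid's default
        if scheme == "negotiate":
            headers.append("Negotiate")
        elif scheme == "ntlm":
            headers.append("NTLM")
        elif scheme == "basic":
            headers.append('Basic realm="%s"' % realm)
        elif scheme == "digest":
            headers.append('Digest realm="%s"' % realm)
    return headers


def choose_scheme(headers, client_supports):
    """Model of the client side of the hand-off: the browser takes the first
    offered scheme it can speak. None means no usable scheme, so no prompt
    and the request stays at 407."""
    for header in headers:
        name = header.split(None, 1)[0].lower()
        if name in client_supports:
            return name
    return None


def lint_auth_order(schemes):
    """Defender-side checks on a stacked auth_param configuration."""
    findings = []
    names = [s for s, _ in schemes]
    strong = [names.index(n) for n in ("negotiate", "ntlm") if n in names]
    if "basic" in names and strong and names.index("basic") < min(strong):
        findings.append("basic is offered before negotiate/ntlm: clients may pick "
                        "the cleartext scheme first; list basic last")
    for scheme, cfg in schemes:
        prog = cfg["program"] or []
        if "-W" in prog and prog.index("-W") + 1 < len(prog):
            path = prog[prog.index("-W") + 1]
            findings.append("%s helper reads its bind password from %s; keep that "
                            "file readable only by the squid helper user" % (scheme, path))
        if scheme == "basic" and "-d" in prog:
            findings.append("basic helper runs with -d (debug): usernames and LDAP "
                            "activity will be written to cache.log")
    return findings


if __name__ == "__main__":
    parsed = parse_auth_schemes(SAMPLE_CONF)
    offered = challenge_headers(parsed)
    print("407 offers, in order:", offered)
    for client in ({"negotiate", "basic"}, {"basic"}, set()):
        print("client supporting", sorted(client) or "nothing",
              "->", choose_scheme(offered, client))
    for note in lint_auth_order(parsed):
        print("note:", note)
```

Run it as-is to see the offered order for the constructed fragment; point parse_auth_schemes at a real squid.conf to lint your own stack.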