Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-28 Thread Giorgi Tepnadze
Hello Markus

Thank you very much, everything works now. Only two questions left:
1) Is it necessary to run the commands specified below every 30 days?

msktutil --auto-update --verbose --computer-name proxy1-k
msktutil --auto-update --verbose --computer-name proxy2-k
msktutil --auto-update --verbose --computer-name proxy-k

As I understand it, I should run them on proxy1 and then copy the updated
keytab file to proxy2 every month.

2) Can I use kerberos somehow to authenticate skype? All internet
browsers work but skype doesn't; it only works by specifying user/pass in
its configuration, and I think it uses basic LDAP auth.
When there was NTLM auth it worked, but now I removed all NTLM from
squid; only kerberos negotiate and basic is left.

George

On 26/07/14 15:55, Markus Moeller wrote:
> Hi Giorgi,
>
>   It would be
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
> --upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose
> --enctypes 28
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
> proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy2.domain.com --server addc03.domain.com --verbose
> --enctypes 28
>
> and one for DNS RR record
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mia.gov.ge -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY-K
> --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> The -h value is not really used.  So for the DNS RR you can use either
> name.
>
> Regards
> Markus
>
>
> "Giorgi Tepnadze"  wrote in message news:53d219ea.1010...@mia.gov.ge...
>
> Hi Markus
>
> Excuse me for posting in old list, but I have a small question:
>
> So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
> one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation how
> should I create keytab file.
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
> --upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
> proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> and one for DNS RR record
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> But there is problem with last one, which server name should I put in
> -s, -h, --upn and --computer-name?
>
> Many Thanks
>
> George
>
>
>
> On 07/02/14 01:26, Markus Moeller wrote:
>> Hi Joseph,
>>
>>   it is all possible :-)
>>
>>   Firstly I suggest not to use samba tools to create the squid keytab,
>> but use msktutil (see
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>> Then create a keytab for the loadbalancer name (that is the one
>> configured in IE or Firefox). Use this keytab on both proxy servers
>> and use negotiate_kerberos_auth with -s GSS_C_NO_NAME
>>
>>  When you say multiple realms, do you have trust between the AD
>> domains or are they separate ?   If the domains do not have trust do
>> you intend to use the same loadbalancer name for the users of both
>> domains ?
>>
>> Markus
>>
>>
>>
>> "Joseph Spadavecchia"  wrote in message
>> news:2b43c569f8254a4e82c948ce4c247ed5158...@blx-ex01.alba.local...
>>
>> Hi there,
>>
>> What is the recommended way to configure Kerberos authentication
>> behind two load balancers?
>>
>> AFAIK, based on the mailing lists, I should
>>
>> 1) Create a user account KrbUser on the AD server and add an SPN
>> HTTP/loadbalancer.example.com for the load balancer
>> 2) Join the domain with Kerberos and kinit
>> 3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
>> 4) update squid.conf with an auth helper like negotiate_kerberos_auth
>> -s HTTP/loadbalancer.example.com@REALM
>>
>> Unfortunately, when I try this it fails.
>>
>> The only way I could get it to work at all was by removing the SPN
>> from the KrbUser and associating the SPN with the machine trust
>> account (of the proxy behind the loadbalancer)  However, this is not a
>> viable solution since there are two machines behind the load balancer
>> and AD only allows you to associate a SPN with one account.
>>
>> Furthermore, given that I needed step (4) above, is it possible to
>> have load balanced Kerberos authentication working with multiple
>> realms?  If so, then how?
>>
>> Many thanks.
>>
>
>



Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-25 Thread Giorgi Tepnadze
Hi Markus

Excuse me for posting in old list, but I have a small question:

So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation how
should I create keytab file.

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
--upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
--upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28

and one for DNS RR record

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
--upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28

But there is problem with last one, which server name should I put in
-s, -h, --upn and --computer-name?

Many Thanks

George



On 07/02/14 01:26, Markus Moeller wrote:
> Hi Joseph,
>
>   it is all possible :-)
>
>   Firstly I suggest not to use samba tools to create the squid keytab,
> but use msktutil (see
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). 
> Then create a keytab for the loadbalancer name (that is the one
> configured in IE or Firefox). Use this keytab on both proxy servers
> and use negotiate_kerberos_auth with -s GSS_C_NO_NAME
>
>  When you say multiple realms, do you have trust between the AD
> domains or are they separate ?   If the domains do not have trust do
> you intend to use the same loadbalancer name for the users of both
> domains ?
>
> Markus
>
>
>
> "Joseph Spadavecchia"  wrote in message
> news:2b43c569f8254a4e82c948ce4c247ed5158...@blx-ex01.alba.local...
>
> Hi there,
>
> What is the recommended way to configure Kerberos authentication
> behind two load balancers?
>
> AFAIK, based on the mailing lists, I should
>
> 1) Create a user account KrbUser on the AD server and add an SPN
> HTTP/loadbalancer.example.com for the load balancer
> 2) Join the domain with Kerberos and kinit
> 3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
> 4) update squid.conf with an auth helper like negotiate_kerberos_auth
> -s HTTP/loadbalancer.example.com@REALM
>
> Unfortunately, when I try this it fails.
>
> The only way I could get it to work at all was by removing the SPN
> from the KrbUser and associating the SPN with the machine trust
> account (of the proxy behind the loadbalancer)  However, this is not a
> viable solution since there are two machines behind the load balancer
> and AD only allows you to associate a SPN with one account.
>
> Furthermore, given that I needed step (4) above, is it possible to
> have load balanced Kerberos authentication working with multiple
> realms?  If so, then how?
>
> Many thanks.
>



Re: [squid-users] Re: kerberos annoyances [solved]

2013-10-15 Thread Amos Jeffries

On 16/10/2013 4:36 p.m., Eliezer Croitoru wrote:

On 10/15/2013 02:12 PM, Marko Cupać wrote:

Thank you for your will to help me. It was my mistake, as I recompiled
the port in order to get LDAP authentication helpers which I had
previously turned off. This of course reinstalled rc script which
overwrote line crucial for kerberos to work (export KRB5_KTNAME).

I even wrote about this on freebsd-ports list, anticipating problems:
http://lists.freebsd.org/pipermail/freebsd-ports/2013-October/086799.html 



After re-adding the line I am authenticated again.

Now I need to figure out other aspects how to simulate other aspects of
dansguardian/NTLM (such as more informative error pages) but that will
be another thread perhaps.


Hey,

I am a bit curious about something.
Why NTLM now?
I am asking since I am not sure since when Kerberos has been like the basic
auth service for MS and many other IT infrastructures.


Since 2006 officially.

Which kind of answers your question. We are still inside the 5-10 year 
period where Kerberos is being picked up by Enterprise admin but not yet 
having reached the 10+ year period where the slowest refresh cycles take 
place. So Kerberos is not quite universally usable on some networks.

 Which for a critical security update is quite disappointing.

Amos


Re: [squid-users] Re: kerberos annoyances [solved]

2013-10-15 Thread Eliezer Croitoru

On 10/15/2013 02:12 PM, Marko Cupać wrote:

Thank you for your will to help me. It was my mistake, as I recompiled
the port in order to get LDAP authentication helpers which I had
previously turned off. This of course reinstalled rc script which
overwrote line crucial for kerberos to work (export KRB5_KTNAME).

I even wrote about this on freebsd-ports list, anticipating problems:
http://lists.freebsd.org/pipermail/freebsd-ports/2013-October/086799.html

After re-adding the line I am authenticated again.

Now I need to figure out other aspects how to simulate other aspects of
dansguardian/NTLM (such as more informative error pages) but that will
be another thread perhaps.


Hey,

I am a bit curious about something.
Why NTLM now?
I am asking since I am not sure since when Kerberos has been like the basic
auth service for MS and many other IT infrastructures.


Eliezer


Re: [squid-users] Re: kerberos annoyances [solved]

2013-10-15 Thread Marko Cupać
Thank you for your will to help me. It was my mistake, as I recompiled
the port in order to get LDAP authentication helpers which I had
previously turned off. This of course reinstalled rc script which
overwrote line crucial for kerberos to work (export KRB5_KTNAME).

I even wrote about this on freebsd-ports list, anticipating problems:
http://lists.freebsd.org/pipermail/freebsd-ports/2013-October/086799.html

After re-adding the line I am authenticated again.

Now I need to figure out other aspects how to simulate other aspects of
dansguardian/NTLM (such as more informative error pages) but that will
be another thread perhaps.

-- 
Marko Cupać


Re: [squid-users] Re: Kerberos load balancer and AD

2013-05-23 Thread Sean Boran
Referencing that "Kerberos-load-balancer-and-AD" thread, yes it does work :-).
A user is created in AD, and an SPN with the lB FQDN points to that user.
That user is then used to create the keytab on each proxy.

Sean

On 22 May 2013 22:41, SPG  wrote:
> Hi,
>
> then, with this option you don't need create an account for all squids
> servers and duplicate spn in  each account of squid. Only need a account for
> load balancer service. I question it, because I read this post in the
> morning and I have doubts . Is it true?
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/kerberos-auth-failing-behind-a-load-balancer-td4658773.html
>
> A lot of thanks Markus.
>
>
>
> --
> View this message in context: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-load-balancer-and-AD-tp4660187p4660207.html
> Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Re: Kerberos with 2008/2003 DC

2013-05-08 Thread Alan
I didn't see your email with the error and solution.
Can you please post it to the list for future reference?

On Thu, May 9, 2013 at 5:20 AM, SPG  wrote:
> Thanks Markus. I posted my error and the solution. Perhaps you didn't receive
> the mail
>
> A lot of thanks.
>
>
>


Re: [squid-users] Re: Kerberos Auth

2013-05-02 Thread JC Putter
Ah! That makes sense! Thanks!

On Thu, May 2, 2013 at 9:23 PM, Markus Moeller  wrote:
> Could it be that a Windows application uses its system key to authenticate
> against squid? This could happen if no user is logged in and the
> application runs as a service.
>
> Markus
>
>
> "JC Putter"  wrote in message
> news:CAKKrXOmNaDJvR2wH=c63s0ojn3ioefmrdrkkar3iudxf7sm...@mail.gmail.com...
>
>> Hi,
>>
>> I have squid 3.2.8 with Kerberos auth.
>>
>> Everything seems to work but why do some logs show the computer name
>> (user-pc$) instead of the username?
>>
>> Thanks
>>
>
>


Re: [squid-users] Re: kerberos auth failing behind a load balancer

2013-03-11 Thread Sean Boran
(sorry for the slow answer, an over-eager spam filter swallowed this msg).

In wireshark, the server name sent in the ticket is correct
(proxy.example.com), encryption is rc4-hmac and kvno=5.
This is the same kvno as seen in "klist -ekt /etc/krb5.keytab" (with
des-cbc-crc, des-cbc-md5, arcfour-hmac).

Now there are two squids behind the balancer; one of them will behave
correctly and accept kerberos authentication to the balanced proxy
name. (I had not realised the second one worked before). Comparing the
squid and kerb config does not explain the difference.

However on a windows client, querying SPN for the balanced name only
lists the squid proxy that works(proxy2) and no mention of proxy3.

C:\temp>cscript spn_query.vbs http/proxy.example.com example.net
CN=proxy2,OU=Ubuntu,OU=Server,..
O,DC=example,DC=net
Class: computer
Computer DNS: proxy2.example.com
-- http/proxy.example.com
-- HTTP/proxy.example.com/proxy2
-- HTTP/proxy.example.com/proxy2.example.com
-- HTTP/proxy2
-- HTTP/proxy2.example.com
-- HOST/proxy2.example.com
-- HOST/PROXY2

Next, I tried to use the windows tool setspn to add an spn for proxy3:
setspn -S http/proxy.example.com proxy3
but it says "Duplicate SPN found, aborting operation!"
which makes me think I'm misunderstanding. Is it not possible to
assign the same SPN to the real names of both the squids behind the
balancer?

Thanks,

Sean


On 1 March 2013 21:06, Markus Moeller  wrote:
> That should work. What do you see in Wireshark when you look at the traffic
> to the proxy? If you expand the Negotiate header you should see what is the
> principal name and kvno. Both must match what is in your keytab (check with
> klist -ekt /etc/keytab)
>
> Markus
>
>
> "Sean Boran"  wrote in message
> news:caonghjuye0oyoomkquwl5frmnyozfrvuekslbnxyao0kel_...@mail.gmail.com...
>
> Hi,
>
> I’ve received (kemp) load balancers to put in front of squids to
> provide failover.
> The failover / balancing  works fine until I enable Kerberos auth on the
> squid.
>
> Test setup:
> Browser ==> Kemp balancer ==> Squid  ==>
> Internet
> proxy.example.com proxy3.example.com
>
> The client in Windows7 in an Active Directory domain.
> If the browser proxy is set to proxy3.example.com  (bypassing the LB),
> Kerberos auth works just fine, but via the kemp (proxy.example.com)
> the browser prompts for a username/password which is not accepted
> anyway
>
> Googling on Squid+LBs, the key is apparently to add a principal for the LB,
> e.g.
> net ads keytab add HTTP/proxy.example.com
>
> In the logs (below), one can see the client sending back a Krb ticket
> to squid, but it rejects it:
> "negotiate_wrapper: Return 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure.  "
> When I searched on that. one user suggested changing the encryption in
> /etc/krb5.conf . In /etc/krb5.conf   I tried with the recommended
> squid settings (see below), and also with none at all. The results
> were the same. Anyway, if encryption was the issue, it would not work,
> via LB or directly.
>
>
> Analysis:
> -
> When the client sent a request, squid replies with:
>
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> X-Cache: MISS from gsiproxy3.vptt.ch
> Via: 1.1 gsiproxy3.vptt.ch (squid)
>
> ok so far. the client answer with a kerberos ticket:
>
> Proxy-Authorization: Negotiate YIIWpgYGKwYBXXX
>
> UserRequest.cc(338) authenticate: header Negotiate
> YIIWpgYGKwYBXXX
> UserRequest.cc(360) authenticate: No connection authentication type
> Config.cc(52) CreateAuthUser: header = 'Negotiate YIIWpgYGKwYBBQUC
> auth_negotiate.cc(303) decode: decode Negotiate authentication
> UserRequest.cc(93) valid: Validated. Auth::UserRequest '0x20d68d0'.
> UserRequest.cc(51) authenticated: user not fully authenticated.
> UserRequest.cc(198) authenticate: auth state negotiate none. Received
> blob: 'Negotiate
> YIIWpgYGKwYBBQUCoIIWmjCCFpagMDAuBgkqhkiC9xIBAXX
> ..
> UserRequest.cc(101) module_start: credentials state is '2'
> helper.cc(1407) helperStatefulDispatch: helperStatefulDispatch:
> Request sent to negotiateauthenticator #1, 7740 bytes
> negotiate_wrapper: Got 'YR YIIWpgYGKwYBBQXXX
> negotiate_wrapper: received Kerberos token
> negotiate_wrapper: Return 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information.
>
>
> Logs for a (successful) auth without LB:
> .. as above 
> negotiate_wrapper: received Kerberos token
> negotiate_wrapper: Return 'AF oYGXXA==
> u...@example.net
>
>
> - configuration ---
> Ubuntu 12.04 + std kerberos. Squid 3.2 bzr head from late Jan.
> - squid.conf:
> - debug_options ALL,2 29,9 (to catch auth)
> auth_param negotiate program
> /usr/local/squid/libexec/negotiate_wrapper_auth -d --kerberos
> /usr/local/squid/libexec/negotia

Re: [squid-users] Re: Kerberos with AD

2012-04-15 Thread Brett Lymn
On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote:
> 
> BTW I would not recommend using ktpass and a user account.  ktpass uses DES 
> as a default which is not anymore supported by newer MS systems and 
> secondly user accounts in AD have usually (depending on your AD setting) a 
> password expiry which would make you keytab invalid.
> 

You can choose the encryption that ktpass uses:

ktpass -princ HTTP/proxy.domain@domain.com -mapuser proxyu...@domain.com 
-crypto rc4-hmac-nt -pass secret -ptype KRB5_NT_SRV_HST -out file.keytab

This works fine on Win 2008 R2 servers - no problems with Win 7 machines
authenticating.  What you say about using a user account is valid but
sometimes you are wedged if you want to use samba on the same machine.
For us regenerating the keytab is not onerous.

-- 
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."




Re: [squid-users] Re: Kerberos with LDAP authentication failover and iTunes auth problems

2011-12-27 Thread Brett Lymn
On Wed, Dec 28, 2011 at 05:23:55PM +1100, James Robertson wrote:
> 
> Because I implemented Kerberos first I already had a machine account
> in Active Directory that was created by the msktutil utility.
> When I researched implementing ntlm_auth the documentation mentions
> joining the computer to AD using "net ads join".  This was an issue
> because I already had the computer account and didn't want to hose
> anything that the Negotiate/Kerberos might use and researched how to
> use a pre-existing computer account in AD but could not find anything,
> so in the end I just ran it (which worked).  However after I did this
> Negotiate/Kerberos was broken.  I fixed it by resetting the computer
> account and running "msktutil --auto-update" to update the computer
> accounts password.  NTLM still worked after this.
> 

Don't use the machine account for the kerberos SPN if you also want to
use NTLM.  Create a new user account and use that for generating the
kerberos keytab, this allows you to use NTLM as well without the creds
getting stomped.

-- 
Brett Lymn




Re: [squid-users] Re: Kerberos with LDAP authentication failover and iTunes auth problems

2011-12-27 Thread James Robertson
> The best is to configure Negotiate with the wrapper to cover Negotiate/NTLM
> and Negotiate/Kerberos and NTLM as "pure" NTLM for applications/clients
> which do not support Negotiate but NTLM ( like some chat tools).

Thank you both for the feedback and help with my understanding on
authentication.  I installed negotiate_wrapper (running squid 3.1) and
after some initial problems trying to implement the use of ntlm_auth
post kerberos configuration I have it working now.

I have a concern that can hopefully be cleared up...

Because I implemented Kerberos first I already had a machine account
in Active Directory that was created by the msktutil utility.
When I researched implementing ntlm_auth the documentation mentions
joining the computer to AD using "net ads join".  This was an issue
because I already had the computer account and didn't want to hose
anything that the Negotiate/Kerberos might use and researched how to
use a pre-existing computer account in AD but could not find anything,
so in the end I just ran it (which worked).  However after I did this
Negotiate/Kerberos was broken.  I fixed it by resetting the computer
account and running "msktutil --auto-update" to update the computer
accounts password.  NTLM still worked after this.

I have a cron job setup to run "msktutil --auto-update" each day to
update the computer account's password when required.  Will these two
mechanisms interfere with each other in future?  i.e. is there
anything that the msktutil --auto-update might break for the winbind
ntlm_auth and vice versa - if this is a dumb question I apologise but
my knowledge on this is limited.

Also iTunes still prompts for a password but after input of the
username and password it works - I presume this is the expected
behaviour and that it shouldn't be seamless - is this the difference
between Negotiate/NTLM and pure NTLM?

Thanks

James


Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote:
> Did you try my negotiate wrapper ?  It is part of squid 3.2, but
> right now only works with 3.1 ( I have an open bug for 3.2)
> 

Can you give me hints on how to build it for 3.1 ?



Re: [squid-users] Re: Kerberos auth and users in another AD domain

2011-12-09 Thread Emmanuel Lacour
On Fri, Dec 09, 2011 at 06:31:07PM -, Markus Moeller wrote:
> Did you try my negotiate wrapper ?  It is part of squid 3.2, but
> right now only works with 3.1 ( I have an open bug for 3.2)
> 

looks interesting, I'm going to grab it from last 3.2 sources and
compile it for 3.1. I'll let you know if it fixes one/all of my
authentications problems ;)


Re: [squid-users] Re: Kerberos setup with RR DNS

2011-09-09 Thread Emmanuel Lacour
On Fri, Sep 09, 2011 at 03:42:21PM +0100, Markus Moeller wrote:
> You need to create one AD entry for proxy.domain.tld and copy the
> same keytab to both squid servers and use the -s GSS_C_NO_NAME
> option for squid_kerb_auth or negotiate_kerberos_auth.
> 

at a first glance, it seems to works like a charm, many thanks :)



Re: [squid-users] Re: Kerberos Authentication with AD Win 2008

2011-07-24 Thread Syed Hussaini
Yeah Markus, I even thought it's because of that -d option.

Is it completely safe to ignore this?

Thanks for your help.



On 21 July 2011 23:26, Markus Moeller  wrote:
> Hi Syed,
>
> -d option is for debug output.
>
> The message
>
> squid_kerb_auth: parseNegTokenInit failed with rc=102 comes from old modules
> which check first for a gssapi token and then for an spnego token.
>
>
> Regards
> Markus
>
>
> "Syed Hussaini"  wrote in message
> news:CAGj7XbmB5eZTsuWgd9Q9AkE9UeKgG5YV=t0tq7udsa3ejn+...@mail.gmail.com...
>>
>> Hi,
>>
>> I'm using squid version - 2.7 Stable9. My Kerberos authentication is
>> working good as well. I'm receiving this info in my cache.log and just
>> want to confirm that it's not worrisome.
>>
>>  squid_kerb_auth: parseNegTokenInit failed with rc=102
>> 2011/07/21 10:54:50| squid_kerb_auth: AF
>>
>> oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWobQXIUTVLEfPspj7ZpRThBLZzVgpamXrYmsjvHrxTIgQUWJ8eH1fQESDD2Zn4hsH2uNucFM2u4aJW10mIZTmLkwcNn0Ufj+QsdeP6XsPtqw7HZDZy4v/vV3lA==
>> kit...@redgroup.com
>>
>> I get this info for all users who access squid. If someone is using
>> IE 6 then this log doesn't come up.
>>
>> I have passed -s -d options to squid_kerb_auth in squid.conf, is it
>> because of this that I receive the above info?
>>
>>
>> Thanks for your help, as always you guys are great helping us.
>>
>
>
>


Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-17 Thread guest01
ok, does not sound good, but I expected something like that, even
though in theory more CPUs should be able to handle more
work/authentication processes

We don't really care about caching, we are basically only interested
in antivirus and category blocking based on username/group (achieved
with an ICAP server) which does only work with any kind of
authentication (IP based policy assignment cannot be handled
properly).

At the moment, we have 30 kerberos helpers responsible for approx 2000
users (66 users per helper) and not all of them will be used
extensively.

Maybe there is something wrong in our setup, does any of you have
experience or even have numbers of how many kerberos authentications a
recent squid version can handle on today's hardware (let's say multi
core cpu and lots of RAM) and average user behavior? How big are the
biggest squid deployments (as forward proxy with authentication)?

btw, I see following messages in my log files, but in my opinion, they
are NTLM-related.
 - samba Begin 
 **Unmatched Entries**
 libads/cldap.c:recv_cldap_netlogon(219)  no reply received to cldap
netlogon : 3771 Time(s)
 libads/ldap_utils.c:ads_do_search_retry_internal(115)  ads reopen
failed after error Referral : 1 Time(s)
 libsmb/clientgen.c:cli_rpc_pipe_close(386)  cli_rpc_pipe_close:
cli_close failed on pipe \NETLOGON, fnum 0x4008 to machine DC1.  Error
was SUCCESS - 0 : 609 Time(s)
 libsmb/clientgen.c:cli_rpc_pipe_close(386)  cli_rpc_pipe_close:
cli_close failed on pipe \NETLOGON, fnum 0x400b to machine dc1.fqdn.
Error was SUCCESS - 0 : 36 Time(s)
 libsmb/clientgen.c:cli_rpc_pipe_close(386)  cli_rpc_pipe_close:
cli_close failed on pipe \lsarpc, fnum 0x4009 to machine DC1.  Error
was SUCCESS - 0 : 609 Time(s)
 libsmb/credentials.c:creds_client_check(324)  creds_client_check:
credentials check failed. : 3923 Time(s)
 nsswitch/winbindd_group.c:winbindd_getgrnam(519)  group prod360 in
domain OUR_DOMAIN_HERE does not exist : 27 Time(s)
 rpc_client/cli_netlogon.c:rpccli_netlogon_sam_network_logon(1030)
rpccli_netlogon_sam_network_logon: credentials chain check failed :
3923 Time(s)
 -- samba End -



On Wed, Feb 16, 2011 at 10:32 PM, Amos Jeffries  wrote:
> On Wed, 16 Feb 2011 13:28:29 +0100, guest01 wrote:
>>
>> Hi,
>>
>> We had to bypass the kerberos authentication for now (most of the
>> users will be authenticated by IP (there are already more than 1
>> unique IPs in my Squid logs). iirc, disabling the replay cache did not
>> help much. There is a load avg of 0.4 right now (authenticating about
>> 9000 users per IP and 1000 with Kerberos) with approx 450 RPS (2
>> strong servers), which looks pretty good.
>>
>> What do you think? Can SMP functionality of Squid 3.2 reduce our load
>> problem significantly? At the moment, we have multiple independent
>> squid processes per server (4 squid instances, 16 cpus), but I don't
>> see any way (except adding more hardware) to authenticate >1 with
>> Kerberos.
>
> SMP will help with the management of those 4 instances on each machine,
> dropping it to one config file they all work from and one SNMP contact port
> one cachemgr contact port etc.
> But I think total load, helper process count and cache duplication problems
> will remain unchanged with the current SMP capabilities.
>
> Amos
>
>


Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-16 Thread Amos Jeffries

On Wed, 16 Feb 2011 13:28:29 +0100, guest01 wrote:

Hi,

We had to bypass the kerberos authentication for now (most of the
users will be authenticated by IP (there are already more than 1
unique IPs in my Squid logs). iirc, disabling the replay cache did not
help much. There is a load avg of 0.4 right now (authenticating about
9000 users per IP and 1000 with Kerberos) with approx 450 RPS (2
strong servers), which looks pretty good.

What do you think? Can SMP functionality of Squid 3.2 reduce our load
problem significantly? At the moment, we have multiple independent
squid processes per server (4 squid instances, 16 cpus), but I don't
see any way (except adding more hardware) to authenticate >1 with
Kerberos.


SMP will help with the management of those 4 instances on each machine, 
dropping it to one config file they all work from and one SNMP contact 
port one cachemgr contact port etc.
But I think total load, helper process count and cache duplication 
problems will remain unchanged with the current SMP capabilities.


Amos



Re: [squid-users] Re: kerberos authentication - performance tuning

2011-02-16 Thread guest01
Hi,

We had to bypass the kerberos authentication for now (most of the
users will be authenticated by IP (there are already more than 1
unique IPs in my Squid logs). iirc, disabling the replay cache did not
help much. There is a load avg of 0.4 right now (authenticating about
9000 users per IP and 1000 with Kerberos) with approx 450 RPS (2
strong servers), which looks pretty good.

What do you think? Can SMP functionality of Squid 3.2 reduce our load
problem significantly? At the moment, we have multiple independent
squid processes per server (4 squid instances, 16 cpus), but I don't
see any way (except adding more hardware) to authenticate >1 with
Kerberos.

regards


On Sat, Feb 12, 2011 at 2:09 PM, Markus Moeller  wrote:
> Hi Peter
>
>> "Nick Cairncross"  wrote in message
>> news:c9782338.5940f%nick.cairncr...@condenast.co.uk...
>> On 09/02/2011 09:34, "guest01"  wrote:
>>
>>> Hi,
>>>
>>> We are currently using Squid 3.1.10 on RHEL5.5 and Kerberos
>>> authentication for most of our clients (authorization with an icap
>>> server). At the moment, we are serving approx 8000 users with two
>>> servers. Unfortunately, we have performance troubles with our Kerberos
>>> authentication. Load values are way too high ...
>>>
>>> 10:19:58 up 16:14,  2 users,  load average: 23.03, 32.37, 25.01
>>> 10:19:59 up 15:37,  2 users,  load average: 58.97, 57.92, 47.73
>>>
>>> Peak values have been >70 for the 5min interval. At the moment, there
>>> are approx 400 hits/second (200 per server). We already disabled
>>> caching on harddisk. Avg service time for Kerberos is up to 2500ms
>>> (which is quite long).
>>>
>>> Our kerberos configuration looks pretty simple:
>>> #KERBEROS
>>> auth_param negotiate program
>>> /opt/squid/libexec/negotiate_kerberos_auth -s HTTP/fqdn -r
>>> auth_param negotiate children 30
>>> auth_param negotiate keep_alive on
>>>
>>> Is there any way for further caching or something like that?
>>>
>>> For testing purposes, we authenticated a certain subnet by IP and load
>>> values decreased to <1. (Unfortunately, this is not possible because
>>> every user gets a policy assigned by its username)
>>>
>>> Any ideas anyone? Are there any kerberos related benchmarks available
>>> (could not find any), maybe this issue is not a problem, just a
>>> limitation and we have to add more servers?
>>>
>>> Thanks!
>>>
>>> best regards
>>> Peter
>>
>> Peter,
>>
>> I have pretty much the same setup as you - just 3.1.8, though only 700
>> users.
>>
>> Have you disabled the replay cache:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>> But beware of a memory leak (depending on your libs of course):
>>
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Intermittent-SquidKerbAu
>> th-Cannot-allocate-memory-td3179036.html. I have a call outstanding with
>> RH at the moment.
>>
>
> Could you try disabling the replay cache ? Did it improve the load ?
>
>> Are your rules repeating requesting authentication unnecessarily when it's
>> already been done? Amos was very helpful when advising on this (search for
>> the post..)
>>
>> 8000 users.. Only 30 helpers? What does cachemgr say about used negotiate
>> helper stats, timings/sec etc.
>> Is your krb5.conf using the nearest kdc in its own site etc?
>>
>
> The kdc is only important for the client. The server (squid) never talks to
> the kdc.
>
>> Some load testers out there incorporate Kerberos load testing.
>>
>> Just my thoughts..
>>
>> Nick
>>
>>
>>>
>>
>>
>> The information contained in this e-mail is of a confidential nature and
>> is intended only for the addressee.  If you are not the intended addressee,
>> any disclosure, copying or distribution by you is prohibited and may be
>> unlawful.  Disclosure to any party other than the addressee, whether
>> inadvertent or otherwise, is not intended to waive privilege or
>> confidentiality.  Internet communications are not secure and therefore Conde
>> Nast does not accept legal responsibility for the contents of this message.
>>  Any views or opinions expressed are those of the author.
>>
>> The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square,
>> London W1S 1JU
>>
>
>
>


Re: [squid-users] Re: Kerberos AD authentication suddenly stopped working

2010-12-22 Thread Stefan Dengscherz
Hello list, Markus,


thanks for your hint; this is also described in the Wiki entry - I
only have used Samba to create the keytab. It is not running as a
daemon here.

However I think I've found the (fairly trivial) problem... There was
an issue with the ESX host/Storage the Linux Squid was running on,
stalling the machines for like half an hour. So the clock skew was too
great for Kerberos authentication to work properly.

I found this out while trying to generate a new keytab:

r...@lxsv05:~# kinit administra...@xxx
Password for administra...@xxx:
kinit: Clock skew too great while getting initial credentials


Kind regards,

-sd

2010/12/22 Markus Moeller :
> Is it possible that you run a samba daemon like winbindd ?  If samba is
> fully configured it will emulate a Windows desktop/server and changes on a
> regular basis the machine password which is used for the Kerberos key.  So
> if the machine password is changed the key in the keytab will be invalid.
>
> Markus
>
> "Stefan Dengscherz"  wrote in message
> news:aanlktinigrqmf-sup6yjshkvh3lcw2hj3xwwg9yhx...@mail.gmail.com...
>>
>> Hello list,
>>
>>
>> I'm currently running 3.0.STABLE19 on Ubuntu 10 LTS. I have configured
>> Kerberos AD authentication as in the config examples at
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos (the
>> "Samba method"). It successfully worked for over half a year but
>> suddenly the SSO authentication stopped working yesterday and fell
>> back to my LDAP authentication schema.
>>
>> Here is my authentication section from the squid configuration:
>>
>> ---8<---
>> # Authentication - SSO via Kerberos & AD
>> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> # Authentication - LDAP user lookup against AD when SSO does not work
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
>> "OU=xxx" -D "CN=LDAP Lesebenutzer,OU=Sonderbenutzer,OU=System,OU=xxx"
>> -w "xxx" -f sAMAccountName=%s -h 10.xxx
>> auth_param basic children 5
>> auth_param basic realm Automatische Anmeldung fehlgeschlagen - Geben
>> Sie bitte Ihren Windows-Benutzer und -Passwort ein!
>> auth_param basic credentialsttl 5 minutes
>> ---8<---
>>
>> After the SSO failed I set squid_kerb_auth to debug mode via the -d
>> parameter and got the following log entries in cache.log:
>>
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information.
>> 2010/12/21 06:49:29| squid_kerb_auth: Got 'YR YIIF9...
>>
>> After recreating the keytab with
>>
>> kinit administra...@xxx
>> export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
>> net ads keytab CREATE
>> net ads keytab ADD HTTP
>> unset KRB5_KTNAME
>>
>> and restarting Squid everything works fine again.
>>
>> I think it might be an expired computer account, but FindExpAcc.exe
>> found nothing. Any hints on where to go further in debugging this
>> issue here, or any hints on how to solve this problem?
>>
>>
>> Kind regards,
>>
>> -sd
>>
>
>
>


Re: [squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"?

2010-12-09 Thread Tom Tux
Hi Markus

In the meantime, the klist -etk /etc/krb5.keytab have AES entries:
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC

But they were made by the nightly "msktutil --auto-update" job (after
30 days were passed). And during this step, that
msDS-SupportedEncryption-Type-Attribut was also created on the
computer-object in the active-directory. That was also the reason why
squid stopped authenticating the users: the necessary (aes) lines for
w2k8 in the krb5.conf didn't exist yet.

During the first (initial) msktutil (which creates a computer-object
in the ad-domain), I didn't use the option "--enctypes 28", because on
this time, we just had w2k3-domain-controllers.

I don't exactly understand, why squid stops authenticating, when I
change the krb5.conf-file back to "default_tgs_enctypes = rc4-hmac
des-cbc-crc des-cbc-md5" (without aes). On my client, I see also
session-tickets for the http-service with only rc4-hmac (instead of
aes) and this works fine (when the krb5.conf is already configured
with aes).

Could it be, that msktutil realizes, that it has to authenticate to a
w2k8-dc and therefore add the msDS-SupportedEncryption-Type-attribut
to the computer-object and use the "aes"-algorithm as its preferred
one?
Is the aes stronger than the rc4-hmac and that could be the reason,
why I'm not able to talk to squid with "rc4-hmac"? So the stronger
wins?

Thanks in advance.
Tom


2010/12/9 Markus Moeller :
> Hi Tom,
>
>  What does klist -ekt squid.keytab show ?  Does it have an entry for AES ?
> Did you use  --enctypes 28 with msktutil as described here
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
> ?
>
> Markus
>
>
> "Tom Tux"  wrote in message
> news:aanlktimuyh9msqcte5shmmoqdjpvdyhfqpotf+ajt...@mail.gmail.com...
> I recognized, that the values in the AD-computer-object (attribute
> msDS-SupportedEncryption-Type) has to match the client-kerberos-ticket
> (session-key) and the settings made in /etc/krb5.conf. On all three
> parts, the aes-256value must be set.
> If not, there's no authentication possible.
>
> Is it true, that always the strongest key (in this case probably aes-256)
> wins?
> Tom
>
>
>
> 2010/12/9 Amos Jeffries :
>>
>> On 09/12/10 19:43, Tom Tux wrote:
>>>
>>> Hi
>>>
>>> We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
>>> operational mode is still 2003.
>>>
>>> We're using kerberos-authentication against the active-directory.
>>> Nightly runs the "msktutil --auto-update" on the squid-proxy. One day,
>>> this updated the computer-account and added the new
>>> msDS-SupportedEncryption-Type = 28.
>>>
>>> On one morning, nobody could be authenticated against the
>>> active-directory. On the cache.log, I saw the following error:
>>>
>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>> Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
>>> failure. Minor code may provide more information. Encryption type not
>>> permitted'
>>>
>>>
>>> So, I added the "aes256-cts-hmac-sha1-96" encryption-type in the
>>> /etc/krb5.conf-file. Now, everything is working fine. On the
>>> computer-object in the active-directory, I see a value of 28 on the
>>> attribute "msDS-SupportedEncryption Types" (updated through msktutil).
>>>
>>> When I trace the kerberos-traffic between the proxy and the new
>>> w2k8-domain-controller, I still see the old encryption-type "rc4-hmac"
>>> is being used.
>>>
>>> Why is there not the new encryption-type "aes" used? Why is still the
>>> "old" one used? Before I updated the krb5.conf with the "aes"-part,
>>> nobody was able to authenticate. And now, squid "talks" still with the
>>> old one?
>>
>> Squid uses whatever support is available in the libraries, which may be
>> version-specific from when it was built. It is likely that they and/or squid
>> need to be upgraded to support that algorithm.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.9
>> Beta testers wanted for 3.2.0.3
>>
>
>
>
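Both the "suddenly stopped working" thread above (keytab invalidated by a machine password change) and this enctype thread come down to inspecting what `klist -ekt` reports for the squid keytab. The following is an added example, not code from the squid-users posts or from the Squid project: it parses a keytab listing in the MIT `klist -ekt` format and reports whether an AES-256 key is present (what a 2008 DC with msDS-SupportedEncryptionTypes = 28 will prefer) and whether all entries share one KVNO (mixed KVNOs mean part of the keytab predates a password rotation). The listings, host, realm and timestamps are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the squid-users threads above.
# Parses the text printed by `klist -ekt <keytab>` and checks two things
# the threads turned on: presence of an AES-256 key, and a single KVNO
# across all entries.

# Constructed listing of a healthy keytab (placeholder host/realm/timestamps).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   3 12/09/10 02:00:01 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 12/09/10 02:00:01 HTTP/proxy.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/10 02:00:01 HTTP/proxy.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Constructed listing of a keytab written before the DC upgrade: RC4 only,
# plus a leftover entry from an older key version.
STALE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 11/01/10 02:00:01 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 12/09/10 02:00:01 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# keytab_has_enctype LISTING NAME: succeed if some entry uses enctype NAME
# (klist -e prints the enctype display name in parentheses).
keytab_has_enctype() {
    printf '%s\n' "$1" | grep -q "($2)"
}

# keytab_kvnos LISTING: distinct KVNOs found in the listing, space-separated.
# Entry lines start with optional spaces and the numeric KVNO column.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{ print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# keytab_check LISTING: print findings; exit status 0 only when an AES-256
# key is present and every entry carries the same KVNO.
keytab_check() {
    status=0
    if keytab_has_enctype "$1" 'AES-256 CTS mode with 96-bit SHA-1 HMAC'; then
        echo "ok: AES-256 key present"
    else
        echo "warn: no AES-256 key; regenerate the keytab with msktutil --enctypes 28"
        status=1
    fi
    kvnos=$(keytab_kvnos "$1")
    case "$kvnos" in
        *" "*) echo "warn: mixed KVNOs ($kvnos); part of the keytab is stale"; status=1 ;;
        "")    echo "warn: no keytab entries found"; status=1 ;;
        *)     echo "ok: single KVNO $kvnos" ;;
    esac
    return $status
}

# Against a real keytab run: keytab_check "$(klist -ekt /etc/squid/HTTP.keytab)"
keytab_check "$SAMPLE_KLIST"
```

The enctype names are matched exactly as MIT `klist -e` of that era printed them (the same strings quoted in the thread); newer MIT releases print short names such as aes256-cts-hmac-sha1-96, so adjust the pattern for your library version.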


Re: [squid-users] Re: Kerberos authentication with MIT KDC

2010-12-08 Thread Rob Asher
Markus,

I do get a password prompt although I don't remember setting a password for it. 
 

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for 
HTTP/proxyserver.paragould@xserve.paragould.psd: 
Kerberos Login Failed:
Password incorrect

In Open Directory, I just added a new machine(what I assumed was a host 
principal) named proxyserver but adding a machine via OD's workgroup manager 
doesn't ask for a password that I can remember.  I didn't add an actual user 
named proxyserver because that didn't make sense to me for a host.  

Thanks,
Rob



Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169


>>> "Markus Moeller"  12/08/10 5:44 PM >>>
Hi Rob,

 What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc 
server ? Do you get a password prompt ?

Markus

>"Rob Asher"  wrote in message 
>news:4cffadf6.0172.003...@paragould.k12.ar.us...
>Hi Markus,
>
>I created the service principal with kadmin on the apple server.  The 
>actual command was kadmin.local -q "add_principal 
>HTTP/proxyserver.paragould.psd".  I used kadmin also to export the keytab. 
>Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/ad...@xserve.paragould.psd with password.
>kadmin.local:  xst -k proxyserver.keytab 
>HTTP/proxyserver.paragould@xserve.paragould.psd
>Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd 
>with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to 
>keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd 
>with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab 
>WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd 
>with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added 
>to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould@xserve.paragould.psd 
>with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added 
>to keytab WRFILE:proxyserver.keytab.
>kadmin.local:  q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
> --
>   5 HTTP/proxyserver.paragould@xserve.paragould.psd
>   5 HTTP/proxyserver.paragould@xserve.paragould.psd
>   5 HTTP/proxyserver.paragould@xserve.paragould.psd
>   5 HTTP/proxyserver.paragould@xserve.paragould.psd
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/proxyserver.paragould@xserve.paragould.psd
>HTTP/xserve.paragould@xserve.paragould.psd
>http/xserve.paragould@xserve.paragould.psd
>
>That last command to list the http principals confused me and I'm not 
>familiar with kerberos at all really.  Is it showing there are http service 
>principals for both proxyserver.paragould.psd and xserve.paragould.psd or 
>does the KDC automatically add a http service principal for itself too?  In 
>this case, xserve.paragould.psd is the KDC server running on OS X Server 
>10.6.2 and proxserver.paragould.psd is the squid server running on CentOS 
>5.5.   I copied the exported proxyserver.keytab to /etc/squid/ on the host 
>proxyserver.paragould.psd and made sure the squid user had read access to 
>it.  Running kinit squidserver and giving its password works I think. 
>klist after that shows:
>
>[r...@proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: squidser...@xserve.paragould.psd
>
>Valid starting     Expires            Service principal
>12/08/10 15:38:42  12/09/10 01:38:42 
>krbtgt/xserve.paragould@xserve.paragould.psd
>renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as 
>what it is or where to even start looking.  Thanks for any help!
>
>Regards,
>Rob
>
>
>
>
>
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>
>
 "Markus Moeller"  12/08/10 2:39 PM >>>
>Hi Rob,
>
>  It looks like your kdc does not know about the service principal
>HTTP/proxyserver.paragould@xserve.paragould.psd
>  How did you create the entry and keytab ?
>
>Markus
>
>
>
>



-- 

This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.






Re: [squid-users] Re: Kerberos authentication against AD 2003 server

2010-09-01 Thread Manoj Rajkarnikar
Hi Marcus and all.

It turned out that I just needed a restart of the proxy server. I read
on a post who was having the same problem and a restart worked for
him. I tried that and all worked for me too. Kerberos auth is not
working as expected. I only had to follow the wiki example line by
line.

Thank you very much.

On Sun, Aug 29, 2010 at 4:49 PM, Markus Moeller  wrote:
> Hi Manoj,
>
>  It looks like the client PC does not get the TGS for HTTP/proxy.domain. Did
> you configure in IE the proxy with the name proxy.domain or as IP ? IE
> requires the name.  BTW IE 6 does not support Kerberos proxy authentication.
>
>  Can you capture the traffic on port 88 from your client with wireshark ?
> You should see on a newly started PC AS REQ/REP and TGS REQ/REP and any
> failure message which could give hints about the problem.
>
> Markus
>
>
> "Manoj Rajkarnikar"  wrote in message
> news:aanlktikfzcbvq8otzmwfbdq+ld+-bpy4vehhnj+fk...@mail.gmail.com...
>>
>> Hi all,
>>
>> I've been trying to get my squid 2.7 S9 to work with kerberos
>> authentication against AD 2003 server for a couple weeks now but still
>> failed. I've read through lots of posts in the list and different
>> tutorials following them 1 at a time but still no go. I've been
>> following tuts by Klaubert
>>


Re: [squid-users] Re: Kerberos: HTTP/ and not HTTP/@FQDN

2010-07-19 Thread Nick Cairncross
Hi Markus,

I admit that it could be preferable to do it for each one if the KVNO was to 
change, but the AD account I use is a dummy computer account and has no 
physical host so doesn't change. That said, I have tried to do it with a 
separate account and I get the same result: 2 work one fails. I have even tried 
renaming the squid server, disjoining from domain, regenerating the keytab etc. 
The server is now called squid4 (was squid3)

I have just pcapped port 88 from the client and I have noticed the following:

KRB5KRB Error: KRB5KDC ERR S PRINCIPAL UNKNOWN
The S principal mentioned is the old server (squid3). Obviously that won't 
work...

HOWEVER, If I do it from another machine I see everything working ok! Kerberos 
capture, ticket etc are all fine with the right name -  I don't understand! How 
can it work for one and not the other? I have destroyed the tickets on both, 
rebooted etc.

Could it be something more specific on my clients? It just doesn't make sense 
that it is so hit and miss..

Thanks,

Nick




On 17/07/2010 12:09, "Markus Moeller"  wrote:

Hi Nick,

  This is an unusual setup. I wonder how you could get it to work, as a keytab
extraction usually changes the AD entry and therefore the key for your
2nd/3rd squid server.  I suggest to create three separate AD entries and
remove any SPN for HTTP/.

Regards
Markus


"Nick Cairncross"  wrote in message
news:c8665961.b8ac%nick.cairncr...@condenast.co.uk...
Hi list,

I think I have a problem with one of my SPNs/keytab - wondered if someone
could confirm this:

3 x squid boxes on different sites, squid1, squid2 and squid3 are their
hostnames. I have one AD account with the SPNs of all on it. Using fqdn for
the proxy address to 2 of them results in Kerberos tickets:
HTTP/.f...@fqdn and HTTP/.f...@fqdn and everything is fine.

However on the third one I get a ticket: HTTP/squid3@  i.e. No fqdn or @FQDN

I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm
thinking the working two are using the squid.fqdn and the non-working one is
using just 'squid3' hence the issue. Does this sound feasible? I think the
answer is drop the 'squidx' from my SPNs and stick with the 'squidx.fqdn',
regenerate my keytab and that's it.

I have cloned one of the working squid boxes and replaced the non-working
one, so this leads me to believe it is the SPN/keytab and not the server.

Thoughts welcome!

Nickcx







Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback with AD-group-membership-checking

2010-07-09 Thread Tom Tux
Hi Markus

I'm using squid_kerb_ldap-1.2.1a. I will try it with the "-D"-Option.
Is it possible to have a Single-Sign-On-solution with IE6 without
winbind? Can I take "squid_kerb_ldap" for this purpose?

Thank you.
Regards,
Tom


2010/7/9 Markus Moeller :
> Hi Tom,
>
> Which version do you use ?  The latest squid_kerb_ldap version has a -D
> option to define a default Kerberos domain for usernames without domain
> info.
>
>  /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users" -D
> Kerberos-Domain
>
> Regards
> Markus
>
> - Original Message - From: "Tom Tux" 
> To: "Markus Moeller" 
> Sent: Thursday, July 08, 2010 1:54 PM
> Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
> with AD-group-membership-checking
>
>
>> Hi Markus
>>
>> I think, that the output from the log with just the username instead
>> of "netbios-name\username" is because of the setting "winbind use
>> default domain = yes" in the smb.conf.
>>
>> The debug-output is this:
>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: gr...@domain
>> Internet us...@null
>> 2010/07/08 07:13:39| squid_kerb_ldap: Found gr...@domain Internet
>> us...@null
>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
>> gr...@domain Internet us...@null
>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>
>>
>>
>> For my question:
>> Is it necessary to have winbindd running for authentication our
>> IE6-clients with ntlm? Or can I handle this without a
>> winbind-domain-join? Just with squid_kerb_ldap?
>>
>> Thank you.
>> Regards
>> Tom
>>
>>
>> 2010/7/8 Markus Moeller :
>>>
>>> Hi Tom,
>>>
>>> Squid_kerb_ldap with -d will give more debug output. Could you send it to
>>> me. What surprises me is that your username is only user1 not
>>> NETBIOSNAME\user1
>>>
>>> Markus
>>>
>>> - Original Message - From: "Tom Tux" 
>>> To: "Markus Moeller" 
>>> Sent: Thursday, July 08, 2010 6:30 AM
>>> Subject: Re: [squid-users] Re: Kerberos-authentication and ntlm-fallback
>>> with AD-group-membership-checking
>>>
>>>
>>> Hi Markus
>>>
>>> Thank you. I have tried it out, but this didn't work. In my
>>> squid.conf I have the following entry:
>>>
>>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g "Internet Users"
>>> -N netbiosn...@xx.yy
>>> acl inetAccess external SQUID_KERB_LDAP
>>>
>>> For the "NETBIOSNAME", I've entered this one, which I have defined in
>>> the smb.conf in the string "workgroup".
>>>
>>> The cache.log-output looks like this:
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Got User: user1 Domain: NULL
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Default group loop: gr...@domain
>>> Internet us...@null
>>> 2010/07/08 07:13:39| squid_kerb_ldap: Found gr...@domain Internet
>>> us...@null
>>> 2010/07/08 07:13:39| squid_kerb_ldap: User user1 is not member of
>>> gr...@domain Internet us...@null
>>> 2010/07/08 07:13:39| squid_kerb_ldap: ERR
>>>
>>> Without the "-N"-Parameter, all clients >IE6 are successfully able to
>>> authenticate with kerberos and squid_kerb_ldap.
>>>
>>> In the smb.conf, I have set "winbind use default domain = yes". So the
>>> "wbinfo -u" gives me back just the username without any domain-suffix.
>>>
>>> For my understanding: Is it necessary to have winbindd running for
>>> authentication our IE6-clients with ntlm? Or can I handle this without
>>> a winbind-domain-join? Just with squid_kerb_ldap?
>>>
>>> Thank you.
>>>
>>> Regards,
>>> Tom
>>>
>>> 2010/7/7 Markus Moeller :
>>>>
>>>> Hi Tom
>>>>
>>>> It should work if squid sends Negotiate and NTLM authentication requests
>>>> to
>>>> the client. IE6 will ignore the Negotiate request and reply to NTLM,
>>>> whereas
>>>> IE7 and IE8 will respond to Negotiate. With NTLM you will get a username
>>>> like Netbios-Domain\user in contrast to u...@kerberos-realm.
>>>> squid_kerb_ldap
>>>

Re: [squid-users] Re: Kerberos

2010-05-18 Thread Henrik Nordström
On Tue 2010-05-18 at 20:00 +0100, Markus Moeller wrote:

> BTW Would you be interested to include squid_kerb_ldap - my ldap 
> authorisation module with Kerberos authentication to an ldap server ?

Yes. Submissions are always welcome. Just post the merge request to
squid-dev.

Regards
Henrik





Re: [squid-users] Re: Kerberos

2010-05-17 Thread Henrik Nordström
On Mon 2010-05-17 at 06:30 +0100, Markus Moeller wrote:

> OpenDirectory or eDirectory is just ldap and has nothing to do with 
> Kerberos (as far as I know).

eDirectory can trust Kerberos for authentication. But does not in itself
provide Kerberos KDC. Novell also have a Kerberos KDC product which
integrates with eDirectory. Appears to be MIT based.

Regards
Henrik



Re: [squid-users] Re: Kerberos

2010-05-16 Thread Matthew Smith
Hi Markus,

Thanks for the info. If squid can use MIT kerberos, then hopefully I should be 
ok to get it working with Mac OS X Server (and OpenDirectory), based off 
http://developer.apple.com/opensource/kerberosintro.html

On the Novell front, it's harder to find info on its kerberos integration, but 
it looks like it's available.

I guess I'll just have to experiment, and see how I go.

Thanks heaps for the help.

Matt

On 17/05/2010, at 3:30 PM, Markus Moeller wrote:

> Hi Matthew,
> 
> I think you are a bit confused.  AD offers a Kerberos and ldap service. 
> OpenDirectory or eDirectory is just ldap and has nothing to do with Kerberos 
> (as far as I know).  You can use AD, MIT Kerberos, Heimdal Kerberos or any 
> other Implementation (e.g. Solaris based) for authentication with squid.
> 
> Regards
> Markus
> 
> "Matthew Smith"  wrote in message 
> news:ab612d11-33b4-442c-8779-3ea2ef75a...@utas.edu.au...
> Hi Amos,
> 
> Thanks for the reply, you have left me very confused, though. We are talking 
> about MIT's kerberos, right?
> 
> http://en.wikipedia.org/wiki/Kerberos_(protocol)
> 
> My understanding is that kerberos is a protocol for authentication, and other 
> directory services (like Mac OS X's OpenDirectory) support it as well as AD.
> 
> Thanks for the link to the wiki, I had a quick look through, and I'll see if 
> I can get it going with AD as a test. Does anyone know if any other directory 
> services that implement Kerberos are supported? I'd like to see if I can get 
> it to work with OpenDirectory or maybe Novell eDirectory.
> 
> Thanks for the help!
> 
> Matt Smith
> 
> On 17/05/2010, at 1:57 PM, Amos Jeffries wrote:
> 
>> On Mon, 17 May 2010 11:15:06 +1000, Matthew Smith  wrote:
>>> Hi!
>>> 
>>> I have been trying to find out some info on kerberos auth and squid, but
>>> most of my searching points to setting up kerberos for single signon
>> with
>>> windows AD. Are other directory services supported? If so, which? Also
>> does
>>> anyone know of some good beginner style resources for setting up kerb
>> auth
>>> with squid?
>> 
>> That would be because the protocol is a proprietary one by Microsoft.
>> Non-microsoft software would tend to lean towards other free alternatives.
>> 
>> Have you seen the wiki Kerberos pages?
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>> 
>> Amos
> 
> 
> 



RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-09-09 Thread Daniel
Long over-due but I finally got past my error with this. Thanks to all who
responded, basically you were dead on, I just had to download the SDK CD
(Disk 1) and install a few packages:

-installing libcom_err-devel for krb5-devel (from SDK CD 1)
/mnt/cdrom/suse/x86_64/libcom_err-devel-1.41.1-13.9.x86_64.rpm
/mnt/cdrom/suse/x86_64/libcom_err-devel-32bit-1.41.1-13.9.x86_64.rpm
-installing keyutils-devel for krb5-devl (from SDK CD 1)
/mnt/cdrom/suse/x86_64/keyutils-devel-1.2-107.22.x86_64.rpm
-installing krb5-devel (from SDK CD 1)
/mnt/cdrom/suse/x86_64/krb5-devel-1.6.3-133.10.x86_64.rpm
/mnt/cdrom/suse/x86_64/krb5-devel-32bit-1.6.3-133.10.x86_64.rpm

Thanks all. Now that I have the EASY part out of the way, time to dig into
the authentication  /wrist! =D

-Original Message-
From: Daniel [mailto:sq...@zoomemail.com] 
Sent: Friday, August 14, 2009 4:22 PM
To: 'Markus Moeller'; squid-users@squid-cache.org
Subject: RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Markus,

First, please correct me if I'm wrong but I looked for 'gssapi.h' in
config.log and I'm assuming that config.log contains all the log information
from doing a /configure? Assuming that I am correct, I couldn't find
'gssapi' anywhere inside the log file so I'm not sure if that's a good thing
or a bad thing.

I went ahead and dumped the output of the ./configure to a file and these
are the only lines that I could find for gssapi.h:

checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no

If there's anything else that I could try, I'd greatly appreciate it.
Thanks!

-Original Message-
From: news [mailto:n...@ger.gmane.org] On Behalf Of Markus Moeller
Sent: Tuesday, August 11, 2009 3:25 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Hi Daniel,

 Did you see any configure errors for gssapi.h ?

Markus


"Daniel"  wrote in message 
news:001301ca19fe$9f450a50$ddcf1e...@com...
Good afternoon,

In my attempt to get Squid on our SLES 11 box authenticating with
Kerberos (negotiate), I used the following to re-configure:

./configure --prefix=/usr/local/squid --enable-cachemgr-hostname=sclthdq01w
--enable-auth="negotiate" --enable-negotiate-auth-helpers="squid_kerb_auth"

The "configure" appears to run without any issues. However, upon running
"make all" I receive the following errors:

squid_kerb_auth.c:507: error: implicit declaration of function
'gss_display_name'
make[5]: *** [squid_kerb_auth.o] Error 1
make[5]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/squid-3.1.0.13/helpers'
make: *** [all-recursive] Error 1

Any ideas?? As always, T.I.A.

-Daniel





Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-26 Thread Jeremy Monnet
On Wed, Aug 26, 2009 at 12:35 AM, Jeremy Monnet wrote:
>>
>> This will create 200 authentication requests for testing.
> That will help me a lot ! Thank you very much for your answers !
>
> I'll post comments as soon as it works (or I get new questions).

Ok, I am making progress (I guess). Though I am not really sure, I
think I chose a different option when re-installing my AD controller.
I think the AD should be made compatible with every version of
windows, not only with windows 2000 and 2003. I should make more tests
to be sure that was on of the problems.

Now, I see the negotiate, and the ticket received seems far better (logs below).

I believe the remaining error is "authenticateNegotiateHandleReply:
helper: '0x9c8cd20' sent us 'NA gss_accept_sec_context() failed:  An
unsupported mechanism was requested. unknown mech-code 0 for mech
unknown'"

If I play with squid_kerb_auth, I get
squid_kerb_auth: gss_accept_sec_context() failed:  A token was
invalid. unknown mech-code 0 for mech unknown
NA gss_accept_sec_context() failed:  A token was invalid. unknown
mech-code 0 for mech unknown

Does anyone have any idea what that means? I've read stuff about
a file /etc/gss/mech, which doesn't exist on my linux box, and which
squid_kerb_auth is trying to read (I saw it using strace).

Thanks,

Regards,

Jeremy

##
2009/08/26 17:42:44.144| authenticateValidateUser: Validating
Auth_user request '0'.
2009/08/26 17:42:44.145| authenticateValidateUser: Auth_user_request was NULL!
2009/08/26 17:42:44.146| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2009/08/26 17:42:44.147| authenticateFixHeader: headertype:36 authuser:0
2009/08/26 17:42:44.147| AuthNegotiateConfig::fixHeader: Sending
type:36 header: 'Negotiate'
2009/08/26 17:42:44.175| authenticateAuthenticate: header Negotiate
[base64 Negotiate token omitted]
2009/08/26 17:42:44.179| authenticateAuthenticate: This is a new
checklist test on FD:23
2009/08/26 17:42:44.180| authenticateAuthenticate: no connection
authentication type
2009/08/26 17:42:44.181| AuthConfig::CreateAuthUser: header =
'Negotiate 

Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-26 Thread Mrvka Andreas
hm...

I can tell you what I did.

first I tried ktpass too as you describe.
But nevertheless to use exactly the same as in the wiki I finally used 
msktutil to proceed.

I run an SLES 11 Server and had to download SLES 11 SDK iso to compile
msktutil successfully.

My way was:

- configure /etc/krb5.conf correctly (realm, ad-server, etc.)
- join AD domain with a user with permissions
- kinit thisadu...@mydomain.com
- ./msktutil -c -s HTTP/squidproxy.mydomain.com -h squidproxy.mydomain.com -k 
/usr/local/squid-3.1/etc/HTTP.keytab --computer-name squidproxy --upn 
HTTP/squidproxy.mydomain.com --server DC.mydomain.com --verbose --delegation 
--description "Proxy Server"

- configure squid.conf to use auth_param negotiate path_to_squidkerbauth 

And it worked.

I never used squid_kerb_auth_test as I didn't know how to use it :-)

Bye
Andrew



On Wednesday, 26 August 2009 12:28:15 you wrote:
> On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas wrote:
> > hi,
> >
> > if you have made the wiki[...]/Kerberos guide through then you are close
> > to the goal.
> 
> I hope so anyway :-)
> 
> > it seems that your problem is only configuration error on client side.
> 
> I am not so sure anymore. I tried to use the squid_kerb_auth_test
> utility, but it still gives me errors on the tokens (see below for
> listings). I may add that I compiled both squid3.0 and squid_kerb_auth
> 1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the
> squid_kerb_auth1.0.5 package and the squid3.0 package. I get errors in
> both cases (though not the same, but that may simply be that one is
> older).
> 
> I am using a windows server 2003 R2 corporate with SP2, in case there
> may be an issue with a SP or something.
> 
> Last thing I can think of is the way I created the keytab (but
> kerberos seems to like it this way) :
> ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
> HTTP/squidproxy.ad.simia...@ad.simia.fr -mapuser host_squid -ptype
> KRB5_NT_SRV_HST -crypto DES-CBC-MD5 (could have used RC4-HMAC, but I
> had problems before when I put in place unix authentication on
> AD/kerberos).
> 
> > since squid_kerb_auth is a MUST to configure the fqdn name of squid in
> > the IE settings.
> 
> I did it this way ... :-/
> 
> > at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.
> 
> Hope I can make it work also.
> 
> 
> Thanks,
> 
> Jeremy
> 
> Squid_kerb_auth_test :
> 
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit j...@ad.simia.fr
> j...@ad.simia.fr's Password:
> squidproxy:~/squid/squid_kerb_auth-1.0.5#
> /root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test
> squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s
> HTTP/squidproxy.ad.simia.fr
> 2009/08/26 12:17:10| squid_kerb_auth: Got 'Token:
> [base64 token omitted]' from squid (length: 1699).
> 2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed:
>  A token was invalid. unknown mech-code 0 for mech unknown
> NA gss_accept_sec_context() failed:  A token was invalid. unknown
> mech-code 0 for mech unknown
> ##
> 
> squid log trying from windows box :
> ##
> 2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request w

Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-26 Thread Jeremy Monnet
On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas wrote:
> hi,
>
> if you have made the wiki[...]/Kerberos guide through then you are close to
> the goal.
I hope so anyway :-)

>
> it seems that your problem is only configuration error on client side.
I am not so sure anymore. I tried to use the squid_kerb_auth_test
utility, but it still gives me errors on the tokens (see below for
listings). I may add that I compiled both squid3.0 and squid_kerb_auth
1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the
squid_kerb_auth1.0.5 package and the squid3.0 package. I get errors in
both cases (though not the same, but that may simply be that one is
older).

I am using a windows server 2003 R2 corporate with SP2, in case there
may be an issue with a SP or something.

Last thing I can think of is the way I created the keytab (but
kerberos seems to like it this way) :
ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
HTTP/squidproxy.ad.simia...@ad.simia.fr -mapuser host_squid -ptype
KRB5_NT_SRV_HST -crypto DES-CBC-MD5 (could have used RC4-HMAC, but I
had problems before when I put in place unix authentication on
AD/kerberos).

>
> since squid_kerb_auth is a MUST to configure the fqdn name of squid in the IE
> settings.
I did it this way ... :-/

>
> at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.
Hope I can make it work also.


Thanks,

Jeremy

Squid_kerb_auth_test :

squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit j...@ad.simia.fr
j...@ad.simia.fr's Password:
squidproxy:~/squid/squid_kerb_auth-1.0.5#
/root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test
squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s
HTTP/squidproxy.ad.simia.fr
2009/08/26 12:17:10| squid_kerb_auth: Got 'Token: [base64 token omitted]' from squid (length: 1699).
2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed:
 A token was invalid. unknown mech-code 0 for mech unknown
NA gss_accept_sec_context() failed:  A token was invalid. unknown
mech-code 0 for mech unknown
##

squid log trying from windows box :
##
2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request was NULL!
2009/08/26 12:23:30.633| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2009/08/26 12:23:30.941| authenticateAuthenticate: no connection
authentication type
2009/08/26 12:23:30.942| AuthUser::AuthUser: Initialised auth_user
'0x9b0e640' with refcount '0'.
2009/08/26 12:23:30.942| AuthUserRequest::AuthUserRequest: initialised
request 0x9b12418
2009/08/26 12:23:30.954| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.956| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.957| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2009/08/26 12:23:30.957| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/

Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-26 Thread Mrvka Andreas
hi,

if you have made the wiki[...]/Kerberos guide through then you are close to 
the goal.

it seems that your problem is only configuration error on client side.

since squid_kerb_auth is a MUST to configure the fqdn name of squid in the IE 
settings.

at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.

regards
Andrew


On Wednesday, 26 August 2009 00:35:01 Jeremy Monnet wrote:
> On Tue, Aug 25, 2009 at 11:23 PM, Markus Moeller 
wrote:
> >> I am trying to authenticate users through kerberos on a windows 2003
> >> server AD. Basically, I followed the klaubert tutorial [1], part on
> >> Negotiate/kerberos authentication.
> >
> > See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
> 
> Of course I forgot this one, but I used it also.
> 
> >> reason attempted to use NTLM. ", does this mean the web browser/gssapi
> >> or stuff on the client side is the problem ? Is there anything to do
> >> on the windows client machine to send just a standard kerberos ticket
> >> ?
> >
> > Possibly.  It is important that the proxy you have configured is the fqdn
> > and that your web Browser supports negotiate proxy authentication (e.g IE
> > > 7 or Firefox)
> 
> Trying on windows 7 with IE 8 and FF 3.5.
> 
> >> And, last but not least, it seems we can start squid_kerb_auth from
> >> the command line in standalone (well, that's the way it works with
> >> squid), is there a way to use it to debug the situation ?
> >
> > Yes Just start it on the command line and input YR   where 
> > is a base64 encoded token. There is a small test program
> > squid_kerb_auth_test.c at
> > http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_
> >auth/ which you can run as follows:
> > kinit u...@domain
> > ./squid_kerb_auth_test  200 | ./squid_kerb_auth -d -s
> > HTTP/
> >
> > This will create 200 authentication requests for testing.
> 
> That will help me a lot ! Thank you very much for your answers !
> 
> I'll post comments as soon as it works (or I get new questions).
> 
> Regards,
> 
> Jeremy
> 


Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

2009-08-25 Thread Jeremy Monnet
On Tue, Aug 25, 2009 at 11:23 PM, Markus Moeller wrote:
>> I am trying to authenticate users through kerberos on a windows 2003
>> server AD. Basically, I followed the klaubert tutorial [1], part on
>> Negotiate/kerberos authentication.
> See also http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Of course I forgot this one, but I used it also.

>> reason attempted to use NTLM. ", does this mean the web browser/gssapi
>> or stuff on the client side is the problem ? Is there anything to do
>> on the windows client machine to send just a standard kerberos ticket
>> ?
> Possibly.  It is important that the proxy you have configured is the fqdn
> and that your web Browser supports negotiate proxy authentication (e.g IE >
> 7 or Firefox)
Trying on windows 7 with IE 8 and FF 3.5.

>> And, last but not least, it seems we can start squid_kerb_auth from
>> the command line in standalone (well, that's the way it works with
>> squid), is there a way to use it to debug the situation ?
> Yes Just start it on the command line and input YR   where  is
> a base64 encoded token. There is a small test program squid_kerb_auth_test.c
> at
> http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerb_auth/
> which you can run as follows:
> kinit u...@domain
> ./squid_kerb_auth_test  200 | ./squid_kerb_auth -d -s
> HTTP/
>
> This will create 200 authentication requests for testing.
That will help me a lot ! Thank you very much for your answers !

I'll post comments as soon as it works (or I get new questions).

Regards,

Jeremy
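The helper replies quoted in this thread ("BH received type 1 NTLM token", "gss_accept_sec_context() failed: An unsupported mechanism was requested") and the "YR <token>" input Markus describes all turn on what the base64 blob after "Negotiate" really contains. As an added example (not code from the thread, from Squid or from squid_kerb_auth), this Python script decodes such a token and reports whether it is a raw NTLMSSP message or a SPNEGO NegTokenInit, and which mechanisms the latter offers; the sample tokens are constructed here, and the mechanism labels "krb5", "ms-krb5" and "ntlmssp" are names chosen for this example.

```python
import base64
import struct

# Raw DER OID bytes (no tag/length) for the mechanisms seen in Negotiate tokens.
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"                   # 1.3.6.1.5.5.2
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"         # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"      # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = size of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_token(b64_token):
    """Say what a 'Negotiate <b64>' header really carries: ("ntlm", msg type),
    ("spnego", [mechs offered]), ("gss", mech) for a bare GSS token, or ("unknown", None)."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):        # raw NTLMSSP sent as "Negotiate"
        return "ntlm", struct.unpack("<I", raw[8:12])[0]
    if not raw or raw[0] != 0x60:             # [APPLICATION 0] InitialContextToken
        return "unknown", None
    _, body, _ = _read_tlv(raw, 0)
    tag, oid, pos = _read_tlv(body, 0)        # thisMech OID comes first
    if tag != 0x06:
        return "unknown", None
    if oid != SPNEGO_OID:                     # e.g. a bare Kerberos AP-REQ
        return "gss", OID_NAMES.get(oid, oid.hex())
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = _read_tlv(body, pos)
    _, seq, _ = _read_tlv(neg_init, 0)
    tag, mech_types, _ = _read_tlv(seq, 0)
    mechs = []
    if tag == 0xA0:
        _, mech_seq, _ = _read_tlv(mech_types, 0)
        p = 0
        while p < len(mech_seq):
            _, oid, p = _read_tlv(mech_seq, p)
            mechs.append(OID_NAMES.get(oid, oid.hex()))
    return "spnego", mechs

def verdict(b64_token):
    """One-line reading of the token, in the spirit of the helper's BH/NA replies."""
    kind, detail = classify_token(b64_token)
    if kind == "ntlm":
        return "NTLM type %d token: client did not obtain a Kerberos ticket" % detail
    if kind == "spnego" and any(m in ("krb5", "ms-krb5") for m in detail):
        return "SPNEGO offering Kerberos: " + ", ".join(detail)
    if kind == "spnego":
        return "SPNEGO without Kerberos (unsupported mechanism): " + ", ".join(detail)
    return "%s token (%s)" % (kind, detail)

# Constructed sample tokens for offline use; these are not captures from the thread.
def _der(tag, payload):
    """Minimal DER encoder: tag, short or long-form length, payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                             # long form; enough for tokens up to 64 KiB
        size = 1 if n < 0x100 else 2
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload

def build_spnego_init(mech_oids):
    """Base64 NegTokenInit offering mech_oids (no mechToken), as a browser sends it."""
    mech_seq = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_seq)))
    return base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + neg_init)).decode()

def build_ntlm_type1():
    """Base64 NTLMSSP NEGOTIATE (type 1) header; squid_kerb_auth answers BH to this."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 24).decode()
```

Paste the base64 from a real "Proxy-Authorization: Negotiate" header into `verdict()` to see whether the browser sent a Kerberos-capable SPNEGO token or fell back to NTLM before involving the helper at all.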


RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-18 Thread Henrik Nordstrom
Tue 2009-08-18 at 15:42 -0400 Daniel wrote:
> Gentlemen,
> 
>   I realize that my question has morphed into a general SLES question,
> so I won't keep this chain going forever. Here's my last question to
> you guys before I start looking for outside help on our SLES 11
> implementation (ie; where in the World are the krb dev libs).

In OpenSuSe 11.1 it's krb5-devel and krb5-devel-32bit and should be the
same in SLES 11.

Make sure you search the network repository, and not just the install
cd. The basic install cd most likely does not contain packages needed for
development.

Regards
Henrik



RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-18 Thread Daniel
Gentlemen,

I realize that my question has morphed into a general SLES question, so 
I won't keep this chain going forever. Here's my last question to you guys 
before I start looking for outside help on our SLES 11 implementation (ie; 
where in the World are the krb dev libs).

I searched for just 'krb', the 'i' stands for installed... You'll notice that 
there are no devel packages at all. I searched for 'krb devel', 'krb lib', 'dev 
lib' and a few others... it seems that it's either included in with another 
package and I just can't find it, or something... any ideas? Thanks

   | Name                           | Summary
---+--------------------------------+---------------------------------------------------------------------------
 i | krb5                           | MIT Kerberos5 Implementation--Libraries
 i | krb5-32bit                     | MIT Kerberos5 Implementation--Libraries
   | krb5-apps-clients              | MIT Kerberos5 client applications
   | krb5-apps-servers              | MIT Kerberos5 server applications
 i | krb5-client                    | MIT Kerberos5 implementation - client programs
   | krb5-doc                       | MIT Kerberos5 Implementation--Documentation
   | krb5-plugin-kdb-ldap           | MIT Kerberos5 Implementation--LDAP Database Plugin
   | krb5-plugin-preauth-pkinit     | MIT Kerberos5 Implementation--PKINIT preauth Plugin
   | krb5-plugin-preauth-pkinit-nss | MIT Kerberos5 Implementation--PKINIT preauth Plugin
   | krb5-server                    | MIT Kerberos5 implementation - server
   | krb5-ticket-watcher            | A Tray Applet for Watching, Renewing, and Reinitializing Kerberos Tickets
 i | libidn                         | Support for Internationalized Domain Names (IDN)
 i | libidn-32bit                   | Support for Internationalized Domain Names (IDN)
   | pam_krb5                       | PAM Module for Kerberos Authentication
   | pam_krb5-32bit                 | PAM Module for Kerberos Authentication
 i | yast2-kerberos-client          | YaST2 - Kerberos Client Configuration
 i | yast2-kerberos-server          | YaST2 - Kerberos Server Configuration

-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] 
Sent: Monday, August 17, 2009 6:04 PM
To: Daniel
Cc: 'Amos Jeffries'; 'Markus Moeller'; squid-users@squid-cache.org
Subject: RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Mon 2009-08-17 at 15:41 -0400 Daniel wrote:
> Amos,
> 
>   Thanks for your response. I have the following already installed:
> 
> gssapi related:
> 'cyrus-sasl-gssapi'
> 'cyrus-sasl-gssapi-32bit'
> 'libgssglue1'
> 'librpcsecgss'
> 
> krb related:
> 'krb5'
> 'krb5-32bit'
> 'krb5-client'

What you are missing is the development packages to the above.

Probably

krb5-devel

or

libkrb5-devel


Regards
Henrik



RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-17 Thread Henrik Nordstrom
Mon 2009-08-17 at 15:41 -0400 Daniel wrote:
> Amos,
> 
>   Thanks for your response. I have the following already installed:
> 
> gssapi related:
> 'cyrus-sasl-gssapi'
> 'cyrus-sasl-gssapi-32bit'
> 'libgssglue1'
> 'librpcsecgss'
> 
> krb related:
> 'krb5'
> 'krb5-32bit'
> 'krb5-client'

What you are missing is the development packages to the above.

Probably

krb5-devel

or

libkrb5-devel


Regards
Henrik



RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-17 Thread Daniel
Amos,

Thanks for your response. I have the following already installed:

gssapi related:
'cyrus-sasl-gssapi'
'cyrus-sasl-gssapi-32bit'
'libgssglue1'
'librpcsecgss'

krb related:
'krb5'
'krb5-32bit'
'krb5-client'

I also looked through the config.log where Markus indicated and found the
following errors in relation to gssapi:

configure:4188: checking gssapi.h usability
configure:4205: gcc -c -g -O2  conftest.c >&5
conftest.c:54:20: error: gssapi.h: No such file or directory
configure:4212: $? = 1
configure: failed program was:
| /* confdefs.h.  */

configure:4230: checking gssapi.h presence
configure:4245: gcc -E  conftest.c
conftest.c:21:20: error: gssapi.h: No such file or directory
configure:4252: $? = 1
configure: failed program was:
| /* confdefs.h.  */

configure:4299: checking for gssapi.h
configure:4308: result: no
configure:4188: checking gssapi/gssapi.h usability
configure:4205: gcc -c -g -O2  conftest.c >&5
conftest.c:54:27: error: gssapi/gssapi.h: No such file or directory
configure:4212: $? = 1
configure: failed program was:
| /* confdefs.h.  */

Any other ideas? Thanks!

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday, August 14, 2009 11:47 PM
To: Daniel
Cc: 'Markus Moeller'; squid-users@squid-cache.org
Subject: Re: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Daniel wrote:
> Markus,
> 
>   First, please correct me if I'm wrong but I looked for 'gssapi.h' in
> config.log and I'm assuming that config.log contains all the log information
> from doing a /configure? Assuming that I am correct, I couldn't find
> 'gssapi' anywhere inside the log file so I'm not sure if that's a good thing
> or a bad thing.

bad.
config.log is supposed to contain a full dump of the output of 
./configure when it was last run.

> 
> I went ahead and dumped the output of the ./configure to a file and these
> are the only lines that I could find for gssapi.h:
> 
> checking gssapi.h usability... no
> checking gssapi.h presence... no
> checking for gssapi.h... no
> checking gssapi/gssapi.h usability... no
> checking gssapi/gssapi.h presence... no
> checking for gssapi/gssapi.h... no
> 
> If there's anything else that I could try, I'd greatly appreciate it.
> Thanks!

You could try installing the gssapi development libraries on your build 
machine. (sometimes called libkrb or libkrb5). Then re-running ./configure

Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13



Re: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-14 Thread Amos Jeffries

Daniel wrote:

Markus,

First, please correct me if I'm wrong but I looked for 'gssapi.h' in
config.log and I'm assuming that config.log contains all the log information
from doing a /configure? Assuming that I am correct, I couldn't find
'gssapi' anywhere inside the log file so I'm not sure if that's a good thing
or a bad thing.


bad.
config.log is supposed to contain a full dump of the output of 
./configure when it was last run.




I went ahead and dumped the output of the ./configure to a file and these
are the only lines that I could find for gssapi.h:

checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no

If there's anything else that I could try, I'd greatly appreciate it.
Thanks!


You could try installing the gssapi development libraries on your build 
machine. (sometimes called libkrb or libkrb5). Then re-running ./configure


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


RE: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

2009-08-14 Thread Daniel
Markus,

First, please correct me if I'm wrong but I looked for 'gssapi.h' in
config.log and I'm assuming that config.log contains all the log information
from doing a /configure? Assuming that I am correct, I couldn't find
'gssapi' anywhere inside the log file so I'm not sure if that's a good thing
or a bad thing.

I went ahead and dumped the output of the ./configure to a file and these
are the only lines that I could find for gssapi.h:

checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no

If there's anything else that I could try, I'd greatly appreciate it.
Thanks!

-Original Message-
From: news [mailto:n...@ger.gmane.org] On Behalf Of Markus Moeller
Sent: Tuesday, August 11, 2009 3:25 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13

Hi Daniel,

Did you see any configure errors for gssapi.h?

Markus


"Daniel"  wrote in message 
news:001301ca19fe$9f450a50$ddcf1e...@com...
Good afternoon,

In my attempt to get Squid on our SLES 11 box authenticating with
Kerberos (negotiate), I used the following to re-configure:

./configure --prefix=/usr/local/squid --enable-cachemgr-hostname=sclthdq01w
--enable-auth="negotiate" --enable-negotiate-auth-helpers="squid_kerb_auth"

The "configure" appears to run without any issues. However, upon running
"make all" I receive the following errors:

squid_kerb_auth.c:507: error: implicit declaration of function
'gss_display_name'
make[5]: *** [squid_kerb_auth.o] Error 1
make[5]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[3]: *** [all] Error 2
make[3]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth/squid_kerb_auth'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
`/tmp/squid-3.1.0.13/helpers/negotiate_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/squid-3.1.0.13/helpers'
make: *** [all-recursive] Error 1

Any ideas?? As always, T.I.A.

-Daniel