Re: [squid-users] Re: squid_kerb_ldap issues
Hi Markus,

Thanks for your input. I ended up completely removing everything and recreating my key tab and it works great now.

One more question for you or the list: Is it possible to do machine based AD auth to squid? We have a use case here where we would want to allow a machine access to a resource but not necessarily specifically allow the users who are logged in to it.

Thanks again,
-Scott

Scott Finlon, CISSP GCIA GCIH
---
Information Security Engineer
The University of Scranton
email : scott.fin...@scranton.edu
phone : 570-941-6168
---

On 8/21/14, 3:20 PM, Markus Moeller hua...@moeller.plus.com wrote:
[squid-users] Re: squid_kerb_ldap issues
Hi Scott,

You mean authentication and authorisation? I think you can. I would expect you to see instead of user@DOMAIN a host/fqdn@DOMAIN, and if you add the computer account to the AD group it should authorise. I am very curious to see it :-)

Markus

Scott Finlon wrote in message news:d01cdf61.36eeb%scott.fin...@scranton.edu...
[squid-users] Re: squid_kerb_ldap issues
Hi All,

I have squid_kerb_auth working and authenticating via my key tab file. However, when trying to lock it down to users that are in a group in AD, I'm seeing a weird issue. I put my sanitized output here: http://pastebin.com/wGc3RC0h

But basically if I use this

"./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN"

it is able to auth to AD and eventually attempts to use a bind path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like this

"./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM"

it gives a Preauthentication failed error and doesn't even make it into AD, full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the key tab file, but it works appropriately with kerb auth just not kerb ldap. Any ideas? I am going to try and make a key tab file with ktpass instead of msktutil and see if that has any effect.

Thanks,
-Scott
[squid-users] Re: squid_kerb_ldap issues
Hi Scott,

So from what I see in your first log you have a user MYSUER with a domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM. squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the keytab but does not find any entry for MYDOMAIN in the keytab. Then squid_kerb_ldap tries to find an entry in the keytab of a domain which trusts MYDOMAIN and fails. It seems there is no Kerberos trust between MYDOMAIN and SUBDOMAIN.DOMAIN.COM.

The second log looks better, but the password stored in the keytab for SQUIDPROXY-K$ is incorrect (Preauthentication failed).

Markus

Scott Finlon wrote in message news:d01b8481.36d86%scott.fin...@scranton.edu...
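As an added example (not code from this thread and not squid_kerb_ldap's own code), here is a small Python reader for the MIT keytab file format that lists each entry's principal, realm, kvno and enctype, followed by a lookup that models the search Markus describes: first for keys in the user's own realm, then in a realm that trusts it. The sample keytab bytes, the trust map and the principal names are constructed for this example, and the two-step realm search is a simplification of what the helper does rather than a copy of its source. The key material is never read, so a missing realm entry can be diagnosed without touching secrets.

```python
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str  # e.g. "HTTP/fqdn@REALM"
    realm: str
    kvno: int
    enctype: int    # 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac


def build_keytab(specs):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT keytab v2 (0x0502).
    Only used here to construct sample input; it is not a replacement for ktutil/msktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp, irrelevant here
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Walk an MIT keytab v2 and return its entries (key bytes are skipped, not kept)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2 file")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                # name_type + timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen         # skip the key itself
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, realm, kvno, enctype))
    return entries


def keytab_realm_for_user(user_principal, entries, trusting_realms):
    """Model of the lookup described in the thread: keys for the user's realm first,
    otherwise keys for a realm listed (in the constructed trust map) as trusting it.
    Returns (realm_used, matching_entries); (None, []) means the helper would fail."""
    if "@" not in user_principal:
        raise ValueError("principal has no realm")
    user_realm = user_principal.rsplit("@", 1)[1]
    by_realm = {}
    for e in entries:
        by_realm.setdefault(e.realm, []).append(e)
    if user_realm in by_realm:
        return user_realm, by_realm[user_realm]
    for r in trusting_realms.get(user_realm, ()):
        if r in by_realm:
            return r, by_realm[r]
    return None, []


# Constructed sample: the proxy's keytab holds keys only for SUBDOMAIN.DOMAIN.COM.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/squidproxy.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM", 3, 18, b"\x11" * 32),
    ("SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM", 3, 23, b"\x22" * 16),
])
# Same keytab with a deleted slot inserted, as ktutil leaves behind after "delkey".
SAMPLE_WITH_HOLE = SAMPLE_KEYTAB[:2] + struct.pack(">i", -8) + b"\0" * 8 + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    print(keytab_realm_for_user("myuser@MYDOMAIN", entries, {}))
    print(keytab_realm_for_user("myuser@MYDOMAIN", entries, {"MYDOMAIN": ["SUBDOMAIN.DOMAIN.COM"]}))
```

On a real proxy the same listing comes from klist -kte, and a stale key for the proxy's own account (Markus's second diagnosis) shows up as "Preauthentication failed" from kinit -kt against that principal, so the first things to compare are the realm of the entries and their kvno against what the domain currently holds for the account.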