Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 20.09.2016 15:20, Silamael wrote:
> Ok, found one problem. Under OpenBSD I had some hack that the external
> helper was linked against libbind (the bind resolver library) instead of
> libc (as the helper uses some defines which have different names in the
> OpenBSD libc). This caused the Heimdal libs to also use the Bind
> resolver library instead of the libc resolver. And this led to an error
> in the getaddrinfo() call due to invalid ai_flags.
> After patching the helper to compile with the libc now a new problem
> comes up:
> When binding to the LDAP server the helper uses SASL/GSSAPI. And then
> ldap_sasl_interactive_bind_s fails with "Unknown authentication method".
> Is there anything special that must be given on the Windows side? Or
> what's wrong now?

Just for completeness, the problems got solved. Cause for the last issue was that the cyrus-sasl2 package wasn't built with GSSAPI support and, after that, that the needed .so files were missing in the chroot environment. After fixing this, the external_kerberos_ldap_group_acl helper works like a charm.

Many thanks for any hints given!

-- Matthias

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 19.09.2016 13:39, Silamael Darkomen wrote:
>
> On 16.09.2016 22:11, Markus Moeller wrote:
>> Hi Silamael,
>>
>> Can you perform a kinit u...@example.com ? Does the squid user
>> have read access to krb5.conf ?
>>
>> Markus
>
> Hello Markus,
>
> Yes, the permissions are correctly set up so that Squid and its
> processes can read every file needed.
> For it seems that the Heimdal library ignores the dns_lookup_kdc and
> dns_lookup_realm options in the krb5.conf...
> As written in my other response, the helper also crashes at the end.
> I'll take a look on the stack trace...

Ok, found one problem. Under OpenBSD I had some hack that the external helper was linked against libbind (the bind resolver library) instead of libc (as the helper uses some defines which have different names in the OpenBSD libc). This caused the Heimdal libs to also use the Bind resolver library instead of the libc resolver. And this led to an error in the getaddrinfo() call due to invalid ai_flags.

After patching the helper to compile with the libc now a new problem comes up: when binding to the LDAP server the helper uses SASL/GSSAPI. And then ldap_sasl_interactive_bind_s fails with "Unknown authentication method".

Is there anything special that must be given on the Windows side? Or what's wrong now?

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Yes, you can fix that by setting the SPN HTTP/host.you.domain.tld in the UPN. I had that too, changed it and it is working perfectly now.

See subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )

Greetz,

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday 19 September 2016 14:20
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
>
> On 19.09.2016 14:08, L.P.H. van Belle wrote:
>> Well, that's strange.
>> No, I can't speak about OpenBSD, but below is pretty general.
>>
>> When you test, did you set this before the test?
>> KRB5_KTNAME=/etc/squid/proxy.keytab
>> And does that keytab contain the HTTP/SPN?
>> And test/check if you see http/SPN in the UPN, if not try that also.
>> After that change the
>> I just tested again to make my groups more flexible.
>>
>> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
>>   -D YOUR.REALM.TLD \
>>   -N ntdom...@your.realm.tld \
>>   -S dc1.your.dnsdomain@your.realm.tld \
>>   -i -d
>> This one is without the -g so we can use more group names,
>> but test with -g first.
>>
>> From this example like. But I change the ldap group to kerberos group here.
>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
>
> That's all there, environment is correctly set up. Keytab looks good.
> As said before, the negotiate_kerberos_auth part works like a charm.
> All I get is a bunch of messages complaining about not being able to
> reach any KDC in realm while initializing the credentials of the keytab...
> Thought that it might be a DNS issue but even configuring DNS so that
> the AD server does all the DNS stuff did not change a bit :(
>
> -- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 19.09.2016 14:08, L.P.H. van Belle wrote:
> Well, that's strange.
> No, I can't speak about OpenBSD, but below is pretty general.
>
> When you test, did you set this before the test?
> KRB5_KTNAME=/etc/squid/proxy.keytab
> And does that keytab contain the HTTP/SPN?
> And test/check if you see http/SPN in the UPN, if not try that also.
> After that change the
> I just tested again to make my groups more flexible.
>
> /usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
>   -D YOUR.REALM.TLD \
>   -N ntdom...@your.realm.tld \
>   -S dc1.your.dnsdomain@your.realm.tld \
>   -i -d
> This one is without the -g so we can use more group names,
> but test with -g first.
>
> From this example like. But I change the ldap group to kerberos group here.
> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

That's all there, environment is correctly set up. Keytab looks good. As said before, the negotiate_kerberos_auth part works like a charm. All I get is a bunch of messages complaining about not being able to reach any KDC in realm while initializing the credentials of the keytab...

Thought that it might be a DNS issue but even configuring DNS so that the AD server does all the DNS stuff did not change a bit :(

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Well, that's strange.
No, I can't speak about OpenBSD, but below is pretty general.

When you test, did you set this before the test?

KRB5_KTNAME=/etc/squid/proxy.keytab

And does that keytab contain the HTTP/SPN?
And test/check if you see http/SPN in the UPN, if not try that also.
After that change the
I just tested again to make my groups more flexible.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -m 4 \
  -D YOUR.REALM.TLD \
  -N ntdom...@your.realm.tld \
  -S dc1.your.dnsdomain@your.realm.tld \
  -i -d

This one is without the -g so we can use more group names, but test with -g first.

From this example like. But I change the ldap group to kerberos group here.
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

When I now put in "username groupname" after starting with the line above to test out, I'm getting:

support_member.cc(69): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: INFO: User username is member of group@domain groupn...@your.realm.tld OK
kerberos_ldap_group.cc(408): pid=23472 :2016/09/19 13:55:39| kerberos_ldap_group: DEBUG: OK

This is all I have in krb5.conf:

[libdefaults]
default_keytab_name = /etc/krb5.keytab
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true

And the AD DC lookup works, if you set the SPN in the UPN, at least it works for me.

I have my system's keytab as default keytab and

KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

is set in the /etc/default/squid3

So I'm thinking: review the keytab setup and the variable.

And:
> The AD is reachable from the proxy machine but DNS is not done by the AD
> but on the proxy machine itself.

Same here, but I do have a forward zone in the DNS for my AD domain.

Hope this helps a bit.

Greetz,

Louis

> -Original message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of
> Silamael Darkomen
> Sent: Monday 19 September 2016 13:35
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Problem with Kerberos and
> ext_kerberos_ldap_group_acl not being able to reach realm's KDC
>
> On 16.09.2016 10:52, L.P.H. van Belle wrote:
>> I think you forgot in your test, that you may need to modify the default
>> kerberos ticket used.
>>
>> I suggest you change your config a bit to something like
>>
>> external_acl_type internet-win-allowed %LOGIN
>> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
>>   -D YOUR.REALM.TLD \
>>   -g allowed-inter...@your.realm.tld \
>>   -N ntdom...@your.realm.tld \
>>   -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld
>
> Hello,
>
> Tried your suggestions but that doesn't change anything.
> Furthermore the ext_kerberos_ldap_group_acl creates a core dump after
> iterating over all the entries for the keytab...
> Any further ideas?
>
> -- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 16.09.2016 22:11, Markus Moeller wrote:
> Hi Silamael,
>
> Can you perform a kinit u...@example.com ? Does the squid user
> have read access to krb5.conf ?
>
> Markus

Hello Markus,

Yes, the permissions are correctly set up so that Squid and its processes can read every file needed. For it seems that the Heimdal library ignores the dns_lookup_kdc and dns_lookup_realm options in the krb5.conf...

As written in my other response, the helper also crashes at the end. I'll take a look on the stack trace...

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
On 16.09.2016 10:52, L.P.H. van Belle wrote:
> I think you forgot in your test, that you may need to modify the default
> kerberos ticket used.
>
> I suggest you change your config a bit to something like
>
> external_acl_type internet-win-allowed %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
>   -D YOUR.REALM.TLD \
>   -g allowed-inter...@your.realm.tld \
>   -N ntdom...@your.realm.tld \
>   -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld

Hello,

Tried your suggestions but that doesn't change anything. Furthermore the ext_kerberos_ldap_group_acl creates a core dump after iterating over all the entries for the keytab...

Any further ideas?

-- Matthias
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Hi Silamael,

Can you perform a kinit u...@example.com ? Does the squid user have read access to krb5.conf ?

Markus

"Silamael Darkomen" wrote in message news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...

Hello,

I'm currently working on setting up our proxy to authenticate the users via Kerberos against a Windows AD. The simple user authentication through negotiate_kerberos_auth is already working. But the second step for checking the group of an authenticated user gives me some headache.

Even with Kerberos configured not to search the KDC via DNS, the ext_kerberos_ldap_group_acl tool complains about not being able to find the realm's KDC:

squid-3.5.20/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc(376): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: INFO: Got User: user Domain: EXAMPLE.COM
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(63): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: User domain loop: group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(91): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Default domain loop: group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(93): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_ldap.cc(898): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(127): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_23191
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(138): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get default keytab file name
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(144): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/HTTP.keytab
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(158): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/HTTP.keytab
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(167): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(181): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found principal name: host/proxy.example@example.com
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(196): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got principal name host/proxy.example@example.com
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(64): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : unable to reach any KDC in realm EXAMPLE.COM
...

The last lines of the error messages repeat for every entry in the keytab. All other Kerberos related tools work fine with the given krb5.conf.

Some more information about the setup: We're running under OpenBSD with Heimdal version 1.5.3. The AD is reachable from the proxy machine but DNS is not done by the AD but on the proxy machine itself.

Below you find the krb5.conf used and the settings from the squid.conf. The limitation to 1 child is just for testing purposes.

Would be really great if anyone could shed some light on this issue!

Thanks in advance,
Matthias

-
krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_keytab_name = /etc/HTTP.keytab
dns_lookup_kdc = no
dns_lookup_realm = no

[realms]
EXAMPLE.COM = {
  kdc = 1.2.3.4
  admin_server = 1.2.3.4
  default_domain = example.com
}

squid.conf:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
auth_param negotiate children 1
auth_param negotiate keep_alive on

external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
acl ldap_group_check external squid_kerb_ldap
http_access deny !ldap_group_check
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
I think you forgot in your test, that you may need to modify the default kerberos ticket used.

I suggest you change your config a bit to something like

external_acl_type internet-win-allowed %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl \
  -D YOUR.REALM.TLD \
  -g allowed-inter...@your.realm.tld \
  -N ntdom...@your.realm.tld \
  -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld \

Now test it. Start like this:

/usr/local/libexec/squid/negotiate_kerberos_auth \
  -D YOUR.REALM.TLD \
  -g allowed-inter...@your.realm.tld \
  -N ntdom...@your.realm.tld \
  -S dc1.your.dnsdomain@your.realm.tld:dc2.your.dnsdomain@your.realm.tld \
  -d

(-d = debug)

Test with -S and point to your server, does it work?
Test again with -S, does it work, no?
Change the default keytab for the test:

KRB5_KTNAME=/etc/squid/keytab.SQUID-HTTP
export KRB5_KTNAME

Type a username belonging to the group you're testing with, hit enter.
And in the end you should see:

support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-inter...@your.realm.tld OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK

with search for the kdc in krb5.conf:

[libdefaults]
default_realm = YOUR.REALM.TLD
dns_lookup_kdc = true
dns_lookup_realm = false

and now when it works adjust your parameters to your needs.
( like the : children-max=1 ttl=3600 negative_ttl=3600 )

Greetz,

Louis

> squid.conf:
> auth_param negotiate program
> /usr/local/libexec/squid/negotiate_kerberos_auth -di -s
> HTTP/proxy.example.com
> auth_param negotiate children 1
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600
> %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g
> linux@
> acl ldap_group_check external squid_kerb_ldap
> http_access deny !ldap_group_check
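The thread turns on reading the helper's `-d` output: the original report shows the `ERROR: ... unable to reach any KDC in realm` line repeating once per keytab entry, and Louis's test procedure above ends in the `INFO: User ... is member of group@domain ... OK` / `DEBUG: OK` pair that marks a working setup. The following is an added example, not code from the thread or from the Squid project: a small Python triage script that parses lines in the `file.cc(line): pid=N :date time| kerberos_ldap_group: LEVEL: message` format shown in the posts, groups them per helper process, and reports which keytab principals were tried, which realm's KDC could not be reached, and whether the run reached the final OK. The sample log lines embedded in it are constructed for the example (with a made-up principal `host/proxy.example.com@EXAMPLE.COM`), and the remediation hints in `diagnose()` only restate the causes found in this thread (krb5.conf `[realms]`/`dns_lookup_kdc`, and the resolver and SASL GSSAPI libraries the chrooted helper needs).

```python
"""Triage ext_kerberos_ldap_group_acl -d output (added example, not Squid code)."""
import re
from dataclasses import dataclass, field

# One helper debug line: "support_krb5.cc(64): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: ..."
LINE_RE = re.compile(
    r"^(?P<src>[^\s(]+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) "
    r":(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| kerberos_ldap_group: "
    r"(?P<level>INFO|DEBUG|ERROR): (?P<msg>.*)$"
)
KEYTAB_RE = re.compile(r"Got default keytab file name (\S+)")
PRINCIPAL_RE = re.compile(r"Found principal name: (\S+)")
KDC_RE = re.compile(r"unable to reach any KDC in realm (\S+)")
MEMBER_RE = re.compile(r"User (\S+) is member of group@domain (\S+) OK$")


@dataclass
class HelperRun:
    """Everything observed for one helper process (one pid)."""
    pid: str
    keytab: str = ""
    principals: list = field(default_factory=list)        # principals read from the keytab
    unreachable_realms: dict = field(default_factory=dict)  # realm -> number of KDC errors
    member_of: list = field(default_factory=list)         # (user, group@domain) matches
    errors: list = field(default_factory=list)            # raw ERROR messages
    ok: bool = False                                      # saw the final "DEBUG: OK"


def parse_helper_log(text):
    """Return {pid: HelperRun}. Lines not in the helper's format are skipped,
    so a whole cache.log or a pasted mail body can be fed in."""
    runs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        run = runs.setdefault(m["pid"], HelperRun(pid=m["pid"]))
        level, msg = m["level"], m["msg"]
        if level == "ERROR":
            run.errors.append(msg)
            kdc = KDC_RE.search(msg)
            if kdc:
                realm = kdc.group(1)
                run.unreachable_realms[realm] = run.unreachable_realms.get(realm, 0) + 1
            continue
        kt, pr, mem = KEYTAB_RE.search(msg), PRINCIPAL_RE.search(msg), MEMBER_RE.search(msg)
        if kt:
            run.keytab = kt.group(1)
        elif pr:
            run.principals.append(pr.group(1))
        elif mem:
            run.member_of.append((mem.group(1), mem.group(2)))
        elif level == "DEBUG" and msg == "OK":
            run.ok = True
    return runs


def diagnose(run):
    """Return a list of human-readable findings for one helper run."""
    findings = []
    if run.ok and run.member_of:
        user, group = run.member_of[-1]
        findings.append(f"group check succeeded: {user} is in {group}")
    for realm, n in run.unreachable_realms.items():
        tried = [p for p in run.principals if p.upper().endswith("@" + realm.upper())]
        findings.append(
            f"KDC for realm {realm} unreachable for {n} keytab entr{'y' if n == 1 else 'ies'}"
            f" ({', '.join(tried) or 'no principal recorded'}) from {run.keytab or 'unknown keytab'};"
            " check [realms] kdc= and dns_lookup_kdc in krb5.conf, and that the helper's"
            " resolver and SASL GSSAPI libraries are present in its chroot"
        )
    if not run.ok and not run.unreachable_realms and run.errors:
        findings.append("helper failed without a KDC error: " + run.errors[-1])
    if not findings:
        findings.append("no conclusive result: helper did not print a final OK")
    return findings


# Constructed sample input modelled on the lines quoted in this thread.
SAMPLE_FAILURE = """\
support_krb5.cc(138): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/HTTP.keytab
support_krb5.cc(181): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found principal name: host/proxy.example.com@EXAMPLE.COM
support_krb5.cc(64): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : unable to reach any KDC in realm EXAMPLE.COM
support_krb5.cc(181): pid=23191 :2016/09/16 09:53:11| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example.com@EXAMPLE.COM
support_krb5.cc(64): pid=23191 :2016/09/16 09:53:11| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : unable to reach any KDC in realm EXAMPLE.COM
this line is not helper output and is ignored
"""

SAMPLE_SUCCESS = """\
support_member.cc(69): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: INFO: User testuser is member of group@domain allowed-internet@YOUR.REALM.TLD OK
kerberos_ldap_group.cc(408): pid=10396 :2016/09/16 10:39:07| kerberos_ldap_group: DEBUG: OK
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FAILURE, SAMPLE_SUCCESS):
        for pid, run in parse_helper_log(sample).items():
            for finding in diagnose(run):
                print(f"pid {pid}: {finding}")
```

Run it as-is to see the two constructed samples triaged, or pipe real helper output into `parse_helper_log()`; the per-pid grouping matters because Squid starts several helper children and their debug lines interleave in cache.log.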