Hello,I am setting up Kerberos auth on squid (3.1.15), but it won't work. Browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. Yet, I don't see any logging of failed authentication attempts in kerberos logs at all! It's as if squid is not communicating with kerberos server. Yet, kinit from the command line works fine (see details below).
What am I doing wrong? Am I missing something? I need your help. Thanks, Nick Details of the setup follow (true names/IP addresses have been changed):I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on kerb.example.com and I am setting up squid on squid.example.com; it's Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here: ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm).
Host squid.example.com is also setup as a kerberos client. So, I have added to kerberos a host: host/[email protected] and a service: HTTP/[email protected] Then, I created a keytab file (httpsquid.keytab) for the latter: [root@squid]# kadmin.local Authenticating as principal userx/[email protected] with password. kadmin.local: addprinc HTTP/[email protected]WARNING: no policy specified for HTTP/[email protected]; defaulting to no policy
Enter password for principal "HTTP/[email protected]": Re-enter password for principal "HTTP/[email protected]": Principal "HTTP/[email protected]" created. kadmin.local: ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.comEntry for principal HTTP/squid.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
...moved it to /etc/squid and changed ownership to root:squid and permissions: 640.
I have checked that the keytab file works: [root@squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com Authenticated to Kerberos v5 I also added to the start of /etc/init.d/squid the lines: KRB5_KTNAME=/etc/squid/httpsquid.keytab export KRB5_KTNAMEThen, I checked that kerberos authentication is enabled (as explained e.g. here: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html), then I specified (in IE, Internet Options / Connections / LAN Settings) squid.example.com as a Proxy on port 3128 and I have tried to visit any page. As I explained, browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. I have tried the following as username, without success:
userx EXAMPLE.COM\userx [email protected] [email protected]On the other hand, Firefox 6 (with similar settings) doesn't show any pop up window; it just fails.
I have tried the three following configuration alternatives, but it didn't make any difference:
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -dauth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s HTTP/squid.example.com
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
Here is /etc/squid/squid.conf:
---------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.10.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localhost
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access allow auth
#http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Disable caching
cache deny all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
debug_options ALL, 9
---------------------------------------------------------------
And below is /etc/krb5.conf (on squid.example.com):
---------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm =EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerb.example.com:88
admin_server = kerb.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
---------------------------------------------------------------
smime.p7s
Description: S/MIME Cryptographic Signature
