Search squid archive

Re: Help configuring Squid with Kerberos authentication to access Skype service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The question is: Does Skype support Negotiate as an authentication scheme ? If not you need something like a local proxy.
I have a POC version here https://sourceforge.net/projects/squidkerbauth/files/squidkerberizer/squid_kerberizer-1.0.1/client_kerb_auth.zip/download or http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/ 

Regards
Markus
"Fryer, Huw" <hfryer@xxxxxxxxxxxxxx> wrote in message news:8428E62680B457449BFA2317024B0A0563D949D6E6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
Hello All

I've setup a Squid proxy server according to the following guidelines
http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp as my previous proxy version (on a completely different hardware platform) used NTLM authentication which does not work "out of the box" with W7 / W2008
The above URL install proceeded fine and authenticated users are able to browse sites with no apparent issues. I should add that Squid also uses Websense to provide filtering according to AD groups which also works. However when we try and authenticate to the Skype service sites we get failures. In my Skype configuration I am manually specifying the proxy server using the fqdn with the port through which access is to go (same as the squid proxy host) 

My squid.conf file is thus
auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/http-proxy-fqdn 
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS 

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
acl localnet src network1/24
acl localnet src network2/24
acl localnet src network3/24
#
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl AUTHENTICATED proxy_auth REQUIRED
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#http_access allow localnet
http_access allow LDAP_GROUP_CHECK

http_access deny all

icp_access allow localnet
icp_access deny all

htcp_access allow localnet
htcp_access deny all

http_port 8080

hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/cache/squid-3.0 100 16 256

access_log /var/log/squid-3.0/access.log squid

cache_log /var/log/squid-3.0/cache.log

cache_store_log /var/log/squid-3.0/store.log

logfile_rotate 10

pid_filename /var/run/squid-3.0.pid

debug_options ALL,1

url_rewrite_program /opt/Websense/bin/WsRedtor
url_rewrite_children 30
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
cache_effective_user squid

cache_effective_group squid

icp_port 3130

coredump_dir /var/cache/squid-3.0

redirector_bypass off

My krb5.conf file is

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CHILD.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h

# For Windows XP:
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# For Windows 2007:
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 # default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 # permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
forwardable = yes

[realms]
CHILD.DOMAIN.COM = {
 kdc = xxx.xxx.xxx.xxx:88
 admin_server = xxx.xxx.xxx.xxx:7491
 default_domain = child.domain.com
}

[domain_realm]
.child.domain.com = CHILD.DOMAIN.COM
child.domain.com = CHILD.DOMAIN.COM

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

When browsing sites the access.log reflects
1275588052.233 419 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 670 GET http://www.mail-archive.com/images/msg-top2.png hfryer@xxxxxxxxxxxxxxxx DIRECT/72.52.77.3 - 1275588052.266 452 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 671 GET http://www.mail-archive.com/images/msg-left.jpg hfryer@xxxxxxxxxxxxxxxx DIRECT/72.52.77.3 - 1275588055.273 1 172.17.192.244 TCP_IMS_HIT/304 276 GET http://www.mail-archive.com/favicon.ico hfryer@xxxxxxxxxxxxxxxx NONE/- image/x-icon 

Now when I start up Skype and watch the access.log I get
1275588304.779 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 173.168.7.102:443 - NONE/- text/html 1275588304.781 1 172.17.192.244 TCP_DENIED/407 1895 CONNECT 178.34.74.211:443 - NONE/- text/html 1275588304.781 1 172.17.192.244 TCP_DENIED/407 1898 CONNECT 70.253.110.236:443 - NONE/- text/html 1275588304.781 1 172.17.192.244 TCP_DENIED/407 1901 CONNECT 130.132.120.126:443 - NONE/- text/html 1275588304.782 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 173.168.7.102:443 - NONE/- text/html 1275588304.785 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 178.34.74.211:443 - NONE/- text/html 1275588304.785 0 172.17.192.244 TCP_DENIED/407 1901 CONNECT 130.132.120.126:443 - NONE/- text/html 1275588304.785 0 172.17.192.244 TCP_DENIED/407 1898 CONNECT 70.253.110.236:443 - NONE/- text/html 1275588307.898 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 68.196.29.250:443 - NONE/- text/html 1275588308.904 0 172.17.192.244 TCP_DENIED/407 1898 CONNECT 173.16.159.143:443 - NONE/- text/html 1275588308.904 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT 72.55.196.138:443 - NONE/- text/html 1275588308.906 1 172.17.192.244 TCP_DENIED/407 1898 CONNECT 178.82.173.239:443 - NONE/- text/html 1275588308.906 1 172.17.192.244 TCP_DENIED/407 1892 CONNECT 67.244.70.95:443 - NONE/- text/html
I've tried removing the reliance on the external_acl_type command but still get the authentication failure when attempting to sign in to the Skype service.
I'm not sure if the solution is straight forward, I've googled for 2+ days without much success. There may be other such situations that I cannot access, Skype is the first one I've encountered that fails to connect. 

Thanks

Huw Fryer
Email - hfryer@xxxxxxxxxxxxxx
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux