Search squid archive

Kerberos auth with Active Directory.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hello

I am trying to setup kerberos auth against Active Directory - Windows 2000 - in squid, 2.7.  This is primarily so that the username is captured in the access log. But also user based access control will occasionally be used.

I've installed the squid_kerb_auth software from http://squidkerbauth.sourceforge.net/

The relevant squid config looks like this:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid/squid_kerb_ldap -d -g active-directory-group@xxxxxxxxx

acl ldap_group_check external squid_kerb_ldap

acl k_test src [some.test.host.address]
http_access allow k_test ldap_group_check
http_access deny k_test


Initially I used the msktutil package to create the AD account keytab, thus:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k /etc/squid/HTTP.keytab --computer-name squidhost --upn HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose

This produced the desired keytab but in the verbose output noted that the ticket version number was not returned ("must be Windows 2000" - it is) and so set the kvno to zero.  This is reflected in the output of kvno HTTP/squidhost.my.domain

When the client connected (Mac OS X 10.6) using the Chrome browser, squid's cache.log reported that the ticket version number didn't match:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Key version number for principal in key table is incorrect.

 Using kvno HTTP/squidhost.my.domain on this client the version number was 3  while doing the same on the proxy the version was zero.  So that made sense.

I fixed this by not using msktutil and using ktpass on the Active DIrectory server and specifying  -kvno 3.  Installed this on the proxy host and that error went away.

Reading about ktpass and kerberos auth in Microsoft's KB, it said that the (squid) host needs have an account created for it as a user in the domain.  Weird but I did this, using the host name as the user shortname.  I used this hostname in ktpass with -mapuser

Now in squid's cache.log the logs show, in part,

2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain actiive-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Found principal name: HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_20411
2010/11/02 12:01:55| squid_kerb_ldap: Got principal name HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for domain MY.DOMAIN

Apart from the first line ... "failed with rc=102"  this looks ok.

Then there are many (from debugging I presume) instances of:

squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to ad-domain-controller.my.domain
for various domain controllers on the network.

Then lots of 

2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server various-domain-servers-and-workstations@xxxxxxxxx:389
2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system

Finally these log entries which show the deny reason - that I'm not a member of the group. But I confirm that I am a member of the group:

2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: ERR

I have tried many combinations of service keytab creation and so on, but I cannot get any further than this.  Any help most appreciated.

thanks

rolf.









[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux