Search squid archive

Re: Kerberos auth with Active Directory.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




"Rolf Loudon" <rolf@xxxxxxxxxxxxxx> wrote in message news:EA4139A9-AF4D-4E0D-8A05-C7B0C3EF46C2@xxxxxxxxxxxxxxxxx
hello

Hi Rolf


I am trying to setup kerberos auth against Active Directory - Windows 2000 - in squid, 2.7. This is primarily so that the username is captured in the access log. But also user based access control will occasionally be used.

I've installed the squid_kerb_auth software from http://squidkerbauth.sourceforge.net/

The relevant squid config looks like this:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid/squid_kerb_ldap -d -g active-directory-group@xxxxxxxxx

acl ldap_group_check external squid_kerb_ldap

acl k_test src [some.test.host.address]
http_access allow k_test ldap_group_check
http_access deny k_test


Initially I used the msktutil package to create the AD account keytab, thus:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k /etc/squid/HTTP.keytab --computer-name squidhost --upn HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose

This produced the desired keytab but in the verbose output noted that the ticket version number was not returned ("must be Windows 2000" - it is) and so set the kvno to zero. This is reflected in the output of kvno HTTP/squidhost.my.domain


I think you should set it to 1 for windows 2000 and I recall msktutil has some code to deal with win 2000

When the client connected (Mac OS X 10.6) using the Chrome browser, squid's cache.log reported that the ticket version number didn't match:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect.

Using kvno HTTP/squidhost.my.domain on this client the version number was 3 while doing the same on the proxy the version was zero. So that made sense.


I am surprised. Plain win 2000 does not support kvno

I fixed this by not using msktutil and using ktpass on the Active DIrectory server and specifying -kvno 3. Installed this on the proxy host and that error went away.

Reading about ktpass and kerberos auth in Microsoft's KB, it said that the (squid) host needs have an account created for it as a user in the domain. Weird but I did this, using the host name as the user shortname. I used this hostname in ktpass with -mapuser


The difference here is that MS uses a user account in AD and associates the key with it, whereas msktutil uses a computer account. Using a user account means you have to disable password expiry otherwise the keytab gets invalid after the expiry time. This is the reason I prefer nsktutil.

Now in squid's cache.log the logs show, in part,

2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain actiive-directory-group@xxxxxxxxx 2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab 2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab 2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name: MY.DOMAIN 2010/11/02 12:01:55| squid_kerb_ldap: Found principal name: HTTP/squidhost.my.domain@xxxxxxxxx 2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_20411 2010/11/02 12:01:55| squid_kerb_ldap: Got principal name HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for domain MY.DOMAIN

Apart from the first line ... "failed with rc=102"  this looks ok.


That only happens only if your kerberos implementation does not support SPNEGO and is a warning only.

Then there are many (from debugging I presume) instances of:

squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to ad-domain-controller.my.domain
for various domain controllers on the network.

Then lots of

2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server various-domain-servers-and-workstations@xxxxxxxxx:389
2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system


You need SASL support to authenticate to AD.

Finally these log entries which show the deny reason - that I'm not a member of the group. But I confirm that I am a member of the group:

2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success 2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of group@domain active-directory-group@xxxxxxxxx 2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain active-directory-group@xxxxxxxxx 2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: ERR


This is because the ldap connection failed.

I have tried many combinations of service keytab creation and so on, but I cannot get any further than this. Any help most appreciated.

thanks

rolf.


Markus




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux