"Rolf Loudon" <rolf@xxxxxxxxxxxxxx> wrote in message
news:EA4139A9-AF4D-4E0D-8A05-C7B0C3EF46C2@xxxxxxxxxxxxxxxxx
hello
Hi Rolf
I am trying to setup kerberos auth against Active Directory - Windows
2000 - in squid, 2.7. This is primarily so that the username is captured
in the access log. But also user based access control will occasionally be
used.
I've installed the squid_kerb_auth software from
http://squidkerbauth.sourceforge.net/
The relevant squid config looks like this:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid/squid_kerb_ldap -d -g active-directory-group@xxxxxxxxx
acl ldap_group_check external squid_kerb_ldap
acl k_test src [some.test.host.address]
http_access allow k_test ldap_group_check
http_access deny k_test
Initially I used the msktutil package to create the AD account keytab,
thus:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k
/etc/squid/HTTP.keytab --computer-name squidhost --upn
HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose
This produced the desired keytab but in the verbose output noted that the
ticket version number was not returned ("must be Windows 2000" - it is)
and so set the kvno to zero. This is reflected in the output of kvno
HTTP/squidhost.my.domain
I think you should set it to 1 for windows 2000 and I recall msktutil has
some code to deal with win 2000
When the client connected (Mac OS X 10.6) using the Chrome browser,
squid's cache.log reported that the ticket version number didn't match:
squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information. Key version number for principal
in key table is incorrect.
Using kvno HTTP/squidhost.my.domain on this client the version number was
3 while doing the same on the proxy the version was zero. So that made
sense.
I am surprised. Plain win 2000 does not support kvno
I fixed this by not using msktutil and using ktpass on the Active
DIrectory server and specifying -kvno 3. Installed this on the proxy
host and that error went away.
Reading about ktpass and kerberos auth in Microsoft's KB, it said that the
(squid) host needs have an account created for it as a user in the domain.
Weird but I did this, using the host name as the user shortname. I used
this hostname in ktpass with -mapuser
The difference here is that MS uses a user account in AD and associates the
key with it, whereas msktutil uses a computer account. Using a user account
means you have to disable password expiry otherwise the keytab gets invalid
after the expiry time. This is the reason I prefer nsktutil.
Now in squid's cache.log the logs show, in part,
2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain
actiive-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain
active-directory-group@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name
/etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab
/etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name:
MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Found principal name:
HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_20411
2010/11/02 12:01:55| squid_kerb_ldap: Got principal name
HTTP/squidhost.my.domain@xxxxxxxxx
2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for
domain MY.DOMAIN
Apart from the first line ... "failed with rc=102" this looks ok.
That only happens only if your kerberos implementation does not support
SPNEGO and is a warning only.
Then there are many (from debugging I presume) instances of:
squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to
ad-domain-controller.my.domain
for various domain controllers on the network.
Then lots of
2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server
various-domain-servers-and-workstations@xxxxxxxxx:389
2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system
You need SASL support to authenticate to AD.
Finally these log entries which show the deny reason - that I'm not a
member of the group. But I confirm that I am a member of the group:
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of
group@domain active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain
active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain
active-directory-group@xxxxxxxxx
2010/11/02 12:02:09| squid_kerb_ldap: ERR
This is because the ldap connection failed.
I have tried many combinations of service keytab creation and so on, but I
cannot get any further than this. Any help most appreciated.
thanks
rolf.
Markus