Re: Kerberos auth with Active Directory.

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Are you sure Safari supports proxy authentication with Negotiate or only Web 
authentication with Negotiate?

Markus

----- Original Message ----- 
From: "Rolf Loudon" <rolf@xxxxxxxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Sent: Wednesday, November 03, 2010 5:07 AM
Subject: [Partly solved] Re:  Re: Kerberos auth with Active 
Directory.


hello

Thank you again for your advice.  Researching the SASL support requirements 
I discovered from the output of configure for squid_kerb_ldap that the check 
for sasl.h returned no.  So I identified the debian package libsasl2-dev and 
installed that, recompiled and it works.

My issue now is that Mac OS X Safari (version 5.0.2), despite all the 
information saying it supports Kerberos, appears not to.  No authentication 
information appears at the proxy using it as a browser.  I need to research 
this further, but do you by chance have any ideas?

Thanks and regards

rolf.

On 03/11/2010, at 9:08 AM, Markus Moeller wrote:

> > "Rolf Loudon" <rolf@xxxxxxxxxxxxxx> wrote in message 
> > news:EA4139A9-AF4D-4E0D-8A05-C7B0C3EF46C2@xxxxxxxxxxxxxxxxx
> > hello
>
> Hi Rolf
>
> > I am trying to setup kerberos auth against Active Directory - Windows 
> > 2000 - in squid, 2.7.  This is primarily so that the username is captured 
> > in the access log. But also user based access control will occasionally 
> > be used.
> >
> > I've installed the squid_kerb_auth software from 
> > http://squidkerbauth.sourceforge.net/
> >
> > The relevant squid config looks like this:
> >
> > auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> > auth_param negotiate children 10
> > auth_param negotiate keep_alive on
> >
> > external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN 
> > /usr/local/squid/squid_kerb_ldap -d -g active-directory-group@xxxxxxxxx
> >
> > acl ldap_group_check external squid_kerb_ldap
> >
> > acl k_test src [some.test.host.address]
> > http_access allow k_test ldap_group_check
> > http_access deny k_test
> >
> >
> > Initially I used the msktutil package to create the AD account keytab, 
> > thus:
> >
> > msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k 
> > /etc/squid/HTTP.keytab --computer-name squidhost --upn 
> > HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose
> >
> > This produced the desired keytab but in the verbose output noted that the 
> > ticket version number was not returned ("must be Windows 2000" - it is) 
> > and so set the kvno to zero.  This is reflected in the output of kvno 
> > HTTP/squidhost.my.domain
>
> I think you should set it to 1 for windows 2000 and I recall msktutil has 
> some code to deal with win 2000
>
> > When the client connected (Mac OS X 10.6) using the Chrome browser, 
> > squid's cache.log reported that the ticket version number didn't match:
> >
> > squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS 
> > failure. Minor code may provide more information. Key version number for 
> > principal in key table is incorrect.
> >
> > Using kvno HTTP/squidhost.my.domain on this client the version number was 
> > 3  while doing the same on the proxy the version was zero.  So that made 
> > sense.
>
> I am surprised. Plain win 2000 does not support kvno
>
> > I fixed this by not using msktutil and using ktpass on the Active 
> > DIrectory server and specifying  -kvno 3.  Installed this on the proxy 
> > host and that error went away.
> >
> > Reading about ktpass and kerberos auth in Microsoft's KB, it said that 
> > the (squid) host needs have an account created for it as a user in the 
> > domain. Weird but I did this, using the host name as the user shortname. 
> > I used this hostname in ktpass with -mapuser
>
> The difference here is that MS uses a user account in AD and associates 
> the key with it, whereas msktutil uses a computer account. Using a user 
> account means you have to disable password expiry otherwise the keytab 
> gets invalid after the expiry time. This is the reason I prefer nsktutil.
>
> > Now in squid's cache.log the logs show, in part,
> >
> > 2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with 
> > rc=102
> > 2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@xxxxxxxxx
> > 2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
> > 2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain 
> > actiive-directory-group@xxxxxxxxx
> > 2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain 
> > active-directory-group@xxxxxxxxx
> > 2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
> > 2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
> > 2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name 
> > /etc/squid/HTTP.keytab
> > 2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab 
> > /etc/squid/HTTP.keytab
> > 2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name: 
> > MY.DOMAIN
> > 2010/11/02 12:01:55| squid_kerb_ldap: Found principal name: 
> > HTTP/squidhost.my.domain@xxxxxxxxx
> > 2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to 
> > MEMORY:squid_ldap_20411
> > 2010/11/02 12:01:55| squid_kerb_ldap: Got principal name 
> > HTTP/squidhost.my.domain@xxxxxxxxx
> > 2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
> > 2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
> > 2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for 
> > domain MY.DOMAIN
> >
> > Apart from the first line ... "failed with rc=102"  this looks ok.
>
> That only happens only if your kerberos implementation does not support 
> SPNEGO and is a warning only.
>
> > Then there are many (from debugging I presume) instances of:
> >
> > squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to 
> > ad-domain-controller.my.domain
> > for various domain controllers on the network.
> >
> > Then lots of
> >
> > 2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap 
> > server various-domain-servers-and-workstations@xxxxxxxxx:389
> > 2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system
>
> You need SASL support to authenticate to AD.
>
> > Finally these log entries which show the deny reason - that I'm not a 
> > member of the group. But I confirm that I am a member of the group:
> >
> > 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap 
> > connection: Success
> > 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap 
> > connection: Success
> > 2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of 
> > group@domain active-directory-group@xxxxxxxxx
> > 2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain 
> > active-directory-group@xxxxxxxxx
> > 2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain 
> > active-directory-group@xxxxxxxxx
> > 2010/11/02 12:02:09| squid_kerb_ldap: ERR
>
> This is because the ldap connection failed.
>
> > I have tried many combinations of service keytab creation and so on, but 
> > I cannot get any further than this.  Any help most appreciated.
> >
> > thanks
> >
> > rolf.
>
> Markus