On Sun, 30 Jan 2011 15:25:56 -1000, Jean-Denis Girard <jd.girard@xxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
>
> I have an old installation using squid-2.6.STABLE23 with ntlm_auth for
> Windows XP users belonging to a group; it works like a charm, but I want
> to upgrade it for various reasons (security, need to support Win7, ...).
>
> So I made a fresh Linux install (Mandriva-2010.2). It has
> squid-3.1-14.1mdv2010.1 (but the log says Squid Cache version 3.1.4).

If you can get hold of a 3.1.10 you may enjoy it more. We had a small audit of the NTLM and Kerberos handling, with performance bug fixes, leading up to that release.

> Now I'm a bit confused about what is needed to achieve Windows
> authentication (XP, then 7). From the documentation, I understood that
> squid_kerb_auth should be enough, so I have this in squid.conf:
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
>
> The new server has joined the Windows domain using msktutil (I'd like to
> avoid Samba if possible). The DNS is OK, ntp is working so no clock
> problem. But authentication doesn't work, see log below. How should I
> configure the Windows group?
>
> So my question is simple: do I need anything else besides
> squid_kerb_auth for Windows group authentication? Are Samba and ntlm_auth
> still needed?

Let's get the terminology right to start with, then the answer may become clear to you...

* groups CANNOT be authenticated, because they do not have a password or key.
* users CAN be authenticated, because they do have passwords or keys.
* machines can have special user accounts with a key to identify them.
* groups have users.
* groups can only determine where a user is authorized to go or not to go.

So back to your question, "what is needed to achieve Windows authentication".

auth_param validates a user's login. REQUIRED.

squid_kerb_auth is how to authenticate Negotiate protocol users.

ntlm_auth from Samba is how to authenticate NTLM protocol users.

NOTE: these helpers ONLY check the one protocol each, and have different sets of auth_param which can be used simultaneously. So it is entirely up to you whether you use only one or both.

I suggest using both to start with, so that software which has not been adapted to Kerberos yet may still be able to log in via NTLM. Keep a watch on this, and the main administrative task later will be fixing up this NTLM software to use Kerberos.

ON TOP of this user authentication you can usually retain whatever group authorization you had for NTLM. Kerberos is effectively NTLM v3 or v4. Though it may require some extra parameters on the group checking helpers to make them accept the Kerberos username format.

> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Got 'YR YIIGJgYGKwYBBQU
> [snip]
> bkIUQRH' from squid (length: 2107).
> 2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Decode
> 'YIIGJgYGKwYBBQUCoIIGGjCCBhagJDAiB
> [snip]
> 2011/01/07 10:10:43| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
> Unspecified GSS failure. Minor code may provide more information. Key
> table entry not found

This is the problem. The security key passed to Squid by the client is not known.

There are some hints here:
http://fixunix.com/kerberos/60700-kinit-key-table-entry-not-found-while-getting-initial-credentials.html

Amos
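A check for the "Key table entry not found" error quoted above, added here as an example and not code from the thread or from Squid: gss_acquire_cred() in squid_kerb_auth looks up the proxy's HTTP/<fqdn>@REALM service principal in its keytab, so the error means that entry is absent from the file the helper reads. The script parses `klist -kt` output for that entry; the keytab path, host name and realm are assumed sample values, and the klist listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the keytab used by
# squid_kerb_auth lists the HTTP/<fqdn>@REALM service principal, which is
# the entry gss_acquire_cred() reports as "Key table entry not found" when
# it is missing. Keytab path, host name and realm below are assumed samples.

# Read `klist -kt` output on stdin; succeed (exit 0) only if some entry's
# principal column equals the principal given as $1 (realm included).
keytab_lists_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` output, as
# msktutil might have produced it (one host/ entry, one HTTP/ entry).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 01/30/11 15:00:00 host/proxy.example.local@EXAMPLE.LOCAL
   2 01/30/11 15:00:00 HTTP/proxy.example.local@EXAMPLE.LOCAL'

# Wrapper over the sample so the check runs offline without a real keytab.
sample_has_principal() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_lists_principal "$1"
}

# Live use on the proxy itself (assumed keytab path; point KRB5_KTNAME at
# the same file in the helper's environment if it is not the default):
#   klist -kt /etc/squid/HTTP.keytab \
#     | keytab_lists_principal "HTTP/$(hostname -f)@EXAMPLE.LOCAL" \
#     || echo "missing HTTP/ service principal; regenerate the keytab"

if sample_has_principal "HTTP/proxy.example.local@EXAMPLE.LOCAL"; then
    echo "sample keytab: HTTP/ principal present"
else
    echo "sample keytab: HTTP/ principal MISSING"
fi
```

The keytab must also be readable by the account Squid runs the helper as; a correct entry in a file the helper cannot open produces the same failure.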