Search squid archive

Problems setting up Kerberos authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I am setting up Kerberos auth on squid (3.1.15), but it won't work. Browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. Yet, I don't see any logging of failed authentication attempts in kerberos logs at all! It's as if squid is not communicating with kerberos server. Yet, kinit from the command line works fine (see details below).

What am I doing wrong? Am I missing something?

I need your help.

Thanks,
Nick

Details of the setup follow (true names/IP addresses have been changed):

I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on kerb.example.com and I am setting up squid on squid.example.com; it's Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here: ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm).

Host squid.example.com is also setup as a kerberos client.

So, I have added to kerberos a host:

   host/squid.example.com@xxxxxxxxxxx

and a service:

   HTTP/squid.example.com@xxxxxxxxxxx

Then, I created a keytab file (httpsquid.keytab) for the latter:

[root@squid]# kadmin.local
Authenticating as principal userx/admin@xxxxxxxxxxx with password.
kadmin.local:  addprinc HTTP/squid.example.com@xxxxxxxxxxx
WARNING: no policy specified for HTTP/squid.example.com@xxxxxxxxxxx; defaulting to no policy
Enter password for principal "HTTP/squid.example.com@xxxxxxxxxxx":
Re-enter password for principal "HTTP/squid.example.com@xxxxxxxxxxx":
Principal "HTTP/squid.example.com@xxxxxxxxxxx" created.
kadmin.local:  ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.com
Entry for principal HTTP/squid.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.

...moved it to /etc/squid and changed ownership to root:squid and permissions: 640.

I have checked that the keytab file works:

   [root@squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com
   Authenticated to Kerberos v5

I also added to the start of /etc/init.d/squid the lines:

   KRB5_KTNAME=/etc/squid/httpsquid.keytab
   export KRB5_KTNAME

Then, I checked that kerberos authentication is enabled (as explained e.g. here: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html), then I specified (in IE, Internet Options / Connections / LAN Settings) squid.example.com as a Proxy on port 3128 and I have tried to visit any page. As I explained, browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. I have tried the following as username, without success:
userx
EXAMPLE.COM\userx
userx@xxxxxxxxxxx
userx@xxxxxxxxxxx

On the other hand, Firefox 6 (with similar settings) doesn't show any pop up window; it just fails.

I have tried the three following configuration alternatives, but it didn't make any difference:
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s HTTP/squid.example.com
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth


Here is /etc/squid/squid.conf:
---------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.10.10.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow localhost

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Disable caching
cache deny all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

debug_options ALL, 9
---------------------------------------------------------------


And below is /etc/krb5.conf (on squid.example.com):
---------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm =EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerb.example.com:88
  admin_server = kerb.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
---------------------------------------------------------------

<<attachment: smime.p7s>>


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux