Markus"Nikolaos Milas" <nmilas@xxxxxx> wrote in message news:4E7A5B55.5060107@xxxxxx...
Hello, I am setting up Kerberos auth on squid (3.1.15), but it won't work. Browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. Yet, I don't see any logging of failed authentication attempts in kerberos logs at all! It's as if squid is not communicating with kerberos server. Yet, kinit from the command line works fine (see details below). What am I doing wrong? Am I missing something? I need your help. Thanks, Nick Details of the setup follow (true names/IP addresses have been changed): I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on kerb.example.com and I am setting up squid on squid.example.com; it's Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here: ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm). Host squid.example.com is also setup as a kerberos client. So, I have added to kerberos a host: host/squid.example.com@xxxxxxxxxxx and a service: HTTP/squid.example.com@xxxxxxxxxxx Then, I created a keytab file (httpsquid.keytab) for the latter: [root@squid]# kadmin.local Authenticating as principal userx/admin@xxxxxxxxxxx with password. kadmin.local: addprinc HTTP/squid.example.com@xxxxxxxxxxx WARNING: no policy specified for HTTP/squid.example.com@xxxxxxxxxxx; defaulting to no policy Enter password for principal "HTTP/squid.example.com@xxxxxxxxxxx": Re-enter password for principal "HTTP/squid.example.com@xxxxxxxxxxx": Principal "HTTP/squid.example.com@xxxxxxxxxxx" created. kadmin.local: ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.com Entry for principal HTTP/squid.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. Entry for principal HTTP/squid.example.comwith kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab. ...moved it to /etc/squid and changed ownership to root:squid and permissions: 640. I have checked that the keytab file works: [root@squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com Authenticated to Kerberos v5 I also added to the start of /etc/init.d/squid the lines: KRB5_KTNAME=/etc/squid/httpsquid.keytab export KRB5_KTNAME Then, I checked that kerberos authentication is enabled (as explained e.g. here: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html), then I specified (in IE, Internet Options / Connections / LAN Settings) squid.example.com as a Proxy on port 3128 and I have tried to visit any page. As I explained, browser (IE 8) keeps on poping up the username/password window, but authentication is never successful. I have tried the following as username, without success: userx EXAMPLE.COM\userx userx@xxxxxxxxxxx userx@xxxxxxxxxxx On the other hand, Firefox 6 (with similar settings) doesn't show any pop up window; it just fails. I have tried the three following configuration alternatives, but it didn't make any difference: auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d auth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s HTTP/squid.example.com auth_param negotiate program /usr/libexec/squid/squid_kerb_auth Here is /etc/squid/squid.conf: --------------------------------------------------------------- acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 10.10.10.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow localhost auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d auth_param negotiate children 10 auth_param negotiate keep_alive on acl auth proxy_auth REQUIRED http_access allow auth #http_access allow localhost # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 3128 # We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? # Disable caching cache deny all # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 debug_options ALL, 9 --------------------------------------------------------------- And below is /etc/krb5.conf (on squid.example.com): --------------------------------------------------------------- [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm =EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] EXAMPLE.COM = { kdc = kerb.example.com:88 admin_server = kerb.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } ---------------------------------------------------------------
<<attachment: smime.p7s>>