Search squid archive

Re: Kerberos with LDAP authentication failover and iTunes auth problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23/12/2011 12:39 p.m., James Robertson wrote:
We have successfully deployed a squid3 proxy in a Windows AD domain
that authenticates users with the kerberos helper and uses LDAP
queries to allow access based on Security groups in AD.  This works
perfectly for IE, FF and Chrome and no authentication pop-ups occur.
We realised that not all applications use this authentication and that
sometimes non-domain PC's might need internet access so LDAP was to be
used as a backup authentication method.

Please get this straight:  LDAP is *not* an authentication method.
It is one of several interfaces to AD. There are several real authentication methods which operate very differently and all use LDAP to contact AD.


I tested using a non-domain user on a Win7 workstation and when
opening IE it prompts for a login as I had expected but I notice that
I have to input the username and password a second time before it will
allow access.  I also notice when this happens that the second
authentication dialogue automatically adds the domain prefix, i.e.
DOMAIN\user and the password is already entered.  Looking at the logs
it seems as though this second attempt is in fact the kerberos auth
not LDAP as I had initially thought, this is what's logged in
/var/cache/squid3/cache.log whilst this takes place (long lines have
been truncated).

Looking ahead I see you actually mean "Basic authentication" where you have written "LDAP".

2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token

This NTLM version 1 authentication being sent by IE (real name: Negotiate/NTLM) instead of Kerberos (real name: Negotiate/Kerberos).

So, what is actually happening is that IE is attempting to login with NTLM. Squid helper is rejecting that old protocol, then IE is re-trying with Negotiate/Kerberos like it should have to start with.

To avoid this upgrade IE to at least IE7 and check the machines authentication security level is set to a minimum of NTLMv2, with working kerberos tokens (current IE7 will try those first if they are okay).

(I'm sorry I can't be more specific and point at how-tos' but it has been a very long time since I had to deal with the inner config details of Windows. Hopefully someone else can provide that.)


Besides that we also have a problem with iTunes access.  When iTunes
runs it prompts for authentication regardless of whether the user is
logged in to the domain or not and fails to authenticate regardless of
entering the login multiple times.  The following is logged in
/var/log/squid3/cache.log.


2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/12/23 10:03:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:03:13| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'

The squid.conf is listed below.  Am I mistaken about the
authentication failing over to LDAP if kerberos fails - if so, is
there a way to make this work for computers/software that cannot do
kerberos besides white listing domains??

If updating IE and the system security level config to NTLMv2+ does not fix this you can use Marcus negotiate_wrapper helper and configure Squid to accept both Negotiate/Kerberos and Negotiate/NTLM.



I'm also a bit unsure about my http_access lines, hence you will see
some commented out from some testing I am doing.

### /etc/squid3/squid.conf Configuration File #######

### cache manager
cache_mgr cacheadmin@xxxxxxxxxxx

### kerberos authentication
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s
HTTP/squidproxy.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

### provide access via ldap for clients not authenticated via kerberos
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
     -b "dc=example,dc=local" \
     -D squid@example.local \
     -W /etc/squid3/ldappass.txt \
     -f sAMAccountName=%s \
     -h domaincontroller.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

Here we have some confusion, which is why I stress being clear on LDAP. You have *Basic* authentication over LDAP, and several external helper group lookups over LDAP (no even autentication at all). Any one of which might trigger a popup under the right conditions.

Your discovery that the second popup is Kerberos instead of NTLM is a good sign that the negotiate_wrapper will work well for you.

Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux