Hi All,

I have been setting up a new proxy. It needs to have Kerberos auth so that the users on the domain do not get prompted for a password but are authenticated, and this is to show in the logs.

Sorry for the formatting, I tried using the bold and embed tags but they did not work.

It does not work for Windows 7, Windows 8 or Windows 2008.

I have it working when I try from a Windows 2003 OS, and can see the auth occurring in the logs:

............D1jAEc= user@xxxxxxxxxxxxx
2013/08/05 11:48:16| squid_kerb_auth: INFO: User user@xxxxxxxxxxxxx authenticated

However, from a Windows 7 or Windows 8 PC, the authentication does not complete and instead there is an error:

2013/08/05 11:48:31| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2013/08/05 11:48:31| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
==> /var/log/squid/cache.log <==
2013/08/05 11:48:31| squid_kerb_auth: INFO: User not authenticated

Below is some information on the configuration:

We are running 3 x 2008R2 domain controllers and 1 x 2003 domain controller, thus the domain mode is set to 2003.

The krb5.conf file contains:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM.AU
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
forwardable = true
; Note, because we have a 2003 domain controller, I have the 2003 uncommented below not the 2008 with AES
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MYDOMAIN.COM.AU = {
    kdc = kdc1.mydomain.com.au
    kdc = kdc2.mydomain.com.au
    kdc = kdc3.mydomain.com.au
    kdc = kdc4.mydomain.com.au
    admin_server = kdc1.mydomain.com.au
    default_domain = mydomain.com.au
}

[domain_realm]
.mydomain.com.au = MYDOMAIN.COM.AU
mydomain.com.au = MYDOMAIN.COM.AU

The squid.conf contains the following custom settings:

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxy.mydoamin.com.au
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
http_access allow ad_auth
http_access allow localnet

(Note: I would like to get rid of the http_access allow localnet, but even on 2003 when the auth works, internet access is denied without this line.)

My /etc/sysconfig/squid file has the following custom lines:

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME

When I ran this command, the keytab was generated successfully:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mydomain.com.au -h proxy.mydomain.com.au -k /etc/squid/PROXY.keytab --computer-name PROXYK --upn HTTP/proxy.mydomain.com.au --server dc1.mydomain.com.au --verbose

The permissions on the keytab are below, which should be fine:

-rw-rw-rw-. 1 root root 1430 Aug 5 08:33 /etc/squid/PROXY.keytab

In summary, the fact that Windows 2003 works and gets authenticated shows to me that Kerberos is working. Why won't Windows 2008, 7 or 8 work?

Thanks,
Glenn
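
An added example, not part of the original post: a small Python audit of the two things the post shows, the active enctype lists in krb5.conf and the keytab's file mode. The function names are hypothetical and the sample input is constructed from the post's values; it reports settings only and does not diagnose the failure described above.

```python
import stat

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def active_enctypes(krb5_conf_text):
    """Return {key: [enctypes]} for uncommented enctype lines under [libdefaults]."""
    section, found = None, {}
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # krb5.conf comment lines start with ';' or '#'
            continue
        if line.startswith("["):          # section header such as [libdefaults]
            section = line.strip("[]")
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = value.replace(",", " ").split()
    return found

def audit_enctypes(found):
    """Flag enctype lists that omit AES or still allow single-DES."""
    findings = []
    for key, types in sorted(found.items()):
        if not any(t.startswith("aes") for t in types):
            findings.append((key, "no AES enctype listed"))
        des = [t for t in types if t.startswith("des-")]
        if des:
            findings.append((key, "single-DES allowed: " + " ".join(des)))
    return findings

def keytab_mode_findings(mode):
    """Flag permission bits that expose the service keys beyond owner and group read."""
    bits = [(stat.S_IWGRP, "group-writable"), (stat.S_IROTH, "world-readable"),
            (stat.S_IWOTH, "world-writable")]
    return [label for bit, label in bits if mode & bit]

# Constructed sample: the [libdefaults] enctype lines as they appear in the post.
SAMPLE = """\
[libdefaults]
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    # 0o666 is the -rw-rw-rw- mode shown for the keytab in the post
    print(audit_enctypes(active_enctypes(SAMPLE)), keytab_mode_findings(0o666))
```

To audit a live host, pass the contents of /etc/krb5.conf and `os.stat(path).st_mode` of the keytab instead of the constructed values.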