Re: Squid + AD + Kerb auth question

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> · Thu, 19 Mar 2015 22:19:15 -0000

Hi Joao,

   OK now you use the authentication rule. 

   How did you create the keytab ?   Does the hostname 
match the keytab entry ?

  Can you run the helper with –d to get more debug ? 

Markus

From: 
Joao Paulo Monticelli 
Gaspar 

Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller 
Subject: Re:  Squid + AD + Kerb auth 
question

gettin access denied now 

watch the logs

==> /var/log/squid/squid.out <==

==> /var/log/squid/access.log <==
1426725527.219      1 192.168.1.251 TCP_DENIED/407 
4509 GET http://www.eset.com.br/download/business 
- NONE/- text/html

==> /var/log/squid/cache.log <==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating 
user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified 
GSS failure.  Minor code may provide more information. '

guess my SOO isnt working right?

2015-03-18 20:46 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

  Hi 
  Joao

  Then you 
  hit

  http_access allow localnet

  and not

  http_access allow ad_auth

  Comment out the following line in squid.conf 

http_access allow localnet

  and try again.

  Markus

  From: Joao Paulo Monticelli 
  Gaspar 

  Sent: Wednesday, March 18, 2015 11:38 
  PM

  To: Markus Moeller 
  Subject: Re: 
   Squid + AD + Kerb auth 
  question

  yes, I'm using localnet, this is a virtual test lab enviorment, 
  here are some log entries 

  1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 
  - DIRECT/216.58.222.35 
-
  1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 
  - DIRECT/216.58.222.46 
-
  1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

  when I looked at the access.log manual pages I saw that if squid cant get 
  user info, he uses the - sign on the access, and we can see it there, but why 
  he cant get the user info?

  2015-03-18 20:20 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>: 

    Hi,

      From which network do you surf ?  From localnet ? 

      Can you send sample log entries ?

    Markus

    From: 
    Joao Paulo 
    Monticelli Gaspar 
    Sent: 
    Wednesday, March 18, 2015 9:18 PM
    To: Markus Moeller 
    Subject: 
    Re:  Squid + AD + Kerb auth 
    question

    squid.conf 

    visible_hostname proxy.joznet.local

    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    auth_param basic credentialsttl 2 hours

    acl ad_auth proxy_auth REQUIRED

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    acl localnet src 192.168.1.0/24 
    # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 
    4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 
    link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # 
    http
    acl Safe_ports port 21 # 
    ftp
    acl Safe_ports port 443 # 
    https
    acl Safe_ports port 70 # 
    gopher
    acl Safe_ports port 210 # 
    wais
    acl Safe_ports port 1025-65535 
    # unregistered ports
    acl Safe_ports port 280 # 
    http-mgmt
    acl Safe_ports port 488 # 
    gss-http
    acl Safe_ports port 591 # 
    filemaker
    acl Safe_ports port 777 # 
    multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access deny manager

    http_access deny !Safe_ports

    http_access deny CONNECT !SSL_ports

    http_access allow localnet

    http_access allow localhost
    http_access allow ad_auth
    http_access deny all

    http_port 3128

    hierarchy_stoplist cgi-bin ?

    coredump_dir /var/spool/squid

    refresh_pattern ^ftp: 
    1440 20% 10080

    refresh_pattern ^gopher: 
    1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 
    0% 0
    refresh_pattern . 0 20% 4320

    ****************************************************************************************
    krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = JOZNET.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    ; for Windows 2008 with AES

    ;        default_tgs_enctypes = 
    aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;        default_tkt_enctypes = 
    aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;        permitted_enctypes = 
    aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    ; for MIT/Heimdal kdc no need to restrict encryption type

    [realms]
    JOZNET.LOCAL = {
      kdc = srvjoznt.joznet.local:88
      admin_server = srvjoznt.joznet.local:749
      default_domain = joznet.local 
    }

    [domain_realm]
    .joznet.local= JOZNET.LOCAL
    joznet.local= JOZNET.LOCAL

    [pam]
    debuf = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

    2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

      How does the config file look like ?  

      Markus

      "Joao Paulo Monticelli Gaspar" <jaumshock@xxxxxxxxx> wrote in message 
      news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg@xxxxxxxxxxxxxx...

      Hey people 

      I have a doubt and couldn't find the answer anywhere yet, I'm using 
      SQUID integrate to a W2K8 AD server with kerb auth, and everything works 
      fine, the main reason of chosing this setup is for the SingleSignOn 
      capabilities of the configuration, but on my ACCESS.LOG I cant see the 
      users that are visitating the sites...

      is possible to show that info with this setup, or by any other setup 
      use maintain the SOO?

      Thx in advance.

      _______________________________________________
squid-users mailing 
      list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users 
      mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users 
    mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users 
  mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users