Re: kerberos authentication with a machine account doesn't work

Hai,

First, what's your OS/squid and samba version? Handy to know.
And post your smb.conf please.

A few things to check.

/etc/krb5.keytab should have rights 600 (root:root)
Run: klist -e -k /etc/krb5.keytab and post the output.

Your SPN for squid must be HTTP/fqdn
and not http/fqdn; CAPS do matter here.

Put the HTTP/fqdn SPN in a separate file and put it in the squid dir.
Chown and chmod it root:squid-user 440

Add it in your squid init script (for Debian I added it in /etc/default/squid (squid for 3.5.12) (squid3 for 3.4.8)):

KRB5_KTNAME=/etc/squid/keytab.PROXY1-HTTP
export KRB5_KTNAME

The squid keytab should be like (manually added on a different user in the AD, a special user for squid services):

KVNO Principal
---- -----------------------------------------------------------------------
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 HTTP/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)

This is my default (/etc/krb5.keytab) (from the join of samba):

   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-crc)
   1 host/host.internal.domain.tld@YOUR_REALM (des-cbc-md5)
   1 host/host.internal.domain.tld@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host.internal.domain.tld@YOUR_REALM (arcfour-hmac)
   1 host/host@YOUR_REALM (des-cbc-crc)
   1 host/host@YOUR_REALM (des-cbc-md5)
   1 host/host@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 host/host@YOUR_REALM (arcfour-hmac)
   1 HOST$@YOUR_REALM (des-cbc-crc)
   1 HOST$@YOUR_REALM (des-cbc-md5)
   1 HOST$@YOUR_REALM (aes128-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (aes256-cts-hmac-sha1-96)
   1 HOST$@YOUR_REALM (arcfour-hmac)

The needed krb5.conf:

cat /etc/krb5.conf
[libdefaults]
    default_realm = YOUR_REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Install ntp and point it to your AD so time is always in sync.

Now you have 2 options to set up, and you choose based on your SPN setup.

Separate keytab for the squid HTTP service.
Use:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/host.internal.domain.tld@YOUR_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

Or with everything in one keytab file, and make sure squid can read this keytab file, 640 root:squid !!:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME -d \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

I have a setup with a separate keytab file; I tested the above and these work.
(Tested on Debian jessie, samba 4.1, squid 3.4.8, 3.5.10 and 3.5.12.)

Above I told about how I did my setup.
A big advantage with the squid-service user: you can add all your squid hosts/services in that user.
I have 1 user for this and 3 proxy servers.

So where did you go wrong?

> net ads keytab add HTTP

And rights on the /etc/krb5.keytab file are the first things to check.

Optionally, start the auth program on the command line with debugging enabled.

Greetz,

Louis
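As an added example (not from Louis's mail, the squid project or samba): a small POSIX shell check that parses `klist -e -k` output for the two items the reply asks about, an HTTP/fqdn SPN with exact case and the key types in the keytab. The listing, host and realm names are constructed to mirror the lowercase http/ SPN from the quoted question.

```shell
#!/bin/sh
# Added example: offline checks on a `klist -e -k <keytab>` listing.
# SAMPLE_LISTING is constructed; in practice pass "$(klist -e -k /etc/krb5.keytab)".

SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/proxy1.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   3 PROXY1$@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)
   3 http/proxy1.example.internal@EXAMPLE.INTERNAL (aes256-cts-hmac-sha1-96)'

# check_http_spn LISTING FQDN
# Prints "ok" when an HTTP/<fqdn>@REALM key exists with that exact case,
# "wrong-case" when the SPN is only present in another case (http/...),
# and "missing" when the keytab holds no HTTP SPN for that host at all.
check_http_spn() {
    listing=$1
    fqdn=$2
    if printf '%s\n' "$listing" | grep -qF -- " HTTP/$fqdn@"; then
        echo ok
    elif printf '%s\n' "$listing" | grep -qiF -- " http/$fqdn@"; then
        echo wrong-case
    else
        echo missing
    fi
}

# weak_only LISTING
# Prints "yes" when the listing contains no AES key (DES/RC4 only).
# MIT krb5 disables DES by default (allow_weak_crypto = false), so a
# keytab like that is worth regenerating with AES keys.
weak_only() {
    if printf '%s\n' "$1" | grep -q '(aes[0-9]*-cts-hmac-sha1-96)'; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone run against the constructed listing.
printf 'HTTP SPN: %s\n' "$(check_http_spn "$SAMPLE_LISTING" proxy1.example.internal)"
printf 'DES/RC4 only: %s\n' "$(weak_only "$SAMPLE_LISTING")"
```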

 

 

 

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of
> LYMN
> Sent: Thursday, 7 January 2016 5:23
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [squid-users] kerberos authentication with a machine account
> doesn't work
>
> Hi,
>
> We have been using kerberos authentication against Active Directory here
> for a long time by using a SPN attached to a user account and exporting
> the keytab.  The issue we have is that security policy mandates that
> the password on the user account be changed, which means we have to go
> and regenerate keytabs every time this happens.  Not exactly difficult,
> but tedious nonetheless.
>
> To avoid the password change I thought it may be an idea to use the
> machine account and add a SPN (http/fqdn.is.here) to that.  I added:
>
>         kerberos method = secrets and keytab
>         dedicated keytab file = /etc/krb5.keytab
>
> to the smb.conf so samba will manage the keytab for me, then did:
>
> net ads join
> net ads keytab add http
>
> klist -k shows me the principals that should be there and AD agrees they
> exist.  I can get a TGT using:
>
> kinit -k
>
> without error (setting the UPN to host/fqdn.is.here@KERBEROS.REALM may
> have helped this).  Doing a
>
> kinit -kS http/fqdn.is.here
>
> works without error too.  So, I think kerberos is ok, but with a squid
> 3.5.12 configured with negotiate_kerberos_auth I see the dreaded
> message:
>
> negotiate_kerberos_auth.cc(180): pid=4888 :2016/01/07 12:50:29|
> negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information.
>
> and only that, no minor code, when I try to use the proxy with a browser
> on a windows client.  Interestingly, doing a klist on the windows client
> I can see a kerberos ticket for HTTP/fqdn.is.here that is for the proxy
> I am testing.
>
> Not sure what is missing here; I have a bee in my bonnet that this should
> Just Work (tm) as the only real difference is that the SPN is attached
> to a computer account, not a user account. I would have thought as long
> as the keytab is done correctly that this should not matter, but clearly
> something is not agreeing with me.
>
> --
> Brett Lymn


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
