Hello,

I'm currently working on setting up our proxy to authenticate the users via Kerberos against a Windows AD. The simple user authentication through negotiate_kerberos_auth is already working. But the second step for checking the group of an authenticated user gives me some headache. Even with Kerberos configured not to search the KDC via DNS, the ext_kerberos_ldap_group_acl tool complains about not being able to find the realm's KDC:

    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc(376): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: INFO: Got User: user Domain: EXAMPLE.COM
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(63): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: User domain loop: group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(91): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Default domain loop: group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(93): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_ldap.cc(898): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(127): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_23191
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(138): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get default keytab file name
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(144): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/HTTP.keytab
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(158): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/HTTP.keytab
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(167): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(181): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found principal name: host/proxy.example.com@xxxxxxxxxxx
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(196): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got principal name host/proxy.example.com@xxxxxxxxxxx
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(64): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : unable to reach any KDC in realm EXAMPLE.COM
    ...

The last lines of the error messages repeat for every entry in the keytab. All other Kerberos related tools work fine with the given krb5.conf.

Some more information about the setup: We're running under OpenBSD with Heimdal version 1.5.3. The AD is reachable from the proxy machine, but DNS is not done by the AD but on the proxy machine itself. Below you find the krb5.conf used and the settings from the squid.conf. The limitation to 1 child is just for testing purposes.

It would be really great if anyone could shed some light on this issue!
Thanks in advance,
Matthias

---------------------------------------------------------------------

krb5.conf:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = EXAMPLE.COM
        default_keytab_name = /etc/HTTP.keytab
        dns_lookup_kdc = no
        dns_lookup_realm = no

    [realms]
        EXAMPLE.COM = {
            kdc = 1.2.3.4
            admin_server = 1.2.3.4
            default_domain = example.com
        }

squid.conf:

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
    auth_param negotiate children 1
    auth_param negotiate keep_alive on

    external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
    acl ldap_group_check external squid_kerb_ldap
    http_access deny !ldap_group_check
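An added diagnostic for the "unable to reach any KDC" error, not part of this thread or of Squid: it parses the [realms] block of a krb5.conf like the one above and reports whether each listed KDC accepts a TCP connection on port 88 (the Kerberos default, used when no port is given and dns_lookup_kdc is off). The embedded sample conf and the injectable `connect` parameter are assumptions made for offline testing.

```python
import socket

# Constructed sample mirroring the [libdefaults]/[realms] sections posted above.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = no
[realms]
    EXAMPLE.COM = {
        kdc = 1.2.3.4
    }
"""
def parse_krb5_conf(text):
    """Return (libdefaults, realms); realms maps REALM -> list of 'kdc =' values."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments and blanks
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms":
            if line.endswith("{"):                      # 'EXAMPLE.COM = {'
                realm = line[:-1].strip(" =")
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.partition("=")[0].strip() == "kdc":
                realms[realm].append(line.partition("=")[2].strip())
        elif section == "libdefaults":
            key, _, value = line.partition("=")
            libdefaults[key.strip()] = value.strip()
    return libdefaults, realms

def kdc_targets(libdefaults, realms, realm=None):
    """(host, port) pairs the library tries for a realm when dns_lookup_kdc is off."""
    realm = realm or libdefaults.get("default_realm")
    pairs = [e.rpartition(":") if ":" in e else (e, "", "88") for e in realms.get(realm, [])]
    return [(host, int(port)) for host, _, port in pairs]

def diagnose(conf_text, timeout=2.0, connect=socket.create_connection):
    """Map each KDC of the default realm to whether TCP port 88 accepts a connection."""
    result = {}
    for host, port in kdc_targets(*parse_krb5_conf(conf_text)):
        try:
            connect((host, port), timeout=timeout).close()
            result[(host, port)] = True
        except OSError:                                 # refused, unreachable, timeout
            result[(host, port)] = False
    return result
```

Run `diagnose(open("/etc/krb5.conf").read())` on the proxy itself: a False next to the KDC points at a network or packet-filter problem between proxy and AD, while a True means the KDC answers and the keytab entries or realm mapping should be examined next.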