Re: Squid - Kerberos - update keytab issue

["L.P.H. van Belle" <belle@xxxxxxxxx>]

Hai,

 

Use winbind and never have this problem again.

 

* install winbind only is sufficient, below works since squid 3.2 up to 4.10

 

An example of a minimal smb.conf for it.

 

[global]
    # Auth-Only setup with winbind. ( no Shares )

 

    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.TLD
    netbios name = PROXY1

 

    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes

    interfaces = IP_OR_INTERFACENAME 127.0.0.1
    bind interfaces _only_ = yes

 

    ### OBLIGATED PART begin

    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999

 

    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 100000-3999999

 

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

 

    ### OBLIGATED PART end

 

    # Disable usershares create.. ( removes  (unneeded ) error from the logs )
    usershare path =

 

    # Disable printing completely ( removes also (unneeded ) error from the logs. )
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

 

-- ---

 

and join the Windows domain.

kinit administrator
net ads join -k

 

Allow the server in the AD to Delegate Kerberos for Squid. ( or all services ). thats up to you.

After thats done, then

 

Create Squid keytab:

export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab

net ads keytab ADD HTTP/$(hostname -f)

 

Verify it : klist -ke /etc/squid/HTTP-$(hostname -s).keytab

unset KRB5_KTNAME

 

# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

 

 

! Optional krb5.conf ( most of the time the default should be sufficient.

 

[libdefaults]
    default_realm = YOUR.REALM.TLD

    ## below her is optional.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

    ;https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
    ignore_k5login = true

and the squid auth part.

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-proxy1.keytab \
    -s HTTP/proxy1.your.DNSdomain.tld@YOUR.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Good luck.

 

Greetz,

 

Louis

 

 

---

Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Sébastien Genesta
Verzonden: maandag 23 maart 2020 16:01
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Squid - Kerberos - update keytab issue

Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, my kerberos authentication breaks.
(currently, to bypass this issue, I regenerate keytab file).

Here, the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab

Below log I have every run (when everything is ok):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxx.xxxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago. -- execute: Exiting because password was changed recently. -- ~KRB5Context: Destroying Kerberos Context

Below logs when things gone bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxxxx.xxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 30 days ago. -- ldap_check_account: Checking that a computer account for KRB-PROX$ exists -- ldap_check_account: Checking computer account - found -- ldap_check_account: Found userAccountControl = 0x1000 -- ldap_check_account: Found supportedEncryptionTypes = 28 -- ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found User Principal: HTTP/proxy.xxxxxxxxxxxxxxxxx.local -- ldap_check_account_strings: Inspecting (and updating) computer account attributes -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to reset computer's password -- set_password: Try using keytab for KRB-PROX$ to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- set_password: krb5_change_password failed using keytab: (3) Authentication error -- ~KRB5Context: Destroying Kerberos Context

lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_password: Trying to authenticate for KRB-PROX$ with password. -- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_password: Authentication with password failed -- try_user_creds: Checking if default ticket cache has tickets... -- finalize_exec: Authenticated using method 5 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxx.xxxxxxxxx.local -- ~KRB5Context: Destroying Kerberos Context

Technical information:
-Windows 2016 server (Kerberos)
-Squid 3-x
-msktutil version 1.0

Thanks for your help!

Seb

Sébastien GENESTA

System & Network Administrator

Avis Vérifiés

	+334 13 25 81 70
	sebastien@xxxxxxxxxxxxxxxxx
	www.avis-verifies.com

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users