Re: [squid-users] HEAD over HTTPS

2016-03-30 Thread Amos Jeffries
On 31/03/2016 10:36 a.m., Dick Visser wrote:
> On 26 February 2016 at 00:38, Amos Jeffries wrote:
>> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>>> Hi
>>>
>>> I'm trying to set up an acl to allow a link checker tool to do its
>>> work through squid.
>>> This tool is a Wordpress plugin.
>>> The whole reason I have squid is so that Wordpress itself cannot
>>> retrieve random stuff from the Internet.
>>>
>>> I had come up with the idea of allowing HEAD method, so the link
>>> checker plugin can do its job while at the same time not allowing
>>> malicious content to be retrieved.
>>> This appears to work well.
>>>
>>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>>> which is then denied by squid.
>>
>> The tool is setup to relay TLS "HTTPS" through an *HTTP* proxy. To have
>> any more control than what you already found with that particular
>> layering will require MITM'ing that traffic with Squid SSL-Bump feature.
>>
>> However, Squid is capable of receiving TLS connections in its role as
>> explicit/forward proxy. If the tool can be updated to use TLS to secure
>> its connection to the proxy, then to deliver its https:// messages to
>> the proxy over that (instead of using "HTTPS") you will get better
>> control without any loss of security.
>>
> 
> I checked and the tool does not support TLS to the proxy...
> It is not a problem here to use SSLbump, but I don't understand how to
> configure squid to allow *only* HEAD requests on HTTPS.
> Because that is done using the CONNECT method.
> The HEAD method doesn't go 'inside' the CONNECT method - or am I
> mixing things up?

Yes you are mixing things up. The CONNECT is "outside", and the HEAD is
"inside" the encryption layer.

Squid normally only sees the "outside". But SSL-Bump ('bump' action for
full decryption) lets Squid see the "inside" as well.


So for configuration:

 # let the tool send CONNECT requests (only to SSL ports)
 # NP: this is separate from the default "deny CONNECT !SSL_ports" line
 #  which should come first.
 acl tool src 
 http_access allow CONNECT SSL_ports tool

 # let HTTPS HEAD requests happen (these are the requests Squid only
 # sees inside the bumped tunnel; they pass through http_access too)
 acl HEAD method HEAD
 acl HTTPS proto HTTPS
 http_access allow HEAD HTTPS

 http_access deny all

... plus the usual http_port and ssl_bump settings for bumping.

I used the tool IP address and a src ACL above to keep it simple. You may
have some other way to identify the tool's CONNECT requests.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
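As an added illustration (not from Amos's mail or from Squid itself): a small Python model of Squid's first-match http_access evaluation applied to the rule set sketched above, showing that the CONNECT is judged on the "outside" and, only once the tunnel is open and bumped, the HEAD or GET on the "inside" is judged again. The tool address 192.0.2.10 and the single SSL port 443 are assumptions.

```python
from dataclasses import dataclass

# Assumptions (not from the thread): the link checker's address and the
# SSL_ports set; 192.0.2.0/24 is a documentation range.
TOOL_IP = "192.0.2.10"
SSL_PORTS = {443}


@dataclass
class Request:
    src: str       # client address, as seen by the src ACL
    method: str    # CONNECT on the outside; HEAD/GET/... inside the tunnel
    scheme: str    # "https" for a request seen inside a bumped tunnel
    port: int      # destination port


# One predicate per "acl <name> <type> <value>" line in the sketch above.
ACLS = {
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "tool": lambda r: r.src == TOOL_IP,
    "HEAD": lambda r: r.method == "HEAD",
    "HTTPS": lambda r: r.scheme == "https",
}

# http_access lines in squid.conf order; "!" negates an ACL, "all" always matches.
RULES = [
    ("deny", ["CONNECT", "!SSL_ports"]),          # default safety line, first
    ("allow", ["CONNECT", "SSL_ports", "tool"]),  # the tool may open tunnels
    ("allow", ["HEAD", "HTTPS"]),                 # seen only after bumping
    ("deny", ["all"]),
]


def acl_matches(name: str, req: Request) -> bool:
    if name == "all":
        return True
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)


def http_access(req: Request) -> str:
    """First rule whose ACLs all match wins, as in Squid."""
    for verdict, acls in RULES:
        if all(acl_matches(a, req) for a in acls):
            return verdict
    return "deny"  # unreachable here: the last rule matches everything


def check_link(src: str, method: str, port: int = 443) -> tuple:
    """Two-stage decision for one https:// link: the CONNECT is judged on the
    outside; only if the tunnel opens (and is bumped) does Squid see and judge
    the HEAD or GET inside it."""
    outer = http_access(Request(src, "CONNECT", "none", port))
    if outer != "allow":
        return ("CONNECT denied",)
    inner = http_access(Request(src, method, "https", port))
    return ("CONNECT allowed", f"{method} {inner}")


if __name__ == "__main__":
    cases = ((TOOL_IP, "HEAD"), (TOOL_IP, "GET"),
             ("192.0.2.99", "HEAD"), (TOOL_IP, "HEAD", 8443))
    for args in cases:
        print(args, "->", check_link(*args))
```

Without the bump step there is no inner request to evaluate, which is why the plain CONNECT allow alone cannot restrict the method.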


Re: [squid-users] HEAD over HTTPS

2016-03-30 Thread Dick Visser
On 26 February 2016 at 00:38, Amos Jeffries  wrote:
> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>> Hi
>>
>> I'm trying to set up an acl to allow a link checker tool to do its
>> work through squid.
>> This tool is a Wordpress plugin.
>> The whole reason I have squid is so that Wordpress itself cannot
>> retrieve random stuff from the Internet.
>>
>> I had come up with the idea of allowing HEAD method, so the link
>> checker plugin can do its job while at the same time not allowing
>> malicious content to be retrieved.
>> This appears to work well.
>>
>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>> which is then denied by squid.
>
> The tool is setup to relay TLS "HTTPS" through an *HTTP* proxy. To have
> any more control than what you already found with that particular
> layering will require MITM'ing that traffic with Squid SSL-Bump feature.
>
> However, Squid is capable of receiving TLS connections in its role as
> explicit/forward proxy. If the tool can be updated to use TLS to secure
> its connection to the proxy, then to deliver its https:// messages to
> the proxy over that (instead of using "HTTPS") you will get better
> control without any loss of security.
>

I checked and the tool does not support TLS to the proxy...
It is not a problem here to use SSLbump, but I don't understand how to
configure squid to allow *only* HEAD requests on HTTPS.
Because that is done using the CONNECT method.
The HEAD method doesn't go 'inside' the CONNECT method - or am I
mixing things up?

I'll start with using Squid 3.5.x to make sure I have the latest versions.

Thanks

Dick


Re: [squid-users] login dialog pop up occurs every site embeed a frame

2016-03-30 Thread Amos Jeffries
On 31/03/2016 1:49 a.m., Jens Kallup wrote:
> Hello,
> 
> I have the following problem:
> when i serve the site:
> 
> http://thejimmahknows.com/squid-proxy-splash-page-2/?doing_wp_cron=1459339456.8651709556579589843750
> 
> 
> the authentication/squid ask me for user & password.
> That's all ok.
> 
> But, when you look at the right, there is a frame with ads.
> And the frame/page is performing an endless login loop, if you click on OK.
> If you click "abort/cancel" a few times, the web-browser produces a proxy error.
> 
> What can I do to prevent those loops?

The popup is a browser feature (and decision). The question is why does/might
the browser think it needs new credentials different to the ones you just
entered?

Amos



Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-30 Thread Olivier CALVANO
I put keep_alive off, but no change.

I don't think that it's malware, it's not always the same username.

Today, 5 new usernames with the same problems between 13:20 and 16:15.

I don't understand the problem :<



2016-03-30 12:56 GMT+02:00 Amos Jeffries :

> On 30/03/2016 9:40 p.m., Olivier CALVANO wrote:
> > Hi
> >
> > I use:
> >
> > ## negotiate kerberos and ntlm authentication
> > auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> > auth_param negotiate children 100 startup=10 idle=1
> > auth_param negotiate keep_alive on
> >
> > ## NTLM authentication module
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100 startup=10 idle=1
> > auth_param ntlm keep_alive on
>
>
> Try with "keep_alive off" on both of those auth methods. This does not
> conflict with connection keep-alive in general, just closes the
> connection at a very specific time in the auth handshake. Without that
> certain IE and Firefox can have problems authenticating properly.
>
> Given that the client waited 20 minutes for those WU requests to happen
> I doubt it is an actual user. Probably an automated WU background
> process doing its thing while they happen to be logged in. Which means
> the IE behaviour is relevant.
>
> The yahoo.fr request being 1 hr long is very odd though. That is
> something I'd expect to see from a real person user. But not waiting an
> hour for. Could they be infected with some toolbar malware?
>
> Amos
>


[squid-users] login dialog pop up occurs every site embeed a frame

2016-03-30 Thread Jens Kallup

Hello,

I have the following problem:
when I serve the site:

http://thejimmahknows.com/squid-proxy-splash-page-2/?doing_wp_cron=1459339456.8651709556579589843750

the authentication/squid asks me for user & password.
That's all ok.

But, when you look at the right, there is a frame with ads.
And the frame/page is performing an endless login loop, if you click on OK.
If you click "abort/cancel" a few times, the web-browser produces a proxy error.

What can I do to prevent those loops?
Here is the config:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /sap/squid/passwd
auth_param basic children 4
auth_param basic utf8 on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort fuer die Internetberechtigung ein!

auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive on

external_acl_type MyAclHelper %LOGIN %DST /sap/squid/myHelper/myaclhelper.pl

acl ncsa_users proxy_auth REQUIRED
acl block_list external MyAclHelper

acl localnet src 10.0.0.0/8
acl localnet src 192.168.178.0/24
#
http_access deny !ncsa_users
http_access deny !block_list
#
http_access allow localnet


acl SSL_port port 443
acl Safe_ports port 3128
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_port
http_access deny all

http_port 192.168.178.80:3128
dns_v4_first on  # DNS queries

cache_mgr jkal...@web.de
cache_mem 8 MB

cache_effective_user  squid
cache_effective_group squid

error_directory /usr/local/squid/share/errors/de-de
error_default_language de

cache_dir ufs /sap/var/spool/squid 64 16 128
cache_access_log /sap/squid/log/access.log
cache_log /sap/squid/log/cache.log
cache_store_log none

# Leave coredumps in the first cache dir
coredump_dir /sap/var/spool/squid

pid_filename /sap/squid/squid3.pid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %<


Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-30 Thread Amos Jeffries
On 30/03/2016 9:40 p.m., Olivier CALVANO wrote:
> Hi
> 
> I use:
> 
> ## negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 100 startup=10 idle=1
> auth_param negotiate keep_alive on
> 
> ## NTLM authentication module
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 100 startup=10 idle=1
> auth_param ntlm keep_alive on


Try with "keep_alive off" on both of those auth methods. This does not
conflict with connection keep-alive in general, just closes the
connection at a very specific time in the auth handshake. Without that
certain IE and Firefox can have problems authenticating properly.

Given that the client waited 20 minutes for those WU requests to happen
I doubt it is an actual user. Probably an automated WU background
process doing its thing while they happen to be logged in. Which means
the IE behaviour is relevant.

The yahoo.fr request being 1 hr long is very odd though. That is
something I'd expect to see from a real person user. But not waiting an
hour for. Could they be infected with some toolbar malware?

Amos

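An added example, not from the thread: a parser for Squid's native access.log format, run over the four NONE_ABORTED/000 lines Olivier posted plus one constructed healthy line, to pull out per-user aborted requests and how long the client waited before giving up. Field 2 of the native format is elapsed milliseconds, so 1200888 is the 20 minutes Amos mentions and 3538111 the roughly hour-long yahoo.fr request. The "alice"/172.16.6.40 line is constructed for contrast.

```python
from collections import defaultdict

# Four lines from Olivier's mail, plus one constructed TCP_MISS/200 line so
# that a normal request is visibly not reported.
SAMPLE_LOG = """\
1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? olivier HIER_NONE/- -
1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/ olivier HIER_NONE/- -
1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
1459267920.123    412 172.16.6.40 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/203.0.113.5 text/html
"""


def parse_native_line(line: str):
    """Split one native-format line: time, elapsed(ms), client, status/code,
    size, method, URL, user, hierarchy/peer, content type. None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    status, code = fields[3].split("/", 1)
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "status": status,
        "http_code": code,
        "size": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
        "hier": fields[8],
    }


def aborted_by_user(log_text: str, min_wait_s: int = 0) -> dict:
    """Group NONE_ABORTED/000 entries per user: count, distinct client
    addresses, longest wait in whole seconds, and the requests themselves.
    min_wait_s drops short aborts (a quick cancel is rarely interesting)."""
    out = defaultdict(lambda: {"aborted": 0, "clients": set(),
                               "max_wait_s": 0, "requests": []})
    for raw in log_text.splitlines():
        e = parse_native_line(raw)
        if e is None or e["status"] != "NONE_ABORTED" or e["http_code"] != "000":
            continue
        wait_s = e["elapsed_ms"] // 1000
        if wait_s < min_wait_s:
            continue
        rec = out[e["user"]]
        rec["aborted"] += 1
        rec["clients"].add(e["client"])
        rec["max_wait_s"] = max(rec["max_wait_s"], wait_s)
        rec["requests"].append((e["method"], e["url"], wait_s))
    return dict(out)


if __name__ == "__main__":
    for user, rec in aborted_by_user(SAMPLE_LOG, min_wait_s=600).items():
        print(user, rec["aborted"], sorted(rec["clients"]), rec["max_wait_s"])
```

Two client addresses under one username, with one of them waiting the best part of an hour, is the pattern Amos reads as a background process rather than a person at the keyboard.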


Re: [squid-users] ssl + stunnel and cache peer

2016-03-30 Thread Amos Jeffries
On 30/03/2016 9:43 a.m., Baselsayeh wrote:
> sorry
> it seems that http://squid-web-proxy-cache.1019090.n4.nabble.com doesn't
> remove posts

This is an email mailing list. Nabble is just an archive display. There
is no "oops I should not have mailed the world" undo feature in email.

> 
> Yuri Voinov wrote
> I said exactly: "Cache peer cannot use re-crypting right now".
> 
> No matter what do you have behind cache_peer.

Correction:
  Squid does not (yet) support re-"CONNECT" messaging to cache_peer.

It certainly does support TLS connections to upstream peers. When
bumping it *requires* that the peer supports TLS connections. Which is
part of the problem lots of people have sending bumped data onwards to
non-TLS peers.


> 
> 30.03.16 2:40, Baselsayeh wrote:
>> Is there a workaround so I can use cache peer and squid sslbump?
>> Isn't stunnel using ssl, so that squid doesn't need to re-crypt?


I think your main problem is that Squid *is* re-crypting the outbound
connection to stunnel. Then stunnel is double-crypting it, since stunnel's
purpose is to encrypt plain-text connections.

When the tunnel made by stunnel through the privoxy-like thing reaches
whatever destination Squid instructed it to contact it gets decrypted
_once_ and the data inside is found to be encrypted ... oops.

What you need to avoid this is something like httptunnel. Which does not
double-encrypt the traffic.


PS. The tutorials you see around the Internet about using Squid +
stunnel at present are either for taking plain-text client connections and
sending them through stunnel to a secured https_port on Squid, or for taking
outbound connections from a non-encrypting Squid and sending them securely
to some upstream proxy.

Amos


Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-30 Thread Olivier CALVANO
Hi

I use:

## negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=10 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication dialog
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b dc=mydomain,dc=fr -f sAMAccountName=%s -D cn=Proxy,ou=vpn,dc=mydomain,dc=fr -w "mypass" -t 3 -H 172.16.1.21
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Proxy
#auth_param basic credentialsttl 2 hours
auth_param basic credentialsttl 1 minute


But same problems if i put :

## negotiate kerberos and ntlm authentication
#auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
#auth_param negotiate children 100 startup=10 idle=1
#auth_param negotiate keep_alive on



Yes, I have the login/password of the users (of >5000 accounts, we have
10/20 accounts with this problem).


I have a second server, but for High Availability.


Sample of the problem with one username:
 before 11:17am it works
 at 11:17am the username doesn't have access to the internet and in the logs
we have the error.
 at 07:30pm the username has internet access again ..


regards
Olivier



2016-03-30 9:59 GMT+02:00 Kinkie :

> Are you using BASIC, ntlm or kerberos?
> Do you know that user's password in order to run some tests?
> Do you have some other proxy or box where you can run some tests?
> AD is a complex system, so the first thing to do is to understand if the
> problem is caused by AD, by the system, by something related to the user or
> to the auth helper or to squid.
> On Mar 30, 2016 9:50 AM, "Olivier CALVANO"  wrote:
>
>> Anyone know this problems ?
>>
>>
>> 2016-03-29 18:22 GMT+02:00 Olivier CALVANO :
>>
>>> Hi
>>>
>>> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
>>> authentication (tested with negotiate_wrapper but same
>>> problems with ntlm_auth).
>>>
>>> That works very well for a time but, without reason, a limited user can't
>>> access the internet and I don't know why.
>>>
>>> In the logs, we have:
>>>
>>> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET
>>> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
>>> olivier HIER_NONE/- -
>>> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET
>>> http://yahoo.fr/ olivier HIER_NONE/- -
>>> 1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET
>>> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>> 1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD
>>> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>>
>>>
>>> I don't know why but all logs have "NONE_ABORTED/000"
>>> Anyone know this error?
>>>
>>>
>>> If, on the same PC, I change the username, that works! Reconnect with
>>> the old username and the problems start.
>>>
>>> regards
>>> Olivier
>>>
>>
>>


Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-30 Thread Kinkie
Are you using BASIC, ntlm or kerberos?
Do you know that user's password in order to run some tests?
Do you have some other proxy or box where you can run some tests?
AD is a complex system, so the first thing to do is to understand if the
problem is caused by AD, by the system, by something related to the user or
to the auth helper or to squid.
On Mar 30, 2016 9:50 AM, "Olivier CALVANO"  wrote:

> Anyone know this problems ?
>
>
> 2016-03-29 18:22 GMT+02:00 Olivier CALVANO :
>
>> Hi
>>
>> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
>> authentication (tested with negotiate_wrapper but same
>> problems with ntlm_auth).
>>
>> That works very well for a time but, without reason, a limited user can't
>> access the internet and I don't know why.
>>
>> In the logs, we have:
>>
>> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET
>> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
>> olivier HIER_NONE/- -
>> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET
>> http://yahoo.fr/ olivier HIER_NONE/- -
>> 1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET
>> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>> 1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD
>> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>>
>>
>> I don't know why but all logs have "NONE_ABORTED/000"
>> Anyone know this error?
>>
>>
>> If, on the same PC, I change the username, that works! Reconnect with
>> the old username and the problems start.
>>
>> regards
>> Olivier
>>
>
>


Re: [squid-users] We have a big problems with Squid 3.3.8, it's a bug ?

2016-03-30 Thread Olivier CALVANO
Anyone know this problems ?


2016-03-29 18:22 GMT+02:00 Olivier CALVANO :

> Hi
>
> we use on a new server Squid 3.3.8 on CentOS 7 with Active Directory
> authentication (tested with negotiate_wrapper but same
> problems with ntlm_auth).
>
> That works very well for a time but, without reason, a limited user can't
> access the internet and I don't know why.
>
> In the logs, we have:
>
> 1459266547.967 1200888 172.16.6.39 NONE_ABORTED/000 0 GET
> http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
> olivier HIER_NONE/- -
> 1459266567.771 3538111 172.16.6.14 NONE_ABORTED/000 0 GET http://yahoo.fr/
> olivier HIER_NONE/- -
> 1459267856.877  30609 172.16.6.39 NONE_ABORTED/000 0 GET
> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
> 1459267917.860  60713 172.16.6.39 NONE_ABORTED/000 0 HEAD
> http://officecdn.microsoft.com/Office/Data/v32.cab olivier HIER_NONE/- -
>
>
> I don't know why but all logs have "NONE_ABORTED/000"
> Anyone know this error?
>
>
> If, on the same PC, I change the username, that works! Reconnect with
> the old username and the problems start.
>
> regards
> Olivier
>


Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-30 Thread akn ab

Many thanks Markus, I solved everything!


Sent: Tuesday, March 22, 2016 at 1:25 AM
From: "Markus Moeller" 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

1) Yes, you should see user@DOMAIN for kerberos authentication, but if you use -r the @DOMAIN will be removed.

2) The client in EXTERNAL.COM needs to know where to find the HTTP/@FATHER.COM principal. I think your trust is not fully setup. You should see some cross domain TGTs.

Cross Domain SPN Lookups with Active Directory

When Domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define Host Mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order

Markus


"akn ab"  wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...

Hello Markus,

first of all thank you for your reply, today I'm having a strange issue.

KID1 and KID2 started to authenticate with kerberos correctly without any modification ...

This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1)

On my squid logs, I can see users authenticated correctly, but not the domain the users came from.

For example:

FATHER.COM\user1

KID1.FATHER.COM\user1

KID2.FATHER.COM\user1

are reported in my logs as "user1" and not as us...@kid1.father.com or KID1\user1 (for example)

I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers.

Is it possible with kerberos?

2)

I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM, so I added it in my krb5.conf like KID1, but kerberos auth fails.

Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.

Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?

Can you get a wireshark capture on your client on port 88 ? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages ?

Regards

Markus


"akn ab"  wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem in configuring my squid 3.5.15 with negotiated kerberos authentication in my Mono Forest Multi Domains.

My FATHER.COM is a forest with 2 children: KID1 and KID2.

Like this: FATHER.COM -> KID1.FATHER.COM
                      -> KID2.FATHER.COM

With the actual configuration, squid negotiated kerberos auth works with only FATHER.COM but not when my users belong to KID1 and KID2.

I read some discussions on the mailing list about forests, but cannot find a definitive advice and procedure to authenticate children domain users.

My krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
FATHER.COM = {
  kdc = dc1.father.com:88

  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}

KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}

[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM

.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM

[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}

KID2.FATHER.COM = {
   FATHER.COM = .
}

 

To join kerberos auth with FATHER.COM I did:

# kinit u...@father.com

# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r