Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-21 Thread Fabio Bucci
Apologies for my mail...

Fabio

2016-01-14 6:09 GMT+01:00 LYMN <brett.l...@baesystems.com>:
> On Wed, Jan 13, 2016 at 09:30:46AM +0100, Fabio Bucci wrote:
>> Hi All,
>> I want to finish a previous job done by an ex-colleague who has changed
>> company. Now there is a cluster of 2 Squid nodes with NTLM transparent
>> authentication, and one spare node I'm using as a test, configured with
>> Kerberos instead. Reading a lot of info I understood that Kerberos is
>> more stable than NTLM, and my plan is to migrate the production cluster
>> to this kind of authentication. The configurations (Squid and Kerberos)
>> seem to be OK, but every time I point the browser to Squid I'm unable to
>> get to the internet: a popup asks me for credentials, but even if I put
>> in the right ones it doesn't work. Could you help me?
>>
>
> Firstly, please don't hijack someone else's thread; that makes things
> confusing.  Post a new message of your own so people can follow the
> thread.  Secondly, you need to provide answers to all the questions that
> L.P.H. van Belle asked; this will give people a good picture of what
> your set up is like and where the problem may be.
>
> --
> Brett Lymn
> This email has been sent on behalf of one of the following companies within 
> the BAE Systems Australia group of companies:
>
> BAE Systems Australia Limited - Australian Company Number 008 423 005
> BAE Systems Australia Defence Pty Limited - Australian Company Number 006 
> 870 846
> BAE Systems Australia Logistics Pty Limited - Australian Company Number 
> 086 228 864
>
> Our registered office is Evans Building, Taranaki Road, Edinburgh Parks,
> Edinburgh, South Australia, 5111. If the identity of the sending company is
> not clear from the content of this email please contact the sender.
>
> This email and any attachments may contain confidential and legally
> privileged information.  If you are not the intended recipient, do not copy or
> disclose its content, but please reply to this email immediately and highlight
> the error to the sender and then immediately delete the message.
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] kerberos authentication with a machine account doesn't work

2016-01-13 Thread Fabio Bucci
Hi All,
I want to finish a previous job done by an ex-colleague who has changed
company. Now there is a cluster of 2 Squid nodes with NTLM transparent
authentication, and one spare node I'm using as a test, configured with
Kerberos instead. Reading a lot of info I understood that Kerberos is
more stable than NTLM, and my plan is to migrate the production cluster
to this kind of authentication. The configurations (Squid and Kerberos)
seem to be OK, but every time I point the browser to Squid I'm unable to
get to the internet: a popup asks me for credentials, but even if I put
in the right ones it doesn't work. Could you help me?

2016-01-12 0:28 GMT+01:00 LYMN :
> On Mon, Jan 11, 2016 at 09:06:27PM +1300, Amos Jeffries wrote:
>> On 11/01/2016 2:48 p.m., LYMN wrote:
>> >
>> > I did manage to get this working, you did mention the correct solution
>> > right down the end of your message.
>> >
>>
>> Correct for you yes. That can happen when making half-blind guesses at
>> what the problem actually is based on partial information. It might have
>> been any of the issues mentioned or any of the solutions mentioned.
>> Others in future may find differently depending on what they have mucked
>> up or played around with before asking.
>>
>
> Yes, correct for me.  It indeed could be one or more of the suggestions
> that were made.  Kerberos errors are such fun to debug, made more so by
> multiple problems causing the same error message.  I have had a
> situation where I had a few different problems and it wasn't until I had
> sorted them all that the error message went away but it is so unsettling
> to get the same error after you have made a change that you are sure
> makes things correct.
>
>> > On Thu, Jan 07, 2016 at 09:37:46AM +0100, L.P.H. van Belle wrote:
>> >> Hai,
>> >>
>> >>
>> >> Few things to check.
>> >>
>> >> /etc/krb5.keytab should have rights 600 (root:root)
>> >>
>> >
>> > And this was the problem but it should not, in my case, be as you
>> > stated. In fact, /etc/krb5.keytab needed to have rights 640 with
>> > ownership root:nobody.  This is because the kerberos authenticator runs
>> > as the user nobody and needs access to the keytab.  I am not so sure I
>> > like this situation because this does mean the nobody user now has
>> > access to the machine kerberos keys not just the ones for the http SPN.
>>
>> "nobody" is the default low-privileged user account unless you build
>> Squid with the --with-default-user=X - in which case it will default to
>> the "X" account.
>>
>> You can also configure "cache_effective_user X" in squid.conf to
>> override the default if your Squid was built with one you don't want to use.
>>
>
> Yes.  I think you have clarified the point that I was trying to make
> which was the user/group used may depend on your configuration or squid
> build.
>
> --
> Brett Lymn
>
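The keytab trade-off discussed in this message (the helper runs as cache_effective_user, so it must be able to read the keytab, but a machine keytab also carries the host/ and MACHINE$ keys the HTTP helper has no business holding) can be checked mechanically. What follows is an added example, not code from the thread or from Squid: it parses the MIT keytab format directly so it runs without a KDC, and the realm, principals, key bytes and uid/gid numbers in it are constructed. The fix it points at is the usual one: export only the HTTP/ SPN into a separate keytab, hand that to the helper (for instance through the KRB5_KTNAME environment variable), and leave /etc/krb5.keytab at 600 root:root.

```python
import stat
import struct
from typing import Dict, Iterable, List, Tuple

# Added example, not code from the thread or from Squid: parse an MIT-format
# keytab (version 0x0502) and audit what the Squid helper's user can read.
# The sample keytab is constructed in memory with dummy key bytes, so no KDC
# or real credentials are involved; uid/gid values are assumed.

KEYTAB_MAGIC = b"\x05\x02"
ETYPE_AES256 = 18                   # aes256-cts-hmac-sha1-96


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(realm: str, components: List[str], kvno: int, key: bytes,
                enctype: int = ETYPE_AES256) -> bytes:
    """Serialise one length-prefixed keytab entry (used to build the sample)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)                    # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (principal, kvno, enctype) for every live entry; skip deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        pos += 8                              # skip name_type and timestamp
        kvno, pos = data[pos], pos + 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        _key, pos = _read_cstr(data, pos + 2)
        if end - pos >= 4:                    # 32-bit kvno present: nonzero value wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def audit(entries: List[Tuple[str, int, int]], mode: int, owner_uid: int,
          group_gid: int, helper_uid: int, helper_gids: Iterable[int],
          allowed_prefix: str = "HTTP/") -> Dict[str, object]:
    """The helper (cache_effective_user, 'nobody' by default) must be able to
    read the keytab, but should not thereby gain host/ or MACHINE$ keys."""
    gids = set(helper_gids)
    readable = bool((owner_uid == helper_uid and mode & stat.S_IRUSR)
                    or (group_gid in gids and mode & stat.S_IRGRP)
                    or (mode & stat.S_IROTH))
    extra = sorted({p for p, _, _ in entries if not p.startswith(allowed_prefix)})
    return {"helper_can_read": readable,
            "world_readable": bool(mode & stat.S_IROTH),
            "extra_principals": extra,        # readable keys the helper does not need
            "ok": readable and not (mode & stat.S_IROTH) and not extra}


# Constructed sample: the machine keytab a domain join leaves behind, plus
# the HTTP/ SPN; and a second keytab holding only the HTTP/ SPN.
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join([
    build_entry("EXAMPLE.COM", ["PROXY01$"], 3, b"\x11" * 32),
    build_entry("EXAMPLE.COM", ["host", "proxy01.example.com"], 3, b"\x22" * 32),
    build_entry("EXAMPLE.COM", ["HTTP", "proxy01.example.com"], 3, b"\x33" * 32),
])
SAMPLE_SPN_ONLY = KEYTAB_MAGIC + build_entry(
    "EXAMPLE.COM", ["HTTP", "proxy01.example.com"], 3, b"\x33" * 32)
ROOT, NOBODY = 0, 65534                       # assumed uid/gid values


def main() -> None:
    for label, kt, mode, grp in [("600 root:root, machine keytab", SAMPLE_KEYTAB, 0o600, ROOT),
                                 ("640 root:nobody, machine keytab", SAMPLE_KEYTAB, 0o640, NOBODY),
                                 ("640 root:nobody, HTTP/ only", SAMPLE_SPN_ONLY, 0o640, NOBODY)]:
        print(label, audit(parse_keytab(kt), mode, ROOT, grp, NOBODY, {NOBODY}))


if __name__ == "__main__":
    main()
```

The three scenarios in main() are the ones the thread walks through: 600 root:root leaves the helper unable to read anything, 640 root:nobody on the machine keytab lets it read but hands it the PROXY01$ and host/ keys as well (extra_principals), and 640 root:nobody on an HTTP/-only keytab is the one that passes. The parser honours deleted slots (negative length) and the optional trailing 32-bit kvno, so it also reads keytabs that have had entries removed or re-keyed.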


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Hi,
could you help me look for what is wrong?

Regards,
Fabio

2016-01-07 14:26 GMT+01:00 Fabio Bucci <fabiett...@gmail.com>:
> Hi Amos,
> just configured squid.conf as:
>
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
> -d -s HTTP/myproxy.domain
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
>
> acl auth proxy_auth REQUIRED
>
> http_access allow auth
>
> but it doesn't work: the browser shows me a credentials popup, and even
> if I put them in it asks me again
>
> Thanks,
> Fabio
>
> 2015-12-31 6:30 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>
>>> Could you help me in kerberos configuration only? I don't want a fallback
>>
>>
>> That should be blindingly obvious ... just use the Kerberos helper directly
>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>> helper parts.
>>
>> Amos
>>
>>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Yes, of course. But I'm wondering if all the configuration is right.

Thanks,
Fabio

2016-01-11 9:43 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 11/01/2016 9:34 p.m., Fabio Bucci wrote:
>> Hi,
>> could you help me look for what is wrong?
>>
>
> The client / browser thinks the credentials are wrong for some reason.
>
> You need to run through all the troubleshooting checks to see if any
> reason shows up. The recent posts "kerberos authentication with a
> machine account doesn't work" might help there.
>
> Amos
>
>
>> Regards,
>> Fabio
>>
>> 2016-01-07 14:26 GMT+01:00 Fabio Bucci:
>>> Hi Amos,
>>> just configured squid.conf as:
>>>
>>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>>> -d -s HTTP/myproxy.domain
>>> auth_param negotiate children 100
>>> auth_param negotiate keep_alive on
>>>
>>> acl auth proxy_auth REQUIRED
>>>
>>> http_access allow auth
>>>
>>> but it doesn't work: the browser shows me a credentials popup, and even
>>> if I put them in it asks me again
>>>
>>> Thanks,
>>> Fabio
>>>
>>> 2015-12-31 6:30 GMT+01:00 Amos Jeffries:
>>>> On 2015-12-31 03:42, Fabio Bucci wrote:
>>>>>
>>>>> Could you help me in kerberos configuration only? I don't want a fallback
>>>>
>>>>
>>>> That should be blindingly obvious ... just use the Kerberos helper directly
>>>> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
>>>> helper parts.
>>>>
>>>> Amos
>>>>
>>>>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-11 Thread Fabio Bucci
Could you kindly write me what I need to post in order for you to review it?

2016-01-11 11:53 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 11/01/2016 11:26 p.m., Fabio Bucci wrote:
>> Yes, of course. But I'm wondering if all the configuration is right.
>>
>
> The Squid part of it looks okay to me. The issue is somewhere in the AD,
> keytab or client setup I think.
>
> Amos
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2016-01-07 Thread Fabio Bucci
Hi Amos,
just configured squid.conf as:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
-d -s HTTP/myproxy.domain
auth_param negotiate children 100
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth

but it doesn't work: the browser shows me a credentials popup, and even
if I put them in it asks me again

Thanks,
Fabio

2015-12-31 6:30 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 2015-12-31 03:42, Fabio Bucci wrote:
>>
>> Could you help me in kerberos configuration only? I don't want a fallback
>
>
> That should be blindingly obvious ... just use the Kerberos helper directly
> as the auth_param helper. Omit the negotiate_wrapper helper and ntlm_auth
> helper parts.
>
> Amos
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
OK, thanks. I think the system guys use Samba and winbind to join Linux
machines to the domain, independently of the services installed

2015-12-29 16:10 GMT+01:00 Eliezer Croitoru <elie...@ngtech.co.il>:
> Hey Fabio,
>
> If you do want to use Kerberos you do not need to use winbindd; there are
> other options.
> (I have not tried them both yet)
>
> Eliezer
>
> On 29/12/2015 16:30, Fabio Bucci wrote:
>>
>> Hi Amos,
>> I'm trying to implement Kerberos as you suggested to me. But following
>> the guide I read "Do not use this method if you run winbindd or other
>> samba services as samba will reset the machine password every x days
>> and thereby makes the keytab invalid !!" and my system guy told me we
>> use the winbindd method.
>>
>> How can I implement it, then?
>> Thanks
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-29 Thread Fabio Bucci
Hi Amos,
I'm trying to implement Kerberos as you suggested to me. But following
the guide I read "Do not use this method if you run winbindd or other
samba services as samba will reset the machine password every x days
and thereby makes the keytab invalid !!" and my system guy told me we
use the winbindd method.

How can I implement it, then?
Thanks

2015-12-16 21:12 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
>> I'm planning to migrate to Kerberos instead of NTLM. I've got a question
>> for you, Amos: sometimes a client reports issues in navigation, and
>> searching in the log file I cannot see the "username" and all the
>> requests are 407.
>>
>> In these cases, is there a way to reset a user session, or is it
>> completely a client issue?
>
> Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> some reason. Some old Firefox, most Safari, and older IE can all get
> stuck trying those credentials and ignoring the offers of Basic.
>
> It might be possible to figure out some LmCompatibility settings change
> that makes the problem just go away (e.g., forcing NTLM of all versions to
> be disabled on the client).
>
> Other than that Squid does have some workaround responses it can be made
> to send back that might help the client reach the right conclusion:
>
> a) list Basic auth first in the config. Any properly working client will
> re-sort the auth types by security level and do the Kerberos anyway. But
> the broken ones (particularly IE7 and older) will have more chance of
> using Basic.
>
> b) sending 407 response with no auth headers. Such as a deny 407 status
> generated by external ACL deny, or a URL-redirector. These tell the
> client that auth failed, but there is no acceptable fallback.
>
> c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> the client prematurely attaching the credentials to the connection and
> re-using them. That is supposed to have been fixed recently, but I've
> not confirmed.
>
> d) sending 403 status response. To just flat-out block the client once
> it enters the looping state. Hoping that later requests will start to
> work again.
>
>
> HTH
> Amos
>
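The symptom Fabio describes in the quoted question (no username in the log, every request a 407) can be picked out of access.log automatically, which helps decide when one of the workarounds Amos lists is worth applying and to which clients. The following is an added example, not from the thread or from Squid's own tooling; it assumes the default "squid" logformat, and the log lines embedded in it are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Added example, not from the thread or from Squid: flag clients stuck in a
# 407 loop by scanning Squid's native access.log. The field layout assumed is
# the default "squid" logformat:
#   time.ms elapsed client result/status bytes method URL user hier/peer type
# The log lines at the bottom are constructed for this example.

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)


@dataclass
class Verdict:
    client: str
    consecutive_407: int        # current unbroken run of 407s with no username
    run_seconds: float          # wall-clock span of that run
    ever_authenticated: bool    # a username was logged for this client at some point
    looping: bool


def detect_auth_loops(lines: Iterable[str], max_handshake: int = 2) -> Dict[str, Verdict]:
    """A working Kerberos handshake logs one 407 and NTLM logs two before a
    request arrives with a username; an unbroken run longer than that, all
    with user '-', is a client retrying the same failed credentials."""
    run: Dict[str, List[float]] = {}            # client -> [count, first_ts, last_ts]
    authed: Dict[str, bool] = defaultdict(bool)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                            # skip blank lines and other logformats
        client, ts = m["client"], float(m["ts"])
        if m["status"] == "407" and m["user"] == "-":
            count, first, _ = run.get(client, [0, ts, ts])
            run[client] = [count + 1, ts if count == 0 else first, ts]
        else:
            run[client] = [0, ts, ts]           # any other response ends the run
            if m["user"] != "-":
                authed[client] = True
    return {c: Verdict(c, int(n), last - first, authed[c], n > max_handshake)
            for c, (n, first, last) in run.items()}


def looping_clients(verdicts: Dict[str, Verdict]) -> List[str]:
    return sorted(c for c, v in verdicts.items() if v.looping)


# Constructed sample: 10.0.0.5 completes NTLM (two 407s, then a 200 carrying
# the user), 10.0.0.7 completes Kerberos (one 407), 10.0.0.9 never gets past 407.
SAMPLE_LOG = r"""
1450000000.101     12 10.0.0.5 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000000.153      9 10.0.0.5 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000000.402    188 10.0.0.5 TCP_MISS/200 1256 GET http://www.example.com/ EXAMPLE\jdoe HIER_DIRECT/203.0.113.10 text/html
1450000001.010      8 10.0.0.7 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000001.220    140 10.0.0.7 TCP_MISS/200 1256 GET http://www.example.com/ asmith@EXAMPLE.COM HIER_DIRECT/203.0.113.10 text/html
1450000002.001      7 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000002.120      6 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000002.240      6 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000002.360      7 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000002.480      6 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
1450000002.600      6 10.0.0.9 TCP_DENIED/407 3519 GET http://www.example.com/ - HIER_NONE/- text/html
"""


if __name__ == "__main__":
    verdicts = detect_auth_loops(SAMPLE_LOG.splitlines())
    for v in verdicts.values():
        print(v)
    print("looping:", looping_clients(verdicts))
```

The threshold is deliberately per-client and per-run rather than a global 407 ratio: a healthy proxy with Negotiate enabled logs a 407 for every new connection, so counting 407s alone would flag everyone. A run reset on any non-407 response also keeps a client that eventually authenticates out of the list, which is what separates the looping browsers Amos describes from ordinary handshakes.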


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-16 Thread Fabio Bucci
I'm planning to migrate to Kerberos instead of NTLM. I've got a question for
you, Amos: sometimes a client reports issues in navigation, and searching in
the log file I cannot see the "username" and all the requests are 407.

In these cases, is there a way to reset a user session, or is it completely
a client issue?

thanks,
Fabio

2015-12-12 5:00 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:

> On 12/12/2015 3:42 a.m., Fabio Bucci wrote:
> > Thanks Amos, I know you suggested Kerberos. How can I implement it instead
> > of LDAP?
>
> <http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos>
>
> Amos
>
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Fabio Bucci
No suggestions?

2015-12-07 14:57 GMT+01:00 Fabio Bucci <fabiett...@gmail.com>:

> Thanks Amos.
> So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?
>
> I have to check if the NetScaler is able to perform that kind of hack you wrote
> about before.
>
> Thanks again,
> Fabio
>
> 2015-12-05 7:22 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:
>
>> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
>> > Thanks Amos.
>> > Actually my load balancing is configured to perform round robin
>> > balancing between the two nodes. I added session persistence by source
>> > IP in order to avoid having to log in again with some sites.
>> >
>> > my squid.conf is very simple:
>> > auth_param ntlm program /usr/bin/ntlm_auth
>> > --helper-protocol=squid-2.5-ntlmssp
>> > auth_param ntlm children 100
>> > auth_param ntlm keep_alive off
>> >
>> > acl auth proxy_auth REQUIRED
>> >
>> > http_access allow auth
>> >
>>
>> Okay. That *should* work. With some NTLM-specific caveats.
>>
>>
>> > forwarded_for on
>> > follow_x_forwarded_for allow netscaler
>> >
>>
>> If the LB is touching the traffic enough to add headers then it is a
>> proxy. NTLM does not work at all well through proxies. NTLM as a whole
>> is based on the assumption that there is one (and only one) TCP
>> connection between it and the proxy - the credentials are tied to the
>> TCP connection state.
>>
>> There is one VERY slim hack that lets NTLM pass straight through a
>> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
>> connections together. This is not just session persistence, but absolute
>> prohibition on any other traffic (even from other connections by the
>> same client) being sent to that outbound LB->proxy connection. Some LB
>> can do it, some can't.
>>
>>
>> I recommend advertising both/all proxy IPs to the clients and letting
>> each select the one(s) it wants to contact. That way the client can
>> perform NTLM directly to the Squid.
>>
>>
>> On the other hand NTLM was deprecated back in 2006, you should try
>> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
>> and can be tricky working with older client software. But is *way* more
>> efficient and friendlier to HTTP (but still not fully).
>>
>>
>> Amos
>>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-11 Thread Fabio Bucci
Thanks Amos, I know you suggested Kerberos. How can I implement it instead of
LDAP?

2015-12-11 15:39 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:

> On 12/12/2015 3:08 a.m., Fabio Bucci wrote:
> > No suggestions?
> >
>
> I've already suggested several times to use Kerberos. But the choice is
> yours.
>
> Amos
>
>


Re: [squid-users] Squid with NTLM auth behind netscaler

2015-12-07 Thread Fabio Bucci
Thanks Amos.
So, what do you suggest? Implement Kerberos authentication instead of the NTLM one?

I have to check if the NetScaler is able to perform that kind of hack you wrote
about before.

Thanks again,
Fabio

2015-12-05 7:22 GMT+01:00 Amos Jeffries <squ...@treenet.co.nz>:

> On 5/12/2015 5:39 a.m., Fabio Bucci wrote:
> > Thanks Amos.
> > Actually my load balancing is configured to perform round robin balancing
> > between the two nodes. I added session persistence by source IP in order
> > to avoid having to log in again with some sites.
> >
> > my squid.conf is very simple:
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 100
> > auth_param ntlm keep_alive off
> >
> > acl auth proxy_auth REQUIRED
> >
> > http_access allow auth
> >
>
> Okay. That *should* work. With some NTLM-specific caveats.
>
>
> > forwarded_for on
> > follow_x_forwarded_for allow netscaler
> >
>
> If the LB is touching the traffic enough to add headers then it is a
> proxy. NTLM does not work at all well through proxies. NTLM as a whole
> is based on the assumption that there is one (and only one) TCP
> connection between it and the proxy - the credentials are tied to the
> TCP connection state.
>
> There is one VERY slim hack that lets NTLM pass straight through a
> frontend proxy/LB. That is by pinning the LB's inbound and outbound TCP
> connections together. This is not just session persistence, but absolute
> prohibition on any other traffic (even from other connections by the
> same client) being sent to that outbound LB->proxy connection. Some LB
> can do it, some can't.
>
>
> I recommend advertising both/all proxy IPs to the clients and letting
> each select the one(s) it wants to contact. That way the client can
> perform NTLM directly to the Squid.
>
>
> On the other hand NTLM was deprecated back in 2006, you should try
> migrating to Negotiate/Kerberos. Kerberos is a bit of a learning curve
> and can be tricky working with older client software. But is *way* more
> efficient and friendlier to HTTP (but still not fully).
>
>
> Amos
>
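Amos's point in the quoted reply, that NTLM ties the credentials to one TCP connection and that source-IP persistence on its own is not enough, can be made concrete with a small model. This is an added example, not from the thread, the NetScaler or Squid: the handshake is a stand-in (an HMAC over a server-issued nonce instead of NTLMSSP), and the backend names, the client IP and the shared secret are constructed. It models the three load-balancer behaviours the reply distinguishes: a fresh backend per request, source-IP persistence over a shared upstream connection, and true pinning of each client connection to its own upstream connection.

```python
import hashlib
import hmac
import itertools
from typing import Dict, List, Tuple

# Added example, not from the thread: a miniature model of the NTLM handshake
# through a load balancer. The "proof" is an HMAC over a server nonce, a
# stand-in for real NTLMSSP; backend names, the client IP and the shared
# secret are constructed for illustration.

SECRET = b"constructed-password-derived-key"


def proof_for(nonce: bytes) -> bytes:
    return hmac.new(SECRET, nonce, hashlib.sha256).digest()


class Backend:
    """A Squid node. The outstanding NTLM challenge is kept per inbound TCP
    connection, which is the property the whole thread hinges on."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.challenges: Dict[str, bytes] = {}     # conn_id -> nonce awaiting leg 3
        self._n = itertools.count(1)               # deterministic nonces for the demo

    def handle(self, conn_id: str, msg: Tuple[str, bytes]) -> Tuple[int, Tuple[str, bytes]]:
        kind, payload = msg
        if kind == "NEGOTIATE":                    # leg 1 in, leg 2 out: challenge on this connection
            nonce = f"{self.name}-nonce-{next(self._n)}".encode()
            self.challenges[conn_id] = nonce
            return 407, ("CHALLENGE", nonce)
        if kind == "AUTHENTICATE":                 # leg 3: must answer the challenge on the same connection
            nonce = self.challenges.pop(conn_id, None)
            if nonce is None:
                return 407, ("NO-CHALLENGE", b"")  # this connection never saw leg 1
            if hmac.compare_digest(payload, proof_for(nonce)):
                return 200, ("OK", b"")
            return 407, ("BAD-PROOF", b"")         # the stored challenge belonged to another leg 1
        raise ValueError(kind)


class LoadBalancer:
    def __init__(self, backends: List[Backend], mode: str) -> None:
        self.backends, self.mode = backends, mode
        self._rr = itertools.cycle(range(len(backends)))
        self._sticky: Dict[str, int] = {}

    def route(self, client_ip: str, client_conn: str, msg: Tuple[str, bytes]):
        if self.mode == "round_robin":     # new backend per request, one pooled upstream connection each
            return self.backends[next(self._rr)].handle("pool", msg)
        idx = self._sticky.setdefault(client_ip, next(self._rr))
        if self.mode == "source_ip":       # sticky backend, but all of this client's traffic shares one upstream connection
            return self.backends[idx].handle("pool", msg)
        if self.mode == "pinned":          # sticky backend and a dedicated upstream connection per client connection
            return self.backends[idx].handle(client_conn, msg)
        raise ValueError(self.mode)


class Client:
    """One browser TCP connection running the three-leg exchange."""

    def __init__(self, lb: LoadBalancer, ip: str, conn_id: str) -> None:
        self.lb, self.ip, self.conn_id, self.nonce = lb, ip, conn_id, b""

    def negotiate(self) -> int:
        status, (kind, nonce) = self.lb.route(self.ip, self.conn_id, ("NEGOTIATE", b""))
        self.nonce = nonce if kind == "CHALLENGE" else b""
        return status

    def authenticate(self) -> int:
        status, _ = self.lb.route(self.ip, self.conn_id, ("AUTHENTICATE", proof_for(self.nonce)))
        return status


def simulate(mode: str, interleave: bool) -> Tuple[int, int]:
    """Final status of two browser connections from the same client IP."""
    lb = LoadBalancer([Backend("squid1"), Backend("squid2")], mode)
    a = Client(lb, "10.0.0.5", "conn-A")
    b = Client(lb, "10.0.0.5", "conn-B")
    if interleave:                         # both connections start NTLM before either finishes
        a.negotiate()
        b.negotiate()
        return a.authenticate(), b.authenticate()
    a.negotiate()                          # one handshake completes before the next starts
    ra = a.authenticate()
    b.negotiate()
    return ra, b.authenticate()


if __name__ == "__main__":
    for mode in ("round_robin", "source_ip", "pinned"):
        for interleave in (False, True):
            print(f"{mode:12s} interleave={interleave!s:5s} ->", simulate(mode, interleave))
```

Run it and compare the three modes: round-robin fails even when one handshake finishes before the next starts, because leg 3 lands on a backend that never issued the challenge; source-IP persistence passes in that sequential case but fails as soon as the browser opens a second connection and the two handshakes interleave on the shared upstream connection, which is the intermittent popup the original post reports; pinning passes in both. Whether a non-pinned leg 3 happens to reach the backend still holding its challenge is a matter of timing, which is why the failure shows up as "sometimes" rather than always.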


[squid-users] Squid with NTLM auth behind netscaler

2015-12-04 Thread Fabio Bucci
Hi All,
my task is implementing a Squid proxy that allows all my authenticated
(Windows AD) internal users to surf the internet without any credential
request (pop-up).

Plus, I created two Squid nodes and put them behind a Citrix NetScaler in
order to perform load balancing.

I configured Squid with Samba and the NTLM helper in order to perform
transparent authentication, but sometimes some users report to me that their
browsers require authentication via pop-up.

I'm not a deep expert on Squid and I'd like your help in understanding
whether my configuration is correct or not and whether there is a way to
prevent the popup.

Thanks all!

Fabio