Re: [squid-users] Kerberos authentication with multiple squids
I see, I think this would mean using Basic Auth to proxy1 which then gets a Kerberos ticket for the user to authenticate to proxy2. This is possible, but I would not think it is a good secure option.

Regards
Markus

"Grant Taylor" wrote in message news:a2070fca-07fd-9a67-3f23-551c1fe77...@spamtrap.tnetconsulting.net...

> On 10/16/21 1:31 PM, Markus Moeller wrote:
>> I think you talk about a kdc proxy, which is for another case.
>
> I don't think so. I'm not talking about using a proxy to access the KDC.
>
> I'm talking about using a component of the following scenario:
>
> 1) Client uses traditional username and password to authenticate to an IMAP server.
> 2) IMAP server uses the provided credentials to request some sort of ticket (I don't remember what type) on the user's behalf.
> 3) IMAP server uses the ticket on the user's behalf to access the user's messages stored on an NFS server.
>
> I'm suggesting that the proxy1 (from the other message) do something on the user's behalf to request a ticket for the user that proxy1 can then use to authenticate as the user to proxy2.
>
> It's been quite a while since I've read about this so I may be completely wrong. But I distinctly remember there was a way to have an intermediate (e.g. IMAP) server accept username and password from clients and access a backend file server on the client's behalf in such a way that the backend server saw normal kerberized connections.
>
> --
> Grant. . . .
> unix || die

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Kerberos authentication with multiple squids
Hi Amos,

If you let me know where exactly, I can add a few lines.

One way to make this setup work would be to add proxy1 also to AD like proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using ktutil. The negotiate_kerberos_auth helper would require the -s GSS_C_NO_NAME option to select either key.

A second option is to add a second service principal name to the proxy2 AD account and use -s GSS_C_NO_NAME.

Regards
Markus

"Amos Jeffries" wrote in message news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz...

> On 14/10/21 8:48 am, Markus Moeller wrote:
>> The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication proxy2.internal. Now the client receiving a 407 thinks that proxy1 asked for authentication (not knowing it is only a passthrough) and will ask for a ticket for proxy1, which it can't get as proxy1 is not in AD. Even if proxy1 would be in AD, the client would send a proxy1 ticket to proxy2 which will be rejected.
>>
>> Markus
>
> Aha. That makes sense.
>
> Can we get the Kerberos auth wiki page updated with that info? This is something that has come up a few times.
>
> Cheers
> Amos
Re: [squid-users] Kerberos authentication with multiple squids
I think you talk about a kdc proxy, which is for another case.

Regards
Markus

"Grant Taylor" wrote in message news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...

> On 10/13/21 1:48 PM, Markus Moeller wrote:
>> The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication proxy2.internal.
>
> My understanding is that there is a way that a Kerberized service (proxy1 in this case) could act as a Kerberos protocol proxy agent (of sorts) and ask for a special type of Kerberos ticket on behalf of the client (client0) asking it (proxy1) for service which it (proxy1) would use when forwarding connections on to another host (proxy2 in this case).
>
> Is my general understanding of Kerberos wrong?
>
> Does Squid support such Kerberos protocol proxy agent (term?) support?
>
> --
> Grant. . . .
> unix || die
Re: [squid-users] Kerberos authentication with multiple squids
The problem lies more in the way how Kerberos proxy authentication works. The client uses the proxy name to create a ticket and in this case it would be the name of the first proxy e.g. proxy1.internal. The first proxy will pass it through to the authenticating proxy for authentication proxy2.internal. Now the client receiving a 407 thinks that proxy1 asked for authentication (not knowing it is only a passthrough) and will ask for a ticket for proxy1, which it can't get as proxy1 is not in AD. Even if proxy1 would be in AD, the client would send a proxy1 ticket to proxy2 which will be rejected.

Markus

"Amos Jeffries" wrote in message news:ac36f75f-97c7-211e-a5bd-b12b7035a...@treenet.co.nz...

> On 12/10/21 9:33 pm, 森 隆聡 wrote:
>> I made a Single Sign On environment with AD+Squid and it worked fine.
>>
>> [It works]
>> Client(Windows) -> Squid(CentOS) -> Internet
>> * Client is joined to the domain and Squid is configured for Kerberos Authentication with AD.
>>
>> But after adding another squid, it didn't work.
>> ...
>> Do I misunderstand something, or does squid originally not support multiple proxies that relay Kerberos authentication information?
>
> login=PASSTHRU means your Squid plays no part in the authentication. It literally passes the peer the same Proxy-Auth* headers it receives from the client, and the resulting response ones go back to the client.
>
> Which means auth issues are a problem with either the client or server software. Squid cannot do anything about those.
>
> Amos
Re: [squid-users] squid 5 and parent peers
"Alex Rousskov" wrote in message news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com...

> On 10/9/21 1:46 PM, Markus Moeller wrote:
>> I try to find a way how squid can "route" all Internet domains to a default proxy and a subset of well defined domains to the "special" proxy (and having "internal" traffic based on IP ranges go direct)
>
> Assuming the latter conditions overwrite the former ones, the part that remains unclear is what you want Squid to do when the request does not match any of the three conditions above. For example, consider a request that uses an IP address as a destination, and that IP address is not in the "go direct" range, and its reverse DNS lookup is unsuccessful so there is no "domain" that the proxy selection rules are based on.

Thank you, I am aware of these "edge" cases. Do I assume correctly that if an IP is used and no reverse DNS is performed it would forward to the Internet proxy (in my example)?

> Another similar question is what should Squid do with domain names that do not resolve to an IP address. Since Squid is configured to use parent proxies, Squid could let those proxies try to resolve the domain name, blindly assuming that the resolution at a parent proxy will not match one of the "go direct" IPs (a match would possibly indicate that the decision to go to a parent proxy was wrong in the first place!).

Did I see correctly that acls can be built with regex to handle this? For now I ignore it.

> The final set of questions deals with HTTPS traffic. For example, if clients sent HTTPS requests, are you OK with Squid making routing decisions based on the target of the initial CONNECT request?

Sorry, I don't get this. What is different when using CONNECT compared to a GET in regards to routing?

>> Thank you for spotting the !. I got confused with the combinations of the never/always direct statement.
>
> Does your test case work after removing that "!"? If not, please share the updated debugging snippets.

Yes it looks good now. Thank you.

> Thank you,
> Alex.

Thank you for pointing out the "edge" cases
Markus
Re: [squid-users] squid 5 and parent peers
"Alex Rousskov" wrote in message news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com...

> On 10/9/21 9:06 AM, Markus Moeller wrote:
>> Hi,
>>
>> I have now tested with the below config and I see my first request works, but the second fails. So I am not sure if it is still a configuration issue or something else.
>>
>> always_direct allow localdst
>> never_direct deny !localdst
>
> I (still) do not know what you want to achieve exactly (see my previous response for more specific questions), but the above combination looks suspicious to me. I would expect traffic that should always go direct to be denied in the never_direct rule instead. Did you mean for that "!" to be there?

Apologies if it is still not clear. I want to chain 2 proxies to the Internet, but a subset of Internet domains have to go to a "special" set of proxies. So I try to find a way how squid can "route" all Internet domains to a default proxy and a subset of well defined domains to the "special" proxy (and having "internal" traffic based on IP ranges go direct).

Thank you for spotting the !. I got confused with the combinations of the never/always direct statement.

> I did not check the debugging trace carefully, but it may be the reason why Squid cannot forward some requests -- it is getting impossible-to-satisfy or self-contradictory directions.
>
> BTW, thank you for posting the debugging trace! Please keep doing that if you need further help.
>
> Alex.
>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> #acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> #acl localdst dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>> acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localdst dst fc00::/7 # RFC 4193 local private network range
>> acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl google dstdomain -n .google.com
>>
>> cache_peer internetproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default
>> cache_peer authproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default login=NEGOTIATE auth-no-keytab
>>
>> # Only google to auth proxy
>> cache_peer_access authproxy.example.com deny localdst
>> cache_peer_access authproxy.example.com allow google
>> cache_peer_access authproxy.example.com deny all
>>
>> # All other external domains
>> cache_peer_access internetproxy.example.com deny localdst
>> cache_peer_access internetproxy.example.com deny google
>> cache_peer_access internetproxy.example.com allow all
>>
>> # Local goes direct
>> always_direct allow localdst
>> always_direct deny all
>> never_direct deny !localdst
>> never_direct allow all
>>
>> debug_options 44,10 11,20
>>
>> The first test looked fine:
>>
>> #curl -vvv -x http://localhost:3128 http://www.google.com
>> * Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
>> *   Trying 127.0.0.1:3128...
>> * Connected to localhost (127.0.0.1) port 3128 (#0)
>> GET http://www.google.com/ HTTP/1.1
>> Host: www.google.com
>> User-Agent: curl/7.75.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 301 Moved Permanently
>> < Location: https://www.google.com/
>> < Content-Length: 0
>> < Date: Sat, 09 Oct 2021 12:29:23 GMT
>> < X-Cache: MISS from clientproxy
>> < X-Cache-Lookup: MISS from clientproxy:3128
>> < Connection: keep-alive
>> <
>> * Connection #0 to host localhost left intact
>>
>> Second request failed with a cache error:
>>
>> #curl -vvv -x http://localhost:3128 http://www.google.com
>> * Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
>> *   Trying 127.0.0.1:3128...
>> * Connected to localhost (127.0.0.1) port 3128 (#0)
>> GET http://www.google.com/ HTTP/1.1
>> Host: www.google.com
>> User-Agent: curl/7.75.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 503 Service Unavailable
>> < Server: squid/5.1-VCS
>> < Mime-Version: 1.0
>> < Date: Sat, 09 Oct 20
Re: [squid-users] squid 5 and parent peers
PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80 HIER_DIRECT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath: always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath: never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath: timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected: PeerSelector2 found all 1 destinations for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected: always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected: never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected: timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector: http://www.google.com/
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
-
HTTP/1.1 503 Service Unavailable
Server: squid/5.1-VCS
Mime-Version: 1.0
Date: Sat, 09 Oct 2021 12:30:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3573
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive
--

Thank you
Markus

"Markus Moeller" wrote in message news:sjrrhc$lat$1...@ciao.gmane.io...

> I understand now better the concept.
>
> Thank you
> Markus
>
> "Alex Rousskov" wrote in message news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...
>
>> On 10/8/21 8:02 PM, Markus Moeller wrote:
>>> I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet). With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why?
>>
>> Several factors can explain that, but I would start by rephrasing your request routing requirements (and the corresponding configuration rules) as mutually exclusive (if they are). Currently, you have formulated and configured the equivalent of
>>
>> * send green traffic to auth-proxy
>> * send blue traffic to parent-proxy
>>
>> This approach leaves important questions like "What about yellow traffic?" and "What about traffic with green and blue dots?" unanswered. If you want every request to go to either auth-proxy or parent-proxy, then say so explicitly:
>>
>> # green (and only green!) traffic to auth-proxy
>> cache_peer_access auth-proxy allow green
>> cache_peer_access auth-proxy deny all
>>
>> # not green (and only not green!) traffic to parent-proxy
>> cache_peer_access auth-proxy deny green
>> cache_peer_access auth-proxy allow all
>>
>> What "green" means exactly in your case, I do not know (due to the questions like those listed above).
>>
>> If you want every request to go to either auth-proxy, parent-proxy, or direct, then your rules will become a bit more complex, but all three routes should still be mutually exclusive:
>>
>> # green (and only green) traffic to auth-proxy
>> # but exclude traffic that should go direct
>> cache_peer_access auth-proxy deny meantToGoDirect
>> cache_peer_access auth-proxy allow green
>> cache_peer_access auth-proxy deny all
>>
>> # not green (and only not green) traffic to parent-proxy
>> # but exclude traffic that should go direct
>> cache_peer_access auth-proxy deny meantToGoDirect
>> cache_peer_access auth-proxy deny green
>> cache_peer_access auth-proxy allow all
>>
>> # traffic that should go direct (and only that traffic)
>> # should always go direct
>> always_direct allow meantToGoDirect
>> always_direct deny all
>>
>> # traffic that should not go direct (and only that traffic)
>> # should never go direct
>> never_direct deny meantToGoDirect
>> never_direct allow all
>>
>> Disclaimer: The above configuration snippets are not complete, are not tested, and can probably be reduced (some might say "simplified") if you prefer to rely on certain defaults. See also: nonhierarchical_direct.
>>
>> Once you get the above working for plain HTTP requests that have resolvable domain names as targets, please note that your listA ACL will not work for requests that have IP addresses, including some CONNECT requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not get any such requests,
Re: [squid-users] squid 5 and parent peers
I understand now better the concept.

Thank you
Markus

"Alex Rousskov" wrote in message news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...

> On 10/8/21 8:02 PM, Markus Moeller wrote:
>> I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet). With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why?
>
> Several factors can explain that, but I would start by rephrasing your request routing requirements (and the corresponding configuration rules) as mutually exclusive (if they are). Currently, you have formulated and configured the equivalent of
>
> * send green traffic to auth-proxy
> * send blue traffic to parent-proxy
>
> This approach leaves important questions like "What about yellow traffic?" and "What about traffic with green and blue dots?" unanswered. If you want every request to go to either auth-proxy or parent-proxy, then say so explicitly:
>
> # green (and only green!) traffic to auth-proxy
> cache_peer_access auth-proxy allow green
> cache_peer_access auth-proxy deny all
>
> # not green (and only not green!) traffic to parent-proxy
> cache_peer_access auth-proxy deny green
> cache_peer_access auth-proxy allow all
>
> What "green" means exactly in your case, I do not know (due to the questions like those listed above).
>
> If you want every request to go to either auth-proxy, parent-proxy, or direct, then your rules will become a bit more complex, but all three routes should still be mutually exclusive:
>
> # green (and only green) traffic to auth-proxy
> # but exclude traffic that should go direct
> cache_peer_access auth-proxy deny meantToGoDirect
> cache_peer_access auth-proxy allow green
> cache_peer_access auth-proxy deny all
>
> # not green (and only not green) traffic to parent-proxy
> # but exclude traffic that should go direct
> cache_peer_access auth-proxy deny meantToGoDirect
> cache_peer_access auth-proxy deny green
> cache_peer_access auth-proxy allow all
>
> # traffic that should go direct (and only that traffic)
> # should always go direct
> always_direct allow meantToGoDirect
> always_direct deny all
>
> # traffic that should not go direct (and only that traffic)
> # should never go direct
> never_direct deny meantToGoDirect
> never_direct allow all
>
> Disclaimer: The above configuration snippets are not complete, are not tested, and can probably be reduced (some might say "simplified") if you prefer to rely on certain defaults. See also: nonhierarchical_direct.
>
> Once you get the above working for plain HTTP requests that have resolvable domain names as targets, please note that your listA ACL will not work for requests that have IP addresses, including some CONNECT requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not get any such requests, but if it does, then your "green" and "meantToGoDirect" ACLs may need to be more complex than "dstdomain -n" and "dst".
>
> HTH,
>
> Alex.
>
> P.S. I would not call the second proxy "parent-proxy" because both of your proxies are configured as parent proxies.
>
>> # Recommended minimum configuration:
>> #
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
>> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
>> acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
>> acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
>> acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
>> acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
>> acl localdst dst fc00::/7 # RFC 4193 local private network range
>> acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl listA dstdomain -n domainA.com
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
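The routing rules in this thread all rely on the same first-match evaluation, and the "!" that Alex spotted is easiest to see by running the rules rather than reading them. The following is an added example written for this page, not Squid's own code: it models first-match evaluation of cache_peer_access, always_direct and never_direct, parses the rule set Markus posted in his follow-up (authproxy.example.com / internetproxy.example.com, localdst, google), and evaluates it over constructed sample requests both with the original `never_direct deny !localdst` and with the corrected `never_direct deny localdst`. The ACL implementations, the sample destinations and the "candidates" list are assumptions; real Squid additionally applies prefer_direct, nonhierarchical_direct and peer liveness when neither directive matches (the debug log in this thread shows it picking DIRECT in exactly that case), so the model only lists what the directives permit.

```python
"""Model of Squid's first-match access-list evaluation for request routing.

Added example, not Squid's own code. It re-implements only the first-match
rule that cache_peer_access, always_direct and never_direct share, so the
rule set posted in this thread can be compared with the "!" removed.
"""
import ipaddress

# The thread's config, reduced to the routing directives (acl and cache_peer
# lines are modelled in Python below).
ORIGINAL = """
# Only google to auth proxy
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
# All other external domains
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
# Local goes direct
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all
"""
# The fix Alex pointed at: deny local destinations, not their negation.
CORRECTED = ORIGINAL.replace("never_direct deny !localdst",
                             "never_direct deny localdst")

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# ACL implementations keyed by the names used in the config text
# (acl localdst dst ..., acl google dstdomain -n .google.com, all).
ACLS = {
    "localdst": lambda r: any(r["dst_ip"] in n for n in LOCAL_NETS),
    "google": lambda r: r["host"] == "google.com" or r["host"].endswith(".google.com"),
    "all": lambda r: True,
}


def parse(text):
    """Collect access lines per directive; peers keep their line order."""
    cfg = {"always_direct": [], "never_direct": [], "peers": {}}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in ("always_direct", "never_direct"):
            cfg[tokens[0]].append((tokens[1], tokens[2:]))
        elif tokens[0] == "cache_peer_access":
            cfg["peers"].setdefault(tokens[1], []).append((tokens[2], tokens[3:]))
    return cfg


def line_matches(names, req):
    """Every ACL on one access line must match; a leading '!' negates it."""
    for name in names:
        negated = name.startswith("!")
        if ACLS[name.lstrip("!")](req) == negated:
            return False
    return True


def evaluate(rules, req, when_empty):
    """First matching line decides. If no line matches, Squid's documented
    default is the opposite of the last line's action."""
    for action, names in rules:
        if line_matches(names, req):
            return action
    if not rules:
        return when_empty
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(cfg, req):
    """Return (always_direct result, never_direct result, candidate destinations)."""
    always = evaluate(cfg["always_direct"], req, when_empty="deny")
    never = evaluate(cfg["never_direct"], req, when_empty="deny")
    peers = [p for p, rules in cfg["peers"].items()
             if evaluate(rules, req, when_empty="allow") == "allow"]
    if always == "allow":
        candidates = ["DIRECT"]          # always_direct takes precedence
    elif never == "allow":
        candidates = peers               # a parent must be used
    else:
        candidates = peers + ["DIRECT"]  # unconstrained: Squid may pick either
    return always, never, candidates


def request(host, ip):
    return {"host": host.lower(), "dst_ip": ipaddress.ip_address(ip)}


# Sample requests: the google address is the one in the thread's debug log,
# the other two are constructed.
GOOGLE = request("www.google.com", "172.217.23.100")
EXTERNAL = request("example.org", "93.184.216.34")
INTERNAL = request("intranet.example.com", "10.1.2.3")

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        cfg = parse(text)
        for name, req in (("google", GOOGLE), ("external", EXTERNAL), ("internal", INTERNAL)):
            print(f"{label:9} {name:8} {decide(cfg, req)}")
```

With the original rules an external request gets always_direct = deny and never_direct = deny (the pair the debug log shows), so DIRECT stays a candidate even though the box has no direct Internet path, while an internal request gets both directives allowed at once. With the corrected rules the three routes are mutually exclusive: local goes DIRECT only, google goes to authproxy only, everything else to internetproxy only.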
[squid-users] squid 5 and parent peers
Hi,

I try to setup a proxy chain, but don't get the setup right. I have one squid with 2 parents. One with auth for domainA.com and one w/o auth for the non local IPs (i.e. Internet). With the below config I see domainA.com still going to the unauthenticated parent proxy. Any hint why?

Thank you
Markus

#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl localdst dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7 # RFC 4193 local private network range
acl localdst dst fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl listA dstdomain -n domainA.com

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

cache_peer auth-proxy parent 3128 0 no-query default login=NEGOTIATE
cache_peer parent-proxy parent 3128 0 no-query default

cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst

never_direct deny localdst
never_direct allow all

debug_options 44,10 11,20
Re: [squid-users] problem with authentication
What does the cache log show?

Markus

"Alex Gutiérrez" wrote in message news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu...

> Hi community, recently I installed an old UBT 18.04 with squid 3. I use kerberos to authenticate my users. Everything seems great, but all my users are able to use the proxy, instead of the few in the conexion group. Can anyone be so nice to tell me what's wrong in my config? Thanks in advance.
>
> httpd_suppress_version_string on
> visible_hostname Proxy
> via off
> forwarded_for off
> follow_x_forwarded_for deny all
> error_directory /usr/share/squid_error
>
> acl SSL_ports port 443
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 80 # http
> acl Safe_ports port 81 # http_cubaindustria
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 443 # https
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
>
> #
> #sqstat
> #
> acl webserver src proxy.esines.cu
> http_access allow manager webserver
> http_access deny manager
>
> ##
> # Logs:
> access_log /var/log/squid/access.log squid !manager
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %
Re: [squid-users] Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles
Hi Klaus,

The negotiate_kerberos_auth helper is not intended to run on Windows. How did you compile it?

Markus

"Klaus Westkamp" wrote in message news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net...

> Hi,
>
> I dug a little further (but I'm no expert in WinDBG):
>
> Attaching to the process with the most handles (currently 323 shown by Windows Process Manager, as newly started), !handles gives me:
>
> 277 Handles (weird, shows less than process manager)
>
> Type                  Count
> None                  4
> Event                 199
> Section               7
> File                  18
> Directory             3
> SymbolicLink          1
> Mutant                9
> Semaphore             5
> Key                   8
> Token                 2
> Thread                5
> IoCompletion          2
> TpWorkerFactory       2
> ALPC Port             5
> WaitCompletionPacket  7
>
> Asking for Handle Details:
>
> 0:003> !handle 5e8 f
> Handle 5e8
>   Type           Event
>   Attributes     0
>   GrantedAccess  0x1f0003: Delete,ReadControl,WriteDac,WriteOwner,Synch QueryState,ModifyState
>   HandleCount    2
>   PointerCount   32769
>   Name
>   Object Specific Information
>     Event Type Auto Reset
>     Event is Waiting
>
> 0:003> !handle 5e0 f
> Handle 5e0
>   Type           Event
>   Attributes     0
>   GrantedAccess  0x1f0003: Delete,ReadControl,WriteDac,WriteOwner,Synch QueryState,ModifyState
>   HandleCount    2
>   PointerCount   32769
>   Name
>   Object Specific Information
>     Event Type Auto Reset
>     Event is Waiting
>
> 0:003> !handle 374 f
> Handle 374
>   Type           Event
>   Attributes     0
>   GrantedAccess  0x1f0003: Delete,ReadControl,WriteDac,WriteOwner,Synch QueryState,ModifyState
>   HandleCount    2
>   PointerCount   32769
>   Name
>   Object Specific Information
>     Event Type Auto Reset
>     Event is Waiting
>
> These events seem to increase, but only one process gets to the limit of 3x00 handles and then the other processes seem to hang ...
>
> On 15/12/2020 12:18, Klaus Westkamp wrote:
>> Hi,
>>
>> yes, this is Diladele's last available package. Output of squid -v is as follows:
>>
>> squid -v
>> Squid Cache: Version 3.5.28
>> Service Name: squid
>> This binary uses OpenSSL 1.0.2j 26 Sep 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html
>> configure options: '--bindir=/bin/squid' '--sbindir=/usr/sbin/squid' '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid' '--libexecdir=/usr/lib/squid' '--disable-strict-error-checking' '--with-logdir=/var/log/squid' '--with-swapdir=/var/cache/squid' '--with-pidfile=/var/run/squid.pid' '--enable-ssl' '--enable-delay-pools' '--enable-ssl-crtd' '--enable-icap-client' '--disable-eui' '--localstatedir=/var/run/squid' '--sharedstatedir=/var/run/squid' '--datarootdir=/usr/share/squid' '--enable-disk-io=AIO,Blocking,DiskThreads,IpcIo,Mmapped' '--enable-auth-basic=DB,LDAP,NCSA,POP3,RADIUS,SASL,SMB,fake,getpwnam' '--enable-auth-ntlm=fake' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=LDAP_group,SQL_session,eDirectory_userip,file_userip,kerberos_ldap_group,session,time_quota,unix_group,wbinfo_group' '--with-openssl' '--with-filedescriptors=65536' '--enable-removal-policies=lru,heap'
>>
>> The helper negotiate_kerberos_auth.exe doesn't produce a Version output.
>>
>> Best regards,
>> Klaus Westkamp
>>
>> On 15/12/2020 09:10, Amos Jeffries wrote:
>>> On 15/12/20 4:03 am, Klaus Westkamp wrote:
>>>> Hi,
>>>>
>>>> I'm uncertain whether this mailing list is the correct one to ask, but I have the disputable honor of making a squid run on a Windows Server (if possible).
>>>>
>>>> Whilst squid.exe seems to run fine, I constantly run into an unresponsive system when I enable Kerberos authentication via auth_param and the negotiate_kerberos_auth.exe helper. For a while authentication works fine, but all of a sudden the system hangs at 100% CPU usage. My observation is that one of the negotiate_kerberos_auth.exe processes has a constantly increasing number of handles (Files and events). If I understand the Sysinternals handle tool correctly, most handles are event correlated.
>>>>
>>>> The setting: Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A Windows Server 2016 running Squid 3.5 for Windows.
>>>
>>> Is Squid the package built by Diladele or a custom build?
>>>
>>> Which exact version number is it? (output of "squid -v" please)
>>>
>>> Amos
Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication
Hi Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The kerberos client will try to request a ticket based on the used hostname. e.g. if you configure in your browser the proxy name as ha-proxy.slb.example.com then the client will look for a serviceprincipal of HTTP/ha-proxy.slb.example.com. If this is a Cname then you may have browser dependencies e.g. ha-proxy.slb.example.com CNAME HA-server1.real.example.com Some browsers will use HTTP/ha-proxy.slb.example.com and some will use HTTP/HA-server1.real.example.com Now if your squid server name is squid1.real.example.com you will have probably only HTTP/squid1.real.example.com in your keytab. There are now 2 Options: 1 ) Create one entry in AD for all squid servers i.e. the AD entry will have at least number of servers + 2 service principals associated to it, extract the key to a keytab and use the option –s GSS_C_NO_NAME with the negotiate_kerberos_auth helper .e.g HTTP/squid1.real.example.com , HTTP/squid2.real.example.com , HTTP/HA-server1.real.example.com , HTTP/ha-proxy.slb.example.com 2) Create separate entries in AD for each squid server, the LB and the CNAMEs and then merge the keys into one keytab to be used on all squid servers. Kind Regards Markus "L.P.H. van Belle" wrote in message news:vmime.5f1aa165.2c44.7eb4bc368bae...@ms249-lin-003.rotterdam.bazuin.nl... forgot 1 thing. (sorry) # adduser proxyuser winbind_priv or things might not work. -- Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens L.P.H. van Belle Verzonden: vrijdag 24 juli 2020 10:46 Aan: squid-users@lists.squid-cache.org Onderwerp: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication i would recommend to .. 1) use debian buster, 2) use squid 4.12 3) use samba (winbind). needed in smb.conf ( only shown whats really needed ), there is more offcourse. 
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
    # Added for freeradius support
    #ntlm auth = mschapv2-and-ntlmv2-only

apt install winbind krb5-user should be sufficient. Samba joins the domain. /etc/krb5.keytab contains the default part and refreshes the server Kerberos passwords/tickets. And for squid its keytab:

    kinit Administrator
    export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
    net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator
    # alias name to keytab
    net ads keytab ADD HTTP/CNAME.FQDN
    # check keytab file.
    klist -ke /etc/squid/HTTP-$(hostname -s).keytab
    unset KRB5_KTNAME
    # set rights.
    chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
    chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

And I use in squid:

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
      --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab \
        -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM \
      --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Points to think about: server IPs need A + PTR records; use CNAMEs in the DNS and make sure the resolving is set up correctly. Add a caching DNS to the proxy (and let squid use it also).

I had this working (without HAProxy) but with keepalived. As far as I can tell, your problem is in how the hostnames and IPs are used, but the above might give you ideas.

Greetz,
Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Service MV
Sent: Thursday 23 July 2020 17:36
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with Kerberos integration, authenticating and browsing without problems:

cache.log

    squid_kerb_auth: User some.user authenticated

access.log

    10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer, to which for redundancy I configured a virtual IP with the keepalived service. When I point my browser to the DNS A record (balancer.mydomain.local), which in turn points to the keepalived virtual IP, the authentication stops working:

cache.log: no records

access.log

    10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 -
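Markus's two options both come down to one check: every name a client might put into its TGS request for the proxy (the LB name, the CNAME target, each real squid host) must have an HTTP/ entry in the keytab the helper reads. The following is an added example, not code from the thread or from the Squid project: it parses MIT `klist -ke` output, derives the set of required principals from a DNS picture, and reports what is absent. The keytab listing, the CNAME map and the host names are constructed sample data; it generalizes the thread's single CNAME case to any number of client names and aliases.

```python
"""Check that a Squid keytab covers every HTTP/ principal a client may request.

Added example (not code from the squid-users thread). It parses MIT `klist -ke`
output, works out which service principals clients behind a load balancer or
CNAME could ask the KDC for, and reports what the keytab lacks. All sample data
below is constructed.
"""

# Constructed `klist -ke` output for one proxy (MIT Kerberos format).
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/squid/HTTP-squid1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/squid1.real.example.com@REAL.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/squid1.real.example.com@REAL.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/ha-proxy.slb.example.com@REAL.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/ha-server1.real.example.com@REAL.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed DNS picture: browsers are configured with the CNAME, which points
# at the load balancer; some browsers canonicalise the CNAME before asking for
# a ticket, so the target name has to be covered as well.
CLIENT_NAMES = ["ha-proxy.slb.example.com"]
CNAME_TARGETS = {"ha-proxy.slb.example.com": "HA-server1.real.example.com"}
PROXY_HOSTS = ["squid1.real.example.com", "squid2.real.example.com"]


def parse_klist_ke(output):
    """Return the principal names (realm stripped) listed by `klist -ke`."""
    principals = set()
    for line in output.splitlines():
        parts = line.split()
        # Entry lines: "<kvno> <principal>@<REALM> (<enctype>)"; header lines
        # start with "Keytab", "KVNO" or "----" and are skipped.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[1]:
            principals.add(parts[1].rsplit("@", 1)[0])
    return principals


def required_spns(client_names, cname_targets, proxy_hosts):
    """Every HTTP/ principal a client could name in its TGS request."""
    names = set(proxy_hosts)
    for name in client_names:
        names.add(name)
        if name in cname_targets:
            names.add(cname_targets[name])
    return {"HTTP/" + name for name in names}


def keytab_gaps(required, keytab_principals):
    """Split the required SPNs into (absent, present only with different case).

    Kerberos principal names are case-sensitive, while AD resolves SPNs
    case-insensitively: the KDC may issue a ticket for HTTP/HA-server1...
    that does not match a keytab entry written in lower case, so a
    case-only difference is reported separately rather than ignored.
    """
    by_lower = {p.lower(): p for p in keytab_principals}
    absent, case_only = [], []
    for spn in sorted(required):
        if spn in keytab_principals:
            continue
        if spn.lower() in by_lower:
            case_only.append((spn, by_lower[spn.lower()]))
        else:
            absent.append(spn)
    return absent, case_only


def check_keytab(klist_output, client_names, cname_targets, proxy_hosts):
    """Convenience wrapper returning (absent, case_only) for one keytab."""
    return keytab_gaps(required_spns(client_names, cname_targets, proxy_hosts),
                       parse_klist_ke(klist_output))


if __name__ == "__main__":
    absent, case_only = check_keytab(SAMPLE_KLIST_KE, CLIENT_NAMES,
                                     CNAME_TARGETS, PROXY_HOSTS)
    for spn in absent:
        print("missing from keytab:", spn)
    for wanted, have in case_only:
        print("case mismatch: client may ask for %s, keytab has %s" % (wanted, have))
```

Run it against the real listing with `klist -ke /path/to/keytab | python3 check_keytab.py` after swapping the constants for your own names; an empty result for both lists means either option from the post (one merged keytab, or one AD object carrying all SPNs) has been carried through completely.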
Re: [squid-users] squid kerberos auth, acl note group
Hi Klaus,

Is the group you added a security group? Only security groups are part of the Kerberos ticket. Which authorisation helper do you use, or is this just based on the auth helper output? What do you see on the client? E.g. in PowerShell run

    whoami /groups

Did you clear the client Kerberos cache, e.g. by logging out and in again or by running klist purge?

Markus

"Amos Jeffries" wrote in message news:704e36b3-4cd8-611c-0643-231c02045...@treenet.co.nz...

On 25/07/20 2:48 am, Klaus Brandl wrote:

Sorry, I did not find this script, and the binary is not available on our product, because I'm no developer...

Darn. Okay that hinders testing a bit.

But I think we have a caching problem here. I found out that the group information is only updated on a squid reconfigure. And also the "acl note group ..." seems to be cached until squid is restarted completely. I removed the configured group from the user, but I could see this group still matching in the cache.log, also after a reconfigure, when the auth_helper does not tell about this group any more.

The groups are attached to credentials which are attached to the TCP connection (TTL only as long as the connection is open) and a token replay cache for up to the authenticate_ttl directive time (default 1 hour). Setting that TTL to something very short, e.g.:

    authenticate_ttl 10 seconds

... and disabling connection keep-alive:

    client_persistent_connections off

... should work around the cache for testing. At least on HTTP traffic. HTTPS traffic goes through the proxy as a single tunnel request - so the entire HTTPS session is just one request/response pair to Squid.

Amos
Re: [squid-users] [squid-announce] Squid-4.5 is available
Hi Amos,

Is there any reason that kerberos_sid_group is not included in the tar?

Thank you
Markus

"Amos Jeffries" wrote in message news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz...

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.5 release!

This release is a security and bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* Bug 4253: ssl_bump prevents access to some web contents

The SSL-Bump initial implementation was entangled with reverse-proxy handling of decrypted HTTPS messages. This was a mistake we have been reversing across the 3.5 and 4 cycles. With this release SSL-Bump traffic handling is no longer tied to reverse-proxy mode. As a result complications with ESI and Surrogate-Control header handling have finally been resolved.

* Redesign forward_max_tries to count TCP connection attempts

This release includes an overhaul of the counting for HTTP message forwarding and re-send attempts. This has an impact on how long it takes Squid to detect and report connection errors to clients, persistent connection overload recovery and detection of DEAD peer states. The documentation for forward_max_tries and connect_retries has been updated to more clearly specify the current expected behaviour. Any users with systems tuned to optimize these behaviours should read the updated squid.conf documentation and check their tuning after upgrade to this release or any later.

* Fix client_connection_mark ACL handling of clientless transactions

This bug shows up as crashes when a client_connection_mark or clientside_mark type ACL is used for access control. From this release transactions without a client TCP connection will now produce a non-match result when this ACL is tested.

* Multiple NetDB behaviour updates

NetDB state was not being recorded for connections to peers using TLS nor for CONNECT tunnels. With the growth of HTTPS in recent times these are increasingly important to optimize. This release will now ping and record the latency information for these connections to aid with optimizing connection setup of future transactions.

* The logformat code %>handshake is added

This code allows logging of initial bytes received for many protocols to allow better debugging of unknown-protocol issues and external ACL decision making.

* Use pkg-config for detecting libxml2

This release adds support for auto-detection of libxml2 location using the pkg-config tools at build time. This may affect users of OS placing libraries at a location outside the FHS layout. For example cross-building or multi-architecture systems. Note that support for custom PATH parameter is not yet implemented for the --with-libxml2 build option. It is planned but did not make this release. The pkg-config environment variables may be used for that if necessary.

All users of Squid-4 with SSL-Bump functionality are urged to upgrade as soon as possible. All other users of Squid-4 are encouraged to upgrade as time permits. All users of Squid-3 are encouraged to upgrade where possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at http://www.squid-cache.org/Versions/v4/RELEASENOTES.html when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v4/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/4/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries

___ squid-announce mailing list squid-annou...@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-announce
Re: [squid-users] Kerberos authentication on mobile phones
You don't have to join a domain. You only need a Kerberos authentication server to get a ticket. You only need AD (or Samba) if you also want authorisation (PAC data) in your Kerberos ticket. As Amos said you need a Kerberos client and a browser supporting Proxy-Negotiate.

Markus

"Amos Jeffries" wrote in message news:36775d21-090a-e22a-bec0-78edc5754...@treenet.co.nz...

On 08/05/18 10:22, Panagiotis Bariamis wrote:

Hello, is it possible with a squid Kerberos-only authentication setup to be able to authenticate i.e. Android phones to squid?

I don't have an answer for that, maybe someone else has experience. If you have the environment available you could try it yourself.

A second question. If a non domain-joined machine tries to use the proxy, will there be a username/password prompt where, if correct credentials are presented, it will be able to get a ticket to use squid?

Maybe, unlikely though IMO. Getting a ticket requires first joining the domain. Some client software may provide a popup and then try to contact a DC and join a domain. But whether a) the specific client software does that, b) info about the domain DC server is available in DNS records, and c) the Kerberos realm "domain" matches the proxy DNS record domain - all those affect the possibilities AFAIK.

Amos
Re: [squid-users] Kerberos Heimdal Server Authentication
Can you capture the traffic on port 88? Heimdal has not very helpful messages, so seeing the real traffic may help identifying the issue. kinit should create an AS req/rep; the test program creates a TGS req/rep. Example attached if it gets through.

Markus

"Panagiotis Bariamis" wrote in message news:CAPxN_PVp9RETXBPZG6ZX5rzNK6Hu-HLxdAagSfgXVcg=dcd...@mail.gmail.com...

Hello, my setup is as follows:

FreeBSD 11 Heimdal Kerberos server and DNS properly configured (testlab environment for example.com domain)
FreeBSD 11 squid proxy server
Windows client

I have created a keytab from the Kerberos server for http/squid.example.com. The proxy server machine has no problem kinit-ing with the keytab file and gets a ticket:

    # klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: http/squid.example@example.com

      Issued                Expires               Principal
    May  9 15:38:36 2018    May 10 01:38:37 2018  krbtgt/example@example.com

My squid.conf is as follows concerning the authentication:

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth
    auth_param negotiate children 10 startup=1
    auth_param negotiate keep_alive on

Trying to use:

    # /usr/local/libexec/squid/negotiate_kerberos_auth_test squid.example.com | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s http/squid.example.com

fails with:

    negotiate_kerberos_auth_test: gss_init_sec_context() failed: An unsupported mechanism was requested. unknown mech-code 0 for mech unknown
    BH gss_accept_sec_context() failed: A token was invalid. unknown mech-code 0 for mech unknown
    BH quit command

Any ideas?

Thank you,
Bariamis Panagiotis

(Attachment: krb5.pcap, binary data)
Re: [squid-users] kerberos authentication with kerberos groups
Hi Jeroen,

Do you use Active Directory as LDAP server? My automated test says it is not. I use this check to determine the group attribute check.

    support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)
    support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Found 0 ldap entries
    support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Determined ldap server not as an Active Directory server

Markus

"Jeroen Ruijter" wrote in message news:510fcecd6e595a4d83bf67fc07028e7507c99...@bhmb-01.bnh.local...

I believe this has to be the problem, but how do I solve it? It's almost at the end of the whole listing:

    support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
    support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
    support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
    support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: (ldapdisplayname=samaccountname)

    kerberos_ldap_group.cc(283): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
    support_group.cc(447): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
    support_netbios.cc(83): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
    support_netbios.cc(87): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
    support_lserver.cc(82): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
    support_lserver.cc(86): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
    kerberos_ldap_group.cc(283): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
    support_group.cc(447): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
    support_netbios.cc(83): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
    support_netbios.cc(87): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
    support_lserver.cc(82): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
    support_lserver.cc(86): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
    kerberos_ldap_group.cc(283): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
    support_group.cc(447): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
    support_netbios.cc(83): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
    support_netbios.cc(87): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
    support_lserver.cc(82): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
    support_lserver.cc(86): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
    2018/02/20 17:02:21 kid1| helperOpenServers: Starting 5/5 'ext_kerberos_ldap_group_acl' processes
    kerberos_ldap_group.cc(283): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
    support_group.cc(447): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
    support_netbios.cc(83): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: Netbios list NULL
    support_netbios.cc(87): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No netbios names defined.
    support_lserver.cc(82): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: ldap server list NULL
    support_lserver.cc(86): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: DEBUG: No ldap servers defined.
    kerberos_ldap_group.cc(283): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Starting version 1.3.1sq
    support_group.cc(382): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group list ADGroupRaamregeling@
    support_group.cc(447): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: INFO: Group ADGroupRaamregeling Domain
[squid-users] Simple ACL help for Kerberos authenticated sessions
Hi,

When using the latest squid 4 release you can use %note{group} to get the group information from the Negotiate Kerberos helper to transfer the PAC group SIDs to the external ACL helper.

squid.conf

    ...
    external_acl_type test_acl ipv4 %LOGIN %note{group} /opt/squid-trunk/sbin/test_acl
    acl squid_allow external test_acl
    ...

The helper script will initially look for the objectsid of the group SQUID_ALLOW (i.e. it will be only called when the helper is started and never again - good for performance). After that the SIDs from the Kerberos PAC information are compared with the previously retrieved SID from AD.

    #!/bin/bash
    #
    # GET SID for Group (done once, when squid starts the helper)
    #
    export KRB5CCNAME=/tmp/squid_krb5cc
    kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home
    SID=$(ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid 2>&1 | awk '{ if ( $0 ~/^object/ ) print $2}')
    (>&2 echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: SID=$SID")
    #
    # Loop over input: one "user group1,group2,..." line per request.
    # Loop on read so the helper exits when squid closes the pipe
    # instead of spinning on EOF.
    #
    while read -r input; do
      found=0
      user=$(echo "$input" | awk '{ print $1 }')
      groups=$(echo "$input" | awk '{ print $2 }')
      (>&2 echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: user=$user")
      (>&2 echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: groups=$groups")
      if [ -n "$groups" ]; then
        while read -r group; do
          if [ "$group" == "$SID" ]; then
            (>&2 echo "$(date +"%Y/%m/%d %H:%M:%S")| test_ACL: matched group: $group")
            found=1
            break
          fi
        done <<< "$(echo "$groups" | tr , "\n")"
      fi
      # exactly one answer per request line
      if [ $found -eq 1 ]; then
        echo "OK"
      else
        echo "ERR"
      fi
    done

Example log from the cache.log file

    2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' processes
    2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
    2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
    2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' processes
    2017/08/08 20:02:24| test_ACL: SID=AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
    2017/08/08 20:02:24| test_ACL: user=administra...@samba.home
    2017/08/08 20:02:24| test_ACL: groups=AQUAAAUVjxbSIudxUpznEbHVCAIAAA==,AQUAAAUVjxbSIudxUpznEbHVPAIAAA==,AQUAAAUVjxbSIudxUpznEbHVBwIAAA==,AQUAAAUVjxbSIudxUpznEbHVBgIAAA==,AQUAAAUVjxbSIudxUpznEbHVAAIAAA==,AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
    2017/08/08 20:02:24| test_ACL: matched group: AQUAAAUVjxbSIudxUpznEbHVUwQAAA==

Regards
Markus
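The shell helper above compares opaque base64 strings, which works as long as the group note uses the same binary SID encoding as AD's objectSid attribute. The following is an added example, not the helper from the post or code from the Squid project: it implements the same external ACL contract (one "user group1,group2,..." line in, OK or ERR out) but decodes each SID into the familiar S-1-5-21-... form, so the allowed group can be written in squid.conf or a command-line argument instead of being fetched at startup, and so malformed or missing group data is rejected explicitly. The domain and group SIDs and the request lines are constructed; the objectSid lookup the post does with ldapsearch is assumed to have been done out of band.

```python
"""Squid external ACL helper logic for %LOGIN %note{group} input.

Added example, not the helper from the post. It decodes the base64 binary
SIDs that negotiate_kerberos_auth passes in the 'group' note (assumed to be
the same encoding as AD's objectSid, which the post's string comparison
relies on) into S-1-5-... form and answers OK/ERR. All SIDs below are
constructed; the real allowed SID would come from an objectSid lookup.
"""
import base64
import struct
import sys


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary form AD stores in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_string(blob):
    """Decode a binary SID; raise ValueError on a truncated or malformed blob."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def decode_group_note(note):
    """Turn the comma-separated base64 SID list from %note{group} into strings.

    Entries that fail to decode are skipped rather than failing the request:
    a malformed entry must never turn into an allow, only into a non-match.
    """
    sids = []
    for item in note.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            sids.append(sid_to_string(base64.b64decode(item, validate=True)))
        except (ValueError, struct.error):
            continue
    return sids


def decide(line, allowed_sids):
    """Evaluate one request line 'user group1,group2,...' -> 'OK' or 'ERR'."""
    fields = line.strip().split(None, 1)
    if not fields:
        return "ERR"
    groups = fields[1] if len(fields) > 1 else ""
    # Squid substitutes "-" for a format value it cannot fill (e.g. a ticket
    # without PAC data); treat it as "no groups" rather than as a SID.
    if groups == "-":
        groups = ""
    return "OK" if any(s in allowed_sids for s in decode_group_note(groups)) else "ERR"


# Constructed domain and group SIDs (not taken from the post's log).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SQUID_ALLOW_SID = DOMAIN + "-1107"   # the SQUID_ALLOW group
DOMAIN_USERS_SID = DOMAIN + "-513"   # Domain Users


def b64sid(sid):
    """Encode a SID string the way the group note carries it."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


# Constructed request lines as Squid would send them to the helper.
SAMPLE_ALLOWED = "alice@SAMBA.HOME " + ",".join(b64sid(s) for s in (DOMAIN_USERS_SID, SQUID_ALLOW_SID))
SAMPLE_DENIED = "bob@SAMBA.HOME " + b64sid(DOMAIN_USERS_SID)
SAMPLE_NO_GROUPS = "carol@SAMBA.HOME -"


def main():
    # Allowed SID from argv, so squid.conf can carry it:
    #   external_acl_type test_acl %LOGIN %note{group} /path/helper.py S-1-5-21-...-1107
    allowed = {sys.argv[1]} if len(sys.argv) > 1 else {SQUID_ALLOW_SID}
    for line in sys.stdin:
        sys.stdout.write(decide(line, allowed) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Decoding to the string form also makes the cache.log lines readable: a RID of 513 or 1107 in the debug output says which group matched, whereas two base64 blobs differing in their last few characters do not.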
Re: [squid-users] AD / Kerberos Issues
Hi Rick,

The log indicates that your browser sent an NTLM token, not a Kerberos token. This can be easily seen from the first characters of the token (TlRM). Check the Kerberos communication on the client (i.e. port 88). The client should request a token for HTTP/ and receive it. If not, then your name or config does not match up.

Markus

"Rick" wrote in message news:20161125110932.760cfeda@chavez...

FreeBSD 10.3 / Samba42 / Squid 3.5

All the net ads / kinit / keytab stuff seems okay, however hitting Squid from a Windows box using IE 11 results in repeated prompts for credentials which then fails after 3 attempts.

cache.log has:

    negotiate_kerberos_auth.cc(610): pid=42160 :2016/11/25 10:51:37| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABl4II4gAGAbEdDw==' from squid (length: 59).
    negotiate_kerberos_auth.cc(663): pid=42160 :2016/11/25 10:51:37| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded length: 40).

I have seen others post similar errors, but I have not seen any solutions.

Current relevant squid config entry:

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

Any help greatly appreciated.
Re: [squid-users] SSO (kerberos)
Hi

Did you try the debug option -d for ext_kerberos_ldap_group_acl to get some debug output? Maybe it gives some indication of the problem?

Markus

"erdosain9" wrote in message news:1474570767416-4679652.p...@n4.nabble.com...

So, I have a little more info. This is the config:

    ###Kerberos Auth with ActiveDirectory###
    auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -d -s HTTP/squid.example@example.lan
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    #acl auth proxy_auth REQUIRED
    external_acl_type i-limitado-krb children=10 cache=10 grace=15 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g i-limit...@example.lan
    acl i-limitado external i-limitado-krb
    http_access allow i-limitado

And I have this error:

    The grupos helpers are crashing too rapidly, need help!

"grupos" is for "group" in AD (samba).
Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC
Hi Silamael,

Can you perform a kinit u...@example.com? Does the squid user have read access to krb5.conf?

Markus

"Silamael Darkomen" wrote in message news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...

Hello,

I'm currently working on setting up our proxy to authenticate the users via Kerberos against a Windows AD. The simple user authentication through negotiate_kerberos_auth is already working. But the second step for checking the group of an authenticated user gives me some headache. Even with Kerberos configured not to search the KDC via DNS, the ext_kerberos_ldap_group_acl tool complains about not being able to find the realm's KDC:

    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc(376): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: INFO: Got User: user Domain: EXAMPLE.COM
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(63): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: User domain loop: group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(91): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Default domain loop: group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(93): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found group@domain linux@
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_ldap.cc(898): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(127): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_23191
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(138): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get default keytab file name
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(144): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/HTTP.keytab
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(158): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/HTTP.keytab
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(167): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(181): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found principal name: host/proxy.example@example.com
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(196): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got principal name host/proxy.example@example.com
    squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(64): pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : unable to reach any KDC in realm EXAMPLE.COM
    ...

The last lines of the error messages repeat for every entry in the keytab. All other Kerberos related tools work fine with the given krb5.conf.

Some more information about the setup: We're running under OpenBSD with Heimdal version 1.5.3. The AD is reachable from the proxy machine but DNS is not done by the AD but on the proxy machine itself. Below you find the krb5.conf used and the settings from the squid.conf. The limitation to 1 child is just for testing purposes.

Would be really great if anyone could shed some light on this issue!

Thanks in advance,
Matthias

krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = EXAMPLE.COM
    default_keytab_name = /etc/HTTP.keytab
    dns_lookup_kdc = no
    dns_lookup_realm = no

    [realms]
    EXAMPLE.COM = {
        kdc = 1.2.3.4
        admin_server = 1.2.3.4
        default_domain = example.com
    }

squid.conf:

    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -di -s HTTP/proxy.example.com
    auth_param negotiate children 1
    auth_param negotiate keep_alive on
    external_acl_type squid_kerb_ldap children-max=1 ttl=3600 negative_ttl=3600 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g linux@
    acl ldap_group_check external squid_kerb_ldap
    http_access deny !ldap_group_check
Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )
Hi Louis, I know a user and machine account can be used and they work the same. What my concern is, is that many companies deploy password policies for users in AD. You would need to create exceptions for user accounts which have SPNs with associated keytabs as a password change will make the keytab invalid. Markus "L.P.H. van Belle" <be...@bazuin.nl> wrote in message news:vmime.57c3e5ca.28ab.73ab0c8662c33...@ms249-lin-003.rotterdam.bazuin.nl... Hello Markus, Thank you for the explanation, that helped a lot. I use the TLS_CACERTFILE in the init script now and that works for me . ( in debian the /etc/default/squid ) >>The helper tries to “authenticate” squid to AD as a user with the found SPN >>name, so the UPN must be the same as the SPN. There is no easy way to query >>what the UPN for the SPN is. Ah, this helped identify-ing so other small things to. >>msktutil (my preferred tool) Since i try to use only debian packages the msktutil is not available for me. >>Also msktutil (my preferred tool) creates a machine account not a user >>account in AD. >>The reason I prefer this is that often user accounts have a global password >>policy e.g. change every 60 days otherwise it will be locked. >>machine accounts do not have that limitation. But as I said it is just my >>preference. Thats not correct in my optionion. A the computer account, works the (almost) same an user account. Like a computer account = a user account. some pointers : https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx https://adsecurity.org/?p=280 I used a seperated user since i wanted to have 2 proxy on 1 service account, but due to the UPS/SPN thing, thats not options anymore, not thats a problem, I’ll change to add the computer to the samba domain and add the UPN/SPN on the computer account where needed. Which maybe even a better option. Thanks again for you replies. 
Best regards, Louis Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens Markus Moeller Verzonden: zaterdag 27 augustus 2016 16:52 Aan: squid-users@lists.squid-cache.org Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe ) Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. Regarding the certifcate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set. Kind regards Markus "L.P.H. van Belle" <be...@bazuin.nl> wrote in message news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl... Ok reply to myself so other users know this also. if you create a user for the HTTP services and you dont use msktutil but like me samba-tool or something else. Read : http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. and the clue was this line for me. Squid "login" to Windows Active Directory or Unix kdc as user @DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to @DOMAIN.COM> for the associated acount. This is usaully done by using msktutil. But this is not done by samba-tools samba-tool setup fro squid i used, was as followed. 
samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to the usern...@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName:
 HTTP/proxy.internal.domain.tld
 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from usern...@internal.domain.tld to the
Re: [squid-users] Trouble negotiate_kerberos_auth
Hi Marcio,

That looks OK. TT means the helper requires additional data from the client, which I did not prepare a test for. In my case I get the AF response.

# /opt/squid-trunk/sbin/negotiate_kerberos_auth_test opensuse42.suse.home | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command

Anyway the basic check looks good. You now just need to run the helper with squid. I will see if I can create a test which deals with the TT response too.

Regards
Markus

"Marcio Demetrio Bacci" <marcioba...@gmail.com> wrote in message news:CA+0Tdyr+2jEL7p09yrtJQ516M-2uE-q=Zayd3F5J0A=25zc...@mail.gmail.com...

Hi Markus,

Thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rob...@cms.ensino.br

Valid starting        Expires               Service principal
28-08-2016 22:40:53   29-08-2016 08:40:53   krbtgt/cms.ensino...@cms.ensino.br
        renew until 29-08-2016 22:40:41

But I have the following result for the command below:

/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br

Result:

TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command

The HTTP/proxy.cms.ensino.br is in the keytab files.

I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos, but I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.

My Linux distribution is CentOS 7.

Regards,
Márcio

2016-08-28 15:24 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:

Hi Marcio,

The helper needs a Kerberos token as input.
Please have a look at test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab and you must have done kinit to authenticate against a Kerberos server (e.g. AD) as user first.

Regards
Markus

"Marcio Demetrio Bacci" <marcioba...@gmail.com> wrote in message news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...

I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm using CentOS 7 and Squid 3.3.8 (yum install squid).

When I type the command below in a terminal:

/usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino...@cms.ensino.br
john xyz@12345

I have the following error:

negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
BH invalid request

Here are my configuration files:

/etc/krb5.conf

[libdefaults]
 default_realm = CMS.ENSINO.BR

[realms]
 CMS.ENSINO.BR = {
  kdc = dc1.cms.ensino.br:88
  admin_server = dc1.cms.ensino.br
  default_domain = CMS.ENSINO.BR
 }

[domain_realm]
 .cms.ensino.br = CMS.ENSINO.BR
 cms.ensino.br = CMS.ENSINO.BR

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br

Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/pro
Re: [squid-users] Trouble negotiate_kerberos_auth
Hi Marcio,

The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab and you must have done kinit to authenticate against a Kerberos server (e.g. AD) as user first.

Regards
Markus

"Marcio Demetrio Bacci" wrote in message news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...

I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm using CentOS 7 and Squid 3.3.8 (yum install squid).

When I type the command below in a terminal:

/usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino...@cms.ensino.br
john xyz@12345

I have the following error:

negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
BH invalid request

Here are my configuration files:

/etc/krb5.conf

[libdefaults]
 default_realm = CMS.ENSINO.BR

[realms]
 CMS.ENSINO.BR = {
  kdc = dc1.cms.ensino.br:88
  admin_server = dc1.cms.ensino.br
  default_domain = CMS.ENSINO.BR
 }

[domain_realm]
 .cms.ensino.br = CMS.ENSINO.BR
 cms.ensino.br = CMS.ENSINO.BR

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br

Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br

/etc/sysconfig/squid

# default squid options
SQUID_OPTS=""

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100

# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME

kinit and klist commands are OK.

Best Regards,
Márcio

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
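Two checks from these threads can be done offline before running the helpers: the keytab must hold HTTP/<squid hostname>@REALM for the name clients use (this thread), and for ext_kerberos_ldap_group_acl the account's UPN must equal its HTTP/ SPN (the samba-tool thread above). The script below is an added example, not code from the squid project or the posters; the klist listing, account attributes, hostnames and realm are constructed placeholders.

```python
"""Offline sanity checks for a Squid Kerberos service account (added example).

1. check_keytab: is HTTP/<name>@REALM present in `klist -k` output for every
   name clients use to reach the proxy (the -s value, plus any DNS alias)?
2. upn_matches_http_spn: does the account's userPrincipalName equal one of its
   HTTP/ SPNs, which msktutil --upn sets and a plain samba-tool setup does not?
"""
import re
from collections import defaultdict

# Constructed sample of `klist -k` output, same layout as the listings on the list.
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 PROXY$@EXAMPLE.TEST
   2 PROXY$@EXAMPLE.TEST
   2 HTTP/proxy.example.test@EXAMPLE.TEST
   2 HTTP/proxy.example.test@EXAMPLE.TEST
   3 HTTP/proxy.example.test@EXAMPLE.TEST
   2 host/proxy.example.test@EXAMPLE.TEST
"""

# Constructed AD attributes of a service account created with samba-tool:
# the UPN is the plain user name and the SPNs were added with `samba-tool spn add`.
SAMPLE_ACCOUNT = {
    "userPrincipalName": "squid1-service@example.test",
    "servicePrincipalName": [
        "HTTP/proxy.example.test",
        "HTTP/proxy.example.test@EXAMPLE.TEST",
    ],
}

# One keytab entry line: leading spaces, KVNO, spaces, principal.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Map each principal in `klist -k` output to the set of KVNOs found for it.
    A principal normally appears once per encryption type with a single KVNO;
    more than one KVNO means keys from before and after a password change
    are both in the file."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def qualify(principal, realm):
    """Append @REALM when a principal is written without a realm."""
    return principal if "@" in principal else "%s@%s" % (principal, realm.upper())


def check_keytab(klist_text, proxy_names, realm):
    """For each name clients may use for the proxy, return the sorted KVNOs of
    HTTP/<name>@REALM in the keytab. An empty list means the helper has no key
    to decrypt a service ticket issued for that name."""
    keytab = parse_klist(klist_text)
    report = {}
    for name in proxy_names:
        spn = qualify("HTTP/" + name, realm)
        report[spn] = sorted(keytab.get(spn, ()))
    return report


def http_spns(account, realm):
    """Realm-qualified HTTP/ SPNs of the account, in attribute order."""
    return [qualify(s, realm) for s in account.get("servicePrincipalName", [])
            if s.startswith("HTTP/")]


def upn_matches_http_spn(account, realm):
    """True when userPrincipalName names one of the account's HTTP/ SPNs, the
    condition ext_kerberos_ldap_group_acl needs to log in as the SPN."""
    return qualify(account.get("userPrincipalName", ""), realm) in http_spns(account, realm)


def upn_to_set(account, realm):
    """UPN value that would satisfy the group helper: the first HTTP/ SPN,
    realm-qualified. None when the account has no HTTP/ SPN at all."""
    spns = http_spns(account, realm)
    return spns[0] if spns else None


if __name__ == "__main__":
    realm = "EXAMPLE.TEST"
    names = ["proxy.example.test", "www-proxy.example.test"]  # real name and a DNS alias
    for spn, kvnos in check_keytab(SAMPLE_KLIST, names, realm).items():
        print("%-45s %s" % (spn, "KVNO %s" % kvnos if kvnos else "MISSING from keytab"))
    if not upn_matches_http_spn(SAMPLE_ACCOUNT, realm):
        print("UPN %s does not match an HTTP/ SPN; set it to %s"
              % (SAMPLE_ACCOUNT["userPrincipalName"], upn_to_set(SAMPLE_ACCOUNT, realm)))
```

Run it against real `klist -k` output and the account's attributes from `samba-tool spn list` or an LDAP search; a missing alias SPN is the case where the helper's -s GSS_C_NO_NAME form, with the alias key added to the keytab, is needed.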
Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )
Hi,

I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.

Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.

Regarding the certificate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.

Kind regards
Markus

"L.P.H. van Belle" wrote in message news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...

Ok, reply to myself so other users know this also.

If you create a user for the HTTP services and you don't use msktutil but, like me, samba-tool or something else, read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. The clue was this line for me:

Squid "login" to Windows Active Directory or Unix kdc as user @DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to @DOMAIN.COM> for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool. The samba-tool setup for squid I used was as follows:

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to the usern...@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName:
 HTTP/proxy.internal.domain.tld
 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from usern...@internal.domain.tld to the (SPN name) HTTP/proxyserver.internal.domain.tld@REALM. Solved my initial problem.

This should in my opinion be changed to search for the SPN in ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

I already have:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

which contains the needed certs.

Did I find 2 small bugs here? Or is this a “Debian” related thing?

Debug output.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d
kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG:
Re: [squid-users] ext_kerberos_ldap_group_acl problem
Hi Louis,

I made lately a change in how the SSL certificate verification is done. Did you use the latest version from trunk? Also set the variable TLS_CACERTFILE in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem). I do not read any ldap.conf file for this yet.

Markus

"L.P.H. van Belle" wrote in message news:vmime.57beabe1.6a01.3a47ad2737b8d...@ms249-lin-003.rotterdam.bazuin.nl...

Hi,

I've added the needed UPN and set up the _ldaps records in the DNS zones; that's ok now. The last part, here I need some help.

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636
support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636
support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

I tried to set TLS_CACERTFILE in ldap.conf, which didn't work, so I don't know how to fix this or where to put these variables. I need a user to connect to the ldap. I have that one in place. I just can't find how to put this in this line so I can test this out, but I can only authenticate if the TLS_CACERTFILE is set correctly.

Any suggestions here?

Greetz,
Louis
Re: [squid-users] missing negotiate_kerberos_auth on my squid
Hi Nilesh,

Just add a -d to

# enable kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain@domain.org

like

# enable kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain@domain.org -d

Then you get debug output in your cache.log file.

Markus

"Markus Moeller" <hua...@moeller.plus.com> wrote in message news:nikoqr$i2m$1...@ger.gmane.org...

What does the log say when you use the -d option with the helper?

Markus

"Nilesh Gavali" <nilesh.gav...@tcs.com> wrote in message news:of059dedf2.dd0eb7d2-on80257fc4.006a0132-80257fc4.006a2...@tcs.com...

Hello All;

Configured the steps required for kerberos authentication as given at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos but instead of SSO working when we try to open a url, it prompts for username and password, and when passing credentials it is not authenticating. Attached is our squid config for your reference. Kindly let us know what went wrong. We are using Windows 2012 AD.

Thanks & Regards
Nilesh Suresh Gavali

From: Nilesh Gavali/MUM/TCS
To: squid-users@lists.squid-cache.org, be...@bazuin.nl
Date: 27/05/2016 15:07
Subject: missing negotiate_kerberos_auth on my squid

Thanks Louis for the reply.

> but Should be include imo.
-- not sure what imo is

> Should be in any Squid-3.2 and later. And on my debian server its located here.
> /usr/lib/squid/negotiate_kerberos_auth - check the path
but it is not there on my linux box.

> Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ?
NO, didn't give this option while compiling

> Run squid -v to check it.
-- we have "--enable-auth-negotiate" only and some other configured options.

Can you help me with how to get it recompiled with the required options?
Thanks & Regards
Nilesh Suresh Gavali

- Forwarded by Nilesh Gavali/MUM/TCS on 27/05/2016 15:01 -
From: squid-users-requ...@lists.squid-cache.org
To: squid-users@lists.squid-cache.org
Date: 27/05/2016 12:42
Subject: squid-users Digest, Vol 21, Issue 101
Sent by: "squid-users" <squid-users-boun...@lists.squid-cache.org>

Today's Topics:
 1. NULL characters (joe)
 2. Re: Looking for a way to route into cache_peer traffic dynamically. (Alex Rousskov)
 3. The system returned: (111) Connection refused; (deepa ganu)
 4. Re: NULL characters (Eliezer Croitoru)
 5. missing negotiate_kerberos_auth on my squid (Nilesh Gavali)
 6. Re: missing negotiate_kerberos_auth on my squid (L.P.H. van Belle)
Re: [squid-users] Changing negotiate_kerberos_auth default location for rcache
Hi Michael,

Yes, you should be able to set an environment variable KRB5RCACHEDIR in your startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache type.

Markus

"Michael Pelletier" wrote in message news:caencsg74pkxndiasr4yfgy9uuzqhk21jl5uytzxp6_tmpeu...@mail.gmail.com...

Hello,

I am using squid 3.4 and need to change the default location from /var/tmp to a tmpfs filesystem. The current version does not have the "-c" option to change the default location. I was wondering if there was another way.

Michael

Disclaimer: Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.
Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,

1) Yes, you should see user@DOMAIN for kerberos authentication, but if you use -r the @DOMAIN will be removed.

2) The client in EXTERNAL.COM needs to know where to find the HTTP/@FATHER.COM principal. I think your trust is not fully set up. You should see some cross domain TGTs.

Cross Domain SPN Lookups with Active Directory: When domains are within the same forest, the KDC should consult the GC (Global Catalog) and provide a referral if the account is in a different domain. If the account is not in the same forest you would need to define Host Mapping for the account, unless you are using a forest trust. Then you could define a Kerberos Forest Search Order.

Markus

"akn ab" <drcim...@mail.com> wrote in message news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...

Hello Markus,

First of all thank you for your reply. Today I'm having a strange issue: KID1 and KID2 started to authenticate with kerberos correctly without any modification... This is so strange, but I'm very happy, so I started other configurations, but I have 2 more problems:

1) In my squid logs I can see users authenticated correctly, but not the domain the users came from. For example:

FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1

are reported in my logs as "user1" and not as us...@kid1.father.com or KID1\user1 (for example). I need to differentiate domains because I'm sending x-authenticated-user to my proxy peers. Is it possible with kerberos?

2) I have another domain EXTERNALS.COM with a bidirectional trust with FATHER.COM, so I added it in my krb5.conf like KID1, but kerberos auth fails. Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM.

Best Regards.
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <hua...@moeller.plus.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth

Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM? Can you get a wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?

Regards
Markus

"akn ab" <drcim...@mail.com> wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem configuring my squid 3.5.15 with negotiated kerberos authentication in my mono-forest, multi-domain setup. My FATHER.COM is a forest with 2 children: KID1 and KID2. Like this:

FATHER.COM -> KID1.FATHER.COM -> KID2.FATHER.COM

With the actual configuration, squid negotiated kerberos auth works with only FATHER.COM but not when my users belong to KID1 and KID2. I read some discussions on the mailing list about forests, but cannot find a definitive advice and procedure to authenticate child domain users.

My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FATHER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = /usr/local/squid/etc/HTTP.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
 }
 KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
 }

[domain_realm]
 .father.com = FATHER.COM
 father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
 kid2.father.com = KID2.FATHER.COM

[capaths]
 KID1.FATHER.COM = {
  FATHER.COM = .
 }
 KID2.FATHER.COM = {
  FATHER.COM = .
 }

To join kerberos auth with FATHER.COM I did:

# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

In the squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).

Now I'm trying to add KID1 an
Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM? Can you get a wireshark capture on your client on port 88? You should see some TGS-REQs in the capture and I assume also TGS-REPs with error messages. Can you share these error messages?

Regards
Markus

"akn ab" wrote in message news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...

Dear all,

I'm having a problem configuring my squid 3.5.15 with negotiated kerberos authentication in my mono-forest, multi-domain setup. My FATHER.COM is a forest with 2 children: KID1 and KID2. Like this:

FATHER.COM -> KID1.FATHER.COM -> KID2.FATHER.COM

With the actual configuration, squid negotiated kerberos auth works with only FATHER.COM but not when my users belong to KID1 and KID2. I read some discussions on the mailing list about forests, but cannot find a definitive advice and procedure to authenticate child domain users.

My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FATHER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = /usr/local/squid/etc/HTTP.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
 }
 KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
 }
 KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
 }

[domain_realm]
 .father.com = FATHER.COM
 father.com = FATHER.COM
 .kid1.father.com = KID1.FATHER.COM
 kid1.father.com = KID1.FATHER.COM
 .kid2.father.com = KID2.FATHER.COM
 kid2.father.com = KID2.FATHER.COM

[capaths]
 KID1.FATHER.COM = {
  FATHER.COM = .
 }
 KID2.FATHER.COM = {
  FATHER.COM = .
 }

To join kerberos auth with FATHER.COM I did:

# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

In the squid config I have:

auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not work).

Now I'm trying to add KID1 and KID2 users to krb auth. As I said previously, I read some posts but I cannot find the correct configuration to support my forest.

1) Someone says to add KID1 and KID2 to HTTP.keytab. To do so I did:

- kinit u...@father.com
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com -k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N

but this configuration gives me an authentication error for my keytab or a ticketing problem. So I tried:

- kinit u...@kid1.father.com

but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many and many hours, I need some advice to complete my configuration. Is there anyone that could help me?

Many thanks in advance.
Re: [squid-users] Squid 3.3.8 -- Authentication Problems when using Alias Host Name
Hi Markus,

When you say authentication does not work, do you mean Kerberos authentication or Kerberos and NTLM? Can you add a -d for debug to the Kerberos authentication helper and provide the log file messages? Can you also provide the content of the keytab?

Regards
Markus

"Markus Sonnenberg" wrote in message news:56c1c720.5030...@rz-amper.de...

Hi,

I've set up a CentOS 7 machine with Squid 3.3.8 and kerberos/ntlm authentication in order to replace our older Squid proxy. The new Squid server runs fine and authentication is working as expected.

We use group policies to set the proxy server address at terminal servers and workstations, which is "proxy.company.com". This address is an A record and currently points to the IP address of our old proxy server. The hostname of our old proxy server is "euprx001.company.com" and the hostname of our new proxy server is "euprx101.company.com".

When I change the A record for "proxy.company.com" to point to the IP address of our new proxy server, then authentication is not working.

proxy.company.com      10.222.40.106
euprx101.company.com   10.222.40.106

Authentication works if Internet Explorer uses the real host name but it does not work if it uses "proxy.company.com". Guess what, this A record currently points to our old proxy server and works fine regardless of whether Internet Explorer connects to proxy... or euprx001.

Here's the current config I'm using on our new proxy server.
# Network Options # +-+ http_port 8080 icp_port 0 offline_mode off # Administrative Options # +-+ via off cache_mgr edc.helpd...@company.com cachemgr_passwd ap0ll0 all cache_effective_user squid cache_effective_group squid # cache_dir rock /cache 4 max-size=4194304 slot-size=32768 cache_mem 6144 MB memory_pools on pid_filename /var/run/squid.pid ftp_user anonymous ftp_passive off check_hostnames off request_header_max_size 20 KB snmp_port 3401 shutdown_lifetime 2 seconds maximum_object_size 1048576 KB maximum_object_size_in_memory 10240 KB forwarded_for on snmp_incoming_address 0.0.0.0 workers 4 error_directory /usr/share/squid/errors/TTI deny_info ERR_AD_REMOVED AdServer deny_info ERR_BLOCKED_FILES BlockedFiles deny_info ERR_BLOCKED_SITES BlockedSites deny_info ERR_BLOCKED_SOCIAL BlockedSocialnet deny_info ERR_BLOCKED_WEBMAIL BlockedWebmail ### negotiate kerberos and ntlm authentication auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DE.COMPANY.COM --kerberos /usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME auth_param negotiate children 300 startup=10 idle=10 auth_param negotiate keep_alive on ### pure ntlm authentication auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DE.COMPANY.COM auth_param ntlm children 10 auth_param ntlm keep_alive on ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=DE,dc=COMPANY,dc=COM" -D svc_sq...@company.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h euads201.de.company.com auth_param basic children 10 startup=0 idle=1 auth_param basic realm Company, Inc. 
European Web Proxy auth_param basic credentialsttl 120 minute ### ldap authorisation external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -S -b "dc=DE,dc=COMPANY,dc=COM" -D svc_sq...@de.company.com -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%g,cn=Users,dc=DE,dc=COMPANY,dc=COM))" -h euads201.de.company.com # Logging # +-+ logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %http://.*\.gif$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.png$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.jpg$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.jpeg$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.bmp$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.gif$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.ico$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.swf$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.flv$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.rar$ 10080 100% 120960 reload-into-ims override-expire ignore-reload refresh_pattern -i \.ram$
Re: [squid-users] squid auth
Hi,

The issue appears if you use the same AD account for Samba and the Kerberos keytab creation, as Samba will reset the password of the AD account and thereby invalidate the extracted keytab.

Markus

"Alex Samad" wrote in message news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qfnewm...@mail.gmail.com...

Hi

So what you're saying is I should install msktutil and let it manage the squid krb keytab file. Could you possibly help with the changes to the squid.conf file? Do I leave it as is and just add kerberos first?

On 8 December 2015 at 20:03, Amos Jeffries wrote:

On 8/12/2015 7:44 p.m., Alex Samad wrote:

Hi

Currently using 3.1 (from centos 6). I have set up squid to auth against MS AD. I have

# ###
# Negotiate
# ###
# http://wiki.squid-cache.org/Features/Authentication
# http://wiki.squid-cache.org/Features/NegotiateAuthentication
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 10 startup=0 idle=3
auth_param negotiate keep_alive on

# ###
# NTLM AUTH
# ###
# ntlm auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 10
#auth_param ntlm children 10 startup=0 idle=3
#auth_param ntlm keep_alive

# ###
# NTLM over basic
# ###
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

I want to move towards using kerberos. I came to this page http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and worked through that, but I saw this:

Do not use this method if you run winbindd or other samba services as samba will reset the machine password every x days and thereby makes the keytab invalid !!

As I understand it that disclaimer applies only to the "OR with Samba" instructions for keytab creation directly above it. The other two methods should work.

Also, it is just a disclaimer about a known problem. There is always the option to set up a script that re-builds the keytab and reloads Squid every X days when it changes.

I have winbindd running for my users list in linux. Is there a way around this and if not how?

The initial msktutil method of keytab creation is both a way around it and the preferred method of keytab creation. As you found elsewhere ...

then found this one http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory but I am not using msktutil, I do have samba and the krb-workstation installed

msktutil is just a tool to generate keytabs and link the machine to domain. I *think* it should still be usable even if you have Samba, the problem is just that if you let Samba know about the keytab and account it will do the periodic updates.

Amos
Re: [squid-users] squid auth
Hi Alex,

Yes, I talk about the AD computer account password.

Markus

"Alex Samad" wrote in message news:CAJ+Q1PVw1rrSvMUjzqbp_QNUAVwN=r7rqrg0lt94hv3v3o9...@mail.gmail.com...

So when I do kinit I should use a different account to the Samba one. I'm lost, sorry.

When I attach with winbind, I kinit with my personal admin account and also do a net ads join -U . The password on the doesn't / hasn't changed.

Are you talking about the computer account password? If so, then I set up a different computer account for the squid kerberos application!
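The two failure modes in the threads above, a browser asking for a ticket for an alias that has no SPN in the keytab (the Squid 3.3.8 thread) and a keytab whose kvno AD has moved past after Samba reset the account password (this thread), can both be checked by reading the keytab itself. The following is an added example, not code from Squid, msktutil or the posters: it parses the MIT keytab format directly, and its sample keytab, function names and dummy keys are this example's own, with only the hostnames and realm taken from the threads, so nothing here touches AD.

```python
import struct
import time

KT_VERSION = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.

    Used only to construct sample input here; a real proxy gets its keytab
    from msktutil or ktutil. principal is written as 'HTTP/host@REALM'.
    """
    out = bytearray(KT_VERSION)
    now = int(time.time())
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, now, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit kvno trailer, overrides vno8
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return [{'principal', 'kvno', 'enctype'}, ...] for every live entry."""
    if blob[:2] != KT_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            comps.append(blob[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        pos += 13 + klen                  # past name type, timestamp, vno8, key
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno, used if nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def missing_spns(blob: bytes, realm: str, hostnames):
    """Hostnames with no HTTP/<host>@REALM key in the keytab.

    A browser requests a ticket for the proxy name it was configured with, so
    an alias like proxy.company.com needs its own SPN in the keytab (and the
    helper then needs -s GSS_C_NO_NAME to accept whichever name arrives).
    """
    present = {e["principal"] for e in parse_keytab(blob)}
    return [h for h in hostnames if f"HTTP/{h}@{realm}" not in present]


def kvno_mismatch(blob: bytes, principal: str, ad_kvno: int) -> bool:
    """True when the keytab kvno for principal differs from what AD now uses.

    ad_kvno is the version `kvno HTTP/host` reports; after Samba resets the
    account password AD moves on and the old keytab can no longer decrypt.
    """
    current = {e["principal"]: e["kvno"] for e in parse_keytab(blob)}
    return principal in current and current[principal] != ad_kvno


# Constructed sample: the new proxy from the Squid 3.3.8 thread with AES keys
# (zero-filled dummies) at kvno 3 and no entry for the proxy.company.com alias.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/euprx101.company.com@DE.COMPANY.COM", 3, 18, b"\x00" * 32),
    ("HTTP/euprx101.company.com@DE.COMPANY.COM", 3, 17, b"\x00" * 16),
])

if __name__ == "__main__":
    print(parse_keytab(SAMPLE_KEYTAB))
    print(missing_spns(SAMPLE_KEYTAB, "DE.COMPANY.COM", ["euprx101.company.com", "proxy.company.com"]))
    print(kvno_mismatch(SAMPLE_KEYTAB, "HTTP/euprx101.company.com@DE.COMPANY.COM", 4))
```

Run against a real file (`open("/etc/squid/HTTP.keytab", "rb").read()`), the same two checks tell you whether to add an SPN with msktutil or to regenerate the keytab because its kvno is stale.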
Re: [squid-users] negotiate_wrapper: Return 'AF = * username
What other output do you get when using -d (i.e. enable debug output)? It may indicate the reason for your return message.

Markus

"Michael Pelletier" wrote in message news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com...

Hello,

I am building a new squid virtual template for my environment. I already have squid up and running and everything is well. When building a new template and testing it I keep getting negotiate_wrapper: Return 'AF = * username'. I cannot figure out why. Can anyone help? All the software is the same version and I am using the same squid.conf that is currently running in production. I must have missed something but can't think of what it might be.

Michael
Re: [squid-users] Squid with NTLM and Kerberos auth => an error
Hi Olivier,

I think on some of your newer clients you have an issue with Negotiate and NTLM fallback. If I look at https://msdn.microsoft.com/en-us/library/ff468736.aspx I see this https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif

If I interpret this correctly the client will try NegoEx after failing with Kerberos and before trying NTLM. If on the client NegoEx is successful then NTLM will not be attempted. And I think that is the case here.

Do you know if NegoEx is used on the client? Does anybody else know about NegoEx?

Markus

From: Olivier CALVANO
Sent: Tuesday, November 03, 2015 9:22 AM
To: Markus Moeller
Subject: Re: [squid-users] Squid with NTLM and Kerberos auth => an error

That's saying that squid can be used with Windows AD?

2015-11-02 22:46 GMT+01:00 Markus Moeller <hua...@moeller.plus.com>:

Hi Olivier,

If I decode a token I see

/base64> hexdump -c base64_dec.out
000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201
010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002
020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004
030 p N E G O E X T S \0 \0 \0 \0 \0 \0 \0
040 \0 ` \0 \0 \0 p \0 \0 \0 020 366 L 3 & 023 256
050 O 271 216 4 305 \f 200 ! \t 034 340 # 327 322 177 _
060 211 202 > 254 { g 234 325 225 001 022 225 \f 323 276 A
070 206 024 6 367 ; . \0 C 273 \0 \0 \0 \0 \0 \0 \0
080 \0 ` \0 \0 \0 001 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
090 \0 E r | 2 2 E 213 H 277 331 * k 240 ^ 244
0a0 \n
0a1

It says NEGOEXTS which points me to https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396

That is not supported.

Markus

"Olivier CALVANO" <o.calv...@gmail.com> wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi

I test an AD authentication with Kerberos/NTLM

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication prompt
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours

I have a lot of users for whom it works, but for other users squid requests login/pass in a loop. In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7i ZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An
Re: [squid-users] Squid with NTLM and Kerberos auth => an error
Hi Olivier,

Which Kerberos version do you use? MIT or Heimdal?

Markus

"Olivier CALVANO" wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...

Hi

I test an AD authentication with Kerberos/NTLM
Anyone know this problem?

regards
Olivier
Re: [squid-users] Squid with NTLM and Kerberos auth => an error
Hi Olivier,

If I decode a token I see

/base64> hexdump -c base64_dec.out
000 ` 201 236 006 006 + 006 001 005 005 002 240 201 223 0 201
010 220 240 032 0 030 006 \n + 006 001 004 001 202 7 002 002
020 036 006 \n + 006 001 004 001 202 7 002 002 \n 242 r 004
030 p N E G O E X T S \0 \0 \0 \0 \0 \0 \0
040 \0 ` \0 \0 \0 p \0 \0 \0 020 366 L 3 & 023 256
050 O 271 216 4 305 \f 200 ! \t 034 340 # 327 322 177 _
060 211 202 > 254 { g 234 325 225 001 022 225 \f 323 276 A
070 206 024 6 367 ; . \0 C 273 \0 \0 \0 \0 \0 \0 \0
080 \0 ` \0 \0 \0 001 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
090 \0 E r | 2 2 E 213 H 277 331 * k 240 ^ 244
0a0 \n
0a1

It says NEGOEXTS which points me to https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396

That is not supported.

Markus

"Olivier CALVANO" wrote in message news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...

Hi

I test an AD authentication with Kerberos/NTLM
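What Markus read off the hexdump can be checked mechanically: the SPNEGO NegTokenInit lists the mechanisms the client is willing to use, and when that list holds only NEGOEX and NTLMSSP the Kerberos helper has nothing it can accept, which is what "An unsupported mechanism was requested" reports. The following added example (not code from Squid, the helper or the posters) decodes the token from this thread; its bytes are transcribed from the hexdump rather than from the base64 in the log lines, which is not intact in the archive, and the function names are this example's own.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2",    # Kerberos V5
                 "1.2.840.48018.1.2.2"}     # MS legacy Kerberos OID
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
              "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs = list(divmod(value[0], 40))
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_init(token: bytes) -> dict:
    """Decode a GSS-API initial token carrying a SPNEGO NegTokenInit.

    Returns {'mech_types': [dotted OIDs in the client's preference order],
             'mech_token': bytes of the optimistic first-mechanism token}.
    """
    tag, body, _ = _tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not an InitialContextToken ([APPLICATION 0])")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = _tlv(body, pos)
    if tag != 0xA0:                       # [0] NegTokenInit
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _tlv(neg, 0)              # the SEQUENCE inside it
    result = {"mech_types": [], "mech_token": b""}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == 0xA0:                   # [0] mechTypes ::= SEQUENCE OF OID
            _, oids, _ = _tlv(val, 0)
            p = 0
            while p < len(oids):
                _, o, p = _tlv(oids, p)
                result["mech_types"].append(decode_oid(o))
        elif tag == 0xA2:                 # [2] mechToken ::= OCTET STRING
            _, result["mech_token"], _ = _tlv(val, 0)
    return result


def offers_kerberos(token: bytes) -> bool:
    """True if a mechanism the Kerberos helper can accept is in mechTypes."""
    return any(m in KERBEROS_OIDS for m in parse_neg_token_init(token)["mech_types"])


def describe(token: bytes) -> str:
    """One-line diagnosis of the same facts the hexdump shows by eye."""
    info = parse_neg_token_init(token)
    names = [MECH_NAMES.get(m, m) for m in info["mech_types"]]
    return f"mechTypes={names} mechToken starts with {info['mech_token'][:8]!r}"


def helper_request_line(token: bytes) -> str:
    """The 'YR <base64>' line Squid hands the negotiate helper for a new context."""
    return "YR " + base64.b64encode(token).decode()


# The 161-byte token from the thread, transcribed from the hexdump above.
TOKEN = bytes.fromhex(
    "60819e06062b0601050502a081933081"
    "90a01a3018060a2b0601040182370202"
    "1e060a2b06010401823702020aa27204"
    "704e45474f4558545300000000000000"
    "00600000007000000010f64c332613ae"
    "4fb98e34c50c8021091ce023d7d27f5f"
    "89823eac7b679cd5950112950cd3be41"
    "861436f73b2e0043bb00000000000000"
    "00600000000100000000000000000000"
    "0045727c3232458b48bfd92a6ba05ea4"
    "0a"
)

if __name__ == "__main__":
    print(describe(TOKEN))
    print("Kerberos offered:", offers_kerberos(TOKEN))
```

To apply it to your own cache.log, base64-decode the string after 'YR ' in a squid_kerb_auth "Got" line and pass the bytes to describe(); a client that is fine will list a Kerberos OID first.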
Re: [squid-users] Negotiateauthenticator processes are busy
What happens if you adjust the system time to be in sync with the AD server?

Markus

"Михаил" wrote in message news:1462781444845...@web15m.yandex.ru...

Hi All!

Sometimes I get an error message and squid stops:

2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator processes are busy.
2015/10/14 14:31:51| WARNING: 300 pending requests queued
2015/10/14 14:31:51| WARNING: Consider increasing the number of negotiateauthenticator processes in your config file.
2015/10/14 14:32:24| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Clock skew too great; }}
2015/10/14 14:32:37| Closing HTTP port 0.0.0.0:3128
2015/10/14 14:32:48| storeDirWriteCleanLogs: Starting...
2015/10/14 14:32:48| Finished. Wrote 0 entries.
2015/10/14 14:32:48| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: Too many queued negotiateauthenticator requests
Squid Cache (Version 3.5.7): Terminated abnormally.

What can I do so that squid doesn't terminate?
Re: [squid-users] squid 3.5.7 for Windows (from Diladele) and kerberos auth
Hi Paul,

negotiate_kerberos_auth is for Unix only.

Regards
Markus

"MORRIS Paul [Tuart College]" wrote in message news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal...

Hi,

I am trying without success to use the "negotiate_kerberos_auth.exe" helper and "basic_smb_auth.exe" on a Windows 2008R2 server on a 2008R2 domain. Previously I have used mswin_negotiate_auth.exe and mswin_auth.exe from the last stable 2.7 build with no issues. Most of the instructions for setting up Kerberos authentication are for Linux; I am unsure which parts are applicable to Windows.

Can anyone help with the requirements for both of these new helpers in 3.5.7 under Windows? Can I just use the helper from 2.7 in 3.5.7?

Thank you,
Paul.
Re: [squid-users] Squid3 Kerberos Auth works but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does
Hi Enrico,

The Kerberos helper will authenticate only for now (there is now code to get the group information, but it is not further processed). It does not do anything to group membership like the winbind cache. Also keep in mind Kerberos caches the ticket on the client machine for about 10 hours. If the user does not lock/unlock his PC there won't be any update to the cached ticket and therefore not to the group membership information in the ticket either.

Regards
Markus

"Heine, Enrico" wrote in message news:c821a938e46c6278b4cc39912760b408bb84f...@data-core.org...

Hello together,

My issue is the following: Using Squid3 with Kerberos auth works just fine but does not update the user's group membership in the winbind cache of samba as for example ntlm_auth does.

So when using /usr/lib/squid3/negotiate_kerberos_auth for Kerberos, the auth works, but group memberships for my user, as an example, are never updated; when I comment out this auth helper then it gets updated because then I use ntlm_auth for ntlmssp.

So if I have a new group, e.g. My_Test, then I can check this like this:

wbinfo -n My_Test -> returns SID of My_Test
wbinfo -Y SID -> returns mapped GID
wbinfo -r myuser | grep GID -> GID is not listed!!
getent group My_Test -> returns: myuser is member of that group!

So just in my account "myuser" it is not listed (wbinfo -r myuser | grep GID -> GID is not listed!!) but ext_wbinfo_group_acl is checking my group membership based on the commands listed above.

Commenting out Kerberos auth in the squid conf, so that only ntlm_auth is used, and requesting one website to be sure to have done an auth, works. So then the GID is listed in the output of wbinfo -r myuser.

How can I ensure that my memberships are getting updated using /usr/lib/squid3/negotiate_kerberos_auth as it does work with ntlm_user? Or is there another auth helper that can be used for Kerberos that is doing what ntlm_user does automatically after a successful authentication?

My Squid config for auth helpers looks like this:

# Kerberos #
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/myserver.MYDOMAIN@MYDOMAIN
#auth_param negotiate children 300
#auth_param negotiate keep_alive on
# NTLM #
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off
# BASIC #
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic realm Windows Authentication required
auth_param basic casesensitive off

Also I am using the following to check group memberships, which is working fine !! with all auth helpers !! and it is much faster than the slow Kerberos group check. I assume that this helper is updating the winbind group cache automatically, which is the reason that the group itself is being recognized and I am also a member of that group when I check that specific group via getent group My_Test

external_acl_type nt_group ttl=60 children-max=300 children-startup=50 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -K

Software versions used:
- Squid Cache: Version 3.4.8
- Samba & winbindd Version 4.1.17-Debian
- Distro: Debian Jessie

--
Best regards,
Enrico Heine
Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3
Hi Louis,

When you have an offline PC do you use DHCP to give an IP ? If so can you also provide the PC with a WINS server via DHCP ? If that is possible and you run WINS you can authenticate the user with u...@domain.com when you get the authentication popup. The WINS server will point the PC to the AD server of the domain DOMAIN.COM ( I assume you have given out some AD guest accounts to the non-domain PC )

Regards
Markus

L.P.H. van Belle be...@bazuin.nl wrote in message news:vmime.55d2d089.2ba7.1a22bdbf5ed74...@ms249-lin-003.rotterdam.bazuin.nl...

Nobody any hint where the NTLM auth is going wrong, or what I can do to fix this.

--
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of L.P.H. van Belle
Sent: Monday, 17 August 2015 17:06
To: squid-users@lists.squid-cache.org
Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

Hi all,

I have a Debian Jessie setup with squid 3.4, all debian packages. I'm using samba 4 AD as domain controllers for my kerberos authentication. I've a setup as followed here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

I have my kerberos auth working, so I don't type any password with a domain joined computer when I want to internet.
I have my Ldap auth working, for my non-Windows, non-domain-joined devices.

Now, I need to give users access to the internet, a non-domain-joined Windows PC.

I'm getting: ( with Markus' negotiate_wrapper 1.0.1 )

2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }
2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR =' from squid (length: 59).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 40).
2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR.. AA= *
2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR 8=' from squid (length: 711).
2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.8=' (decoded length: 530).
2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL
2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * NT_STATUS_UNSUCCESSFUL; }}

I know the following: ( and correct me if I'm thinking wrong here.)

## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
## Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
## NO NTLM. AKA, a windows pc, NOT JOINED in the domain, will end up in always user popup for auth.
## Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.

But I receive a type 3 NTLM token...

These are the configs I have tested and these 2 work.

For kerberos auth
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/hostname.fqdn@REALM

for basic auth
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
  -b dc=internal,dc=domain,dc=tld \
  -D ldap-b...@internal.domain.tld -W /etc/squid3/private/ldap-bind \
  -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
  -h addc.internal.domain.tld

These don't work.

auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
  --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
  --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

or

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
  --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
  --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

Tried here the supplied wrapper with squid: /usr/lib/squid3/negotiate_wrapper_auth
and I have tried the negotiate_wrapper of Markus, as the wiki.squid-cache.org also says here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory ( Install negotiate_wrapper )

The kerberos part works but not the ntlm.

When I try with only:

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

I'm also unable to authenticate on the proxy. All winbind tests work..

I googled a lot, but I didn't find any solutions so I'm hoping someone here knows more.

So anyone any hint
Re: [squid-users] Squid and Kerberos problems
Did you compile msktutil or is it a package in centos ?

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...

Hi

Thanks for your answer

CentOS Linux release 7.1.1503 (Core)
krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64

regards
olivier

2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...

Hi

I request your help because I want to use NTLM/Kerberos to authenticate my users.

For NTLM, I use Winbind, no problems:

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded

but for Kerberos, I can't create the .keytab

[root@gw]# kinit MYUSERNAME
Password for myusern...@myaddomain.fr:
[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myusern...@myaddomain.fr

Valid starting       Expires              Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
        renew until 09/05/2015 04:51:07

MYUSERNAME is the same account that I join the domain (net join) with winbind

after, I put:

msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose

and I have an error:

[root@gw etc]# msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 84
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jnxTuG
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
 -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try kiniting yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
 -- ~KRB5Context: Destroying Kerberos Context

same error if I change gw.srv1-v4.tcy.myinternetdomain.org to ophtcysrv1v4.myaddomain.fr

anyone know the origin of this error ?

thanks
Olivier
Re: [squid-users] Squid and Kerberos problems
Hi Olivier,

You may need to check with the msktutil authors as this is not directly related to squid.

Regards
Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:CAJajPecBcrbW+jtiwF2J=ujz4kwdtwf6opzjf56pvz+-gfn...@mail.gmail.com...

Hi

I have compiled the 1.0rc version:

[root@gw msktutil-1.0rc1]# ./msktutil -c -b CN=COMPUTERS -s HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myasdomain.fr --server myad.myaddomain.fr --verbose --enctypes 28
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/urandom = 93
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jPXQHu
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.sodiaal.ophelys.org from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
 -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
SASL/GSSAPI authentication started
SASL username: myusern...@myaddomain.fr
SASL SSF: 56
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=FR
 -- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ exists
 -- ldap_check_account: Computer account not found, create the account
No computer account for OPHTCYSRV1V4-K found, creating a new one.
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_check_account_strings: Found userPrincipalName =
 -- ldap_check_account_strings: userPrincipalName should be HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x20 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- ldap_get_kvno: KVNO is 1
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication error
Error: set_password failed
 -- ~KRB5Context: Destroying Kerberos Context

2015-05-03 13:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

Did you compile msktutil or is it a package in centos ?

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...

Hi

Thanks for your answer

CentOS Linux release 7.1.1503 (Core)
krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64

regards
olivier

2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...

Hi

I request your help because I want to use NTLM/Kerberos to authenticate my users.

For NTLM, I use Winbind, no problems:

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded

but for Kerberos, I can't create the .keytab

[root@gw]# kinit MYUSERNAME
Password for myusern...@myaddomain.fr:
[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myusern...@myaddomain.fr

Valid starting       Expires              Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
        renew until 09/05/2015 04:51:07

MYUSERNAME is the same account that I join the domain (net join
Re: [squid-users] Squid and Kerberos problems
Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...

Hi

I request your help because I want to use NTLM/Kerberos to authenticate my users.

For NTLM, I use Winbind, no problems:

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded

but for Kerberos, I can't create the .keytab

[root@gw]# kinit MYUSERNAME
Password for myusern...@myaddomain.fr:
[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myusern...@myaddomain.fr

Valid starting       Expires              Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
        renew until 09/05/2015 04:51:07

MYUSERNAME is the same account that I join the domain (net join) with winbind

after, I put:

msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose

and I have an error:

[root@gw etc]# msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 84
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jnxTuG
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
 -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try kiniting yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
 -- ~KRB5Context: Destroying Kerberos Context

same error if I change gw.srv1-v4.tcy.myinternetdomain.org to ophtcysrv1v4.myaddomain.fr

anyone know the origin of this error ?

thanks
Olivier
Re: [squid-users] Squid + AD + Kerb auth question
Hi Joao,

OK now you use the authentication rule. How did you create the keytab ? Does the hostname match the keytab entry ? Can you run the helper with -d to get more debug ?

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

getting access denied now

watch the logs

==> /var/log/squid/squid.out <==

==> /var/log/squid/access.log <==
1426725527.219 1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html

==> /var/log/squid/cache.log <==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '

guess my SSO isn't working right?

2015-03-18 20:46 GMT-03:00 Markus Moeller hua...@moeller.plus.com:

Hi Joao

Then you hit http_access allow localnet and not http_access allow ad_auth

Comment out the following line in squid.conf

http_access allow localnet

and try again.

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 11:38 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

yes, I'm using localnet, this is a virtual test lab environment, here are some log entries

1426694349.225 59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 -
1426694352.258 62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 -
1426694613.543 58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

when I looked at the access.log manual pages I saw that if squid can't get user info, it uses the - sign on the access, and we can see it there, but why can't it get the user info?

2015-03-18 20:20 GMT-03:00 Markus Moeller hua...@moeller.plus.com:

Hi,

From which network do you surf ? From localnet ? Can you send sample log entries ?

Markus

From: Joao Paulo Monticelli Gaspar
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller
Subject: Re: [squid-users] Squid + AD + Kerb auth question

squid.conf

visible_hostname proxy.joznet.local
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ad_auth
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JOZNET.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
; for Windows 2008 with AES
;default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for MIT/Heimdal kdc no need to restrict encryption type

[realms]
 JOZNET.LOCAL = {
  kdc = srvjoznt.joznet.local:88
  admin_server = srvjoznt.joznet.local:749
  default_domain = joznet.local
Re: [squid-users] Squid + AD + Kerb auth question
How does the config file look like ?

Markus

Joao Paulo Monticelli Gaspar jaumsh...@gmail.com wrote in message news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...

Hey people

I have a doubt and couldn't find the answer anywhere yet. I'm using SQUID integrated to a W2K8 AD server with kerb auth, and everything works fine. The main reason for choosing this setup is the SingleSignOn capabilities of the configuration, but in my ACCESS.LOG I can't see the users that are visiting the sites... Is it possible to show that info with this setup, or by any other setup that maintains the SSO?

Thx in advance.
Re: [squid-users] Logging variable question
Oh pretty old bug. Thank you

Markus

Amos Jeffries wrote in message news:54f26815.4020...@treenet.co.nz...

On 1/03/2015 4:55 a.m., Markus Moeller wrote:

Hi,

I wonder about the total size variables %<st and %>st for squid logs

#  %<st  Sent reply size including HTTP headers
#  %>st  Received request size including HTTP headers. In the
#        case of chunked requests the chunked encoding metadata
#        are not included

I have set the logformat to

logformat squid_mm %tg %6tr %>a %Ss/%03>Hs %<st %>st %rm %ru %un %Sh/%<A %mt

and have 2 cases for which I would like to see the request/reply total data size.

Case 1 Just receiving data. (44073 and 35754 are local and remote ports respectively)

28/Feb/2015:15:29:27 5887 192.168.1.17 TCP_TUNNEL/200 8895 45 CONNECT opensuse13.suse.home:443 - HIER_DIRECT/opensuse13.suse.home -

http://bugs.squid-cache.org/show_bug.cgi?id=3069

Amos
Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
On 20/01/2015 11:31 p.m., Simon Stäheli wrote:

Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Kerberos domain name" mappings provided by the -N option. As far as I can tell, this mapping can also easily be done by writing your own helper perl script which is doing the mapping and finally feeds the more common ext_ldap_group_acl helper.

Whatever floats your boat. The point of the Addon/Plugin/helpers API is that you can use scripts if they serve your needs better. All the usual Open Source benefits of many eyeballs and somebody else doing code maintenance for you apply to using a bundled helper over a custom written one. Beyond that the kerberos helper also provides automatic detection of which LDAP server to use via multiple auto-configuration methods.

The idea of the helper was to automate most of the configuration ( ignoring some performance ) and avoid using a username/password, support users from multiple domains. Secondly I wanted to check for nested groups which was not available in the existing helper and thirdly I also check now against the primary group of the user.

Thank you Markus for your explanations. I played around with ext_kerberos_ldap_group_acl and would like to go into some details:

1) Is it possible to define more than one LDAP server (e.g. for high availability reasons)? The -l parameter allows only one ldap url while -S allows several server - realm mappings.

I didn't see the need. The -l was more for cases when digest or basic auth is used and I do not know the domain to check against. So a fallback option.

2) Is it correct, that compared to ext_ldap_group_acl, ext_kerberos_ldap_group_acl does not require a groupname as input (from stdin), because -g -t -T or -D control the group name?!

You have two options with ext_kerberos_ldap_group_acl: as input or as -g .. control

3) What is the use case for defining -g GROUP@? What is the difference to -g GROUP (without @)

-g GROUP is for all users including the ones with no provided domain

The man pages describe it a bit under Note:

1) For user@REALM
   a) Query DNS for SRV record _ldap._tcp.REALM
   b) Query DNS for A record REALM
   c) Use LDAP_URL if given
2) For user
   a) Use domain -D REALM and follow step 1)
   b) Use LDAP_URL if given

The Groups to check against are determined as follows:

1) For user@REALM
   a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
   b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@
   c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
2) For user
   a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
3) For NDOMAIN\user
   a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM

4) The query DNS for SRV record _ldap._tcp.REALM mechanism seems not to work for me although the DNS server is configured correctly and querying with dig SRV _ldap._tcp.REALM works fine. Anything to consider here?

_ldap._tcp.REALM SRV query was never sent so far. I would not see an obvious reason. Does -d show any hints ? I can only imagine that REALM is not what is sent by the client.

5) Similar issues with the Kerberos feature. Keytab and Kerberos config are available and exported, but the helper only says:

support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
support_ldap.cc(897): DEBUG: Kerberos is not supported. Use username/password with ldap url instead

The message support_ldap.cc(897): DEBUG: Kerberos is not supported. means your Kerberos installation is not fully available. It means HAVE_KRB5 is not set ( maybe header files were missing).

Can you give me some further information about the requirements of the helper regarding kerberos? I am trying to use it with Heimdal kerberos (Heimdal 1.3.3). negotiate_kerberos_auth for example works very well with the present kerberos libraries.

Can you send the config.log file ? For some reason HAVE_KRB5 is not set ( which is a bit strange as it is also used for the auth helper)

Instead of that I found a dns SRV _kerberos._udp.REALM query which was actually answered by the dns. I assume this is related to the Kerberos feature?

yes it is. It is a way to find the kdc.

6) Is it possible to use the helper when DNS service is not reachable? Got some error messages during testing:

kerberos_ldap_group: DEBUG: Canonicalise ldap server name 213.156.236.111:3268
kerberos_ldap_group: ERROR: Error while resolving ip address with getnameinfo: Temporary failure in name resolution
kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: Success

If you add a line to your hosts file and use the appropriate nsswitch.conf it should work. You can also add a line to the
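To make the man-page rules quoted in this thread concrete (which LDAP lookups the helper performs for user@REALM, user and NDOMAIN\user, and which -g entries apply to each form), here is an added Python re-implementation of them. This is example code written for this page, not the helper's own source; it performs no DNS or LDAP traffic, and its handling of NDOMAIN\user in discover_plan() (reuse the -N realm, then follow step 1) is an assumption, since the quoted text only covers that form for group selection.

```python
"""Re-implementation of the user/realm rules quoted above from the
ext_kerberos_ldap_group_acl man page (added example, not the helper's code).

No DNS or LDAP traffic: discover_plan() returns the ordered lookups the
man page lists, groups_to_check() the -g entries that apply to a user.
"""
from typing import Dict, List, Optional, Tuple


def parse_groups(g_option: str) -> List[str]:
    """Split a -g value such as 'GROUP1@REALM:GROUP2@:GROUP3' into entries."""
    return [g for g in g_option.split(":") if g]


def parse_netbios_map(n_option: str) -> Dict[str, str]:
    """Parse a -N value such as 'CORP@EXAMPLE.COM:LAB@LAB.LOCAL' into {NDOMAIN: REALM}."""
    mapping: Dict[str, str] = {}
    for entry in n_option.split(":"):
        if "@" in entry:
            ndomain, realm = entry.split("@", 1)
            mapping[ndomain.upper()] = realm
    return mapping


def classify_user(user: str, netbios_map: Dict[str, str]) -> Tuple[str, str, Optional[str]]:
    """Return (form, bare_user, realm) for 'user@REALM', 'NDOMAIN\\user' or 'user'.

    For the NetBIOS form the realm comes from the -N mapping and is None
    when no mapping exists for that NDOMAIN.
    """
    if "\\" in user:
        ndomain, bare = user.split("\\", 1)
        return "netbios", bare, netbios_map.get(ndomain.upper())
    if "@" in user:
        bare, realm = user.rsplit("@", 1)
        return "realm", bare, realm
    return "plain", user, None


def _entries_for_realm(entries: List[str], realm: str) -> List[str]:
    """-g entries of the form GROUP@REALM that carry exactly this realm."""
    return [g for g in entries if g.rsplit("@", 1)[1].upper() == realm.upper()]


def groups_to_check(user: str, g_option: str, n_option: str = "") -> List[str]:
    """Bare group names the helper checks for this user, in man-page order."""
    entries = parse_groups(g_option)
    form, _, realm = classify_user(user, parse_netbios_map(n_option))
    with_realm = [g for g in entries if "@" in g and not g.endswith("@")]  # GROUP@REALM
    at_only = [g for g in entries if g.endswith("@")]                       # GROUP@
    no_realm = [g for g in entries if "@" not in g]                         # GROUP
    if form == "realm":
        # 1a) GROUP@REALM for the user's realm, 1b) GROUP@, 1c) GROUP
        selected = _entries_for_realm(with_realm, realm) + at_only + no_realm
    elif form == "plain":
        # 2a) only entries without a realm
        selected = no_realm
    elif realm is None:
        # NDOMAIN\user with no -N mapping: no realm, so nothing can be checked
        return []
    else:
        # 3a) realm from -N, then the GROUP@REALM entries for that realm
        selected = _entries_for_realm(with_realm, realm)
    return [g.split("@", 1)[0] for g in selected]


def discover_plan(user: str, d_realm: str = "", ldap_url: str = "",
                  n_option: str = "") -> List[str]:
    """Ordered LDAP-server lookups for this user, as the man page describes.

    Assumption (not in the quoted man page text): NDOMAIN\\user reuses the
    -N realm and then follows step 1 like user@REALM.
    """
    form, _, realm = classify_user(user, parse_netbios_map(n_option))
    if form == "plain":
        # 2a) use -D REALM and follow step 1; 2b) otherwise LDAP_URL only
        if not d_realm:
            return [f"url {ldap_url}"] if ldap_url else []
        realm = d_realm
    if realm is None:
        return []
    # 1a) SRV _ldap._tcp.REALM, 1b) A REALM, 1c) LDAP_URL if given
    plan = [f"SRV _ldap._tcp.{realm}", f"A {realm}"]
    if ldap_url:
        plan.append(f"url {ldap_url}")
    return plan


if __name__ == "__main__":
    opts = "G1@EXAMPLE.COM:G2@:G3:G4@OTHER.COM"   # constructed -g value
    for u in ("alice@EXAMPLE.COM", "alice", "CORP\\alice"):
        print(u, groups_to_check(u, opts, n_option="CORP@EXAMPLE.COM"),
              discover_plan(u, d_realm="EXAMPLE.COM", ldap_url="ldap://dc1.example.com"))
```

Run it against your own -g / -N / -D / -l values before deploying the helper to see which group entries a given login form will actually be checked against.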
Re: [squid-users] Kerberos authentication problem - squid 3.4.11
Hi Ludovit,

How did you create the keytab ? Usually there is an option allowing you to select the encryption type. The other place to check would be /etc/krb5.conf. It can contain a list of supported encryption types. See http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html
default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes

Markus

Ludovit Koren wrote in message news:86h9usfpsk@gmail.com...

Markus Moeller hua...@moeller.plus.com writes:

Hi Ludovit,

Which Kerberos library version do you use ? Is it possible that the encryption types don't match ? I saw in your first email the following:

It is standard Heimdal library on FreeBSD:

# kinit --version
kinit (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-b...@h5l.org

FreeBSD 10.1-STABLE #1 r275861

Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time: Feb 9 14:55:18 2015
Start time: Feb 9 14:55:20 2015
End time: Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL

You are right... I tried to find out how to change it. Is it an option on the KDC server? I am not able to find anything relevant.

lk
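The mismatch Markus points out (a ticket issued with arcfour-hmac-md5 while the keytab only holds an aes128-cts-hmac-sha1-96 key for the same principal and kvno) is easy to miss by eye, so here is an added Python check that parses Heimdal `klist -v` and `ktutil list` text and reports why the keytab cannot decrypt the service ticket. This is example code written for this page, not part of the thread or of Squid; the two sample outputs are constructed from the values quoted above.

```python
"""Check a service ticket's enctype and kvno against the keytab.

Added example, not part of the thread: it parses Heimdal `klist -v` and
`ktutil -k FILE list` text and reports why a ticket for the HTTP/ service
principal cannot be decrypted by the keytab. The two samples below are
constructed from the values quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed `klist -v` excerpt (values as quoted in the thread).
KLIST_V = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
  Cache version: 4

Server: krbtgt/MDPT.LOCAL@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: aes128-cts-hmac-sha1-96
Ticket length: 1081

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
"""

# Constructed `ktutil -k /etc/krb5.keytab list` excerpt.
KTUTIL_LIST = """\
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL
"""


def parse_klist_tickets(text: str) -> Dict[str, Tuple[str, int]]:
    """Map server principal -> (ticket etype, kvno) from `klist -v` output."""
    tickets: Dict[str, Tuple[str, int]] = {}
    server = None
    for line in text.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)", line)
        if m:
            server = m.group(1)
            continue
        m = re.match(r"\s*Ticket etype:\s*(\S+),\s*kvno\s+(\d+)", line)
        if m and server:
            tickets[server] = (m.group(1), int(m.group(2)))
            server = None
    return tickets


def parse_keytab_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, etype, principal) rows from `ktutil list` output."""
    rows: List[Tuple[int, str, str]] = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def check_service_key(klist_text: str, keytab_text: str,
                      service_prefix: str = "HTTP/") -> List[str]:
    """Problems that stop the keytab from decrypting the service ticket.

    An empty list means every HTTP/ ticket in the cache has a keytab entry
    with the same principal, kvno and enctype, which is what
    gss_accept_sec_context() needs on the proxy side.
    """
    problems: List[str] = []
    keys = parse_keytab_listing(keytab_text)
    for server, (etype, kvno) in parse_klist_tickets(klist_text).items():
        if not server.startswith(service_prefix):
            continue
        mine = [(k, e) for k, e, p in keys if p == server]
        if not mine:
            problems.append(f"{server}: no keytab entry")
            continue
        kvnos = sorted({k for k, _ in mine})
        etypes = sorted({e for _, e in mine})
        if kvno not in kvnos:
            problems.append(f"{server}: ticket kvno {kvno} not in keytab kvnos {kvnos}")
        if etype not in etypes:
            problems.append(f"{server}: ticket etype {etype} not in keytab etypes {etypes}")
    return problems


if __name__ == "__main__":
    for p in check_service_key(KLIST_V, KTUTIL_LIST) or ["ok"]:
        print(p)
```

With the thread's values the only finding is the etype mismatch; after the keytab is regenerated with the enctype the KDC actually issues (or the KDC is restricted via the krb5.conf enctype settings named above), the check returns an empty list.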
Re: [squid-users] Kerberos authentication problem - squid 3.4.11
Hi Ludovit,

Which Kerberos library version do you use ? Is it possible that the encryption types don't match ? I saw in your first email the following:

Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time: Feb 9 14:55:18 2015
Start time: Feb 9 14:55:20 2015
End time: Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL

Markus

Ludovit Koren wrote in message news:86d25i9plr@gmail.com...

Markus Moeller hua...@moeller.plus.com writes:

Hi Ludovit,

I haven't seen that error before either, but when you test you should have your own user credentials in the cache. You should use kinit user@MDPT.LOCAL and then try again the test. Is the hostname correctly set to squid1.mdpt.local ? If not try

/usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME

Hello,

still no progress...

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: xkoren@MDPT.LOCAL

  Issued                Expires               Principal
Feb 10 08:41:06 2015  Feb 10 18:41:06 2015  krbtgt/MDPT.LOCAL@MDPT.LOCAL
Feb 10 08:42:17 2015  Feb 10 18:41:06 2015  HTTP/squid1.mdpt.local@MDPT.LOCAL

# hostname
squid1.mdpt.local

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/otiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed: Miscellaneous failure (see text). unknown mech-code 2529639093 for mech unknown
BH quit command

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print }' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
BH gss_accept_sec_context() failed: Miscellaneous failure (see text). unknown mech-code 2529639094 for mech unknown
BH quit command

regards,

lk
Re: [squid-users] Kerberos authentication problem - squid 3.4.11
Hi Ludovit,

I haven't seen that error before either, but when you test you should have your own user credentials in the cache. You should use kinit user@MDPT.LOCAL and then try again the test.

Is the hostname correctly set to squid1.mdpt.local? If not try

    /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME

Markus

Ludovit Koren wrote in message news:86a90nxj41@gmail.com...

> Hi,
>
> I have setup kerberos according to:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
>     # klist
>     Credentials cache: FILE:/tmp/krb5cc_0
>             Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
>
>       Issued                Expires               Principal
>     Feb  9 14:55:18 2015  Feb 10 00:55:18 2015  krbtgt/MDPT.LOCAL@MDPT.LOCAL
>     Feb  9 14:55:20 2015  Feb 10 00:55:18 2015  HTTP/squid1.mdpt.local@MDPT.LOCAL
>
>     # klist -v
>     Credentials cache: FILE:/tmp/krb5cc_0
>             Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
>       Cache version: 4
>
>     Server: krbtgt/MDPT.LOCAL@MDPT.LOCAL
>     Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
>     Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
>     Session key: aes128-cts-hmac-sha1-96
>     Ticket length: 1081
>     Auth time: Feb 9 14:55:18 2015
>     End time: Feb 10 00:55:18 2015
>     Ticket flags: enc-pa-rep, pre-authent, initial, forwardable
>     Addresses: addressless
>
>     Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
>     Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
>     Ticket etype: arcfour-hmac-md5, kvno 8
>     Ticket length: 1090
>     Auth time: Feb 9 14:55:18 2015
>     Start time: Feb 9 14:55:20 2015
>     End time: Feb 10 00:55:18 2015
>     Ticket flags: enc-pa-rep, pre-authent
>     Addresses: addressless
>
>     # ktutil -k /etc/krb5.keytab list
>     /etc/krb5.keytab:
>
>     Vno  Type                     Principal                          Aliases
>       8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL
>
> When I try to test it with the following command I get the error:
>
>     # /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
>     BH gss_accept_sec_context() failed: Miscellaneous failure (see text). unknown mech-code 2529639093 for mech unknown
>     BH quit command
>
> I cannot find anything suitable for the error code. Could you, please, point me in the right direction? Any hint appreciated.
>
> regards,
>
> lk
Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
>> Amos Jeffries wrote in message news:54BE3B5C.8040800 at treenet.co.nz...
>>
>>> On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
>>>> Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Kerberos domain name" mappings provided by the -N option? As far as I can tell, this mapping can also easily be done by writing your own helper perl script which is doing the mapping and finally feeds the more common ext_ldap_group_acl helper.
>>>
>>> Whatever floats your boat. The point of the Addon/Plugin/helpers API is that you can use scripts if they serve your needs better. All the usual Open Source benefits of many eyeballs and somebody else doing code maintenance for you apply to using a bundled helper over a custom written one.
>>>
>>> Beyond that the kerberos helper also provides automatic detection of which LDAP server to use via multiple auto-configuration methods.
>>
>> The idea of the helper was to automate most of the configuration (ignoring some performance) and avoid using a username/password, support users from multiple domains. Secondly I wanted to check for nested groups which was not available in the existing helper and thirdly I also check now against the primary group of the user.
>
> Thank you Markus for your explanations. I played around with ext_kerberos_ldap_group_acl and would like to go into some details:
>
> 1) Is it possible to define more than one LDAP server (e.g. for high availability reasons)? The -l parameter allows only one ldap url while -S allows several server-realm mappings.

I didn't see the need. The -l was more for cases when digest or basic auth is used and I do not know the domain to check against. So a fallback option.

> 2) Is it correct that, compared to ext_ldap_group_acl, ext_kerberos_ldap_group_acl does not require a groupname as input (from stdin), because -g -t -T or -D control the group name?!

You have two options with ext_kerberos_ldap_group_acl: as input or as -g .. control.

> 3) What is the use case for defining -g GROUP@? What is the difference to -g GROUP (without @)?

-g GROUP is for all users including the ones with no provided domain. The man pages describe it a bit under Note:

    1) For user@REALM
       a) Query DNS for SRV record _ldap._tcp.REALM
       b) Query DNS for A record REALM
       c) Use LDAP_URL if given
    2) For user
       a) Use domain -D REALM and follow step 1)
       b) Use LDAP_URL if given

    The Groups to check against are determined as follows:

    1) For user@REALM
       a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
       b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@
       c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
    2) For user
       a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
    3) For NDOMAIN\user
       a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM

> 4) The query DNS for SRV record _ldap._tcp.REALM mechanism seems not to work for me although the DNS server is configured correctly and querying with dig SRV _ldap._tcp.REALM works fine. Anything to consider here? The _ldap._tcp.REALM SRV query was never sent so far.

I would not see an obvious reason. Does -d show any hints? I can only imagine that REALM is not what is sent by the client.

> 5) Similar issues with the Kerberos feature. Keytab and Kerberos config are available and exported, but the helper only says:
>
>     support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
>     support_ldap.cc(897): DEBUG: Kerberos is not supported. Use username/password with ldap url instead

The message "support_ldap.cc(897): DEBUG: Kerberos is not supported." means your Kerberos installation is not fully available. It means HAVE_KRB5 is not set (maybe header files were missing).

> Instead of that I found a dns SRV _kerberos._udp.REALM query which was actually answered by the dns. I assume this is related to the Kerberos feature?

Yes it is. It is a way to find the kdc.

> 6) Is it possible to use the helper when the DNS service is not reachable? Got some error messages during testing:
>
>     kerberos_ldap_group: DEBUG: Canonicalise ldap server name 213.156.236.111:3268
>     kerberos_ldap_group: ERROR: Error while resolving ip address with getnameinfo: Temporary failure in name resolution
>     kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: Success

If you add a line to your hosts file and use the appropriate nsswitch.conf it should work. You can also add a line to the hosts file for the domain for the case the SRV record fails.

> Beside these tiny issues the helper works excellently (tested with basic, NTLM and Kerberos authentication). I am just trying to discover the whole potential.
>
> Thank you very much for any responses.
>
> Regards
> Simon

Regards
Markus

>>> If you can demonstrate
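The realm and group selection rules Markus quotes from the man page (which LDAP realm is chosen for user@REALM, a bare user, or NDOMAIN\user, and which -g entries apply to each) can be checked offline before touching squid.conf. The following is an added example of my own, not the helper's code, that implements those rules so you can see which -g entries will be checked for a given username shape. It assumes the three sub-rules for user@REALM are cumulative (all matching entries are checked, in the listed order) and that realms compare case-insensitively; the man page text does not say whether a), b) and c) are fallbacks, so confirm against the helper's -d output. The DNS SRV/A lookups for the LDAP server are out of scope; only the realm they would be made for is returned.

```python
def parse_g(option):
    """Split a -g value such as 'GROUP1@REALM:GROUP2@:GROUP3' into (name, realm)
    pairs. realm is '' for 'GROUP@' (any realm) and None for a bare 'GROUP'."""
    groups = []
    for item in option.split(":"):
        if not item:
            continue
        if "@" in item:
            name, realm = item.split("@", 1)
            groups.append((name, realm.upper()))   # assumption: realms compared case-insensitively
        else:
            groups.append((item, None))
    return groups


def parse_n(option):
    """Split a -N value such as 'CORP@EXAMPLE.COM:LAB@LAB.NET' into {NETBIOS: REALM}."""
    mapping = {}
    for item in option.split(":"):
        if "@" in item:
            netbios, realm = item.split("@", 1)
            mapping[netbios.upper()] = realm.upper()
    return mapping


def resolve(username, g_option, n_option="", default_realm=None):
    """Return (realm, groups) as the helper would derive them for `username`.
    realm is the REALM the LDAP server would be looked up for (SRV/A/LDAP_URL
    steps omitted here); groups are the -g entries that apply, in man-page order."""
    groups = parse_g(g_option)
    if "\\" in username:                               # 3) NDOMAIN\user
        netbios = username.split("\\", 1)[0]
        realm = parse_n(n_option).get(netbios.upper())
        if realm is None:
            return None, []                            # no -N mapping for this NetBIOS name
        return realm, [g for g, r in groups if r == realm]
    if "@" in username:                                # 1) user@REALM
        realm = username.split("@", 1)[1].upper()
        return realm, ([g for g, r in groups if r == realm]        # a) GROUP@REALM
                       + [g for g, r in groups if r == ""]         # b) GROUP@
                       + [g for g, r in groups if r is None])      # c) GROUP
    return default_realm, [g for g, r in groups if r is None]      # 2) user: -D realm, bare groups


if __name__ == "__main__":
    # Hypothetical option values for illustration; group names are not from the thread.
    G = "SOCKS_ALLOW@WIN2003R2.HOME:PROXY_USERS@:INTERNET"
    for user in ("markus@win2003r2.home", "markus", "WIN2003R2\\markus"):
        print(user, "->", resolve(user, G, "WIN2003R2@WIN2003R2.HOME", "WIN2003R2.HOME"))
```

The practical check this gives you: a bare username (what basic or digest authentication produces) only ever matches realm-less -g entries plus the -D realm, and a NetBIOS-prefixed name matches nothing at all unless -N maps it to a realm.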
Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
Amos Jeffries wrote in message news:54be3b5c.8040...@treenet.co.nz...

> On 20/01/2015 11:31 p.m., Simon Stäheli wrote:
>> Are there any other benefits in using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl except the "Netbios name to Kerberos domain name" mappings provided by the -N option? As far as I can tell, this mapping can also easily be done by writing your own helper perl script which is doing the mapping and finally feeds the more common ext_ldap_group_acl helper.
>
> Whatever floats your boat. The point of the Addon/Plugin/helpers API is that you can use scripts if they serve your needs better. All the usual Open Source benefits of many eyeballs and somebody else doing code maintenance for you apply to using a bundled helper over a custom written one.
>
> Beyond that the kerberos helper also provides automatic detection of which LDAP server to use via multiple auto-configuration methods.

The idea of the helper was to automate most of the configuration (ignoring some performance) and avoid using a username/password, support users from multiple domains. Secondly I wanted to check for nested groups which was not available in the existing helper and thirdly I also check now against the primary group of the user.

> If you can demonstrate that the ext_kerberos_ldap_group_acl does provide a superset of the functionality of ext_ldap_group_acl helper then I can de-duplicate the two helpers.
>
> Amos

Regards
Markus
Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
Amos Jeffries wrote in message news:54be53b2.9070...@treenet.co.nz...

> On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
>>> Whatever floats your boat. The point of the Addon/Plugin/helpers API is that you can use scripts if they serve your needs better. All the usual Open Source benefits of many eyeballs and somebody else doing code maintenance for you apply to using a bundled helper over a custom written one.
>>>
>>> Beyond that the kerberos helper also provides automatic detection of which LDAP server to use via multiple auto-configuration methods.
>>>
>>> If you can demonstrate that the ext_kerberos_ldap_group_acl does provide a superset of the functionality of ext_ldap_group_acl helper then I can de-duplicate the two helpers.
>>>
>>> Amos
>>
>> Thanks for the hint regarding automatic detection of LDAP servers. I am just trying to find what the differences between the two helpers are and which one does fit my needs better. Any others?
>
> Nothing I can pick out easily.
>
>> Do you know anything about the feature in ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an earlier post?
>>
>>> I have a new method in my squid 3.4 patch which uses the Group Information MS is putting in the ticket. This would eliminate the ldap lookup completely.
>>
>> (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)
>
> I think that refers to a work in progress. Markus maintains the un-bundled version of his helpers a little in advance of what has made it into the Squid stable branch. Some of what is available in his helper downloads is only in the Squid-3.HEAD alpha development code so far.
>
> I am working on obsoleting the need for external group helpers. From 3.5 auth helpers can deliver to Squid a set of group= kv-pairs in their response. Those can be used with the note ACL type to check group names without any external_acl_type helper lookup (making group checks possible in 'fast' access controls).
>
> Markus joined me in this project and his latest kerberos auth helper (in 3.HEAD and his versions - *not* the 3.5 bundled version) produces group= kv-pairs. Unfortunately they are in the obscure S-*-*-* registry ID format MS uses. The external_acl_type helper interface cannot yet be passed notes to decipher that to a known group name.

The Kerberos authentication helper extracts the Microsoft authorisation data from the Kerberos ticket. This so called PAC data contains the AD Security Groups a user belongs to (even over a forest/domain as far as I recall, and nested groups). The format of the authorisation data is the AD objectsid which the helper returns in base64 encoding. So now instead of querying LDAP an external helper just needs to compare the base64 encoded SID with a predefined SID. You just have to know the SID when you set up the configuration in the same way as you have to know the AD group name with an ldap helper.

From a Unix system you can easily get the object sid if you know the groupname, e.g.

    # kinit mar...@win2003r2.home
    # ldapsearch -LLL -H ldap://w2k3r2.win2003r2.home -s sub -b "DC=WIN2003R2,DC=HOME" "(CN=SOCKS_ALLOW)" objectsid
    SASL/GSSAPI authentication started
    SASL username: mar...@win2003r2.home
    SASL SSF: 56
    SASL data security layer installed.
    dn: CN=SOCKS_ALLOW,OU=Groups,DC=win2003r2,DC=home
    objectSid:: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==

Any ldap browser like ldapadmin can also show the objectsid.

I have also a tool which I can provide to convert a SID into a base64 value. Examples:

    # ./convert_sid S-1-5-21-1828870822-1098772068-2592627279-1163
    base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
    hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
    SID: S-1-5-21-1828870822-1098772068-2592627279-1163

    # ./convert_sid AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
    base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
    hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
    SID: S-1-5-21-1828870822-1098772068-2592627279-1163

    # ./convert_sid 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
    base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
    hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
    SID: S-1-5-21-1828870822-1098772068-2592627279-1163

Please let me know if you have questions, comments or ideas.

Regards
Markus

> Amos
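The convert_sid tool Markus mentions is his own and is not bundled with Squid. The following added example (mine, not Markus's tool or any Squid code) performs the same three-way conversion in Python (textual SID, binary SID as base64, binary SID as space-separated hex), plus the one comparison an external ACL helper would actually need to do: the base64 group= value that negotiate_kerberos_auth emits against a SID configured by the administrator. It uses the SOCKS_ALLOW SID from the ldapsearch output above as its test value. The binary layout it encodes is the standard Windows SID encoding used by objectSid and the PAC: a revision byte, a sub-authority count byte, a 48-bit big-endian identifier authority, then each sub-authority as a little-endian 32-bit integer.

```python
import base64
import struct


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used by AD objectSid and the PAC:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (48-bit big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(raw):
    """Decode the binary layout back into S-R-A-S1-... text, checking the length
    against the sub-authority count so truncated blobs are rejected."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def convert_sid(value):
    """Accept a textual SID, a base64 blob, or space-separated hex bytes and
    return all three forms, like the convert_sid examples shown above."""
    v = value.strip()
    tokens = v.split()
    if v.upper().startswith("S-"):
        raw = sid_to_bytes(v)
    elif len(tokens) >= 8 and all(len(t) == 2 for t in tokens):
        raw = bytes.fromhex("".join(tokens))
    else:
        raw = base64.b64decode(v, validate=True)
    return {
        "sid": bytes_to_sid(raw),
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": " ".join(f"{b:02x}" for b in raw),
    }


def sid_matches(helper_group_value, allowed_sid):
    """The comparison an external ACL helper needs: the base64 group= value
    from negotiate_kerberos_auth against a configured textual SID. Comparing
    decoded bytes rather than strings avoids base64 padding/whitespace differences."""
    return base64.b64decode(helper_group_value) == sid_to_bytes(allowed_sid)


if __name__ == "__main__":
    for form in ("S-1-5-21-1828870822-1098772068-2592627279-1163",
                 "AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA=="):
        out = convert_sid(form)
        print(f"base64 encoded: {out['base64']}\nhexadecimal: {out['hex']}\nSID: {out['sid']}\n")
```

Because a 28-byte SID (five sub-authorities) always base64-encodes to a 40-character string, a group= value of any other length for a domain group SID is a sign the value was truncated somewhere between the helper and the ACL check.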
Re: [squid-users] Proxy to proxy authentication
I thought it wasn't trivial, otherwise it would have been already done. ;-)

Thank you
Markus

Amos Jeffries wrote in message news:54a3416f.9060...@treenet.co.nz...

> On 31/12/2014 7:59 a.m., Markus Moeller wrote:
>> Hi Amos,
>>
>>> On 30/12/2014 3:31 p.m., Markus Moeller wrote:
>>>> Hi,
>>>>
>>>> Can squid authenticate to an upstream proxy using digest? If I saw it right cache_peer allows basic and negotiate only (or passthrough).
>>>>
>>>> Thank you
>>>> Markus
>>>
>>> Not yet.
>>>
>>> Amos
>>
>> Is it planned to add or no real interest in it?
>
> Mostly lack of interest. As usual if you are interested please feel free to code. :-)
>
> The biggest issue is that Digest like NTLM does not permit the initial challenge step to be avoided. So Squid has to be made to handle request retry when fetching the first nonce. The peer is supposed to supply a next-nonce before the old one expires so further retries *should* not be necessary, but may also happen on persistent connections.
>
> Amos
Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed
Hi Pedro,

Did you try the -s GSS_C_NO_NAME option?

Markus

Pedro Lobo <pal...@gmail.com> wrote in message news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...

> Hey Everybody,
>
> Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and XP/2003 machines are working just fine. I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH
>
> Craving ideas and solutions right now... Pilot users are less than satisfied ;)
>
> Cheers,
> Pedro
>
> On 25 Oct 2014, at 14:13, Markus Moeller wrote:
>
>> Hi Pedro,
>>
>> I wonder if the upper case in the name is a problem. Can you try
>>
>>     auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME
>>
>> instead of
>>
>>     auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
>>
>> Markus
>>
>> Pedro Lobo <pal...@gmail.com> wrote in message news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
>>
>>> Hi Markus,
>>>
>>> I used msktutil to create the keytab.
>>>
>>>     msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
>>>
>>> Output of klist -ekt:
>>>
>>>     2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
>>>     2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
>>>     2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
>>>     2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (arcfour-hmac)
>>>     2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (aes128-cts-hmac-sha1-96)
>>>     2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (aes256-cts-hmac-sha1-96)
>>>     2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (arcfour-hmac)
>>>     2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (aes128-cts-hmac-sha1-96)
>>>     2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (aes256-cts-hmac-sha1-96)
>>>
>>> Yep, using MIT Kerberos
>>>
>>> Thanks in advance for any help.
>>>
>>> Cheers,
>>> Pedro
>>>
>>> On 25 Oct 2014, at 1:26, Markus Moeller wrote:
>>>
>>>> Hi Pedro,
>>>>
>>>> How did you create your keytab? What does klist -ekt squid.keytab show (I assume you use MIT Kerberos)?
>>>>
>>>> Markus
>>>>
>>>> Pedro Lobo <pal...@gmail.com> wrote in message news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
>>>>
>>>>> Hi Squid Gurus,
>>>>>
>>>>> I'm at my wit's end and in dire need of some squid expertise. We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry.
>>>>>
>>>>> If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just fine, however, if I use a Windows 7, 8 or 2008 server machine, I keep getting a popup asking me to authenticate and even then, it's an endless loop until it fails.
>>>>>
>>>>> My cache.log is littered with:
>>>>>
>>>>>     negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
>>>>>     2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
>>>>>
>>>>> The odd thing, is that this has worked before. Help me Obi Wan... You're my only hope! :)
>>>>>
>>>>> Current Setup
>>>>>
>>>>> Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to phase out the older servers).
>>>>>
>>>>> krb5.conf
>>>>>
>>>>>     [libdefaults]
>>>>>         default_realm = FAKE.NET
>>>>>         dns_lookup_kdc = yes
>>>>>         dns_lookup_realm = yes
>>>>>         ticket_lifetime = 24h
>>>>>         default_keytab_name = /etc/squid3/PROXY.keytab
>>>>>     ; for Windows 2003
>>>>>         default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>>>>         default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>>>>         permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>>>>>
>>>>>     [realms]
>>>>>         FAKE.NET = {
>>>>>             kdc = srv01.fake.net
>>>>>             kdc = srv02.fake.net
>>>>>             kdc = srv03.fake.net
>>>>>             admin_server = srv01.fake.net
>>>>>             default_domain = fake.net
>>>>>         }
>>>>>
>>>>>     [domain_realm]
>>>>>         .fake.net = FAKE.NET
>>>>>         fake.net = FAKE.NET
>>>>>
>>>>>     [logging]
>>>>>         kdc = FILE:/var/log/kdc.log
>>>>>         admin_server = FILE:/var/log/kadmin.log
>>>>>         default = FILE:/var/log/krb5lib.log
>>>>>
>>>>> squid.conf
>>>>>
>>>>>     auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
>>>>>     auth_param negotiate children 20 startup=0 idle=1
>>>>>     auth_param negotiate keep_alive off
>>>>>
>>>>>     auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
>>>>>     auth_param ntlm children 10
>>>>>     auth_param ntlm keep_alive off
>>>>>
>>>>> Cheers,
>>>>> Pedro
>>>>>
>>>>> Regards
>>>>> Pedro Lobo
Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed
Hi Pedro,

Can you capture the traffic from one Windows 7 and one XP client on port 88 (just after the login, before accessing a website via squid, until successfully or unsuccessfully accessing the website) using wireshark? Send me the .cap files to check.

Markus

Pedro Lobo <pal...@gmail.com> wrote in message news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...

> Hi Markus,
>
> Yeah, I'm currently using that option and permissions are correct too.
>
> On 27 Oct 2014 19:47, Markus Moeller wrote:
>
>> Hi Pedro,
>>
>> Did you try the -s GSS_C_NO_NAME option?
>>
>> Markus
>>
>> Pedro Lobo <pal...@gmail.com> wrote in message news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
>>
>>> Hey Everybody,
>>>
>>> Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and XP/2003 machines are working just fine. I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH
>>>
>>> Craving ideas and solutions right now... Pilot users are less than satisfied ;)
>>>
>>> Cheers,
>>> Pedro
Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed
Hi Pedro,

How did you create your keytab? What does klist -ekt squid.keytab show (I assume you use MIT Kerberos)?

Markus

Pedro Lobo <pal...@gmail.com> wrote in message news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...

> Hi Squid Gurus,
>
> I'm at my wit's end and in dire need of some squid expertise. We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry.
>
> If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just fine, however, if I use a Windows 7, 8 or 2008 server machine, I keep getting a popup asking me to authenticate and even then, it's an endless loop until it fails.
>
> My cache.log is littered with:
>
>     negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
>     2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
>
> The odd thing, is that this has worked before. Help me Obi Wan... You're my only hope! :)
>
> Current Setup
>
> Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to phase out the older servers).
>
> krb5.conf
>
>     [libdefaults]
>         default_realm = FAKE.NET
>         dns_lookup_kdc = yes
>         dns_lookup_realm = yes
>         ticket_lifetime = 24h
>         default_keytab_name = /etc/squid3/PROXY.keytab
>     ; for Windows 2003
>         default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>         permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
>     [realms]
>         FAKE.NET = {
>             kdc = srv01.fake.net
>             kdc = srv02.fake.net
>             kdc = srv03.fake.net
>             admin_server = srv01.fake.net
>             default_domain = fake.net
>         }
>
>     [domain_realm]
>         .fake.net = FAKE.NET
>         fake.net = FAKE.NET
>
>     [logging]
>         kdc = FILE:/var/log/kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
>
> squid.conf
>
>     auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
>     auth_param negotiate children 20 startup=0 idle=1
>     auth_param negotiate keep_alive off
>
>     auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
>     auth_param ntlm children 10
>     auth_param ntlm keep_alive off
>
> Cheers,
> Pedro
>
> Regards
> Pedro Lobo
> Solutions Architect | System Engineer
> pedro.l...@pt.clara.net
> Claranet Portugal
> www.claranet.pt
Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Hi Victor,

That sounds a bit strange. Can you capture with wireshark the traffic on port 88 on the system which has squiduser in the cache (best after clearing the cache with kerbtray first) when accessing squid and send it to me as a cap file?

Markus

Victor Sudakov wrote in message news:20141016161928.ga49...@admin.sibptus.tomsk.ru...

> This question is neither exactly squid-related nor Heimdal-related, but maybe some guru could shed some light.
>
> I configure MSIE to use the proxy server proxy.sibptus.transneft.ru. On starting MSIE, some Windows hosts request a ticket for the principal HTTP/proxy.sibptus.transneft.ru and receive it from the DC and get authenticated successfully by squid. So far so good.
>
> However, some other Windows hosts when requesting a ticket for HTTP/proxy.sibptus.transneft.ru, in fact receive a ticket for squidu...@sibptus.transneft.ru (kerbtray.exe shows this) and therefore fail to get authenticated by squid.
>
> squidu...@sibptus.transneft.ru is the AD account to which the SPN HTTP/proxy.sibptus.transneft.ru is bound. But why they receive a ticket for a different name than requested is beyond me.
>
> Has anyone seen anything like this? The KDC involved is the w2k AD.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [squid-users] Kerberos auth not working
Can you capture the traffic on port 88 from the PC to AD after a clean boot and when you access squid?

Markus

masterx81 wrote in message news:1412360733691-4667648.p...@n4.nabble.com...

> All solved! Seems that kerberos is ALWAYS not working only on a specific workstation. If I use kerberos from any other pc it works as expected. What can cause the error on that specific workstation? I've reinstalled the os due to this problem, and it's still there (os preinstalled, so I've used the recovery procedure from hp, maybe the problem is in the recovery os image).