Re: [squid-users] Kerberos authentication with multiple squids

2021-10-17 Thread Markus Moeller
I see,  I think this would mean using Basic Auth to proxy1 which then gets a 
Kerberos ticket for the user to authenticate to proxy2.  This is possible, 
but I would not think it is a good secure option.


Regards
Markus

"Grant Taylor"  wrote in message 
news:a2070fca-07fd-9a67-3f23-551c1fe77...@spamtrap.tnetconsulting.net...

On 10/16/21 1:31 PM, Markus Moeller wrote:

I think you are talking about a KDC proxy, which is for another case.


I don't think so.  I'm not talking about using a proxy to access the KDC.

I'm talking about using a component of the following scenario:

1)  Client uses traditional username and password to authenticate to an
IMAP server.
2)  IMAP server uses the provided credentials to request some sort of
ticket (I don't remember what type) on the user's behalf.
3)  IMAP server uses the ticket on the user's behalf to access the
user's messages stored on an NFS server.

I'm suggesting that the proxy1 (from the other message) do something on
the user's behalf to request a ticket for the user that proxy1 can then
use to authenticate as the user to proxy2.

It's been quite a while since I've read about this so I may be
completely wrong.  But I distinctly remember there was a way to have an
intermediate (e.g. IMAP) server accept username and password from
clients and access a backend file server on the client's behalf in such
a way that the backend server saw normal kerberized connections.



--
Grant. . . .
unix || die
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 





Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller

Hi Amos,

  If you let me know where exactly I can add a few lines.

  One way to make this setup work would be to add proxy1 also to AD like 
proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using 
ktutil. The negotiate_kerberos_auth helper would require the -s 
GSS_C_NO_NAME option to select either key.


 A second option is to add a second service principal name to the proxy2 AD 
account and use -s GSS_C_NO_NAME.


Regards
Markus


"Amos Jeffries"  wrote in message 
news:95c70ccd-5c15-3395-2103-3025ef043...@treenet.co.nz...



On 14/10/21 8:48 am, Markus Moeller wrote:
The problem lies more in how Kerberos proxy authentication works. 
The client uses the proxy name to create a ticket, and in this case it 
would be the name of the first proxy, e.g. proxy1.internal.  The first 
proxy will pass it through to the authenticating proxy, proxy2.internal, for 
authentication. Now the client, receiving a 407, thinks that proxy1 asked 
for authentication (not knowing it is only a passthrough) and will ask for 
a ticket for proxy1, which it can't get as proxy1 is not in AD.  Even if 
proxy1 were in AD, the client would send a proxy1 ticket to proxy2, 
which would be rejected.


Markus


Aha. That makes sense.

Can we get the Kerberos auth wiki page updated with that info? This is
something that has come up a few times.


Cheers
Amos





Re: [squid-users] Kerberos authentication with multiple squids

2021-10-16 Thread Markus Moeller

I think you are talking about a KDC proxy, which is for another case.

Regards
Markus

"Grant Taylor"  wrote in message 
news:b815528d-34ff-0fed-3194-dc6f34199...@spamtrap.tnetconsulting.net...


On 10/13/21 1:48 PM, Markus Moeller wrote:

The problem lies more in how Kerberos proxy authentication
works. The client uses the proxy name to create a ticket, and in this
case it would be the name of the first proxy, e.g. proxy1.internal.  The
first proxy will pass it through to the authenticating proxy,
proxy2.internal, for authentication.


My understanding is that there is a way that a Kerberized service
(proxy1 in this case) could act as a Kerberos protocol proxy agent (of
sorts) and ask for a special type of Kerberos ticket on behalf of the
client (client0) asking it (proxy1) for service which it (proxy1) would
use when forwarding connections on to another host (proxy2 in this
case).  Is my general understanding of Kerberos wrong?

Does Squid support such Kerberos protocol proxy agent (term?) support?



--
Grant. . . .
unix || die






Re: [squid-users] Kerberos authentication with multiple squids

2021-10-13 Thread Markus Moeller
The problem lies more in how Kerberos proxy authentication works. 
The client uses the proxy name to create a ticket, and in this case it would 
be the name of the first proxy, e.g. proxy1.internal.  The first proxy will 
pass it through to the authenticating proxy, proxy2.internal, for 
authentication. Now the client, receiving a 407, thinks that proxy1 asked for 
authentication (not knowing it is only a passthrough) and will ask for a 
ticket for proxy1, which it can't get as proxy1 is not in AD.  Even if 
proxy1 were in AD, the client would send a proxy1 ticket to proxy2, which 
would be rejected.


Markus





"Amos Jeffries"  wrote in message 
news:ac36f75f-97c7-211e-a5bd-b12b7035a...@treenet.co.nz...


On 12/10/21 9:33 pm, 森 隆聡 wrote:

I made a Single Sign On environment with AD+Squid and it worked fine.

[It works]
Client(Windows) -> Squid(CentOS) -> Internet

* Client is joined to the domain and Squid is configured for Kerberos 
authentication with AD.


But after adding another squid, it didn't work.


...


Do I misunderstand something, or does Squid originally not support
multiple proxies that relay Kerberos authentication information?



login=PASSTHRU means your Squid plays no part in the authentication. It
literally passes the peer the same Proxy-Auth* headers it receives from
the client, and the resulting response ones go back to the client.
 Which means auth issues are a problem with either the client or server
software. Squid cannot do anything about those.


Amos





Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller



"Alex Rousskov"  wrote in message 
news:7e75c2bf-51db-f8c3-73f0-ba7fca55e...@measurement-factory.com...


On 10/9/21 1:46 PM, Markus Moeller wrote:

I try to find a way how squid can "route" all Internet
domains to a default proxy and a subset of well-defined domains to the
"special" proxy (and have "internal" traffic based on IP ranges go
direct)


Assuming the latter conditions overwrite the former ones, the part that
remains unclear is what you want Squid to do when the request does not
match any of the three conditions above. For example, consider a request
that uses an IP address as a destination, and that IP address is not in
the "go direct" range, and its reverse DNS lookup is unsuccessful so
there is no "domain" that the proxy selection rules are based on.



Thank you, I am aware of these "edge" cases. Do I assume correctly that if an IP 
is used and no reverse DNS is performed it would forward to the Internet 
proxy (in my example)?




Another similar question is what should Squid do with domain names that
do not resolve to an IP address. Since Squid is configured to use parent
proxies, Squid could let those proxies try to resolve the domain name,
blindly assuming that the resolution at a parent proxy will not match
one of the "go direct" IPs (a match would possibly indicate that the
decision to go to a parent proxy was wrong in the first place!).



Did I see correctly that ACLs can be built with regex to handle this? For now I 
ignore it.



The final set of questions deals with HTTPS traffic. For example, if
clients sent HTTPS requests, are you OK with Squid making routing
decisions based on the target of the initial CONNECT request?



Sorry, I don't get this. What is different when using CONNECT compared to a GET in 
regards to routing?





Thank you for spotting the !. I got confused with the combinations of
the never/always direct statement.


Does your test case work after removing that "!"? If not, please share
the updated debugging snippets.



Yes it looks good now. Thank you.



Thank you,

Alex.



Thank you for pointing out the "edge" cases
Markus 





Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
"Alex Rousskov"  wrote in message 
news:cbe23671-7b3c-e270-f3f4-593d4f030...@measurement-factory.com...


On 10/9/21 9:06 AM, Markus Moeller wrote:

Hi,

I have now tested with the below config and I see my first request
works, but the second fails. So I am not sure if it is still a
configuration issue or something else.




always_direct allow localdst
never_direct deny !localdst


I (still) do not know what you want to achieve exactly (see my previous
response for more specific questions), but the above combination looks
suspicious to me. I would expect traffic that should always go direct to
be denied in the never_direct rule instead. Did you mean for that "!" to
be there?


Apologies if it is still not clear. I want to chain 2 proxies to the Internet, 
but a subset of Internet domains has to go to a "special" set of proxies. 
So I try to find a way how squid can "route" all Internet domains to a 
default proxy and a subset of well-defined domains to the "special" proxy 
(and have "internal" traffic based on IP ranges go direct)


Thank you for spotting the !. I got confused with the combinations of the 
never/always direct statement.





I did not check the debugging trace carefully, but it may be the reason
why Squid cannot forward some requests -- it is getting an
impossible-to-satisfy or self-contradictory directions.


BTW, thank you for posting the debugging trace! Please keep doing that
if you need further help.

Alex.




# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

#acl localdst dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7               # RFC 4193 local private network range
acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl google dstdomain -n .google.com

cache_peer internetproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer authproxy.example.com parent 8080 0 no-query no-digest no-netdb-exchange default login=NEGOTIATE auth-no-keytab
# Only google to auth proxy
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
# All other external domains
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
# Local goes direct
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all

debug_options 44,10 11,20



The first test looked fine:

#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Length: 0
< Date: Sat, 09 Oct 2021 12:29:23 GMT
< X-Cache: MISS from clientproxy
< X-Cache-Lookup: MISS from clientproxy:3128
< Connection: keep-alive
<
* Connection #0 to host localhost left intact


Second request failed with a cache error:


#curl -vvv -x http://localhost:3128 http://www.google.com
* Uses proxy env variable no_proxy == 'localhost, 127.0.0.1'
*   Trying 127.0.0.1:3128...
* Connected to localhost (127.0.0.1) port 3128 (#0)

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: curl/7.75.0
Accept: */*
Proxy-Connection: Keep-Alive


* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.1-VCS
< Mime-Version: 1.0
< Date: Sat, 09 Oct 20

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller
 
PeerSelector2 found conn16 local=0.0.0.0 remote=172.217.23.100:80 
HIER_DIRECT flags=1, destination #1 for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1177) handlePath: 
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1178) handlePath: 
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(1179) handlePath: 
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 11,7| HttpRequest.cc(468) clearError: old: 
ERR_NONE
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(479) resolveSelected: 
PeerSelector2 found all 1 destinations for http://www.google.com/
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(480) resolveSelected: 
always_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(481) resolveSelected: 
never_direct = DENIED
2021/10/09 13:29:27.287 kid1| 44,2| peer_select.cc(482) resolveSelected: 
timedout = 0
2021/10/09 13:29:27.287 kid1| 44,7| peer_select.cc(1149) 
interestedInitiator: PeerSelector2
2021/10/09 13:29:27.287 kid1| 44,3| peer_select.cc(241) ~PeerSelector: 
http://www.google.com/
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(279) sendStartOfMessage: HTTP 
Client conn15 local=127.0.0.1:3128 remote=127.0.0.1:45219 FD 12 flags=1
2021/10/09 13:30:27.421 kid1| 11,2| Stream.cc(280) sendStartOfMessage: HTTP 
Client REPLY:

-
HTTP/1.1 503 Service Unavailable
Server: squid/5.1-VCS
Mime-Version: 1.0
Date: Sat, 09 Oct 2021 12:30:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3573
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from clientproxy
X-Cache-Lookup: MISS from clientproxy:3128
Connection: keep-alive


--






Thank you
Markus





"Markus Moeller"  wrote in message news:sjrrhc$lat$1...@ciao.gmane.io...

I understand now better the concept.

Thank you
Markus


"Alex Rousskov"  wrote in message
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...

On 10/8/21 8:02 PM, Markus Moeller wrote:


I try to set up a proxy chain, but don't get the setup right. I have one
squid with 2 parents: one with auth for domainA.com and one without auth for
the non-local IPs (i.e. Internet).



With the below config I see domainA.com still going to the
unauthenticated parent proxy. Any hint why ?


Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of

* send green traffic to auth-proxy
* send blue traffic to parent-proxy

This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.

If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:

# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

What "green" means exactly in your case, I do not know (due to the
questions like those listed above).


If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:

# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all

# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all

Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.

Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, 

Re: [squid-users] squid 5 and parent peers

2021-10-09 Thread Markus Moeller

I understand now better the concept.

Thank you
Markus


"Alex Rousskov"  wrote in message 
news:3dec529a-b62e-1e95-6cb7-0b68f6bf3...@measurement-factory.com...


On 10/8/21 8:02 PM, Markus Moeller wrote:


I try to set up a proxy chain, but don't get the setup right. I have one
squid with 2 parents: one with auth for domainA.com and one without auth for
the non-local IPs (i.e. Internet).



With the below config I see domainA.com still going to the
unauthenticated parent proxy. Any hint why ?


Several factors can explain that, but I would start by rephrasing your
request routing requirements (and the corresponding configuration rules)
as mutually exclusive (if they are). Currently, you have formulated and
configured the equivalent of

* send green traffic to auth-proxy
* send blue traffic to parent-proxy

This approach leaves important questions like "What about yellow
traffic?" and "What about traffic with green and blue dots?" unanswered.

If you want every request to go to either auth-proxy or parent-proxy,
then say so explicitly:

# green (and only green!) traffic to auth-proxy
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green!) traffic to parent-proxy
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

What "green" means exactly in your case, I do not know (due to the
questions like those listed above).


If you want every request to go to either auth-proxy, parent-proxy, or
direct, then your rules will become a bit more complex, but all three
routes should still be mutually exclusive:

# green (and only green) traffic to auth-proxy
# but exclude traffic that should go direct
cache_peer_access auth-proxy deny meantToGoDirect
cache_peer_access auth-proxy allow green
cache_peer_access auth-proxy deny all

# not green (and only not green) traffic to parent-proxy
# but exclude traffic that should go direct
cache_peer_access parent-proxy deny meantToGoDirect
cache_peer_access parent-proxy deny green
cache_peer_access parent-proxy allow all

# traffic that should go direct (and only that traffic)
# should always go direct
always_direct allow meantToGoDirect
always_direct deny all

# traffic that should not go direct (and only that traffic)
# should never go direct
never_direct deny meantToGoDirect
never_direct allow all

Disclaimer: The above configuration snippets are not complete, are not
tested, and can probably be reduced (some might say "simplified") if you
prefer to rely on certain defaults. See also: nonhierarchical_direct.

Once you get the above working for plain HTTP requests that have
resolvable domain names as targets, please note that your listA ACL will
not work for requests that have IP addresses, including some CONNECT
requests that ask your Squid to tunnel HTTPS traffic. Your Squid may not
get any such requests, but if it does, then your "green" and
"meantToGoDirect" ACLs may need to be more complex than "dstdomain -n"
and "dst".


HTH,

Alex.
P.S. I would not call the second proxy "parent-proxy" because both of
your proxies are configured as parent proxies.




# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7               # RFC 4193 local private network range
acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl listA dstdomain -n  domainA.com

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt

[squid-users] squid 5 and parent peers

2021-10-08 Thread Markus Moeller

Hi,

 I try to set up a proxy chain, but don't get the setup right. I have one 
squid with 2 parents: one with auth for domainA.com and one without auth for the 
non-local IPs (i.e. Internet).


 With the below config I see domainA.com still going to the unauthenticated 
parent proxy. Any hint why?


Thank you
Markus


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl localdst dst 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localdst dst 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localdst dst 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localdst dst 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localdst dst 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localdst dst fc00::/7               # RFC 4193 local private network range
acl localdst dst fe80::/10              # RFC 4291 link-local (directly plugged) machines


acl listA dstdomain -n  domainA.com

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

cache_peer auth-proxy parent   3128 0  no-query default login=NEGOTIATE
cache_peer parent-proxy parent   3128 0  no-query default
cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst
never_direct deny localdst
never_direct allow all

debug_options 44,10 11,20


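To see why the three configurations posted in this thread behave as they do, here is a small Python model of Squid's first-match evaluation of always_direct, never_direct and cache_peer_access. It is an added example, not Squid's own code: it assumes the destination is already resolved (the ip field of each request), implements the documented "opposite of the last rule" default when nothing matches, and only reports which routes the ACLs leave open rather than Squid's ordering among them. The three configs are condensed from the thread; the google address is the one in the debug trace above, the domainA.com and intranet addresses are constructed.

```python
"""Model of Squid's first-match access-list evaluation for always_direct, never_direct
and cache_peer_access. Added example, not Squid code; see the lead-in for assumptions."""
import ipaddress


def parse_config(text):
    """Parse the squid.conf subset used in the thread: acl dst/dstdomain, cache_peer,
    cache_peer_access, always_direct and never_direct."""
    acls, peers, lists = {"all": ("all", [])}, [], {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, *values = words[1:]
            # option flags such as the -n of "dstdomain -n" are not values
            acls.setdefault(name, (kind, []))[1].extend(v for v in values if not v.startswith("-"))
        elif words[0] == "cache_peer":
            peers.append(words[1])
        elif words[0] == "cache_peer_access":
            lists.setdefault(("peer", words[1]), []).append((words[2] == "allow", words[3:]))
        elif words[0] in ("always_direct", "never_direct"):
            lists.setdefault((words[0], None), []).append((words[1] == "allow", words[2:]))
    return {"acls": acls, "peers": peers, "lists": lists}


def acl_matches(cfg, name, req):
    """dst: CIDR match on the (assumed already resolved) destination IP.
    dstdomain: 'x.com' matches only x.com, '.x.com' matches x.com and its subdomains."""
    kind, values = cfg["acls"][name]
    if kind == "all":
        return True
    if kind == "dst":
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = (req.get("domain") or "").lower()
        # a request that names an IP has no domain, so "dstdomain -n" cannot match it
        return bool(host) and any(
            host == v.lower().lstrip(".") or (v.startswith(".") and host.endswith(v.lower()))
            for v in values)
    raise ValueError(f"acl type {kind} not modelled")


def verdict(cfg, key, req, default):
    """First matching rule wins. If rules exist but none match, the answer is the
    opposite of the last rule (Squid's documented default); with no rules it is `default`."""
    rules = cfg["lists"].get(key)
    if not rules:
        return default
    for allow, terms in rules:
        if all(acl_matches(cfg, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]


def routes(cfg, req):
    """Routes the ACLs leave open: always_direct wins outright; otherwise every peer whose
    cache_peer_access allows the request, plus DIRECT unless never_direct forbids it."""
    if verdict(cfg, ("always_direct", None), req, False):
        return {"DIRECT"}
    open_routes = {p for p in cfg["peers"] if verdict(cfg, ("peer", p), req, True)}
    if not verdict(cfg, ("never_direct", None), req, False):
        open_routes.add("DIRECT")
    return open_routes


ACLS = """
acl localdst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
acl listA dstdomain -n domainA.com
acl google dstdomain -n .google.com
"""
# first post: two overlapping 'allow' lists, so domainA.com is open to BOTH parents
FIRST = ACLS + """
cache_peer auth-proxy parent 3128 0 no-query default login=NEGOTIATE
cache_peer parent-proxy parent 3128 0 no-query default
cache_peer_access auth-proxy allow listA
cache_peer_access parent-proxy allow !localdst
never_direct deny localdst
never_direct allow all
"""
# the "!" version: never_direct is DENIED for google.com, so DIRECT stays open
BANG = ACLS + """
cache_peer internetproxy.example.com parent 8080 0 no-query default
cache_peer authproxy.example.com parent 8080 0 no-query default login=NEGOTIATE
cache_peer_access authproxy.example.com deny localdst
cache_peer_access authproxy.example.com allow google
cache_peer_access authproxy.example.com deny all
cache_peer_access internetproxy.example.com deny localdst
cache_peer_access internetproxy.example.com deny google
cache_peer_access internetproxy.example.com allow all
always_direct allow localdst
always_direct deny all
never_direct deny !localdst
never_direct allow all
"""
# the corrected version: the three routes become mutually exclusive
FIXED = BANG.replace("never_direct deny !localdst", "never_direct deny localdst")

# constructed requests; the google address is the one in the debug trace
GOOGLE = {"domain": "www.google.com", "ip": "172.217.23.100"}
DOMAIN_A = {"domain": "domainA.com", "ip": "203.0.113.10"}
INTRANET = {"domain": "wiki.internal", "ip": "10.1.2.3"}


def demo():
    """Open routes per config and request, e.g. demo()['bang']['www.google.com']."""
    return {name: {r["domain"]: sorted(routes(parse_config(text), r))
                   for r in (GOOGLE, DOMAIN_A, INTRANET)}
            for name, text in (("first", FIRST), ("bang", BANG), ("fixed", FIXED))}
```

Running demo() shows the two failure modes discussed above: under the first config domainA.com is open to both auth-proxy and parent-proxy (the "green and blue dots" case, which is why it could land on the unauthenticated parent), and under the "!" config www.google.com gets always_direct and never_direct both denied, leaving DIRECT open next to authproxy, which is what the peer_select trace above reports before the direct connect times out. The corrected config leaves exactly one route for each request.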


Re: [squid-users] problem with authentication

2021-02-04 Thread Markus Moeller
What does the cache log show?

Markus

"Alex Gutiérrez"  wrote in message 
news:acd33a78-c0dc-d539-1028-ed1c700db...@esines.cu...
Hi community, recently I installed an old UBT 18.04 with squid 3. I use 
kerberos to authenticate my users.

Everything seems great, but all my users are able to use the proxy, instead 
of the few in the connection group.

Can anyone be so nice as to tell me what's wrong with my config?

Thanks in advance.



httpd_suppress_version_string on
visible_hostname Proxy
via off
forwarded_for off
follow_x_forwarded_for deny all
error_directory /usr/share/squid_error
acl SSL_ports port 443
acl Safe_ports port 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http_cubaindustria
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
#
#sqstat
#
acl webserver src proxy.esines.cu
http_access allow manager webserver
http_access deny manager
##
# Logs:
access_log /var/log/squid/access.log squid !manager
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %


Re: [squid-users] Squid for Windows: negotiate_kerberos_auth helper seems to leak(?) handles

2021-02-02 Thread Markus Moeller

Hi Klaus,

  The negotiate_kerberos_auth helper is not intended to run on Windows. 
How did you compile it?


Markus



"Klaus Westkamp"  wrote in message 
news:8251c91f-1b08-82f2-f6ec-46ef92fe9...@westkamp.net...


Hi,

I dug a little further (but I'm no expert in WinDBG):

Attaching to the process with the most handles (currently 323 shown by
Windows Process Manager, as newly started)

!handles gives me:

277 Handles (weird, shows fewer than Process Manager)
Type                  Count
None                  4
Event                 199
Section               7
File                  18
Directory             3
SymbolicLink          1
Mutant                9
Semaphore             5
Key                   8
Token                 2
Thread                5
IoCompletion          2
TpWorkerFactory       2
ALPC Port             5
WaitCompletionPacket  7

Asking for Handle Details:

0:003> !handle 5e8 f
Handle 5e8
  Type Event
  Attributes   0
  GrantedAccess0x1f0003:
 Delete,ReadControl,WriteDac,WriteOwner,Synch
 QueryState,ModifyState
  HandleCount  2
  PointerCount 32769
  Name 
  Object Specific Information
Event Type Auto Reset
Event is Waiting

0:003> !handle 5e0 f
Handle 5e0
  Type Event
  Attributes   0
  GrantedAccess0x1f0003:
 Delete,ReadControl,WriteDac,WriteOwner,Synch
 QueryState,ModifyState
  HandleCount  2
  PointerCount 32769
  Name 
  Object Specific Information
Event Type Auto Reset
Event is Waiting

0:003> !handle 374 f
Handle 374
  Type Event
  Attributes   0
  GrantedAccess0x1f0003:
 Delete,ReadControl,WriteDac,WriteOwner,Synch
 QueryState,ModifyState
  HandleCount  2
  PointerCount 32769
  Name 
  Object Specific Information
Event Type Auto Reset
Event is Waiting

These events seem to increase, but only one process gets to the limit of
3x00 handles and then the other processes seem to hang ...


On 15/12/2020 12:18, Klaus Westkamp wrote:

Hi,


yes, this is Diladele's last available package. Output of squid -v is as 
follows:


squid -v

Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.2j  26 Sep 2016. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--bindir=/bin/squid' '--sbindir=/usr/sbin/squid' 
'--sysconfdir=/etc/squid' '--datadir=/usr/share/squid' 
'--libexecdir=/usr/lib/squid'
'--disable-strict-error-checking' '--with-logdir=/var/log/squid' 
'--with-swapdir=/var/cache/squid' '--with-pidfile=/var/run/squid.pid' 
'--enable-ssl'
'--enable-delay-pools' '--enable-ssl-crtd' '--enable-icap-client' 
'--disable-eui' '--localstatedir=/var/run/squid' 
'--sharedstatedir=/var/run/squid'
'--datarootdir=/usr/share/squid' 
'--enable-disk-io=AIO,Blocking,DiskThreads,IpcIo,Mmapped' 
'--enable-auth-basic=DB,LDAP,NCSA,POP3,RADIUS,SASL,SMB,fake,getpwnam'
'--enable-auth-ntlm=fake' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=LDAP_group,SQL_session,eDirectory_userip,file_userip,kerberos_ldap_group,session,time_quota,unix_group,wbinfo_group'
'--with-openssl' '--with-filedescriptors=65536' 
'--enable-removal-policies=lru,heap'


The helper negotiate_kerberos_auth.exe doesn't produce a Version output.


Best regards,

Klaus Westkamp


On 15/12/2020 09:10, Amos Jeffries wrote:

On 15/12/20 4:03 am, Klaus Westkamp wrote:

Hi,

I'm uncertain whether this mailing list is the correct one to ask, but I 
have the disputable honor to make a squid run on a Windows Server 
(if possible). Whilst squid.exe seems to run fine, I constantly run into 
an unresponsive system when I enable Kerberos authentication via 
auth_param and the negotiate_kerberos_auth.exe helper.


For a while authentication works fine, but all of a sudden the system 
hangs at 100% CPU usage. My observation is that one of the 
negotiate_kerberos_auth.exe processes has a constantly increasing number 
of handles (files and events). If I understand the Sysinternals handle 
tool correctly, most handles are event correlated.


The setting:

Windows 2012 R2 AD Controllers with Windows 2008R2 Domain Level. A 
Windows Server 2016 running Squid 3.5 for Windows.


Is Squid the package built by Diladele or a custom build?

Which exact version number is it? (output of "squid -v" please)


Amos






Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

2020-07-25 Thread Markus Moeller
Hi 


Maybe some general comments about LB, CNAMEs and Squid Kerberos will help. The 
Kerberos client will try to request a ticket based on the hostname used, e.g. 
if you configure in your browser the proxy name as ha-proxy.slb.example.com 
then the client will look for a service principal of 
HTTP/ha-proxy.slb.example.com. If this is a CNAME then you may have browser 
dependencies, e.g. 

  ha-proxy.slb.example.com CNAME HA-server1.real.example.com 

Some browsers will use HTTP/ha-proxy.slb.example.com and some will use 
HTTP/HA-server1.real.example.com. 

Now if your squid server name is squid1.real.example.com you will probably 
have only HTTP/squid1.real.example.com in your keytab. 


There are now 2 options:

1) Create one entry in AD for all squid servers, i.e. the AD entry will have 
at least (number of servers + 2) service principals associated to it, extract 
the key to a keytab and use the option -s GSS_C_NO_NAME with the 
negotiate_kerberos_auth helper, 
e.g. HTTP/squid1.real.example.com, HTTP/squid2.real.example.com, 
HTTP/HA-server1.real.example.com, HTTP/ha-proxy.slb.example.com 
2) Create separate entries in AD for each squid server, the LB and the CNAMEs 
and then merge the keys into one keytab to be used on all squid servers.

Kind Regards
Markus



"L.P.H. van Belle"  wrote in message 
news:vmime.5f1aa165.2c44.7eb4bc368bae...@ms249-lin-003.rotterdam.bazuin.nl...
forgot 1 thing. (sorry) 
# 
adduser proxyuser winbind_priv 

or things might not work. 

 



--
  From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
L.P.H. van Belle
  Sent: Friday 24 July 2020 10:46
  To: squid-users@lists.squid-cache.org
  Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication


  I would recommend to ..
  1) use Debian buster,
  2) use squid 4.12
  3) use samba (winbind). 

  Needed in smb.conf (only shown what's really needed); there is more 
of course. 

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  # renew the kerberos ticket
  winbind refresh tickets = yes

  # Added for freeradius support
  #ntlm auth = mschapv2-and-ntlmv2-only


  apt install winbind krb5-user should be sufficient. 

  Samba joins the domain. 
  /etc/krb5.keytab contains the default part and refreshes the server Kerberos 
passwords/tickets. 

  And for squid its keytab: 

  kinit Administrator
  export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
  net ads keytab add_update_ads HTTP/$(hostname -f) -U Administrator

  # alias name to keytab
  net ads keytab ADD HTTP/CNAME.FQDN 

  # check keytab file.
  klist -ke /etc/squid/HTTP-$(hostname -s).keytab
  unset KRB5_KTNAME

  # set rights.
  chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
  chmod g+r /etc/squid/HTTP-$(hostname -s).keytab

  And I use in squid: 
  auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -k 
/etc/squid/HTTP-hostname.keytab \
  -s HTTP/hostname.fqdn@REALM -s HTTP/CNAME.FQDN@REALM 
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM 

  Points to think about. 

  Server IPs need A + PTR. 
  Use CNAMEs in the DNS, 
  and make sure the resolving is set up correctly. 

  Add a caching DNS to the proxy (and let squid use it also). 

  I had this working (without HAproxy) but with keepalived. 

  As far as I can tell, your problem is in how the hostnames and IPs are used, 
  but the above might give you ideas. 


  Greetz, 

  Louis







From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Service MV
Sent: Thursday 23 July 2020 17:36
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem with HAProxy + Squid 4.11 + Kerberos 
authentication


Hi, everybody.
I have a SQUID 4.11 compiled on Debian 9.8 with kerberos integration 
authenticating and browsing without problems:
cache.log
squid_kerb_auth: User some.user authenticated
access.log
10.10.10.203 TCP_TUNNEL/200 5264 CONNECT update.googleapis.com:443 
some.user HIER_DIRECT/172.217.162.3 -

The problem starts when I try to configure a HAProxy 1.8 load balancer to 
which by redundancy I configured a virtual IP with the keepalived service. When 
I point my browser to the DNS A record (balancer.mydomain.local) which in turn 
points to the keepalived virtual IP, the authentication stops working:
cache.log 
no records
access.log
10.10.8.207 TCP_DENIED/407 4142 CONNECT update.googleapis.com:443 - 
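Markus's two keytab options at the top of this thread come down to one check: every name a browser may resolve the proxy to (the real host, the LB host, the CNAME) needs an HTTP/ key in the keytab the helper reads. The script below is an added example, not code from this thread, Squid or Samba: it parses the MIT/Heimdal keytab file format directly and lists which of a required set of SPNs have no key, the same information the "klist -ke" check in Louis's reply shows, but as a programmatic test. The hostnames are Markus's example names; the realm EXAMPLE.COM, key version numbers and keys are constructed.

```python
"""Check that a Squid Kerberos keytab holds every HTTP/ SPN a client may ask for.

Added example for the thread above, not code from squid-users, Squid or
Samba.  Parses the MIT/Heimdal keytab file format (version 0x0502) and
reports which service principals behind a load balancer / CNAME have no key.
Hostnames follow Markus's example; the realm EXAMPLE.COM is an assumption.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _read_counted(buf, pos):
    """Read a uint16 length-prefixed octet string; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every entry in keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size = deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 4                         # name_type (present in v2 files)
        pos += 4                         # timestamp
        vno = data[pos]                  # 8-bit key version number
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)
        if end - pos >= 4:               # optional 32-bit kvno, wins if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
    return entries


def missing_spns(data, proxy_names, realm):
    """HTTP/<name>@REALM principals from proxy_names that have no key in the keytab."""
    present = {principal for principal, _, _ in parse_keytab(data)}
    wanted = ["HTTP/%s@%s" % (name, realm) for name in proxy_names]
    return [spn for spn in wanted if spn not in present]


def build_keytab(entries):
    """Write a v2 keytab from (principal, kvno, enctype, key); used only to
    construct the sample file below (real keytabs come from net/msktutil)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">II", 1, 0)          # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", vno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the keytab only has the proxy's own name, as Markus
# describes ("you will probably have only HTTP/squid1.real.example.com").
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/squid1.real.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
    ("host/squid1.real.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
])
# Every name a browser may use for the proxy: real host, LB host, LB CNAME.
REQUIRED_NAMES = ["squid1.real.example.com", "HA-server1.real.example.com", "ha-proxy.slb.example.com"]

if __name__ == "__main__":
    for principal, vno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d enctype=%d" % (principal, vno, enctype))
    for spn in missing_spns(SAMPLE_KEYTAB, REQUIRED_NAMES, "EXAMPLE.COM"):
        print("MISSING:", spn)
```

On a real proxy, read the keytab file named by -k (or KRB5_KTNAME) in place of SAMPLE_KEYTAB; a missing SPN here is what produces the 407 loop for clients that resolve the proxy through the CNAME.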

Re: [squid-users] squid kerberos auth, acl note group

2020-07-25 Thread Markus Moeller

Hi Klaus,

   Is the group you added a security group? Only security groups are part 
of the Kerberos ticket. Which authorisation helper do you use, or is this 
just based on the auth helper output?


   What do you see on the client? e.g. in PowerShell run whoami /groups

   Did you clear the client Kerberos cache, e.g. by logging out and in again 
or using klist purge?



Markus

"Amos Jeffries"  wrote in message 
news:704e36b3-4cd8-611c-0643-231c02045...@treenet.co.nz...


On 25/07/20 2:48 am, Klaus Brandl wrote:

sorry, I did not find this script, and the binary is not available on our
product, because I'm no developer...



Darn. Okay that hinders testing a bit.


But I think we have a caching problem here; I found out that the group
information is only updated on a squid reconfigure.

And also the acl note group ... seems to be cached until squid is
restarted completely. I removed the configured group from the user, but I 
could see this group still matching in the cache.log, also after a reconfigure, 
when the auth_helper does not mention this group any more.



The groups are attached to credentials which are attached to the TCP
connection (TTL only as long as the connection is open) and a token
replay cache for up to authenticate_ttl directive time (default 1 hour).

Setting that TTL to something very short, eg:

 authenticate_ttl 10 seconds

... and disabling connection keep-alive:

 client_persistent_connections off

... should work around the cache for testing. At least on HTTP traffic.
HTTPS traffic goes through the proxy as a single tunnel request - so the
entire HTTPS session is just one request/response pair to Squid.

Amos


Re: [squid-users] [squid-announce] Squid-4.5 is available

2019-01-08 Thread Markus Moeller

Hi Amos,

 Is there any reason that kerberos_sid_group is not included in the tar?

Thank you
Markus

"Amos Jeffries"  wrote in message 
news:d6159d58-f75b-1af7-4690-5819cd465188__18406.7017086365$1546614300$gmane$o...@treenet.co.nz...


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.5 release!


This release is a security and bug fix release resolving several issues
found in the prior Squid releases.


The major changes to be aware of:

* Bug 4253: ssl_bump prevents access to some web contents

The SSL-Bump initial implementation was entangled with reverse-proxy
handling of decrypted HTTPS messages. This was a mistake we have been
reversing across the 3.5 and 4 cycles.

With this release SSL-Bump traffic handling is no longer tied to
reverse-proxy mode. As a result complications with ESI and
Surrogate-Control header handling have finally been resolved.


* Redesign forward_max_tries to count TCP connection attempts

This release includes an overhaul of the counting for HTTP message
forwarding and re-send attempts. This has an impact on how long it takes
Squid to detect and report connection errors to clients, persistent
connection overload recovery and detection of DEAD peer states.

The documentation for forward_max_tries and connect_retries has been
updated to more clearly specify the current expected behaviour.

Any users with systems tuned to optimize these behaviours should read
the updated squid.conf documentation and check their tuning after
upgrade to this release or any later.


* Fix client_connection_mark ACL handling of clientless transactions

This bug shows up as crashes when a client_connection_mark or
clientside_mark type ACL is used for access control. From this release
transactions without a client TCP connection will now produce a
non-match result when this ACL is tested.


* Multiple NetDB behaviour updates

NetDB state was not being recorded for connections to peers using TLS
nor for CONNECT tunnels. With the growth of HTTPS in recent times these
are increasingly important to optimize.

This release will now ping and record the latency information for these
connections to aid with optimizing connection setup of future transactions.


* The logformat code %>handshake is added

This code allows logging of initial bytes received for many protocols
to allow better debugging of unknown-protocol issues and external ACL
decision making.


* Use pkg-config for detecting libxml2

This release adds support for auto-detection of libxml2 location using
the pkg-config tools at build time. This may affect users of OS placing
libraries at a location outside the FHS layout. For example
cross-building or multi-architecture systems.

Note that support for custom PATH parameter is not yet implemented for
the --with-libxml2 build option. It is planned but did not make this
release. The pkg-config environment variables may be used for that if
necessary.



 All users of Squid-4 with SSL-Bump functionality are urged to upgrade
as soon as possible.

 All other users of Squid-4 are encouraged to upgrade as time permits.

 All users of Squid-3 are encouraged to upgrade where possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
 http://bugs.squid-cache.org/


Amos Jeffries


Re: [squid-users] Kerberos authentication on mobile phones

2018-05-12 Thread Markus Moeller

You don't have to join a domain.  You only need a Kerberos authentication
server to get a ticket.

You only need AD (or Samba) if you also want authorisation (PAC data) in your
Kerberos ticket.

As Amos said you need a Kerberos client and a browser supporting
Proxy-Negotiate.

Markus

"Amos Jeffries"  wrote in message 
news:36775d21-090a-e22a-bec0-78edc5754...@treenet.co.nz...


On 08/05/18 10:22, Panagiotis Bariamis wrote:

Hello,
Is it possible with a Squid Kerberos-only authentication setup to
authenticate e.g. Android phones to Squid?


I don't have an answer for that, maybe someone else has experience. If
you have the environment available you could try it yourself.



A second question. If a non-domain-joined machine tries to use the proxy,
will there be a username/password prompt where, if correct credentials
are presented, he will be able to get a ticket to use Squid?


Maybe, unlikely though IMO. Getting a ticket requires first joining the
domain. Some client software may provide a popup and then try to contact
a DC and join a domain.

But whether a) the specific client software does that, and b) whether
info about the domain DC server is available in DNS records, and c)
whether the Kerberos realm "domain" matches the proxy DNS record domain
- all those affect the possibilities AFAIK.

Amos


Re: [squid-users] Kerberos Heimdal Server Authentication

2018-05-11 Thread Markus Moeller
Can you capture the traffic on port 88? Heimdal has no helpful messages, so 
seeing the real traffic may help identify the issue.

kinit should create an AS req/rep;
the test program creates a TGS req/rep.

Example attached if it gets through.

Markus

"Panagiotis Bariamis"  wrote in message 
news:CAPxN_PVp9RETXBPZG6ZX5rzNK6Hu-HLxdAagSfgXVcg=dcd...@mail.gmail.com...
Hello, my setup is as follows:

FreeBSD 11 Heimdal Kerberos server and DNS properly configured (testlab 
environment for the example.com domain) 

FreeBSD 11 squid proxy server 

Windows client 



I have created a keytab from the Kerberos server for http/squid.example.com

The proxy server machine has no problem kinit-ing with the keytab file and gets a 
ticket 

# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: http/squid.example@example.com

  IssuedExpires   Principal
May  9 15:38:36 2018  May 10 01:38:37 2018  krbtgt/example@example.com


My squid.conf is as follows concerning the authentication :
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth
auth_param negotiate children 10 startup=1
auth_param negotiate keep_alive on


Trying to use :
# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid.example.com 
| awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' 
| /usr/local/libexec/squid/negotiate_kerberos_auth -r -s http/squid.example.com


fails with :
| negotiate_kerberos_auth_test: gss_init_sec_context() failed:  An unsupported 
mechanism was requested. unknown mech-code 0 for mech unknown
BH gss_accept_sec_context() failed:  A token was invalid. unknown mech-code 0 
for mech unknown
BH quit command



Any ideas?


Thank you, 

Bariamis Panagiotis 







krb5.pcap
Description: Binary data



Re: [squid-users] kerberos authentication with kerberos groups

2018-02-24 Thread Markus Moeller

Hi Jeroen,

 Do you use Active Directory as ldap server? My automated test says it is 
not. I use this check to determine the group attribute check.



support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Search ldap server with bind path 
CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: 
(ldapdisplayname=samaccountname)
support_ldap.cc(345): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Found 0 ldap entries
support_ldap.cc(350): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Determined ldap server not as an Active Directory server


Markus

"Jeroen Ruijter"  wrote in message 
news:510fcecd6e595a4d83bf67fc07028e7507c99...@bhmb-01.bnh.local...


I believe this has to be the problem, but how do I solve it? It's almost at 
the end of the whole listing


support_ldap.cc(333): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(602): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(645): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(342): pid=2951 :2018/02/20 17:02:27| kerberos_ldap_group: 
DEBUG: Search ldap server with bind path 
CN=Schema,CN=Configuration,DC=bnh,DC=local and filter: 
(ldapdisplayname=samaccountname)





kerberos_ldap_group.cc(283): pid=2951 :2018/02/20 17:02:21| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2951 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2953 :2018/02/20 17:02:21| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2953 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2952 :2018/02/20 17:02:21| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2952 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No ldap servers defined.
2018/02/20 17:02:21 kid1| helperOpenServers: Starting 5/5 
'ext_kerberos_ldap_group_acl' processes
kerberos_ldap_group.cc(283): pid=2954 :2018/02/20 17:02:21| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group ADGroupRaamregeling  Domain
support_netbios.cc(83): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2954 :2018/02/20 17:02:21| kerberos_ldap_group: 
DEBUG: No ldap servers defined.
kerberos_ldap_group.cc(283): pid=2955 :2018/02/20 17:02:21| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group list ADGroupRaamregeling@
support_group.cc(447): pid=2955 :2018/02/20 17:02:21| kerberos_ldap_group: 
INFO: Group ADGroupRaamregeling  Domain

[squid-users] Simple ACL help for Kerberos authenticated sessions

2017-08-08 Thread Markus Moeller

Hi,

   When using the latest squid 4 release you can use  %note{group} to get 
the group information from the Negotiate Kerberos helper to transfer the PAC 
group SIDs to the external ACL helper.


squid.conf

...
external_acl_type test_acl ipv4 %LOGIN %note{group} 
/opt/squid-trunk/sbin/test_acl

acl squid_allow external test_acl
...

The helper script will initially look for the objectsid of the group 
SQUID_ALLOW (i.e. it will only be called when the helper is started and 
never again - good for performance).  After that the SIDs from the Kerberos 
PAC information are compared with the previously retrieved SID from AD.



#!/bin/bash
#
# GET SID for Group
#
export KRB5CCNAME=/tmp/squid_krb5cc
kinit -kt /etc/squid/squid.keytab HTTP/opensuse42.suse.home
# ldapsearch prints the binary objectSid base64 encoded ("objectSid:: ..."),
# the same encoding Squid uses for the PAC SIDs in %note{group}, so the
# values can be compared as strings
SID=`ldapsearch -LLL -Ygssapi -H ldap://dc1.samba.home:389 -s sub -b "DC=samba,DC=home" "(CN=SQUID_ALLOW)" objectsid 2>&1 | awk '{ if ( $0 ~/^object/ ) print $2}'`

(>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| test_ACL: SID=$SID")

#
# Loop over input: one line per request, "<user> <group1,group2,...>".
# read fails at EOF, so the loop ends when Squid closes the helper
# instead of spinning forever on an empty read.
#
while read -r input ; do
  found=0
  user=`echo $input | awk '{ print $1 }'`
  groups=`echo $input | awk '{ print $2 }'`
  (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| test_ACL: user=$user")
  (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| test_ACL: groups=$groups")
  if [ -n "$groups" ]; then
    # one SID per line
    while read group; do
      if [ "$group" == "$SID" ]; then
        (>&2 echo "`date +"%Y/%m/%d %H:%M:%S"`| test_ACL: matched group: $group")
        found=1
        echo "OK"
      fi
    done <<< "$(echo $groups | tr , "\n" )"
  fi
  # no group note, or no SID matched: deny
  if [ $found -eq 0 ]; then
    echo "ERR"
  fi
done

Example log from the cache.log file


2017/08/08 20:02:02 kid1| helperOpenServers: Starting 0/5 'test_acl' 
processes

2017/08/08 20:02:02 kid1| helperOpenServers: No 'test_acl' processes needed.
2017/08/08 20:02:23 kid1| Starting new test_acl helpers...
2017/08/08 20:02:23 kid1| helperOpenServers: Starting 1/5 'test_acl' 
processes

2017/08/08 20:02:24| test_ACL: SID=AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: user=administra...@samba.home
2017/08/08 20:02:24| test_ACL: 
groups=AQUAAAUVjxbSIudxUpznEbHVCAIAAA==,AQUAAAUVjxbSIudxUpznEbHVPAIAAA==,AQUAAAUVjxbSIudxUpznEbHVBwIAAA==,AQUAAAUVjxbSIudxUpznEbHVBgIAAA==,AQUAAAUVjxbSIudxUpznEbHVAAIAAA==,AQUAAAUVjxbSIudxUpznEbHVUwQAAA==
2017/08/08 20:02:24| test_ACL: matched group: 
AQUAAAUVjxbSIudxUpznEbHVUwQAAA==



Regards
Markus 



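Markus's test_acl script compares the base64 SIDs from %note{group} byte for byte against the objectsid fetched from AD. The helper below is an added example, not code from the post or from Squid: it makes the same decision but decodes each binary SID into the S-1-5-21-... text form, so the allowed group can be configured as a readable SID and malformed input is refused rather than matched. The request line format is the one the external_acl_type line in the post produces (%LOGIN followed by %note{group}, no concurrency channel); all SID values and user names are constructed.

```python
"""Squid external ACL helper: allow when a PAC group SID matches a configured SID.

Added example for the post above, not code from squid-users or Squid.  Squid
passes "%LOGIN %note{group}" per request, where the group note is a
comma-separated list of base64-encoded binary SIDs from the Kerberos PAC.
Each SID is decoded to its S-1-5-... text form before comparison.  All SID
values below are constructed.
"""
import base64
import struct
import sys

# Constructed: the SID of the AD group allowed to use the proxy (the value you
# would read from the group's objectSid attribute).
ALLOWED_GROUP_SID = "S-1-5-21-1234567890-987654321-1122334455-1107"


def decode_sid(blob):
    """Binary SID -> 'S-1-A-s1-s2...': revision, sub-authority count, 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision 1 SID")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def encode_sid(text):
    """Inverse of decode_sid; used here only to build the constructed sample input."""
    parts = text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision 1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def groups_from_note(note):
    """Decode the comma-separated base64 SIDs Squid passes in %note{group}."""
    return [decode_sid(base64.b64decode(item, validate=True))
            for item in note.split(",") if item]


def decide(line, allowed_sid):
    """Answer one request line 'user b64sid,b64sid,...' with 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) < 2:                  # no group note (not a Kerberos login)
        return "ERR"
    try:
        groups = groups_from_note(fields[1])
    except ValueError:                   # bad base64 or malformed SID: never allow
        return "ERR"
    return "OK" if allowed_sid in groups else "ERR"


def _note(sids):
    """Build a %note{group} value from SID strings (sample construction only)."""
    return ",".join(base64.b64encode(encode_sid(s)).decode() for s in sids)


# Constructed request lines as Squid would send them to the helper.
SAMPLE_ALLOWED_LINE = "alice@EXAMPLE.COM " + _note(
    ["S-1-5-21-1234567890-987654321-1122334455-513", "S-1-5-11", ALLOWED_GROUP_SID])
SAMPLE_DENIED_LINE = "bob@EXAMPLE.COM " + _note(
    ["S-1-5-21-1234567890-987654321-1122334455-513", "S-1-5-11"])


def main():
    """Helper loop: one answer per input line; flush, as Squid waits for each reply."""
    for line in sys.stdin:
        sys.stdout.write(decide(line, ALLOWED_GROUP_SID) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```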


Re: [squid-users] AD / Kerberos Issues

2016-11-25 Thread Markus Moeller

Hi Rick,

  The log indicates that your browser sent an NTLM token, not a Kerberos 
token. This can be easily seen from the first characters of the token 
(TlRM).  Check the Kerberos communication on the client (i.e. port 88). The 
client should request a token for HTTP/ and receive it.  If not 
then your name or config does not match up.


Markus


"Rick"  wrote in message news:20161125110932.760cfeda@chavez...

FreeBSD 10.3 / Samba42 / Squid 3.5

All the net ads / kinit / keytab stuff seems okay however hitting Squid
from a Windows box using IE 11 results in repeated prompts for
credentials which then fails after 3 attempts.

Cache.log has:

negotiate_kerberos_auth.cc(610): pid=42160 :2016/11/25 10:51:37|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABl4II4gAGAbEdDw==' from squid
(length: 59). negotiate_kerberos_auth.cc(663): pid=42160 :2016/11/25
10:51:37| negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABl4II4gAGAbEdDw==' (decoded
length: 40).

I have seen others post similar errors, but I have not seen any
solutions.

current relevant squid config entry:

auth_param negotiate
program /usr/local/libexec/squid/negotiate_kerberos_auth -d -s
GSS_C_NO_NAME

Any help greatly appreciated.


Re: [squid-users] SSO (kerberos)

2016-09-22 Thread Markus Moeller

Hi

 Did you try the debug option -d for ext_kerberos_ldap_group_acl to get 
some debug output? Maybe it gives some indication of the problem?


Markus

"erdosain9"  wrote in message 
news:1474570767416-4679652.p...@n4.nabble.com...


So, I have a little more info

this is the config

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -d -s
HTTP/squid.example@example.lan
auth_param negotiate children 10
auth_param negotiate keep_alive on

#acl auth proxy_auth REQUIRED

external_acl_type i-limitado-krb children=10 cache=10 grace=15 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g i-limit...@example.lan

acl i-limitado external i-limitado-krb
http_access allow i-limitado



AND I HAVE THIS ERROR
The grupos helpers are crashing too rapidly, need help!

"grupos" is for "group" in AD (samba)





Re: [squid-users] Problem with Kerberos and ext_kerberos_ldap_group_acl not being able to reach realm's KDC

2016-09-16 Thread Markus Moeller

Hi Silamael,

Can you perform a kinit u...@example.com? Does the squid user have 
read access to krb5.conf?


Markus

"Silamael Darkomen"  wrote in message 
news:955b9071-4d07-f0a2-2925-8f63fa332...@coronamundi.de...


Hello,

I'm currently working on setting up our proxy to authenticate the users
via Kerberos against a Windows AD.
The simple user authentication through negotiate_kerberos_auth is
already working.
But the second step, checking the group of an authenticated user,
gives me some headache. Even with Kerberos configured not to search the
KDC via DNS, the ext_kerberos_ldap_group_acl tool complains about not
being able to find the realm's KDC:

squid-3.5.20/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc(376):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: INFO: Got User:
user Domain: EXAMPLE.COM
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(63):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: User domain
loop: group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(91):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Default
domain loop: group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_member.cc(93):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found
group@domain linux@
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_ldap.cc(898):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Setup
Kerberos credential cache
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(127):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Set
credential cache to MEMORY:squid_ldap_23191
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(138):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get default
keytab file name
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(144):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got default
keytab file name /etc/HTTP.keytab
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(158):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Get
principal name from keytab /etc/HTTP.keytab
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(167):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Keytab entry
has realm name: EXAMPLE.COM
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(181):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Found
principal name: host/proxy.example@example.com
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(196):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: DEBUG: Got
principal name host/proxy.example@example.com
squid-3.5.20/helpers/external_acl/kerberos_ldap_group/support_krb5.cc(64):
pid=23191 :2016/09/16 09:53:10| kerberos_ldap_group: ERROR: Error while
initialising credentials from keytab : unable to reach any KDC in realm
EXAMPLE.COM
...

The last lines of the error messages repeat for every entry in the keytab.
All other Kerberos related tools work fine with the given krb5.conf.

Some more information about the setup:
We're running under OpenBSD with Heimdal version 1.5.3.
The AD is reachable from the proxy machine but DNS is not done by the AD
but on the proxy machine itself.

Below you find the krb5.conf used and the settings from the squid.conf.
The limitation to 1 child is just for testing purposes.

Would be really great if anyone could shed some light on this issue!

Thanks in advance,
Matthias

-

krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_keytab_name = /etc/HTTP.keytab
dns_lookup_kdc = no
dns_lookup_realm = no

[realms]
EXAMPLE.COM = {
   kdc = 1.2.3.4
   admin_server = 1.2.3.4
   default_domain = example.com
}

squid.conf:
auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -di -s
HTTP/proxy.example.com
auth_param negotiate children 1
auth_param negotiate keep_alive on

external_acl_type squid_kerb_ldap children-max=1 ttl=3600
negative_ttl=3600 %LOGIN
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -di -S 1.2.3.4@ -g
linux@
acl ldap_group_check external squid_kerb_ldap
http_access deny !ldap_group_check




Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread Markus Moeller
Hi Louis,

I know a user and machine account can be used and they work the same. What 
my concern is, is that many companies deploy password policies for users in AD. 
 You would need to create exceptions for user accounts which have SPNs with 
associated keytabs as a password change will make the keytab invalid.

Markus 


"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.57c3e5ca.28ab.73ab0c8662c33...@ms249-lin-003.rotterdam.bazuin.nl...
Hello Markus,

Thank you for the explanation, that helped a lot.

I use the TLS_CACERTFILE in the init script now and that works for me.
(In Debian the /etc/default/squid.)

>>The helper tries to “authenticate” squid to AD as a user with the found SPN 
>>name, so the UPN must be the same as the SPN.  There is no easy way to query 
>>what the UPN for the SPN is. 

Ah, this helped identifying some other small things too.

>>msktutil (my preferred tool)

Since I try to use only Debian packages, msktutil is not available for me.

>>Also msktutil (my preferred tool) creates a machine account not a user 
>>account in AD. 
>>The reason I prefer this is that often user accounts have a global password 
>>policy e.g. change every 60 days otherwise it will be locked. 
>>machine accounts do not have that limitation. But as I said it is just my 
>>preference.

That's not correct in my opinion. The computer account works (almost) the
same as a user account.
Like a computer account = a user account.

Some pointers:
https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx
https://adsecurity.org/?p=280

I used a separate user since I wanted to have 2 proxies on 1 service account,
but due to the UPN/SPN thing that's not an option anymore. Not that that's a
problem, I'll change to adding the computer to the Samba domain and adding the
UPN/SPN on the computer account where needed.
Which is maybe even a better option.

Thanks again for your replies.

Best regards,

Louis




From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Markus Moeller
Sent: Saturday, 27 August 2016 16:52
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 
minorbugsmaybe )

 

Hi,

   I would say they are bugs. The first “issue” is as you say more about 
understanding the difference between UPN and SPN and how the tools use them.  
The helper tries to “authenticate” squid to AD as a user with the found SPN 
name, so the UPN must be the same as the SPN.  There is no easy way to query 
what the UPN for the SPN is. 

  Also msktutil (my preferred tool) creates a machine account not a user 
account in AD. The reason I prefer this is that often user accounts have a 
global password policy e.g. change every 60 days otherwise it will be locked. 
machine accounts do not have that limitation. But as I said it is just my 
preference. 

   Regarding the certificate check I do not use any ldap.conf settings. I 
require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file. 
 Maybe in the next version I see how I can determine the right ldap.conf file 
and check if the CACERTFILE variable is already set.

Kind regards

Markus


"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...

Ok reply to myself so other users know this also.

If you create a user for the HTTP services and you don't use msktutil but, like
me, samba-tool or something else:

Read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.

And the clue was this line for me:

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 
This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>
for the associated account. This is usually done by using msktutil. 

But this is not done by samba-tool.

The samba-tool setup for squid I used was as follows:

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to the usern...@internal.domain.tld ( as it should ).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as it should ).

samba-tool spn list squid1-service 
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:
 HTTP/proxy.internal.domain.tld
 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now i changed my UPN from usern...@internal.domain.tld  to the 

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-29 Thread Markus Moeller
Hi Marcio,

That looks OK.  TT means the helper requires additional data from the client 
which I did not prepare a test for. In my case I get the AF response.

#  /opt/squid-trunk/sbin/negotiate_kerberos_auth_test opensuse42.suse.home | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}'  | /opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command

  Anyway the basic check looks good. You now just need to run the helper with 
squid.  I will see if I can create a test which deals with the TT response too.

Regards
Markus

"Marcio Demetrio Bacci" <marcioba...@gmail.com> wrote in message 
news:CA+0Tdyr+2jEL7p09yrtJQ516M-2uE-q=Zayd3F5J0A=25zc...@mail.gmail.com...
Hi Markus, thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rob...@cms.ensino.br
Valid starting   Expires  Service principal
28-08-2016 22:40:53  29-08-2016 08:40:53  krbtgt/cms.ensino...@cms.ensino.br
renew until 29-08-2016 22:40:41

But I have the following result for the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br

Result:
TT 
oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command


The HTTP/proxy.cms.ensino.br is in the keytab files

I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos, 
but I have /usr/lib64/squid/negotiate_kerberos_auth_test, thus I'm using it.

My Linux distribution is CentOS 7


Regards,


Márcio






2016-08-28 15:24 GMT-03:00 Markus Moeller <hua...@moeller.plus.com>:


  Hi Marcio,

The helper needs a Kerberos token as input.  Please have a look at 
test_negotiate_auth.sh  which is in src/auth/negotiate/kerberos of the trunk 
version. The squid hostname must match the entry in your keytab and you must 
have done kinit to authenticate against a Kerberos server (e.g. AD) as user 
first.

  Regards
  Markus 


  "Marcio Demetrio Bacci" <marcioba...@gmail.com> wrote in message 
news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...
  I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm 
using CentOS 7 and Squid 3.3.8 (yum install squid)


  When I type the command below in a terminal:
  /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino...@cms.ensino.br
  john xyz@12345

  I have the following error:
  negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
  negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
  BH invalid request 


  Here are my configuration files:

  /etc/krb5.conf
  [libdefaults]
  default_realm = CMS.ENSINO.BR
  [realms]
  CMS.ENSINO.BR = {
  kdc = dc1.cms.ensino.br:88
  admin_server = dc1.cms.ensino.br
  default_domain = CMS.ENSINO.BR 
  }
  [domain_realm]
  .cms.ensino.br = CMS.ENSINO.BR
  cms.ensino.br = CMS.ENSINO.BR



  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
   
--
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/proxy.cms.ensino...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 host/pr...@cms.ensino.br
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 PROXY$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br
 1 HTTP/pr...@cms.ensino.br


  Keytab name: FILE:/etc/squid/PROXY.keytab
  KVNO Principal
   
--
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 proxy-k$@CMS.ENSINO.BR
 1 HTTP/proxy.cms.ensino...@cms.ensino.br
 1 HTTP/pro
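
The AF and TT replies quoted in this thread are base64 SPNEGO negTokenResp structures, and reading them directly shows what state the negotiation is actually in. The following is an added example (not code from Squid or from anyone in the thread): a minimal DER reader that decodes the two tokens quoted above. For the AF reply it yields negState accept-completed with the Kerberos V5 mechanism; for the TT reply it yields accept-incomplete with the IAKERB mechanism, carrying a KRB-ERROR whose error-code is 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN per RFC 4120).

```python
"""Decode replies from Squid's negotiate_kerberos_auth helper (AF/TT/NA/BH).

Added example, not code from Squid or from the thread. AF/TT/NA replies carry
a base64 SPNEGO negTokenResp; reading negState, the mechanism OID and, for an
IAKERB response, the embedded KRB-ERROR shows what the negotiation is saying.
Only the small DER subset needed for these structures is implemented.
"""
import base64

# The two helper replies quoted in the thread (tokens copied verbatim).
AF_LINE = "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group="
TT_LINE = ("TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJS"
           "fmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAx"
           "MzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=")

MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.5.2.5": "IAKERB", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
              31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED"}

def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_fields(buf):
    """Map a constructed element's context tags ([0], [1], ...) to their contents."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        fields[tag & 0x1F] = val
    return fields

def decode_oid(raw):
    """Decode DER OID contents to dotted form (base-128 arcs after the first byte)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_krb_error(raw):
    """Return error-code and realm from a KRB-ERROR (APPLICATION 30, tag 0x7e)."""
    tag, body, _ = der_tlv(raw)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    fields = der_fields(der_tlv(body)[1])   # [6] error-code, [9] realm (RFC 4120 5.9.1)
    code = int.from_bytes(der_tlv(fields[6])[1], "big")
    realm = der_tlv(fields[9])[1].decode() if 9 in fields else None
    return {"error_code": code, "error_name": KRB_ERRORS.get(code, "unknown"), "realm": realm}

def decode_neg_token_resp(token_b64):
    """Decode a SPNEGO negTokenResp: negState, supportedMech and any responseToken."""
    tag, body, _ = der_tlv(base64.b64decode(token_b64))
    if tag != 0xA1:
        raise ValueError("not a negTokenResp")
    fields = der_fields(der_tlv(body)[1])   # [0] negState, [1] supportedMech, [2] responseToken
    result = {}
    if 0 in fields:
        state = der_tlv(fields[0])[1][0]
        result["neg_state"] = NEG_STATE.get(state, str(state))
    if 1 in fields:
        oid = decode_oid(der_tlv(fields[1])[1])
        result["mech"] = MECH_NAMES.get(oid, oid)
    if 2 in fields:
        inner = der_tlv(fields[2])[1]       # responseToken OCTET STRING contents
        if inner[:2] == b"\x05\x01":        # IAKERB proxy token: TOK_ID 0x0501 + IAKERB-HEADER
            _, hdr, pos = der_tlv(inner, 2)
            result["iakerb_target_realm"] = der_tlv(der_fields(hdr)[1])[1].decode()
            if inner[pos] == 0x7E:          # the proxied Kerberos message is a KRB-ERROR
                result["krb_error"] = decode_krb_error(inner[pos:])
    return result

def decode_helper_reply(line):
    """Parse one helper reply line: AF/TT/NA carry a token, anything else a message."""
    parts = line.split(" ", 2)
    reply = {"code": parts[0]}
    if parts[0] in ("AF", "TT", "NA") and len(parts) > 1:
        reply.update(decode_neg_token_resp(parts[1]))
        if parts[0] == "AF" and len(parts) > 2:
            reply["user"] = parts[2].split()[0]   # AF <token> <user> [group=...]
    else:
        reply["message"] = " ".join(parts[1:])
    return reply

if __name__ == "__main__":
    for line in (AF_LINE, TT_LINE, "BH quit command"):
        print(decode_helper_reply(line))
```

Feeding the helper's stdout through this decoder turns a bare TT into the mechanism and Kerberos error the client side is reporting, which is the first thing to check before touching squid.conf.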

Re: [squid-users] Trouble negotiate_kerberos_auth

2016-08-28 Thread Markus Moeller

Hi Marcio,

  The helper needs a Kerberos token as input.  Please have a look at 
test_negotiate_auth.sh  which is in src/auth/negotiate/kerberos of the trunk 
version. The squid hostname must match the entry in your keytab and you must 
have done kinit to authenticate against a Kerberos server (e.g. AD) as user 
first.

Regards
Markus 


"Marcio Demetrio Bacci"  wrote in message 
news:ca+0tdyqeat4l5ko4zrjnj1aue64my2re7z95kfdqw7y8sv_...@mail.gmail.com...
I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm using 
CentOS 7 and Squid 3.3.8 (yum install squid)


When I type the command below in a terminal:
/usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino...@cms.ensino.br
john xyz@12345

I have the following error:
negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| 
negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
BH invalid request 


Here are my configuration files:

/etc/krb5.conf
[libdefaults]
default_realm = CMS.ENSINO.BR
[realms]
CMS.ENSINO.BR = {
kdc = dc1.cms.ensino.br:88
admin_server = dc1.cms.ensino.br
default_domain = CMS.ENSINO.BR 
}
[domain_realm]
.cms.ensino.br = CMS.ENSINO.BR
cms.ensino.br = CMS.ENSINO.BR



Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 host/pr...@cms.ensino.br
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 PROXY$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br
   1 HTTP/pr...@cms.ensino.br


Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
 --
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 proxy-k$@CMS.ENSINO.BR
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 HTTP/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br
   1 host/proxy.cms.ensino...@cms.ensino.br


/etc/sysconfig/squid
# default squid options
SQUID_OPTS=""
# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
# default squid conf file
SQUID_CONF="/etc/squid/squid.conf"

KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME



kinit and klist commands are OK.


Best Regards,


Márcio







Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-27 Thread Markus Moeller
Hi,

   I would say they are bugs. The first “issue” is as you say more about 
understanding the difference between UPN and SPN and how the tools use them.  
The helper tries to “authenticate” squid to AD as a user with the found SPN 
name, so the UPN must be the same as the SPN.  There is no easy way to query 
what the UPN for the SPN is. 

  Also msktutil (my preferred tool) creates a machine account not a user 
account in AD. The reason I prefer this is that often user accounts have a 
global password policy e.g. change every 60 days otherwise it will be locked. 
machine accounts do not have that limitation. But as I said it is just my 
preference. 

   Regarding the certificate check I do not use any ldap.conf settings. I 
require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file. 
 Maybe in the next version I see how I can determine the right ldap.conf file 
and check if the CACERTFILE variable is already set.


Kind regards
Markus


"L.P.H. van Belle"  wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...
Ok reply to myself so other users know this also.

If you create a user for the HTTP services and you don't use msktutil but, like
me, samba-tool or something else:

Read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.

And the clue was this line for me:

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 
This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>
for the associated account. This is usually done by using msktutil. 

But this is not done by samba-tool.

The samba-tool setup for squid I used was as follows:

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to the usern...@internal.domain.tld ( as it should ).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as it should ).

samba-tool spn list squid1-service 
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:
 HTTP/proxy.internal.domain.tld
 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from usern...@internal.domain.tld to the (SPN name)
HTTP/proxyserver.internal.domain.tld@REALM 

Solved my initial problem. 

This should in my opinion be changed to search for the SPN in 
ext_kerberos_ldap_group.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but
I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable 
through setting environment variable TLS_CACERTFILE)

I'm already having: TLS_CACERT  /etc/ssl/certs/ca-certificates.crt 
Which contains the needed certs.

Did I find 2 small bugs here?
Or is this a “Debian” related thing?

Debug output. 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq

support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group list internet-m...@your.realm.tld

support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group internet-mail  Domain YOUR.REALM.TLD

support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios list internet-mail@NTDOMAIN

support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios name internet-mail  Domain NTDOMAIN

support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: ldap server list NULL

support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: No ldap servers defined.

testuser internet-mail

kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD

kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD

support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: User domain loop: group@domain internet-m...@your.realm.tld

support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Found group@domain internet-m...@your.realm.tld

support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Setup Kerberos credential cache

support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Set credential cache to MEMORY:squid_ldap_6902

support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: 

Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-27 Thread Markus Moeller
Hi  Louis,

I lately made a change in how the SSL certificate verification is done.  Did 
you use the latest version from trunk ?  Also set the variable TLS_CACERTFILE 
in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do 
not read any ldap.conf file for this yet.

Markus



"L.P.H. van Belle"  wrote in message 
news:vmime.57beabe1.6a01.3a47ad2737b8d...@ms249-lin-003.rotterdam.bazuin.nl...
Hai, 

I've added the needed UPN, set up the _ldaps in the DNS zones, that's OK now.

The last part, here I need some help.

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set certificate file for ldap server to 
/etc/ssl/certs/cert.pem.(Changeable through setting environment variable 
TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP 
server

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Set certificate file for ldap server to 
/etc/ssl/certs/cert.pem.(Changeable through setting environment variable 
TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: 
ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP 
server

 

I tried to set TLS_CACERTFILE in ldap.conf, didn't work, so I don't know how to
fix this or where to put these variables.

I need a user to connect to the LDAP. I have that one in place.
I just can't find how to put this in this line so I can test this out, but I can
only authenticate if the TLS_CACERTFILE is set correctly.

Any suggestions here?

Greetz,

Louis






Re: [squid-users] missing negotiate_kerberos_auth on my squid

2016-05-31 Thread Markus Moeller
Hi Nilesh,

Just add a -d to

# enable kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain@domain.org

like

# enable kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain@domain.org -d

Then you get debug output in your cache.log file.

Markus


"Markus Moeller" <hua...@moeller.plus.com> wrote in message 
news:nikoqr$i2m$1...@ger.gmane.org...
What does the log say when you use the -d option with the helper?

Markus


"Nilesh Gavali" <nilesh.gav...@tcs.com> wrote in message 
news:of059dedf2.dd0eb7d2-on80257fc4.006a0132-80257fc4.006a2...@tcs.com...
Hello All; 

Configured the steps required for Kerberos authentication as given at 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos 
but instead of SSO working when we try to open a URL, it prompts for username 
and password, and when passing credentials it is not authenticating. 
Attached is our squid config for your reference. 

Kindly let us know what went wrong. 

We are using Windows 2012 AD. 



Thanks & Regards
Nilesh Suresh Gavali




From:Nilesh Gavali/MUM/TCS 
To:squid-users@lists.squid-cache.org, be...@bazuin.nl 
Date:27/05/2016 15:07 
Subject:missing negotiate_kerberos_auth on my squid 




Thanks Louis for the reply. 

but 

Should be include imo. -- not sure what is imo

Should be in any Squid-3.2 and later.

And on my debian server its located here. 
/usr/lib/squid/negotiate_kerberos_auth - check the path but it is not there on 
my linux box.

Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ?   NO, 
didn't give this option while compiling.

Run squid -v to check it. -- we have "--enable-auth-negotiate" only and some 
other configured options. 

Can you help me with how to get it recompiled with the required options. 


Thanks & Regards
Nilesh Suresh Gavali

- Forwarded by Nilesh Gavali/MUM/TCS on 27/05/2016 15:01 - 

From:squid-users-requ...@lists.squid-cache.org 
To:squid-users@lists.squid-cache.org 
Date:27/05/2016 12:42 
Subject:squid-users Digest, Vol 21, Issue 101 
Sent by:"squid-users" <squid-users-boun...@lists.squid-cache.org> 






--

Message: 1
Date: Thu, 26 May 2016 07:30:16 -0700 (PDT)
From: joe <chip_...@hotmail.com>
To: squid-users@lists.squid-cache.org
Subject: [squid-users] NULL characters
Message-ID: <1464273016183-4677691.p...@n4.nabble.com>
Content-Type: text/plain; charset=us-ascii

2016/05/26 06:41:28 kid1| ctx: enter level  0:
'http://js.advert.mirtesen.ru/data/js/82090.js'
2016/05/26 06:41:28 kid1| WARNING: HTTP header contains NULL characters
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid}
NULL
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid
2016/05/26 06:41:28 kid1| c

Re: [squid-users] Changing negotiate_kerberos_auth default location forrcache

2016-04-19 Thread Markus Moeller
Hi Michael,

   Yes, you should be able to set an environment variable KRB5RCACHEDIR in your 
startup script. You can also use KRB5RCACHETYPE to set (or disable) the cache 
type. 

Markus

"Michael Pelletier"  wrote in message 
news:caencsg74pkxndiasr4yfgy9uuzqhk21jl5uytzxp6_tmpeu...@mail.gmail.com...
Hello,

I am using squid 3.4 and need to change the default location from /var/tmp to a 
tmpfs filesystem. The current version does not have the "-c" option to change 
the default location. I was wondering if there was another way.


Michael














Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-21 Thread Markus Moeller
Hi,

 1) Yes, you should see user@DOMAIN for kerberos authentication, but if you 
use -r  the @DOMAIN will be removed. 

 2) The client in EXTERNAL.COM needs to know where to find the 
HTTP/@FATHER.COM principal.  I think your trust is not fully setup. You 
should see some cross domain TGTs.  

Cross Domain SPN Lookups with Active Directory
When Domains are within the same forest, the KDC should consult the GC (Global 
Catalog) and provide a referral if the account is in a different domain.  If 
the account is not in the same forest you would need to define Host Mapping for 
the account, unless you are using a forest trust.  Then you could define a 
Kerberos Forest Search Order


Markus


"akn ab" <drcim...@mail.com> wrote in message 
news:trinity-1231fb52-3516-493c-a2c9-b9fe1c1623c5-1458549367234@3capp-mailcom-lxa05...
Hello Markus,

first of all thank you for your reply, today I'm having a strange issue.
KID1 and KID2 started to authenticate with Kerberos correctly without any 
modification ...
This is so strange, but I'm very happy, so I started other configurations, but 
I have 2 more problems:

1)
On my squid logs, I can see users authenticated correctly, but not the domain 
the users came from.
For example:
FATHER.COM\user1
KID1.FATHER.COM\user1
KID2.FATHER.COM\user1
are reported on my logs with "user1" and not in us...@kid1.father.com or 
KID1\user1 (for example)
I need to differentiate domains because I'm sending x-authenticated-user to my 
proxy peers.
Is it possible with Kerberos?

2)
I have another domain EXTERNALS.COM with bidirectional trust with FATHER.COM, 
so I added it in my krb5.conf like KID1, but Kerberos auth fails.
Using your instructions, I captured port 88 during the handshake and I get:

eRR-C-PRINCIPAL-UNKNOWN

Users' PCs belonging to EXTERNALS.COM are joined to EXTERNALS.COM

Best Regards.
  
Sent: Saturday, March 19, 2016 at 12:28 AM
From: "Markus Moeller" <hua...@moeller.plus.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] NEGOTIATE Kerberos Auth
Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ?

 Can you get a wireshark capture on your client on port 88  ?  You should 
see some TGS-REQs in the capture and I assume also TGS-REPs  with error 
messages.  Can you share these error messages ?

Regards
Markus


"akn ab" <drcim...@mail.com> wrote in message 
news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...
Dear all,

I'm having a problem configuring my squid 3.5.15 with negotiated Kerberos 
authentication in my mono-forest, multi-domain setup.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
-> KID2.FATHER.COM

With the actual configuration, squid negotiated Kerberos auth works with only 
FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find a 
definitive advice and procedure to authenticate children domains' users.

My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join kerberous auth with FATHER.COM i did:
# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com 
-k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn 
HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config i have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using 
proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not 
work).

Now I'm trying to add KID1 an

Re: [squid-users] NEGOTIATE Kerberos Auth

2016-03-18 Thread Markus Moeller
Hi,

Is your client a member of FATHER.COM or KID1.FATHER.COM / KID2.FATHER.COM ? 

 Can you get a wireshark capture on your client on port 88 ?  You should 
see some TGS-REQs in the capture and I assume also TGS-REPs with error 
messages.  Can you share these error messages ? 

Regards
Markus


"akn ab"  wrote in message 
news:trinity-1aed7413-4936-4022-90fa-eac7e2d892ed-1458301713239@3capp-mailcom-lxa01...
Dear all,

I'm having a problem configuring my squid 3.5.15 with negotiated kerberos 
authentication in my mono-forest, multi-domain setup.

My FATHER.COM is a forest with 2 children: KID1 and KID2.
Like this: FATHER.COM -> KID1.FATHER.COM
-> KID2.FATHER.COM

With the current configuration, squid negotiated kerberos auth works only with 
FATHER.COM but not when my users belong to KID1 and KID2.
I read some discussions on the mailing list about forests, but cannot find 
definitive advice and a procedure to authenticate child domain users.

My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FATHER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = /usr/local/squid/etc/HTTP.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
FATHER.COM = {
  kdc = dc1.father.com:88
  kdc = dc2.father.com:88
  default_domain = father.com
}
KID1.FATHER.COM = {
  kdc = dc1.kid1.father.com:88
  kdc = dc2.kid1.father.com:88
  default_domain = kid1.father.com
}
KID2.FATHER.COM = {
  kdc = dc1.kid2.father.com:88
  kdc = dc2.kid2.father.com:88
  default_domain = kid2.father.com
}
[domain_realm]
.father.com = FATHER.COM
father.com = FATHER.COM
.kid1.father.com = KID1.FATHER.COM
kid1.father.com = KID1.FATHER.COM
.kid2.father.com = KID2.FATHER.COM
kid2.father.com = KID2.FATHER.COM
[capaths]
KID1.FATHER.COM = {
   FATHER.COM = .
}
KID2.FATHER.COM = {
   FATHER.COM = .
}

To join kerberos auth with FATHER.COM I did:
# kinit u...@father.com
# msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com 
-k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb --upn 
HTTP/proxy1.father.com --server dc1.father.com --enctypes 28 --verbose -N

On squid config i have:
auth_param negotiate program /usr/local/squid/libexec/negotiate_kerberos_auth -r -k /usr/local/squid/etc/HTTP.keytab -s HTTP/proxy1.father.com

Doing so, all my users belonging to FATHER.COM can negotiate kerberos using 
proxy1.father.com:8080 (this exact name; if I use a DNS alias name, it does not 
work).

Now I'm trying to add KID1 and KID2 users to krb auth.
As I said previously, I read some posts but I cannot find the correct 
configuration to support my forest.
1) Someone says to add KID1 and KID2 to HTTP.keytab. To do so I did:
- kinit u...@father.com
- msktutil -c -b "CN=Computers" -s HTTP/proxy1.father.com -h proxy1.father.com 
-k /usr/local/squid/etc/HTTP.keytab --computer-name proxy1krb-kid1 --upn 
HTTP/proxy1.father.com --server dc1.kid1.father.com --enctypes 28 --verbose -N
but this configuration gives me a keytab authentication error or a 
ticketing problem. So I tried:
- kinit u...@kid1.father.com
but my user is an Enterprise Admin from FATHER.COM, so I cannot get the ticket.

After many, many, many hours, I need some advice to complete my 
configuration.
Is there anyone who could help me?

Many thanks in advance.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 3.3.8 -- Authentication Problems when using Alias Host Name

2016-02-21 Thread Markus Moeller

Hi Markus,

 When you say authentication does not work, do you mean Kerberos 
authentication or Kerberos and NTLM ?  Can you add a -d for debug to the 
Kerberos authentication helper and provide the log file messages ?


 Can you also provide the content of the keytab ?

Regards
Markus

"Markus Sonnenberg"  wrote in message news:56c1c720.5030...@rz-amper.de...

Hi,

I've set up a CentOS 7 machine with Squid 3.3.8 and kerberos/ntlm
authentication in order to replace our older Squid proxy.
The new Squid server runs fine and authentication is working as
expected. We use group policies to set the proxy server address at terminal
servers and workstations, which is "proxy.company.com". This address is
an A record and currently points to the IP address of our old proxy
server. The hostname of our old proxy server is "euprx001.company.com"
and the hostname of our new proxy server is "euprx101.company.com".

When I change the A record for "proxy.company.com" pointing to the ip
address of our new proxy server then authentication is not working.

  proxy.company.com     10.222.40.106
  euprx101.company.com  10.222.40.106

Authentication works if Internet Explorer uses the real host name but it
does not work if it uses "proxy.company.com".

Guess what, this A record currently points to our old proxy server
and works fine regardless of whether Internet Explorer connects to proxy... or
euprx001.

Here's the current config I'm using on our new proxy server.


#  Network Options
#
+-+
http_port 8080
icp_port 0
offline_mode off

#  Administrative Options
#
+-+
via off
cache_mgr edc.helpd...@company.com
cachemgr_passwd ap0ll0 all
cache_effective_user squid
cache_effective_group squid
# cache_dir rock /cache 4 max-size=4194304 slot-size=32768
cache_mem 6144 MB
memory_pools on
pid_filename /var/run/squid.pid
ftp_user anonymous
ftp_passive off
check_hostnames off
request_header_max_size 20 KB
snmp_port 3401
shutdown_lifetime 2 seconds
maximum_object_size 1048576 KB
maximum_object_size_in_memory 10240 KB
forwarded_for on
snmp_incoming_address 0.0.0.0
workers 4
error_directory /usr/share/squid/errors/TTI
deny_info ERR_AD_REMOVED AdServer
deny_info ERR_BLOCKED_FILES BlockedFiles
deny_info ERR_BLOCKED_SITES BlockedSites
deny_info ERR_BLOCKED_SOCIAL BlockedSocialnet
deny_info ERR_BLOCKED_WEBMAIL BlockedWebmail

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
--domain=DE.COMPANY.COM --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=10 idle=10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=DE.COMPANY.COM
auth_param ntlm children 10
auth_param ntlm keep_alive on

### provide basic authentication via ldap for clients not authenticated
via kerberos/ntlm
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b
"dc=DE,dc=COMPANY,dc=COM" -D svc_sq...@company.com -W
/etc/squid/ldappass.txt -f sAMAccountName=%s -h euads201.de.company.com
auth_param basic children 10 startup=0 idle=1
auth_param basic realm Company, Inc. European Web Proxy
auth_param basic credentialsttl 120 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R
-K -S -b "dc=DE,dc=COMPANY,dc=COM" -D svc_sq...@de.company.com -W
/etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)
(memberof=cn=%g,cn=Users,dc=DE,dc=COMPANY,dc=COM))" -h
euads201.de.company.com

#  Logging
#
+-+
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %http://.*\.gif$   10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.png$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpg$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.jpeg$ 10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.bmp$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.gif$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ico$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.swf$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.flv$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.rar$  10080 100%   120960
reload-into-ims override-expire ignore-reload
refresh_pattern -i \.ram$

Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller

Hi,

  The issue appears if you use the same AD account for samba and the 
kerberos keytab creation, as samba will reset the password of the AD 
account and thereby invalidate the extracted keytab.


Markus


"Alex Samad"  wrote in message 
news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qfnewm...@mail.gmail.com...


Hi

So what you're saying is I should install msktutil and let it manage
the squid krb keytab file.


Could you possibly help with the changes to the squid.conf file? Do I
leave it as is and just add kerberos first ?


On 8 December 2015 at 20:03, Amos Jeffries  wrote:

On 8/12/2015 7:44 p.m., Alex Samad wrote:

Hi

Currently using 3.1 (from centos 6)
I have setup squid to auth against MS AD

I have
# ###
# Negotiate
# ###

# http://wiki.squid-cache.org/Features/Authentication
# http://wiki.squid-cache.org/Features/NegotiateAuthentication
auth_param negotiate program /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 10 startup=0 idle=3
auth_param negotiate keep_alive on

# ###
# NTLM AUTH
# ###

# ntlm auth
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --configfile
/etc/samba/smb.conf-squid
auth_param ntlm children 10
#auth_param ntlm children 10 startup=0 idle=3
#auth_param ntlm keep_alive


# ###
# NTLM over basic
# ###

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --configfile
/etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


I want to move towards using kerberos; I came to this page
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I worked through that, but I saw this

Do not use this method if you run winbindd or other samba services as
samba will reset the machine password every x days and thereby makes
the keytab invalid !!



As I understand it that disclaimer applies only to the "OR with Samba"
instructions for keytab creation directly above it. The other two
methods should work.

Also, it is just a disclaimer about a known problem. There is always the
option to set up a script that re-builds the keytab and reloads Squid
every X days when it changes.



I have winbindd running for my users list in linux

Is there a way around this, and if not, how?



The initial msktutil method of keytab creation is both a way around it
and the preferred method of keytab creation.

As you found elsewhere ...


then found this one
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

but I am not using msktutil; I do have samba and the krb-workstation 
installed




msktutil is just a tool to generate keytabs and link the machine to the
domain. I *think* it should still be usable even if you have Samba; the
problem is just that if you let Samba know about the keytab and account
it will do the periodic updates.

Amos



Re: [squid-users] squid auth

2015-12-08 Thread Markus Moeller

Hi Alex,

  Yes I talk about the AD computer account password.

Markus


"Alex Samad"  wrote in message 
news:CAJ+Q1PVw1rrSvMUjzqbp_QNUAVwN=r7rqrg0lt94hv3v3o9...@mail.gmail.com...


So when I do kinit I should use a different account to the samba one.

I'm lost, sorry.

When I attach with winbind, I kinit with my personal admin account and
also do a net ads join -U .

The password on the  doesn't / hasn't changed.

Are you talking about the computer account password ?

If so, then I set up a different computer account for the squid
kerberos application !


On 9 December 2015 at 07:20, Markus Moeller <hua...@moeller.plus.com> wrote:

Hi,

  The issue appears if you use the same AD account for samba and the
kerberos keytab creation, as samba will reset the password of the AD
account and thereby invalidate the extracted keytab.

Markus


"Alex Samad"  wrote in message
news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qfnewm...@mail.gmail.com...


Hi

So what you're saying is I should install msktutil and let it manage
the squid krb keytab file.


Could you possibly help with the changes to the squid.conf file? Do I
leave it as is and just add kerberos first ?


On 8 December 2015 at 20:03, Amos Jeffries <squ...@treenet.co.nz> wrote:


On 8/12/2015 7:44 p.m., Alex Samad wrote:


Hi

Currently using 3.1 (from centos 6)
I have setup squid to auth against MS AD

I have
# ###
# Negotiate
# ###

# http://wiki.squid-cache.org/Features/Authentication
# http://wiki.squid-cache.org/Features/NegotiateAuthentication
auth_param negotiate program /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 10 startup=0 idle=3
auth_param negotiate keep_alive on

# ###
# NTLM AUTH
# ###

# ntlm auth
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --configfile
/etc/samba/smb.conf-squid
auth_param ntlm children 10
#auth_param ntlm children 10 startup=0 idle=3
#auth_param ntlm keep_alive


# ###
# NTLM over basic
# ###

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --configfile
/etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


I want to move towards using kerberos; I came to this page
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I worked through that, but I saw this

Do not use this method if you run winbindd or other samba services as
samba will reset the machine password every x days and thereby makes
the keytab invalid !!




As I understand it that disclaimer applies only to the "OR with Samba"
instructions for keytab creation directly above it. The other two
methods should work.

Also, it is just a disclaimer about a known problem. There is always the
option to set up a script that re-builds the keytab and reloads Squid
every X days when it changes.



I have winbindd running for my users list in linux

Is there a way around this, and if not, how?



The initial msktutil method of keytab creation is both a way around it
and the preferred method of keytab creation.

As you found elsewhere ...


then found this one

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

but I am not using msktutil; I do have samba and the krb-workstation
installed



msktutil is just a tool to generate keytabs and link the machine to the
domain. I *think* it should still be usable even if you have Samba; the
problem is just that if you let Samba know about the keytab and account
it will do the periodic updates.

Amos

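An added example (not code from this thread, from Squid or from Samba) of the check a defender wants for the keytab-invalidation problem discussed in the two messages above: parse the keytab that msktutil wrote and compare each entry's key version number with the kvno the KDC currently reports, which is exactly what a Samba-driven machine-password reset advances. The sample keytab, its principals and the KDC kvno map are constructed for the demo; collecting the KDC-side kvno (with the `kvno` tool or from the computer account's msDS-KeyVersionNumber attribute) is assumed to happen outside this code.

```python
import struct


def _cstr(b):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a version-2 MIT keytab from (principal, enctype, kvno, key) tuples.
    Constructed helper for the demo; real keytabs come from msktutil or ktutil."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Yield {principal, enctype, kvno} for each live entry of a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                          # deleted slot: its space is abs(size) bytes
            pos -= size
            continue
        entry = data[pos:pos + size]
        pos += size
        ncomp, rlen = struct.unpack(">HH", entry[:4])
        p = 4
        realm = entry[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[p:p + 2])
            p += 2
            comps.append(entry[p:p + clen].decode())
            p += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4 + klen                         # skip the key octets; never expose them
        kvno = vno8
        if p + 4 <= size:                     # optional 32-bit vno, overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            kvno = vno32 or vno8
        yield {"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno}


def stale_entries(keytab_bytes, kdc_kvno):
    """Principals whose keytab kvno is behind the KDC's. kdc_kvno maps principal -> kvno as
    reported by `kvno` or the AD account's msDS-KeyVersionNumber, collected outside this code."""
    stale = set()
    for e in parse_keytab(keytab_bytes):
        current = kdc_kvno.get(e["principal"])
        if current is not None and e["kvno"] < current:
            stale.add((e["principal"], e["kvno"], current))
    return sorted(stale)


# Constructed sample: HTTP/proxy1 keys were extracted at kvno 3, then a Samba/winbind
# machine-password change moved the account to kvno 5 at the KDC; host/ is unaffected.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/proxy1.father.com@FATHER.COM", 18, 3, bytes(32)),   # 18 = aes256-cts-hmac-sha1-96
    ("HTTP/proxy1.father.com@FATHER.COM", 23, 3, bytes(16)),   # 23 = rc4-hmac
    ("host/proxy1.father.com@FATHER.COM", 18, 7, bytes(32)),
])
SAMPLE_KDC_KVNO = {"HTTP/proxy1.father.com@FATHER.COM": 5,
                   "host/proxy1.father.com@FATHER.COM": 7}
```

A non-empty result from stale_entries is the moment to re-run msktutil (or the keytab rebuild script Amos mentions) and reload Squid, rather than waiting for the helper to start returning BH.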


Re: [squid-users] negotiate_wrapper: Return 'AF = * username

2015-11-21 Thread Markus Moeller
What other output do you get when using -d (i.e. enable debug output) ?  It 
may indicate the reason for your return message.

Markus

"Michael Pelletier"  wrote in message 
news:CAEnCSG7hVR5DQ7d8awR1ax_qvmOeXBCZOY=mkvflwgji8-+...@mail.gmail.com...
Hello,

I am building a new squid virtual template for my environment. I already have 
squid up and running and everything is well.


When building a new template and testing it I keep getting negotiate_wrapper: 
Return 'AF = * username'. I cannot figure out why.


Can anyone help? All the software is the same version and I am using the same 
squid.conf that is currently running in production. I must have missed something but 
can't think of what it might be.


Michael








Re: [squid-users] Squid with NTLM and Kerberos auth => a error

2015-11-05 Thread Markus Moeller
 
Hi Olivier,

  I think on some of your newer clients you have an issue with Negotiate and 
NTLM fallback. If I look at 

https://msdn.microsoft.com/en-us/library/ff468736.aspx I see this  
https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif 

If I interpret this correctly the client will try NegoEx after failing with 
Kerberos and before trying NTLM.  If on the client NegoEx is successful then 
NTLM will not be attempted.  And I think that is the case here.  Do you know if 
NegoEx is used on the client ?  


Does anybody else know about NegoEx ?

Markus


From: Olivier CALVANO 
Sent: Tuesday, November 03, 2015 9:22 AM
To: Markus Moeller 
Subject: Re: [squid-users] Squid with NTLM and Kerberos auth => a error

That is to say that squid can be used with Windows AD ?




2015-11-02 22:46 GMT+01:00 Markus Moeller <hua...@moeller.plus.com>:


  Hi Olivier,

  If I decode a token I see

  /base64> hexdump -c base64_dec.out
  000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
  010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
  020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
  030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
  040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
  050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
  060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
  070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
  080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
  090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
  0a0  \n
  0a1

  It says NEGOEXTS  which points me to 
https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396
 
  That is not supported.

  Markus


  "Olivier CALVANO" <o.calv...@gmail.com> wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
  Hi


  I am testing AD authentication with Kerberos/NTLM

  ### negotiate kerberos and ntlm authentication
  auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos 
/usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
  auth_param negotiate children 160 startup=5 idle=1
  auth_param negotiate keep_alive on

  ## NTLM authentication module
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 160 startup=5 idle=1
  auth_param ntlm keep_alive on

  ## If NTLM fails, offer the authentication prompt
  auth_param basic program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-basic
  auth_param basic children 40 startup=5 idle=1
  auth_param basic realm Company proxy-caching web server
  auth_param basic credentialsttl 2 hours



  I have a lot of users for whom it works, but for other users squid requests login/pass 
in a loop.


  In cache.log I have:

  2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
  2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
  GENSEC login failed: NT_STATUS_LOGON_FAILURE
  2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
  2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
  2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
  2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
  2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
  2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
  2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 

Re: [squid-users] Squid with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller
Hi Olivier,

Which Kerberos version do you use ?  MIT or Heimdal ?  

Markus

"Olivier CALVANO"  wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi


I am testing AD authentication with Kerberos/NTLM

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos 
/usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication prompt
auth_param basic program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours



I have a lot of users for whom it works, but for other users squid requests login/pass 
in a loop.


In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE





Does anyone know this problem ?


regards

Olivier








Re: [squid-users] Squid with NTLM and Kerberos auth => a error

2015-11-02 Thread Markus Moeller

Hi Olivier,

If I decode a token I see

/base64> hexdump -c base64_dec.out
000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
0a0  \n
0a1

It says NEGOEXTS  which points me to 
https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255=-2147217396
 
That is not supported.

Markus


"Olivier CALVANO"  wrote in message 
news:cajajpefqoygt5zsyw7fwszwrttxn-r1pd-u73xdfonax9dl...@mail.gmail.com...
Hi


I am testing AD authentication with Kerberos/NTLM

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos 
/usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, offer the authentication prompt
auth_param basic program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours



I have a lot of users for whom it works, but for other users squid requests login/pass 
in a loop.


In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. 
Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism 
was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR 
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAABgcBL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAYAEAAEVyfDIyRYtIv9kqa6BepAo='
 (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An 
unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: 

Re: [squid-users] Negotiateauthenticator processes are busy

2015-10-14 Thread Markus Moeller
What happens if you adjust the system time to be in sync with the AD server?

Markus


"Михаил"  wrote in message 
news:1462781444845...@web15m.yandex.ru...
Hi All!
Sometimes I get an error message and squid stops:
2015/10/14 14:31:51| WARNING: All 300/300 negotiateauthenticator processes are 
busy.
2015/10/14 14:31:51| WARNING: 300 pending requests queued
2015/10/14 14:31:51| WARNING: Consider increasing the number of 
negotiateauthenticator processes in your config file.
2015/10/14 14:32:24| ERROR: Negotiate Authentication validating user. Result: 
{result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS 
failure. Minor code may provide more information. Clock skew too great; }}
2015/10/14 14:32:37| Closing HTTP port 0.0.0.0:3128
2015/10/14 14:32:48| storeDirWriteCleanLogs: Starting...
2015/10/14 14:32:48| Finished. Wrote 0 entries.
2015/10/14 14:32:48| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: Too many queued negotiateauthenticator requests
Squid Cache (Version 3.5.7): Terminated abnormally.

What can I do so that squid doesn't terminate?




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid 3.5.7 for Windows (from Diladele) and kerberos auth

2015-09-20 Thread Markus Moeller

Hi Paul,

 negotiate_kerberos_auth is for Unix only.

Regards
Markus

"MORRIS Paul [Tuart College]"  wrote in message 
news:508E8480E38F464FA0778ECCA1DB51F41FE95135@E7359SVIN1052.resources.internal...


Hi,

I am trying without success to use the "negotiate_kerberos_auth.exe" helper 
and "basic_smb_auth.exe" on a Windows 2008R2 server on a 2008R2 domain.
Previously I have used mswin_negotiate_auth.exe and mswin_auth.exe from the 
last stable 2.7 build with no issues.
Most of the instructions for setting up Kerberos authentication are for 
Linux; I am unsure which parts are applicable to Windows.


Can anyone help with the requirements for both of these new helpers in 3.5.7 
under Windows?

Can I just use the helper from 2.7 in 3.5.7?

Thank you,
Paul.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 





Re: [squid-users] Squid3 Kerberos Auth works but does not update the users group membership in the winbind cache of samba as for example ntlm_auth does

2015-09-13 Thread Markus Moeller
Hi Enrico,
 
   The Kerberos helper will only authenticate for now (there is now code to 
get the group information, but it is not further processed).  It does not do 
anything to group membership like the winbind cache.  Also keep in mind that 
Kerberos caches the ticket for about 10 hours on the client machine.  If the 
user does not lock/unlock his PC there won't be any update to the cached 
ticket and therefore none to the group membership information in the ticket 
either. 

Regards
Markus 


"Heine, Enrico"  wrote in message 
news:c821a938e46c6278b4cc39912760b408bb84f...@data-core.org...
Hello all,

My issue is the following: 

Using Squid3 with Kerberos auth works just fine but does not update the user's 
group membership in the winbind cache of samba as, for example, ntlm_auth does.

So when using /usr/lib/squid3/negotiate_kerberos_auth for Kerberos, the auth 
works, but group memberships for my user, for example, are never updated; when I 
comment out this auth helper then they get updated, because then I use ntlm_auth 
for ntlmssp.
So if I have a new group, e.g. My_Test, then I can check this like this: 

wbinfo -n My_Test -> returns SID of My_Test
wbinfo -Y SID -> returns mapped GID
wbinfo -r myuser | grep GID -> GID is not listed!!

getent group My_Test -> returns: myuser is a member of that group! So just in my 
account "myuser" it is not listed (wbinfo -r myuser | grep GID -> GID is not 
listed!!), but ext_wbinfo_group_acl is checking my group membership based on the 
commands listed above.

Commenting out Kerberos auth in the squid conf, so that only ntlm_auth is used, 
and requesting one website to be sure to have done an auth, works. Then the GID 
is listed in the output of wbinfo -r myuser.

How can I ensure that my memberships are getting updated using 
/usr/lib/squid3/negotiate_kerberos_auth as it does work with ntlm_user? Or is 
there another auth helper that can be used for Kerberos that does what 
ntlm_user does automatically after a successful authentication?

My Squid Config for Auth Helpers looks like this:

# Kerberos 
#
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -r -s 
HTTP/myserver.MYDOMAIN@MYDOMAIN
#auth_param negotiate children 300
#auth_param negotiate keep_alive on

# NTLM 
#
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off

# BASIC 
#
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic credentialsttl 2 hours
auth_param basic realm Windows Authentication required
auth_param basic casesensitive off

Also I am using the following to check group memberships, which is working fine 
!! with all auth helpers !! and it is much faster than the slow Kerberos group 
check. I assume that this helper is updating the winbind group cache 
automatically, which is the reason that the group itself is being recognized and 
I am also a member of that group when I check that specific group via getent 
group My_Test.

external_acl_type nt_group ttl=60 children-max=300 children-startup=50 %LOGIN 
/usr/lib/squid3/ext_wbinfo_group_acl -K

Software versions used:
- Squid Cache: Version 3.4.8
- Samba & winbindd Version 4.1.17-Debian
- Distribution: Debian Jessie


-- 
-- 
Best regards,
Enrico Heine





___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) ERROR type NTLM type 3

2015-08-18 Thread Markus Moeller
Hi Louis,

   When you have an offline PC do you use DHCP to give it an IP?   If so, can you 
also provide the PC with a WINS server via DHCP?  If that is possible and you 
run WINS you can authenticate the user with u...@domain.com when you get the 
authentication popup. The WINS server will point the PC to the AD server of the 
domain DOMAIN.COM (I assume you have given out some AD guest accounts to the 
non-domain PC).  

Regards
Markus


L.P.H. van Belle be...@bazuin.nl wrote in message 
news:vmime.55d2d089.2ba7.1a22bdbf5ed74...@ms249-lin-003.rotterdam.bazuin.nl...
Does nobody have any hint where the NTLM auth is going wrong, or what I can do 
to fix this? 




--
  From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
L.P.H. van Belle
  Sent: Monday, 17 August 2015 17:06
  To: squid-users@lists.squid-cache.org
  Subject: [squid-users] debian Jessie squid with auth (kerberos/ntlm/basic) 
ERROR type NTLM type 3


  Hi all, 

  I have a Debian Jessie setup with squid 3.4, all Debian packages. 
  I'm using Samba 4 AD as domain controllers for my Kerberos authentication. 

  I have a setup as described here: 
  
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory 

  I have my Kerberos auth working, so I don't type any password with a 
domain-joined computer when I want to use the internet. 
  I have my LDAP auth working for my non-Windows, non-domain-joined devices. 

  Now I need to give users on a non-domain-joined Windows PC access to the 
internet. 

  I'm getting (with Markus' negotiate_wrapper 1.0.1): 
  2015/08/17 16:31:51 kid1| ERROR: Negotiate Authentication validating user. 
Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL; }
  2015/08/17 16:32:03| negotiate_wrapper: Got 'YR TlR   =' from squid 
(length: 59). 
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR... =' (decoded length: 
40).
  2015/08/17 16:32:03| negotiate_wrapper: received type 1 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'TT TlR..  AA= * 
  2015/08/17 16:32:03| negotiate_wrapper: Got 'KK TlR  8=' from squid 
(length: 711).
  2015/08/17 16:32:03| negotiate_wrapper: Decode 'TlR.8=' (decoded length: 
530).
  2015/08/17 16:32:03| negotiate_wrapper: received type 3 NTLM token
  2015/08/17 16:32:03| negotiate_wrapper: Return 'BH NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL
  2015/08/17 16:32:03 kid1| ERROR: Negotiate Authentication validating user. 
Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL * 
NT_STATUS_UNSUCCESSFUL; }} 



  I know the following (and correct me if I'm thinking wrong here): 
  ## 1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN 
JOINED PCs.
  ##    Fallback to LDAP for NON-WINDOWS, NON-DOMAIN-JOINED devices.
  ##    NO NTLM. AKA, a Windows PC NOT JOINED to the domain will always end up 
in a user popup for auth,
  ##    which will always fail because of NTLM TYPE 1 and TYPE 2 
authorisations.
  ## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates 
Windows PCs that are not domain-joined.

  But I receive a type 3 NTLM token...  


  These are the configs I have tested, and these 2 work. 
  For Kerberos auth: 
  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s 
HTTP/hostname.fqdn@REALM

  for basic auth 
  auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
  -b dc=internal,dc=domain,dc=tld \
  -D ldap-b...@internal.domain.tld -W /etc/squid3/private/ldap-bind \
  -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
  -h addc.internal.domain.tld  

  These don't work: 

  auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
  --ntlm /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
  --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
  or 
  auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
  --ntlm /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \
  --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

  I tried here the wrapper supplied with squid: 
/usr/lib/squid3/negotiate_wrapper_auth  
  and I have tried the negotiate_wrapper of Markus, as wiki.squid-cache.org 
also says here:
  
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory  
 (Install negotiate_wrapper)  

  The Kerberos part works but not the NTLM. 

  When I try with only: 

  ### pure ntlm authentication
  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
  auth_param ntlm children 10
  auth_param ntlm keep_alive off

  I'm also unable to authenticate on the proxy. 

  All winbind tests work.  

  I googled a lot, but I didn't find any solutions, so I'm hoping someone here 
knows more. 

  So, anyone, any hint? 
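
The helper lines in the logs above (the 'YR YIGe...' SPNEGO token that squid_kerb_auth rejected as an unsupported mechanism, and the 'YR TlR...' / 'KK TlR...' NTLMSSP type 1 and type 3 tokens that negotiate_wrapper reported) can be decoded with a small parser to see which mechanism the client actually offered. This is an added example, not code from squid or from the negotiate_wrapper helper: the sample tokens are constructed to mirror the logged shapes, and `classify_helper_token`, `diagnose` and `build_neg_token_init` are names chosen here.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")              # DER of 1.3.6.1.5.5.2
KNOWN_MECHS = {                                         # DER-encoded mechanism OIDs
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",    # 1.3.6.1.4.1.311.2.2.10
    bytes.fromhex("2b06010401823702021e"): "NEGOEX",     # 1.3.6.1.4.1.311.2.2.30
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def _der(tag, content):
    """Wrap content in a DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _tlv(buf, pos, tag):
    """Read the TLV at buf[pos], which must carry `tag`; return (value, end)."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    first = buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:                                   # long form: 0x8N then N length bytes
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        start = pos + 2 + nb
    if start + length > len(buf):
        raise ValueError("truncated DER element at offset %d" % pos)
    return buf[start:start + length], start + length

def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit with mechTypes [0] and mechToken [2]."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    body = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, body))

def classify_helper_token(line):
    """Summarise one 'YR <b64>' / 'KK <b64>' line as squid hands it to a helper."""
    verb, _, b64 = line.strip().partition(" ")
    token = base64.b64decode(b64)
    info = {"verb": verb, "length": len(token)}
    if token.startswith(NTLMSSP_SIGNATURE):
        # raw NTLMSSP: the message type (1, 2 or 3) follows the 8-byte signature
        info["kind"] = "ntlmssp"
        info["ntlm_type"] = struct.unpack_from("<I", token, 8)[0]
        return info
    if token[:1] != b"\x60":                # not a GSS-API InitialContextToken
        info["kind"] = "unknown"
        return info
    outer, _ = _tlv(token, 0, 0x60)
    oid, pos = _tlv(outer, 0, 0x06)
    if oid != SPNEGO_OID:                   # bare mechanism token, e.g. raw Kerberos
        info["kind"] = "gssapi:" + KNOWN_MECHS.get(oid, oid.hex())
        return info
    neg_init, _ = _tlv(outer, pos, 0xA0)
    seq, _ = _tlv(neg_init, 0, 0x30)
    mech_types, pos = _tlv(seq, 0, 0xA0)
    mech_list, _ = _tlv(mech_types, 0, 0x30)
    mechs, p = [], 0
    while p < len(mech_list):
        raw, p = _tlv(mech_list, p, 0x06)
        mechs.append(KNOWN_MECHS.get(raw, raw.hex()))
    info.update(kind="spnego", mechs=mechs, kerberos_offered="Kerberos V5" in mechs)
    while pos < len(seq):                   # optional [1] reqFlags, [2] mechToken
        tag = seq[pos]
        value, pos = _tlv(seq, pos, tag)
        if tag == 0xA2:
            octets, _ = _tlv(value, 0, 0x04)
            info["mech_token_prefix"] = octets[:8]
    return info

def diagnose(info):
    """What negotiate_wrapper would have to do with this token."""
    if info["kind"] == "ntlmssp":
        return "raw NTLMSSP type %d: hand to ntlm_auth" % info["ntlm_type"]
    if info["kind"] == "spnego" and not info["kerberos_offered"]:
        return "SPNEGO without Kerberos (%s): a Kerberos-only helper answers BH" % ", ".join(info["mechs"])
    if info["kind"] == "spnego":
        return "SPNEGO offering Kerberos: hand to negotiate_kerberos_auth"
    return "not a token the Negotiate helpers understand"

def sample_lines():
    """Constructed samples shaped like the logged tokens (not real captures)."""
    oid_of = {name: raw for raw, name in KNOWN_MECHS.items()}
    no_krb = build_neg_token_init([oid_of["NEGOEX"], oid_of["NTLMSSP"]], b"NEGOEXTS" + bytes(8))
    with_krb = build_neg_token_init([oid_of["Kerberos V5"], oid_of["NTLMSSP"]], b"\x60\x00")
    ntlm1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207)
    ntlm3 = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + bytes(16)
    lines = ["YR " + base64.b64encode(t).decode() for t in (no_krb, with_krb, ntlm1)]
    return lines + ["KK " + base64.b64encode(ntlm3).decode()]

if __name__ == "__main__":
    for line in sample_lines():
        info = classify_helper_token(line)
        print(info["verb"], info["kind"], "->", diagnose(info))
```

The first constructed token has the same outer layout as the logged one (mechTypes NEGOEX and NTLMSSP, mechToken starting "NEGOEXTS"), which is why a Kerberos-only helper can only answer BH for it.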

Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
Did you compile msktutil or is it a package in CentOS? 

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message 
news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...
Hi



Thanks for your answer

CentOS Linux release 7.1.1503 (Core)

krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64


regards

olivier



2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

  Which OS and Kerberos version do you have?  There might be some issue with 
the cache used, KEYRING:persistent:0:0

  Markus

  Olivier CALVANO o.calv...@gmail.com wrote in message 
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
  Hi


  I request your help because I want to use NTLM/Kerberos to authenticate my users.


  For NTLM, I use Winbind, no problems: 

  [root@gw]# wbinfo -t
  checking the trust secret for domain MYADDOMAIN via RPC calls succeeded


  but for Kerberos, I can't create the .keytab


  [root@gw]# kinit MYUSERNAME
  Password for myusern...@myaddomain.fr:

  [root@gw]# klist
  Ticket cache: KEYRING:persistent:0:0
  Default principal: myusern...@myaddomain.fr

  Valid starting   Expires  Service principal
  02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
  renew until 09/05/2015 04:51:07


  MYUSERNAME is the same account that I used to join the domain (net join) with winbind



  Then I run:

  msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k 
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose


  and I get an error:

  [root@gw etc]# msktutil -c -b CN=COMPUTERS -s 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab 
--computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org 
--server adserver1 --verbose
  -- init_password: Wiping the computer password structure
  -- generate_new_password: Generating a new, random password for the computer 
account
  -- generate_new_password:  Characters read from /dev/udandom = 84
  -- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-jnxTuG
  -- reload: Reloading Kerberos Context
  -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
  -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
  -- try_machine_keytab_princ: Authentication with keytab failed
  -- try_machine_keytab_princ: Trying to authenticate for 
host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
  -- try_machine_keytab_princ: Authentication with keytab failed
  -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with 
password.
  -- create_default_machine_password: Default machine password for 
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
  -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not 
found in Kerberos database)
  -- try_machine_password: Authentication with password failed
  -- try_user_creds: Checking if default ticket cache has tickets...
  -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache 
found)
  -- try_user_creds: User ticket cache was not valid.
  Error: could not find any credentials to authenticate with. Neither keytab,
   default machine password, nor calling user's tickets worked. Try
   kiniting yourself some tickets with permission to create computer
   objects, or pre-creating the computer object in AD and selecting
   'reset account'.
  -- ~KRB5Context: Destroying Kerberos Context




  Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to 
ophtcysrv1v4.myaddomain.fr



  Does anyone know the origin of this error?


  thanks

  Olivier




--
  ___
  squid-users mailing list
  squid-users@lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users








___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid and Kerberos problems

2015-05-03 Thread Markus Moeller
Hi Olivier,

   You may need to check with the msktutil authors as this is not directly 
related to squid. 

Regards
Markus

Olivier CALVANO o.calv...@gmail.com wrote in message 
news:CAJajPecBcrbW+jtiwF2J=ujz4kwdtwf6opzjf56pvz+-gfn...@mail.gmail.com...
Hi


I have compiled the 1.0rc version:



[root@gw msktutil-1.0rc1]# ./msktutil -c -b CN=COMPUTERS -s 
HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name 
OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myasdomain.fr --server 
myad.myaddomain.fr --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer 
account
-- generate_new_password:  Characters read from /dev/urandom = 93
-- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-jPXQHu
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for 
host/gw.srv1-v4.tcy.sodiaal.ophelys.org from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with 
password.
-- create_default_machine_password: Default machine password for 
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not 
found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
SASL/GSSAPI authentication started
SASL username: myusern...@myaddomain.fr
SASL SSF: 56
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=FR
-- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ 
exists
-- ldap_check_account: Computer account not found, create the account
No computer account for OPHTCYSRV1V4-K found, creating a new one.
-- ldap_check_account_strings: Inspecting (and updating) computer account 
attributes
-- ldap_check_account_strings: Found userPrincipalName =
-- ldap_check_account_strings: userPrincipalName should be 
HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x20 
to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication 
error
Error: set_password failed
-- ~KRB5Context: Destroying Kerberos Context







2015-05-03 13:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

  Did you compile msktutil or is it a package in CentOS? 

  Markus

  Olivier CALVANO o.calv...@gmail.com wrote in message 
news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...
  Hi



  Thanks for your answer

  CentOS Linux release 7.1.1503 (Core)

  krb5-workstation-1.12.2-14.el7.x86_64
  krb5-libs-1.12.2-14.el7.x86_64


  regards

  olivier



  2015-05-03 0:25 GMT+02:00 Markus Moeller hua...@moeller.plus.com:

Which OS and Kerberos version do you have?  There might be some issue with 
the cache used, KEYRING:persistent:0:0

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message 
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
Hi


I request your help because I want to use NTLM/Kerberos to authenticate my 
users.


For NTLM, I use Winbind, no problems: 

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded


but for Kerberos, I can't create the .keytab


[root@gw]# kinit MYUSERNAME
Password for myusern...@myaddomain.fr:

[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myusern...@myaddomain.fr

Valid starting   Expires  Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
renew until 09/05/2015 04:51:07


MYUSERNAME is the same account that I used to join the domain (net join

Re: [squid-users] Squid and Kerberos problems

2015-05-02 Thread Markus Moeller
Which OS and Kerberos version do you have?  There might be some issue with the 
cache used, KEYRING:persistent:0:0

Markus

Olivier CALVANO o.calv...@gmail.com wrote in message 
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
Hi


I request your help because I want to use NTLM/Kerberos to authenticate my users.


For NTLM, I use Winbind, no problems: 

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded


but for Kerberos, I can't create the .keytab


[root@gw]# kinit MYUSERNAME
Password for myusern...@myaddomain.fr:

[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myusern...@myaddomain.fr

Valid starting   Expires  Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
renew until 09/05/2015 04:51:07


MYUSERNAME is the same account that I used to join the domain (net join) with winbind



Then I run:

msktutil -c -b CN=COMPUTERS -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k 
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose


and I get an error:

[root@gw etc]# msktutil -c -b CN=COMPUTERS -s 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab 
--computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org 
--server adserver1 --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer 
account
-- generate_new_password:  Characters read from /dev/udandom = 84
-- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-jnxTuG
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for 
host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with 
password.
-- create_default_machine_password: Default machine password for 
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not 
found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache 
found)
-- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
 default machine password, nor calling user's tickets worked. Try
 kiniting yourself some tickets with permission to create computer
 objects, or pre-creating the computer object in AD and selecting
 'reset account'.
-- ~KRB5Context: Destroying Kerberos Context




Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to 
ophtcysrv1v4.myaddomain.fr



Does anyone know the origin of this error?


thanks

Olivier






___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid + AD + Kerb auth question

2015-03-19 Thread Markus Moeller
Hi Joao,

   OK, now you use the authentication rule. 

   How did you create the keytab?   Does the hostname match the keytab entry?

  Can you run the helper with -d to get more debug? 

Markus


From: Joao Paulo Monticelli Gaspar 
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller 
Subject: Re: [squid-users] Squid + AD + Kerb auth question

getting access denied now 

watch the logs:


== /var/log/squid/squid.out ==

== /var/log/squid/access.log ==
1426725527.219  1 192.168.1.251 TCP_DENIED/407 4509 GET 
http://www.eset.com.br/download/business - NONE/- text/html

== /var/log/squid/cache.log ==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user 
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS 
failure.  Minor code may provide more information. '

guess my SSO isn't working right?

2015-03-18 20:46 GMT-03:00 Markus Moeller hua...@moeller.plus.com:

  Hi Joao

  Then you hit

  http_access allow localnet


  and not

  http_access allow ad_auth

  Comment out the following line in squid.conf 

  http_access allow localnet


  and try again.

  Markus

  From: Joao Paulo Monticelli Gaspar 
  Sent: Wednesday, March 18, 2015 11:38 PM
  To: Markus Moeller 
  Subject: Re: [squid-users] Squid + AD + Kerb auth question

  yes, I'm using localnet, this is a virtual test lab environment, here are some 
log entries: 

  1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT 
p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - 
DIRECT/216.58.222.35 -
  1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT 
p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - 
DIRECT/216.58.222.46 -
  1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT 
safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

  When I looked at the access.log manual pages I saw that if squid can't get the 
user info, it uses the - sign in the access log, and we can see it there, but why 
can't it get the user info?


  2015-03-18 20:20 GMT-03:00 Markus Moeller hua...@moeller.plus.com: 


Hi,

  From which network do you surf ?  From localnet ? 

  Can you send sample log entries ?

Markus

From: Joao Paulo Monticelli Gaspar 
Sent: Wednesday, March 18, 2015 9:18 PM
To: Markus Moeller 
Subject: Re: [squid-users] Squid + AD + Kerb auth question

squid.conf 

visible_hostname proxy.joznet.local

auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl ad_auth proxy_auth REQUIRED

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) 
machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports


http_access deny CONNECT !SSL_ports


http_access allow localnet

http_access allow localhost
http_access allow ad_auth
http_access deny all


http_port 3128

hierarchy_stoplist cgi-bin ?


coredump_dir /var/spool/squid


refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320



krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JOZNET.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

; for Windows 2008 with AES

;default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
des-cbc-crc des-cbc-md5
;default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac 
des-cbc-crc des-cbc-md5
;permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
des-cbc-md5

; for MIT/Heimdal kdc no need to restrict encryption type

[realms]
JOZNET.LOCAL = {
  kdc = srvjoznt.joznet.local:88
  admin_server = srvjoznt.joznet.local:749
  default_domain = joznet.local
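
To see why `http_access allow localnet` placed before `http_access allow ad_auth` leaves %un as "-" in access.log, here is an added example (not squid code) that walks the posted http_access list with squid's first-match semantics in a simplified model: a proxy_auth ACL reached without credentials is treated as a 407 challenge, and the client then retries with credentials. The ACL names, networks and ports are transcribed from the quoted squid.conf; `evaluate`, `simulate_client` and the principal `alice@EXAMPLE.LOCAL` are constructed for this example.

```python
import ipaddress

# ACL definitions transcribed from the squid.conf quoted in this thread
LOCALHOST = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fc00::/7", "fe80::/10")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

def _src_in(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

# Plain ACLs are predicates over a request; proxy_auth ACLs are special-cased
# because they cannot match until the client has sent credentials.
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: _src_in(LOCALHOST, r["src"]),
    "localnet": lambda r: _src_in(LOCALNET, r["src"]),
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "all": lambda r: True,
}
AUTH_ACLS = {"ad_auth"}                   # acl ad_auth proxy_auth REQUIRED

# http_access lines in the order they were posted
RULES_AS_POSTED = [
    ("allow", ("manager", "localhost")),
    ("deny", ("manager",)),
    ("deny", ("!Safe_ports",)),
    ("deny", ("CONNECT", "!SSL_ports")),
    ("allow", ("localnet",)),
    ("allow", ("localhost",)),
    ("allow", ("ad_auth",)),
    ("deny", ("all",)),
]
# Markus' fix: comment out "http_access allow localnet"
RULES_FIXED = [rule for rule in RULES_AS_POSTED if rule != ("allow", ("localnet",))]

def evaluate(rules, request):
    """First matching http_access line decides; returns (decision, line text).

    Every ACL on a line must match (a leading ! negates).  Reaching a
    proxy_auth ACL without credentials yields "407": squid challenges the
    client instead of reading further down the list (simplified model).
    """
    for action, acls in rules:
        line = "%s %s" % (action, " ".join(acls))
        for name in acls:
            negate, base = name.startswith("!"), name.lstrip("!")
            if base in AUTH_ACLS:
                if request.get("user") is None:
                    return "407", line
                hit = True
            else:
                hit = ACLS[base](request)
            if hit == negate:             # this ACL failed, so the whole line fails
                break
        else:
            return action, line
    last = rules[-1][0]                   # no match: opposite of the last line's action
    return ("deny" if last == "allow" else "allow"), "(no match)"

def simulate_client(rules, request, credentials):
    """A browser's view: one attempt, retried with credentials after a 407."""
    decision, line = evaluate(rules, dict(request, user=None))
    challenged = decision == "407"
    if challenged:
        decision, line = evaluate(rules, dict(request, user=credentials))
    logged_user = credentials if challenged and decision != "407" else "-"
    return {"decision": decision, "matched": line,
            "challenged": challenged, "user": logged_user}

def sample_request():
    """Constructed request from the client address seen in the quoted access.log."""
    return {"src": "192.168.1.251", "method": "GET", "port": 80, "proto": "http"}

if __name__ == "__main__":
    creds = "alice@EXAMPLE.LOCAL"         # constructed principal, not from the thread
    for label, rules in (("as posted", RULES_AS_POSTED), ("localnet removed", RULES_FIXED)):
        print(label, simulate_client(rules, sample_request(), creds))
```

With the list as posted the 192.168.1.0/24 client is allowed by `allow localnet`, is never challenged, and so never presents the Kerberos ticket that would populate %un; once that line is gone the same request is challenged and allowed by `allow ad_auth` with the user name available for logging.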

Re: [squid-users] Squid + AD + Kerb auth question

2015-03-18 Thread Markus Moeller
What does the config file look like?  

Markus

Joao Paulo Monticelli Gaspar jaumsh...@gmail.com wrote in message 
news:CAFjXhx=idbdxeqxbzy56tr5m3fztasu2tqgwlclydi_s-s3...@mail.gmail.com...
Hey people, 

I have a doubt and couldn't find the answer anywhere yet. I'm using Squid 
integrated with a W2K8 AD server with Kerberos auth, and everything works fine; the 
main reason for choosing this setup is the Single Sign-On capability of the 
configuration, but in my access.log I can't see the users that are visiting 
the sites...

Is it possible to show that info with this setup, or by any other setup that 
maintains the SSO?

Thx in advance.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Logging variable question

2015-03-01 Thread Markus Moeller

Oh pretty old bug.

Thank you
Markus

Amos Jeffries  wrote in message news:54f26815.4020...@treenet.co.nz... 


On 1/03/2015 4:55 a.m., Markus Moeller wrote:

Hi,

  I wonder about the total size variables %<st and %>st for squid logs

# <st   Sent reply size including HTTP headers
# >st   Received request size including HTTP headers. In the
#   case of chunked requests the chunked encoding metadata
#   are not included

I have set the logformat to

logformat squid_mm  %tg %6tr %>a %Ss/%03>Hs %<st %>st %rm %ru %un
%Sh/%<A %mt

and have 2 cases for which I would like to see the request/reply total
data size.

Case 1

Just receiving data.  (44073 and 35754 are local and remote ports
respectively)

28/Feb/2015:15:29:27   5887 192.168.1.17 TCP_TUNNEL/200 8895 45 CONNECT
opensuse13.suse.home:443 - HIER_DIRECT/opensuse13.suse.home -


http://bugs.squid-cache.org/show_bug.cgi?id=3069

Amos


Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-02-11 Thread Markus Moeller


On 20/01/2015 11:31 p.m., Simon Stäheli wrote:

Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to Kerberos
domain name” mappings provided by the -N option. As far as I can
tell, this mapping can also easily be done by writing you own
helper perl script which is doing the mapping and finally feeds the
more common ext_ldap_group_acl helper.



Whatever floats your boat. The point of the Addon/Plugin/helpers API
is that you can use scripts if they serve your needs better.

All the usual Open Source benefits of many eyeballs and somebody
else doing code maintenance for you applies to using a bundled helper
over a custom written one.

Beyond that the kerberos helper also provides automatic detection of
which LDAP server to use via multiple auto-configuration methods.



The idea of the helper was to automate most of the configuration (ignoring 
some performance) and avoid using a username/password, and to support users from 
multiple domains. Secondly I wanted to check for nested groups, which was not 
available in the existing helper, and thirdly I also check now against the 
primary group of the user.



Thank you Markus for your explanations. I played around with
ext_kerberos_ldap_group_acl and would like to go into some details:

1) Is it possible to define more than one LDAP server (e.g. for high
availability reasons)? The -l parameter allows only one ldap url while
-S allows several server - realm mappings.



I didn't see the need.  The -l was more for cases when digest or basic auth
is used and I do not know the domain to check against.  So a fallback
option.



2) Is it correct that, compared to ext_ldap_group_acl,
ext_kerberos_ldap_group_acl does not require a groupname as input (from
stdin), because -g -t -T or -D control the group name?!



You have two options with ext_kerberos_ldap_group_acl: as input or via -g ..
control



3) What is the use case for defining -g GROUP@? What is the difference
to -g GROUP (without @)



-g GROUP is for all users including the ones with no provided domain


The man pages describe it a bit under Note:

1) For user@REALM
  a) Query DNS for SRV record _ldap._tcp.REALM
  b) Query DNS for A record REALM
  c) Use LDAP_URL if given

2) For user
  a) Use domain -D REALM and follow step 1)
  b) Use LDAP_URL if given

The Groups to check against are determined as follows:

1) For user@REALM
  a)  Use  values  given  by -g option which contain a @REALM e.g. -g
GROUP1@REALM:GROUP2@REALM
  b) Use values given by -g option which contain a  @  only  e.g.  -g
GROUP1@:GROUP2@
  c)  Use values given by -g option which do not contain a realm e.g.
-g GROUP1:GROUP2

2) For user
  a) Use values given by -g option which do not contain a realm  e.g.
-g GROUP1:GROUP2

3) For NDOMAIN\user
  a) Use realm given by -N NDOMAIN@REALM and then use values given by
-g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM




4) The query DNS for SRV record _ldap._tcp.REALM mechanism seems not to
work for me although the DNS server is configured correctly and querying
with dig SRV _ldap._tcp.REALM works fine. Anything to consider here?
_ldap._tcp.REALM SRV query was never sent so far.



I would not see an obvious reason.   Does -d show any hints ?  I can only
imagine that REALM is not what is sent by the client.


5) Similar issues with the Kerberos feature. Keytab and Kerberos config
are available and exported, but the helper only says:
support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
support_ldap.cc(897): DEBUG: Kerberos is not supported. Use
username/password with ldap url instead



The message support_ldap.cc(897): DEBUG: Kerberos is not supported. means
your Kerberos installation is not fully available. It means HAVE_KRB5 is not
set (maybe header files were missing).



Can you give me some further information about the requirements of the 
helper regarding kerberos? I am trying to use it with Heimdal kerberos 
(Heimdal 1.3.3). negotiate_kerberos_auth for example works very well with 
the present kerberos libraries.





Can you send the config.log file ?  For some reason HAVE_KRB5 is not set ( 
which is a bit strange as it is also used for the auth helper)





Instead of that I found a dns SRV _kerberos._udp.REALM query which was
actually answered by the dns. I assume this is related to the Kerberos
feature?


yes it is. It is a way to find the kdc.



6) It is possible to use the helper when DNS service is not reachable?
Got some error messages during testing:

kerberos_ldap_group: DEBUG: Canonicalise ldap server name
213.156.236.111:3268
kerberos_ldap_group: ERROR: Error while resolving ip address with
getnameinfo: Temporary failure in name resolution
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: Success



If you add a line to your hosts file and use the appropriate nsswitch.conf it
should work.  You can also add a line to the 

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-11 Thread Markus Moeller

Hi Ludovit,

  How did you create the keytab ? Usually there is an option allowing you 
to select the encryption type.  The other place to check would be 
/etc/krb5.conf. It can contain a list of supported encryption types. See 
http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html


default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes

Markus

Ludovit Koren  wrote in message news:86h9usfpsk@gmail.com...


Markus Moeller hua...@moeller.plus.com writes:


Hi Ludovit,
 Which Kerberos library version do you use ? Is it possible that
the encryption types don't match ?  I saw in your first email the
following:

It is standard Heimdal library on FreeBSD:
# kinit --version
kinit (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-b...@h5l.org

FreeBSD 10.1-STABLE #1 r275861

Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type Principal 
Aliases

 8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL


You are right... I tried to find out how to change it. Is it option on
KDC server? I am not able to find anything relevant.


lk


Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-10 Thread Markus Moeller

Hi Ludovit,

 Which Kerberos library version do you use ? Is it possible that the 
encryption types don't match ?  I saw in your first email the following:


Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type Principal  Aliases
 8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL

Markus

Ludovit Koren  wrote in message news:86d25i9plr@gmail.com...


Markus Moeller hua...@moeller.plus.com writes:


Hi Ludovit,
 I haven't seen that error before either, but when you test you should
have your own user credentials in the cache.  You should use kinit
user@MDPT.LOCAL and then try again the test. Is the hostname
correctly set to squid1.mdpt.local ? If not try

  /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME


Hello,

still no progress...


# klist
Credentials cache: FILE:/tmp/krb5cc_0
   Principal: xkoren@MDPT.LOCAL

 IssuedExpires   Principal
Feb 10 08:41:06 2015  Feb 10 18:41:06 2015  krbtgt/MDPT.LOCAL@MDPT.LOCAL
Feb 10 08:42:17 2015  Feb 10 18:41:06 2015 
HTTP/squid1.mdpt.local@MDPT.LOCAL


# hostname
squid1.mdpt.local

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639093 for mech unknown

BH quit command

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639094 for mech unknown

BH quit command

regards,

lk

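The mismatch Markus points out above (the keytab holds only aes128-cts-hmac-sha1-96 for kvno 8 while the client presents an arcfour-hmac-md5 service ticket) is exactly what gss_accept_sec_context() trips over: the acceptor needs a key for the same principal, the same kvno and the same enctype as the ticket. The following is an added example, not code from Squid, MIT Kerberos or Heimdal. It parses the keytab file format (version 0x0502, the one both MIT and Heimdal ktutil write) into principal/kvno/enctype triples, checks whether a ticket with a given enctype and kvno (what klist -v prints) could be decrypted with them, and flags single-DES and RC4 keys. The keytab bytes are constructed in the script with a dummy key; the principal, kvno and enctypes mirror the thread.

```python
"""Keytab contents vs. the enctype of a presented service ticket (added example)."""
import struct
from collections import namedtuple

# Enctype numbers from the IANA Kerberos encryption type registry
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac-md5", 24: "arcfour-hmac-md5-exp",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}   # single DES and RC4

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")   # principal as name@REALM


def _octets(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries as a v2 keytab; used here only to construct test input."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, pos = [], 2

    def rd(fmt):                      # unpack at pos and advance
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    def cstr():                       # 16-bit length-prefixed string
        nonlocal pos
        (n,) = rd(">H")
        s = data[pos:pos + n].decode()
        pos += n
        return s

    while pos + 4 <= len(data):
        (size,) = rd(">i")
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = rd(">H")
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = rd(">IIB")
        enctype, klen = rd(">HH")
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # a non-zero 32-bit vno overrides the 8-bit one
            kvno = rd(">I")[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def ticket_decryptable(entries, principal, etype, kvno):
    """What gss_accept_sec_context() needs: a key for this principal, kvno and enctype."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return False, f"{principal} is not in the keytab"
    same_kvno = [e for e in mine if e.kvno == kvno]
    if not same_kvno:
        return False, f"no kvno {kvno} key (keytab has kvno {sorted({e.kvno for e in mine})})"
    if not any(e.enctype == etype for e in same_kvno):
        have = ", ".join(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in same_kvno)
        return False, f"ticket etype {ENCTYPE_NAMES.get(etype, etype)} but keytab kvno {kvno} only has {have}"
    return True, "ok"


def weak_entries(entries):
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed input mirroring the thread: kvno 8, aes128 only, dummy key material
SQUID_PRINC = "HTTP/squid1.mdpt.local@MDPT.LOCAL"
KEYTAB = build_keytab([KeytabEntry(SQUID_PRINC, 8, 17, bytes(range(16)))])

if __name__ == "__main__":
    ents = parse_keytab(KEYTAB)
    for e in ents:
        print(f"{e.kvno:3d} {ENCTYPE_NAMES.get(e.enctype, e.enctype):28} {e.principal}")
    print(ticket_decryptable(ents, SQUID_PRINC, 23, 8))   # the arcfour ticket from klist -v
```

Point it at a real file with parse_keytab(open("/etc/krb5.keytab", "rb").read()) and compare against the "Ticket etype" and "kvno" lines of klist -v. The usual fixes are to re-export the keytab with every enctype the KDC may issue for the service, or to restrict the issued enctypes on the KDC side; the weak_entries() list shows where RC4 or DES keys would remain in a regenerated keytab.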

Re: [squid-users] Kerberos authentication problem - squid 3.4.11

2015-02-09 Thread Markus Moeller

Hi Ludovit,

 I haven't seen that error before either, but when you test you should have 
your own user credentials in the cache.  You should use kinit 
user@MDPT.LOCAL and then try again the test. Is the hostname correctly set 
to squid1.mdpt.local ? If not try


  /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME



Markus

Ludovit Koren  wrote in message news:86a90nxj41@gmail.com...



Hi,

I have setup kerberos according to:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

# klist
Credentials cache: FILE:/tmp/krb5cc_0
   Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL

 IssuedExpires   Principal
Feb  9 14:55:18 2015  Feb 10 00:55:18 2015  krbtgt/MDPT.LOCAL@MDPT.LOCAL
Feb  9 14:55:20 2015  Feb 10 00:55:18 2015 
HTTP/squid1.mdpt.local@MDPT.LOCAL


# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
   Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
   Cache version: 4

Server: krbtgt/MDPT.LOCAL@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: aes128-cts-hmac-sha1-96
Ticket length: 1081
Auth time:  Feb  9 14:55:18 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless



# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type Principal  Aliases
 8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL


When I try to test it with the following command I get the error:

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639093 for mech unknown

BH quit command


I cannot find anything suitable for the error code. Could you, please,
point me in the right direction? Any hint appreciated.

regards,

lk


Re: [squid-users] benefits of using ext_kerberos_ldap_group_aclinstead of ext_ldap_group_acl

2015-02-09 Thread Markus Moeller



Amos Jeffries  wrote in message news:54BE3B5C.8040800 at
treenet.co.nz...


On 20/01/2015 11:31 p.m., Simon Stäheli wrote:

Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to Kerberos
domain name” mappings provided by the -N option. As far as I can
tell, this mapping can also easily be done by writing you own
helper perl script which is doing the mapping and finally feeds the
more common ext_ldap_group_acl helper.



Whatever floats your boat. The point of the Addon/Plugin/helpers API
is that you can use scripts if they serve your needs better.

All the usual Open Source benefits of many eyeballs and somebody
else doing code maintenance for you applies to using a bundled helper
over a custom written one.

Beyond that the kerberos helper also provides automatic detection of
which LDAP server to use via multiple auto-configuration methods.



The idea of the helper was to automate most of the configuration (ignoring
some performance) and avoid using a username/password, and to support users
from multiple domains. Secondly I wanted to check for nested groups, which was
not available in the existing helper, and thirdly I also check now against
the primary group of the user.



Thank you Markus for your explanations. I played around with
ext_kerberos_ldap_group_acl and would like to go into some details:

1) Is it possible to define more than one LDAP server (e.g. for high
availability reasons)? The -l parameter allows only one ldap url while
-S allows several server - realm mappings.



I didn't see the need.  The -l was more for cases when digest or basic auth 
is used and I do not know the domain to check against.  So a fallback 
option.




2) Is it correct that, compared to ext_ldap_group_acl,
ext_kerberos_ldap_group_acl does not require a groupname as input (from
stdin), because -g -t -T or -D control the group name?!



You have two options with ext_kerberos_ldap_group_acl: as input or via -g .. 
control




3) What is the use case for defining -g GROUP@? What is the difference
to -g GROUP (without @)



-g GROUP is for all users including the ones with no provided domain


The man pages describe it a bit under Note:

1) For user@REALM
  a) Query DNS for SRV record _ldap._tcp.REALM
  b) Query DNS for A record REALM
  c) Use LDAP_URL if given

2) For user
  a) Use domain -D REALM and follow step 1)
  b) Use LDAP_URL if given

The Groups to check against are determined as follows:

1) For user@REALM
  a)  Use  values  given  by -g option which contain a @REALM e.g. -g
GROUP1@REALM:GROUP2@REALM
  b) Use values given by -g option which contain a  @  only  e.g.  -g
GROUP1@:GROUP2@
  c)  Use values given by -g option which do not contain a realm e.g.
-g GROUP1:GROUP2

2) For user
  a) Use values given by -g option which do not contain a realm  e.g.
-g GROUP1:GROUP2

3) For NDOMAIN\user
  a) Use realm given by -N NDOMAIN@REALM and then use values given by
-g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM




4) The query DNS for SRV record _ldap._tcp.REALM mechanism seems not to
work for me although the DNS server is configured correctly and querying
with dig SRV _ldap._tcp.REALM works fine. Anything to consider here?
_ldap._tcp.REALM SRV query was never sent so far.



I would not see an obvious reason.   Does -d show any hints ?  I can only 
imagine that REALM is not what is sent by the client.



5) Similar issues with the Kerberos feature. Keytab and Kerberos config
are available and exported, but the helper only says:
support_ldap.cc(888): DEBUG: Setup Kerberos credential cache
support_ldap.cc(897): DEBUG: Kerberos is not supported. Use
username/password with ldap url instead



The message support_ldap.cc(897): DEBUG: Kerberos is not supported. means 
your Kerberos installation is not fully available. It means HAVE_KRB5 is not 
set ( maybe header files were missing).



Instead of that I found a dns SRV _kerberos._udp.REALM query which was
actually answered by the dns. I assume this is related to the Kerberos
feature?


yes it is. It is a way to find the kdc.



6) It is possible to use the helper when DNS service is not reachable?
Got some error messages during testing:

kerberos_ldap_group: DEBUG: Canonicalise ldap server name
213.156.236.111:3268
kerberos_ldap_group: ERROR: Error while resolving ip address with
getnameinfo: Temporary failure in name resolution
kerberos_ldap_group: DEBUG: Error during initialisation of ldap
connection: Success



If you add a line to your hosts file and use the appropriate nsswitch.conf it 
should work.  You can also add a line to the hosts file for the domain for 
the case the SRV record fails.




Besides these tiny issues the helper works excellently (tested with basic,
NTLM and Kerberos authentication). I am just trying to discover the
whole potential. Thank you very much for any responses.

Regards
Simon



Regards
Markus


If you can demonstrate 

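The man-page notes quoted in this message and in the 2015-02-11 message above spell out two rule sets: how the helper picks the LDAP server for a user (SRV record, A record, then the -l LDAP_URL) and which of the -g groups it checks depending on whether the user arrives as user@REALM, plain user, or NDOMAIN\user. The following is an added example, not the helper's own code: a pure-Python model of those rules so the effect of -g GROUP@REALM / GROUP@ / GROUP, -N NDOMAIN@REALM and -D REALM can be checked without a running helper. It performs no DNS or LDAP queries and only returns the lookups the helper would attempt, in order. Two details are my reading of the rules rather than something the notes state: realms are compared case-insensitively, and groups given without a realm are looked up in the user's realm (or the -D realm for a plain user).

```python
"""Model of the ext_kerberos_ldap_group_acl group and LDAP-server selection rules (added example)."""


def parse_groups(g_option):
    """-g GROUP1@REALM:GROUP2@:GROUP3 -> [(name, 'REALM'), (name, ''), (name, None)]

    '' means 'the user's own realm' (GROUP@), None means 'no realm given' (GROUP)."""
    out = []
    for item in filter(None, g_option.split(":")):
        if "@" in item:
            name, realm = item.split("@", 1)
            out.append((name, realm.upper()))
        else:
            out.append((item, None))
    return out


def parse_netbios(n_option):
    """-N NDOMAIN@REALM:NDOMAIN2@REALM2 -> {'NDOMAIN': 'REALM', ...}"""
    mapping = {}
    for item in filter(None, n_option.split(":")):
        nb, realm = item.split("@", 1)
        mapping[nb.upper()] = realm.upper()
    return mapping


def classify_user(user):
    """-> ('realm', name, REALM) | ('netbios', name, NDOMAIN) | ('plain', name, None)"""
    if "\\" in user:
        dom, name = user.split("\\", 1)
        return "netbios", name, dom.upper()
    if "@" in user:
        name, realm = user.rsplit("@", 1)
        return "realm", name, realm.upper()
    return "plain", user, None


def groups_to_check(user, g_option, n_option="", default_realm=None):
    """Return [(group, realm_to_search), ...] in the order the notes list them."""
    groups = parse_groups(g_option)
    kind, _name, dom = classify_user(user)
    if kind == "realm":
        # 1a) GROUP@REALM for this realm, 1b) GROUP@ (any realm), 1c) plain GROUP
        return ([(g, r) for g, r in groups if r == dom]
                + [(g, dom) for g, r in groups if r == ""]
                + [(g, dom) for g, r in groups if r is None])
    if kind == "netbios":
        # 3a) map the NetBIOS domain via -N, then only GROUP@REALM entries for it
        realm = parse_netbios(n_option).get(dom)
        if realm is None:
            return []          # no -N mapping: the helper has no realm to pick
        return [(g, r) for g, r in groups if r == realm]
    # 2a) plain user: only realm-less groups, searched in the -D realm
    realm = default_realm.upper() if default_realm else None
    return [(g, realm) for g, r in groups if r is None]


def ldap_lookup_order(user, default_realm=None, ldap_url=None, n_option=""):
    """The server-discovery steps the notes describe, in order, for one user."""
    kind, _name, realm = classify_user(user)
    if kind == "plain":        # 2a) take the -D realm, then follow step 1
        realm = default_realm.upper() if default_realm else None
    elif kind == "netbios":    # resolve the NetBIOS name first (assumed, as in rule 3a)
        realm = parse_netbios(n_option).get(realm)
    steps = []
    if realm:
        steps += [f"SRV _ldap._tcp.{realm}", f"A {realm}"]
    if ldap_url:               # 1c / 2b) the -l fallback
        steps.append(f"LDAP_URL {ldap_url}")
    return steps


if __name__ == "__main__":
    G = "GROUP1@REALM.A:GROUP2@:GROUP3"
    for u in ("user@REALM.A", "user@REALM.B", "user", "NDOM\\user"):
        print(f"{u:14} -> {groups_to_check(u, G, 'NDOM@REALM.A', default_realm='REALM.A')}")
        print(f"{'':14}    {ldap_lookup_order(u, 'REALM.A', 'ldap://dc1:3268', 'NDOM@REALM.A')}")
```

The model makes the behaviour Simon asks about in question 3 visible: with -g GROUP@ the group is checked in whatever realm the authenticated user came from, while a bare -g GROUP also applies to users that arrived without any domain at all, which is why a plain username only ever matches realm-less groups and needs -D to know where to look.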
Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller



Amos Jeffries  wrote in message news:54be3b5c.8040...@treenet.co.nz...


On 20/01/2015 11:31 p.m., Simon Stäheli wrote:

Are there any other benefits in using ext_kerberos_ldap_group_acl
instead of ext_ldap_group_acl except the Netbios name to Kerberos
domain name” mappings provided by the -N option. As far as I can
tell, this mapping can also easily be done by writing you own
helper perl script which is doing the mapping and finally feeds the
more common ext_ldap_group_acl helper.



Whatever floats your boat. The point of the Addon/Plugin/helpers API
is that you can use scripts if they serve your needs better.

All the usual Open Source benefits of many eyeballs and somebody
else doing code maintenance for you applies to using a bundled helper
over a custom written one.

Beyond that the kerberos helper also provides automatic detection of
which LDAP server to use via multiple auto-configuration methods.



The idea of the helper was to automate most of the configuration (ignoring 
some performance) and avoid using a username/password, and to support users from 
multiple domains. Secondly I wanted to check for nested groups, which was not 
available in the existing helper, and thirdly I also check now against the 
primary group of the user.



If you can demonstrate that the ext_kerberos_ldap_group_acl does
provides a superset of the functionality of ext_ldap_group_acl helper
then I can de-duplicate the two helpers.

Amos


Regards
Markus





Re: [squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

2015-01-21 Thread Markus Moeller



Amos Jeffries  wrote in message news:54be53b2.9070...@treenet.co.nz...


On 21/01/2015 1:38 a.m., Simon Staeheli wrote:

Whatever floats your boat. The point of the Addon/Plugin/helpers
API is that you can use scripts if they serve your needs better.

All the usual Open Source benefits of many eyeballs and
somebody else doing code maintenance for you applies to using a
bundled helper over a custom written one.

Beyond that the kerberos helper also provides automatic detection
of which LDAP server to use via multiple auto-configuration
methods.

If you can demonstrate that the ext_kerberos_ldap_group_acl does
provides a superset of the functionality of ext_ldap_group_acl
helper then I can de-duplicate the two helpers.

Amos


Thanks for the hint regarding automatic detection of LDAP servers.
I am just trying to find what the differences between the two
helpers are and which one does fit my needs better. Any others?



Nothing I can pick out easily.


Do you know anything about the feature in
ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
earlier post?

I have a new method in my squid 3.4 patch which uses the Group
Information MS is putting in the ticket. This would eliminate the
ldap lookup completely.
(http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)



I think that refers to a work in progress. Markus maintains the
un-bundled version of his helpers a little in advance of what has made
it into the Squid stable branch. Some of what is available in his
helper downloads is only in the Squid-3.HEAD alpha development code so
far.

I am working on obsoleting the need for external group helpers. From
3.5 auth helpers can deliver to Squid a set of group= kv-pair in their
response. Those can be used with the note ACL type to check group
names without any external_acl_type helper lookup (making group checks
possible in 'fast' access controls).

Markus joined me in this project and his latest kerberos auth helper
(in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry
ID format MS uses. The external_acl_type helper interface cannot yet
be passed notes to decipher that to a known group name.



The Kerberos authentication helper extracts the Microsoft authorisation data 
from the Kerberos ticket. This so-called PAC data contains the AD Security 
Groups a user belongs to (even across a forest/domain as far as I recall, and 
nested groups).   The format of the authorisation data is the AD objectsid, 
which the helper returns in base64 encoding.  So now instead of querying 
LDAP an external helper just needs to compare the base64 encoded SID with a 
predefined SID.  You just have to know the SID when you set up the 
configuration, in the same way as you have to know the AD group name with an 
ldap helper.


From a Unix system you can easily get the object sid if you know the 
groupname, e.g.


# kinit mar...@win2003r2.home
# ldapsearch -LLL -H ldap://w2k3r2.win2003r2.home -s sub -b "DC=WIN2003R2,DC=HOME" "(CN=SOCKS_ALLOW)" objectsid

SASL/GSSAPI authentication started
SASL username: mar...@win2003r2.home
SASL SSF: 56
SASL data security layer installed.
dn: CN=SOCKS_ALLOW,OU=Groups,DC=win2003r2,DC=home
objectSid:: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==

Any ldap browser like ldapadmin can also show the objectsid.

I also have a tool which I can provide to convert a SID into a base64 value

Examples:

# ./convert_sid S-1-5-21-1828870822-1098772068-2592627279-1163
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163

# ./convert_sid AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163

# ./convert_sid 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
base64 encoded: AQUAAAAAAAUVAAAAploCbWTufUFPWoiaiwQAAA==
hexadecimal: 01 05 00 00 00 00 00 05 15 00 00 00 a6 5a 02 6d 64 ee 7d 41 4f 5a 88 9a 8b 04 00 00
SID: S-1-5-21-1828870822-1098772068-2592627279-1163


Please let me know if you have questions, comments or ideas

Regards
Markus



Amos


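Markus's message above describes the PAC-based check in two parts: convert the AD objectSid between its S-1-5-... text, its raw bytes (the hex dump) and the base64 that ldapsearch prints and the auth helper emits, and then have an external helper compare the base64 SIDs from the ticket against a configured one. The following is an added example, not Markus's convert_sid tool and not Squid helper code. It reimplements the three conversions and the comparison; the hex string on the page decodes to a 28-byte SID, and the base64 in the test is the encoding of exactly those bytes. The helper response line in the usage is constructed, and its exact layout (one group= kv-pair per SID) is an assumption taken from Amos's description of "a set of group= kv-pair".

```python
"""AD objectSid <-> base64/hex conversion and a PAC group comparison (added example)."""
import base64
import struct


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> the binary SID (MS-DTYP SID structure)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"malformed SID: {sid!r}")
    # revision (1 byte), sub-authority count (1 byte), identifier authority
    # (6 bytes big-endian), then each sub-authority as 32-bit little-endian
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    if len(raw) < 8:
        raise ValueError("SID shorter than 8 bytes")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_any(text: str) -> bytes:
    """Accept the textual form, space-separated hex octets, or base64."""
    t = text.strip()
    if t.upper().startswith("S-"):
        return sid_to_bytes(t)
    if " " in t:                       # hex octets as in the convert_sid output
        return bytes.fromhex(t.replace(" ", ""))
    return base64.b64decode(t, validate=True)


def convert_sid(text: str) -> dict:
    raw = sid_from_any(text)
    return {"sid": bytes_to_sid(raw),   # raises if the bytes are not a well-formed SID
            "base64": base64.b64encode(raw).decode("ascii"),
            "hex": raw.hex(" ")}


def helper_groups(kv_line: str):
    """Pull the base64 group= values out of a helper response line
    (layout assumed: 'OK user=name group=<b64> group=<b64> ...')."""
    return [tok[len("group="):] for tok in kv_line.split() if tok.startswith("group=")]


def user_in_group(kv_line: str, allowed_sid: str) -> bool:
    """Compare decoded bytes so text, hex and base64 spellings of one SID all match."""
    want = sid_from_any(allowed_sid)
    return any(base64.b64decode(g, validate=True) == want for g in helper_groups(kv_line))


if __name__ == "__main__":
    socks_allow = "S-1-5-21-1828870822-1098772068-2592627279-1163"
    print(convert_sid(socks_allow))
    # constructed helper output: the SOCKS_ALLOW group plus BUILTIN\Administrators
    line = ("OK user=markus group=" + convert_sid(socks_allow)["base64"]
            + " group=" + convert_sid("S-1-5-32-544")["base64"])
    print(user_in_group(line, socks_allow), user_in_group(line, "S-1-5-32-545"))
```

Comparing on decoded bytes rather than on the base64 string avoids false negatives from padding or whitespace differences, and rejecting anything that does not decode to a well-formed SID keeps a malformed group= value from being treated as a match.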
Re: [squid-users] Proxy to proxy authentication

2014-12-30 Thread Markus Moeller

I thought it wasn't trivial, otherwise it would have been already done.  ;-)

Thank you
Markus

Amos Jeffries  wrote in message news:54a3416f.9060...@treenet.co.nz... 



On 31/12/2014 7:59 a.m., Markus Moeller wrote:

Hi Amos,


On 30/12/2014 3:31 p.m., Markus Moeller wrote:

Hi,

Can squid authenticate to an upstream proxy using digest ?  If
I saw it right cache_peer allows basic and negotiate only (or
passthrough)

Thank you Markus



Not yet.

Amos


Is it planned to add or no real interest in it ?


Mostly lack of interest. As usual if you are interested please feel
free to code. :-)

The biggest issue is that Digest like NTLM does not permit the initial
challenge step to be avoided. So Squid has to be made to handle
request retry when fetching the first nonce. The peer is supposed to
supply a next-nonce before the old one expires so further retries
*should* not be necessary, but may also happen on persistent connections.

Amos



Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
Hi Pedro,

  Did you try the -s GSS_C_NO_NAME option ?

Markus

Pedro Lobo pal...@gmail.com wrote in message 
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
Hey Everybody,

Seems as though I celebrated too soon on Saturday. Today things are back to not 
working for Windows 7+ machines and XP/2003 machines are working just fine.

I've also checked the permissions on the keytab file and they haven't changed 
since Saturday, so it's not that... ARGH 

Craving ideas and solutions right now... Pilot users are less than satisfied ;)

Cheers,
Pedro 

On 25 Oct 2014, at 14:13, Markus Moeller wrote:

  Hi Pedro,

  I wonder if the upper case in the name is a problem. Can you try

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s 
GSS_C_NO_NAME

  instead of

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s 
HTTP/proxy01tst.fake.net

  Markus

  Pedro Lobo pal...@gmail.com wrote in message 
news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
  Hi Markus,

  I used msktutil to create the keytab.

  msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k 
/etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn 
HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
  Output of klist -ekt:

  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (arcfour-hmac)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net 
(aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net 
(aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (arcfour-hmac)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net 
(aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net 
(aes256-cts-hmac-sha1-96)
  Yep, using MIT Kerberos

  Thanks in advance for any help.

  Cheers,
  Pedro

  On 25 Oct 2014, at 1:26, Markus Moeller wrote:

  Hi Pedro,

  How did you create your keytab ? What does klist -ekt squid.keytab show ( I 
assume you use MIT Kerberos) ?

  Markus

  Pedro Lobo pal...@gmail.com wrote in message 
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
  Hi Squid Gurus,

  I'm at my wit's end and in dire need of some squid expertise.

  We've got a production environment with a couple of squid 2.7 servers using 
NTLM and basic authentication. Recently though, we decided to upgrade and I'm 
now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just 
about every guide I could find and in my testing environment, things were 
working great. Now that I've hooked it up to the main domain, things are awry.

  If I use a machine that's not part of the domain, NTLM kicks in and I can 
surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works 
just fine, however, if I use a Windows 7, 8 or 2008 server machine, I keep 
getting a popup asking me to authenticate and even then, it's an endless loop 
until it fails. My cache.log is littered with:

  negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| 
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified 
GSS failure. Minor code may provide more information.
  2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error 
returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor 
code may provide more information. '
  The odd thing, is that this has worked before. Help me Obi Wan... You're my 
only hope! :)

  Current Setup
  Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server 
with function level 2000 (I know, we're trying to phase out the older servers).

  krb5.conf

  [libdefaults]
  default_realm = FAKE.NET
  dns_lookup_kdc = yes
  dns_lookup_realm = yes
  ticket_lifetime = 24h
  default_keytab_name = /etc/squid3/PROXY.keytab

  ; for Windows 2003
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

  [realms]
  FAKE.NET = {
  kdc = srv01.fake.net
  kdc = srv02.fake.net
  kdc = srv03.fake.net
  admin_server = srv01.fake.net
  default_domain = fake.net
  }

  [domain_realm]
  .fake.net = FAKE.NET
  fake.net = FAKE.NET

  [logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log
  squid.conf

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s 
HTTP/proxy01tst.fake.net
  auth_param negotiate children 20 startup=0 idle=1
  auth_param negotiate keep_alive off

  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
  auth_param ntlm children 10
  auth_param ntlm keep_alive off
  Cheers,
  Pedro

  Regards
  Pedro Lobo

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-27 Thread Markus Moeller
Hi Pedro,

   Can you capture the traffic from one Windows 7 and one XP client on port 88 ( 
just after the login, before accessing a website via squid, until successfully or 
unsuccessfully accessing the website) using wireshark ?   Send me the .cap files 
to check.

Markus

Pedro Lobo pal...@gmail.com wrote in message 
news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...
Hi Markus Moeller,


Hi Markus,

Yeah, I'm currently using that option and permissions are correct too. 

On 27 Oct 2014 19:47, Markus Moeller wrote: 


  Hi Pedro,

Did you try the –s GSS_C_NO_NAME option ?

  Markus

  Pedro Lobo pal...@gmail.com wrote in message 
news:94f74226-f24b-4910-95b7-b86ace815...@gmail.com...
  Hey Everybody,

  Seems as though I celebrated too soon on Saturday. Today things are back to 
not working for Windows 7+ machines and XP/2003 machines are working just fine.

  I've also checked the permissions on the keytab file and they haven't changed 
since Saturday, so it's not that... ARGH

  Craving ideas and solutions right now... Pilot users are less than satisfied 
;)

  Cheers,
  Pedro

  On 25 Oct 2014, at 14:13, Markus Moeller wrote:

Hi Pedro,

I wonder if the upper case in the name is a problem. Can you try

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r 
-s GSS_C_NO_NAME

instead of

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r 
-s HTTP/proxy01tst.fake.net

Markus

Pedro Lobo pal...@gmail.com wrote in message 
news:fd6832b9-3f1f-48c6-a76f-47a224f16...@gmail.com...
Hi Markus,

I used msktutil to create the keytab.

msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k 
/etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn 
HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
Output of klist -ekt:

2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net (arcfour-hmac)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net 
(aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake@fake.net 
(aes256-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net (arcfour-hmac)
2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net 
(aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 host/proxy01tst.fake@fake.net 
(aes256-cts-hmac-sha1-96)

Yep, using MIT Kerberos

Thanks in advance for any help.

Cheers,
Pedro

On 25 Oct 2014, at 1:26, Markus Moeller wrote:

Hi Pedro,

How did you create your keytab ? What does klist –ekt squid.keytab show ( 
I assume you use MIT Kerberos) ?

Markus

Pedro Lobo pal...@gmail.com wrote in message 
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,

I'm at my wit's end and in dire need of some squid expertise.

We've got a production environment with a couple of squid 2.7 servers using 
NTLM and basic authentication. Recently though, we decided to upgrade and I'm 
now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just 
about every guide I could find and in my testing environment, things were 
working great. Now that I've hooked it up to the main domain, things are awry.

If I use a machine that's not part of the domain, NTLM kicks in and I can 
surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works 
just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep 
getting a popup asking me to authenticate and even then, it's an endless loop 
until it fails. My cache.log is littered with:

negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| 
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified 
GSS failure. Minor code may provide more information.
2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error 
returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor 
code may provide more information. '
The odd thing, is that this has worked before. Help me Obi Wan... You're my 
only hope! :)

Current Setup
Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server 
with function level 2000 (I know, we're trying to phase out the older servers).

krb5.conf

[libdefaults]
default_realm = FAKE.NET
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
FAKE.NET = {
kdc = srv01.fake.net
kdc = srv02.fake.net
kdc = srv03.fake.net
admin_server = srv01.fake.net

Re: [squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

2014-10-24 Thread Markus Moeller
Hi Pedro,

How did you create your keytab ?  What does klist –ekt squid.keytab show ( I 
assume you use MIT Kerberos) ? 

Markus

Pedro Lobo pal...@gmail.com wrote in message 
news:40e1e0e7-50c6-4117-94aa-50b065734...@gmail.com...
Hi Squid Gurus,

I'm at my wit's end and in dire need of some squid expertise.

We've got a production environment with a couple of squid 2.7 servers using 
NTLM and basic authentication. Recently though, we decided to upgrade and I'm 
now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just 
about every guide I could find and in my testing environment, things were 
working great. Now that I've hooked it up to the main domain, things are awry.

If I use a machine that's not part of the domain, NTLM kicks in and I can surf 
the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just 
fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep getting a 
popup asking me to authenticate and even then, it's an endless loop until it 
fails. My cache.log is littered with:

negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| 
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified 
GSS failure.  Minor code may provide more information.
2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error 
returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor 
code may provide more information. '
The odd thing, is that this has worked before. Help me Obi Wan... You're my 
only hope! :)

Current Setup
Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with 
function level 2000 (I know, we're trying to phase out the older servers).

krb5.conf

[libdefaults]
default_realm = FAKE.NET
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
FAKE.NET = {
kdc = srv01.fake.net
kdc = srv02.fake.net
kdc = srv03.fake.net
admin_server = srv01.fake.net
default_domain = fake.net
}

[domain_realm]
.fake.net = FAKE.NET
fake.net = FAKE.NET

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

squid.conf

auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s 
HTTP/proxy01tst.fake.net
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics 
--helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
auth_param ntlm children 10
auth_param ntlm keep_alive off

Cheers,
Pedro

Regards
Pedro Lobo
Solutions Architect | System Engineer

pedro.l...@pt.clara.net
Tlm.: +351 939 528 827 | Tel.: +351 214 127 314

Claranet Portugal
Ed. Parque Expo
Av. D. João II, 1.07-2.1, 4º Piso
1998-014 Lisboa
www.claranet.pt

Company certified ISO 9001, ISO 2 and ISO 27001

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
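The thread does not reach a diagnosis, so as an added check (not code from the thread or from Squid), here is a small script that cross-checks the kind of klist -ekt output and krb5.conf enctype list quoted above against the service name given to negotiate_kerberos_auth with -s. The klist lines and the permitted_enctypes value are constructed samples modelled on the quoted ones; the realm is filled in as FAKE.NET because the quoted output has it obfuscated.

```python
import re

# Constructed sample input modelled on the klist -ekt output quoted in the thread.
KLIST_OUTPUT = """\
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (arcfour-hmac)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (aes128-cts-hmac-sha1-96)
2 10/24/2014 22:59:50 HTTP/proxy01tst.fake.net@FAKE.NET (aes256-cts-hmac-sha1-96)
"""
# The permitted_enctypes value from the krb5.conf quoted in the thread.
PERMITTED = "rc4-hmac des-cbc-crc des-cbc-md5"

# MIT krb5 accepts several spellings for one enctype; fold them to the name klist prints.
ALIASES = {
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
}
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)@(\S+)\s+\(([\w-]+)\)\s*$")

def canonical(etype):
    return ALIASES.get(etype.lower(), etype.lower())

def parse_klist(text):
    """Parse 'klist -ekt' lines into (principal, realm, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), canonical(m.group(3))))
    return entries

def check_keytab(klist_text, permitted_enctypes, service_name):
    """Cross-check keytab keys against the krb5.conf enctype policy and against
    the service principal handed to negotiate_kerberos_auth with -s."""
    entries = parse_klist(klist_text)
    permitted = {canonical(e) for e in permitted_enctypes.split()}
    # Keys whose enctype the permitted_enctypes policy excludes: tickets a client
    # obtained for those enctypes cannot be validated with this configuration.
    excluded = [f"{p}@{r} ({e})" for p, r, e in entries if e not in permitted]
    names = {p for p, _, _ in entries}
    exact = service_name in names
    # Principal names are case-sensitive, so report a case-only mismatch separately.
    case_only = (not exact) and any(p.lower() == service_name.lower() for p in names)
    return {"excluded_keys": excluded, "spn_in_keytab": exact, "spn_case_mismatch": case_only}

if __name__ == "__main__":
    for key, value in check_keytab(KLIST_OUTPUT, PERMITTED, "HTTP/proxy01tst.fake.net").items():
        print(f"{key}: {value}")
```

Run it with the real klist -ekt output and krb5.conf values in place of the constructed ones; a non-empty excluded_keys list or a case-only mismatch is something to reconcile before looking further.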


Re: [squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

2014-10-16 Thread Markus Moeller

Hi Victor,

  That sounds a bit strange. Can you capture with wireshark the traffic on 
port 88  on the system which has squiduser in the cache ( best after a clear 
the cache with kerbtray first) when accessing squid and send it to me as cap 
file ?


Markus

Victor Sudakov  wrote in message 
news:20141016161928.ga49...@admin.sibptus.tomsk.ru...


This question is neither exactly squid-related nor Heimdal-related, but
maybe some guru could shed some light.

I configure MSIE to use the proxy server proxy.sibptus.transneft.ru.
On starting MSIE, some Windows hosts request a ticket for the
principal  HTTP/proxy.sibptus.transneft.ru and receive it from the DC
and get authenticated successfully by squid. So far so good.

However, some other Windows hosts when requesting a ticket for
HTTP/proxy.sibptus.transneft.ru, in fact receive a ticket for
squidu...@sibptus.transneft.ru (kerbtray.exe shows this) and therefore
fail to get authenticated by squid.

squidu...@sibptus.transneft.ru is the AD account to which the SPN
HTTP/proxy.sibptus.transneft.ru is bound. But why do they receive a
ticket for a different name than requested, is beyond me.

Has anyone seen anything like this?

The KDC involved is the w2k AD.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 





Re: [squid-users] Kerberos auth not working

2014-10-03 Thread Markus Moeller
Can you capture the traffic on port 88 from the PC to AD after a clean boot 
and when you access squid ?


Markus


masterx81  wrote in message 
news:1412360733691-4667648.p...@n4.nabble.com...


All solved!
Seems that Kerberos is ALWAYS not working only on a specific workstation.
If I use Kerberos from any other PC it works as expected.
What can cause the error on that specific workstation? I've reinstalled the
OS due to this problem, and it's still there (OS preinstalled, so I've used
the recovery procedure from HP, maybe the problem is in the recovery OS
image)



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-auth-not-working-tp4667646p4667648.html

Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 


