Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )
Hi Louis, I know a user and machine account can be used and they work the same. What my concern is, is that many companies deploy password policies for users in AD. You would need to create exceptions for user accounts which have SPNs with associated keytabs as a password change will make the keytab invalid. Markus "L.P.H. van Belle" <be...@bazuin.nl> wrote in message news:vmime.57c3e5ca.28ab.73ab0c8662c33...@ms249-lin-003.rotterdam.bazuin.nl... Hello Markus, Thank you for the explanation, that helped a lot. I use the TLS_CACERTFILE in the init script now and that works for me . ( in debian the /etc/default/squid ) >>The helper tries to “authenticate” squid to AD as a user with the found SPN >>name, so the UPN must be the same as the SPN. There is no easy way to query >>what the UPN for the SPN is. Ah, this helped identify-ing so other small things to. >>msktutil (my preferred tool) Since i try to use only debian packages the msktutil is not available for me. >>Also msktutil (my preferred tool) creates a machine account not a user >>account in AD. >>The reason I prefer this is that often user accounts have a global password >>policy e.g. change every 60 days otherwise it will be locked. >>machine accounts do not have that limitation. But as I said it is just my >>preference. Thats not correct in my optionion. A the computer account, works the (almost) same an user account. Like a computer account = a user account. some pointers : https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx https://adsecurity.org/?p=280 I used a seperated user since i wanted to have 2 proxy on 1 service account, but due to the UPS/SPN thing, thats not options anymore, not thats a problem, I’ll change to add the computer to the samba domain and add the UPN/SPN on the computer account where needed. Which maybe even a better option. Thanks again for you replies. Best regards, Louis Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens Markus Moeller Verzonden: zaterdag 27 augustus 2016 16:52 Aan: squid-users@lists.squid-cache.org Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe ) Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. Regarding the certifcate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set. Kind regards Markus "L.P.H. van Belle" <be...@bazuin.nl> wrote in message news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl... Ok reply to myself so other users know this also. if you create a user for the HTTP services and you dont use msktutil but like me samba-tool or something else. Read : http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. and the clue was this line for me. Squid "login" to Windows Active Directory or Unix kdc as user @DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to @DOMAIN.COM> for the associated acount. This is usaully done by using msktutil. But this is not done by samba-tools samba-tool setup fro squid i used, was as followed. samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password samba-tool user setexpiry squid1-service –noexpiry samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service Now this results in : My UPN was set to the usern...@internal.domain.tld ( as it should ). My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should ) samba-tool spn list squid1-service squid1-service User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName: HTTP/proxy.internal.domain.tld HTTP/proxy.internal.domain.tld@YOUR.REALM.T Now i changed my UPN from usern...@internal.domain.tld to the
Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )
Hello Markus, Thank you for the explanation, that helped a lot. I use the TLS_CACERTFILE in the init script now and that works for me . ( in debian the /etc/default/squid ) >>The helper tries to “authenticate” squid to AD as a user with the found SPN >>name, so the UPN must be the same as the SPN. There is no easy way to query >>what the UPN for the SPN is. Ah, this helped identify-ing so other small things to. >>msktutil (my preferred tool) Since i try to use only debian packages the msktutil is not available for me. >>Also msktutil (my preferred tool) creates a machine account not a user >>account in AD. >>The reason I prefer this is that often user accounts have a global password >>policy e.g. change every 60 days otherwise it will be locked. >>machine accounts do not have that limitation. But as I said it is just my >>preference. Thats not correct in my optionion. A the computer account, works the (almost) same an user account. Like a computer account = a user account. some pointers : https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx https://adsecurity.org/?p=280 I used a seperated user since i wanted to have 2 proxy on 1 service account, but due to the UPS/SPN thing, thats not options anymore, not thats a problem, I’ll change to add the computer to the samba domain and add the UPN/SPN on the computer account where needed. Which maybe even a better option. Thanks again for you replies. Best regards, Louis Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens Markus Moeller Verzonden: zaterdag 27 augustus 2016 16:52 Aan: squid-users@lists.squid-cache.org Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe ) Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. Regarding the certifcate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set. Kind regards Markus "L.P.H. van Belle" <be...@bazuin.nl> wrote in message news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl... Ok reply to myself so other users know this also. if you create a user for the HTTP services and you dont use msktutil but like me samba-tool or something else. Read : http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. and the clue was this line for me. Squid "login" to Windows Active Directory or Unix kdc as user @DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to @DOMAIN.COM> for the associated acount. This is usaully done by using msktutil. But this is not done by samba-tools samba-tool setup fro squid i used, was as followed. samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password samba-tool user setexpiry squid1-service –noexpiry samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service Now this results in : My UPN was set to the usern...@internal.domain.tld ( as it should ). My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should ) samba-tool spn list squid1-service squid1-service User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName: HTTP/proxy.internal.domain.tld HTTP/proxy.internal.domain.tld@YOUR.REALM.T Now i changed my UPN from usern...@internal.domain.tld to the (SPN name) HTTP/proxyserver.internal.domain.tld@REALM Solved my initial problem. This should be in my optionion be changed to search for the SPN in ext_kerberos_ldap_group. Now i have LDAPS messages, see below, im adding the _ldaps SRV records now ,but i dont get why im getting : Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE) Im already having : TLS_CACERT /etc/ssl/certs/ca-certificates.crt Which contains the needed certs. Did i f
Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )
Hi, I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. Regarding the certifcate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set. Kind regards Markus "L.P.H. van Belle"wrote in message news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl... Ok reply to myself so other users know this also. if you create a user for the HTTP services and you dont use msktutil but like me samba-tool or something else. Read : http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. and the clue was this line for me. Squid "login" to Windows Active Directory or Unix kdc as user @DOMAIN.COM>. This requires Active Directory to have an attribute userPrincipalname set to @DOMAIN.COM> for the associated acount. This is usaully done by using msktutil. But this is not done by samba-tools samba-tool setup fro squid i used, was as followed. samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password samba-tool user setexpiry squid1-service –noexpiry samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service Now this results in : My UPN was set to the usern...@internal.domain.tld ( as it should ). My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should ) samba-tool spn list squid1-service squid1-service User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has the following servicePrincipalName: HTTP/proxy.internal.domain.tld HTTP/proxy.internal.domain.tld@YOUR.REALM.T Now i changed my UPN from usern...@internal.domain.tld to the (SPN name) HTTP/proxyserver.internal.domain.tld@REALM Solved my initial problem. This should be in my optionion be changed to search for the SPN in ext_kerberos_ldap_group. Now i have LDAPS messages, see below, im adding the _ldaps SRV records now ,but i dont get why im getting : Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE) Im already having : TLS_CACERT /etc/ssl/certs/ca-certificates.crt Which contains the needed certs. Did i find 2 small bugs here? Or is this a “Debian” related thing? Debug output. /usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined. testuser internet-mail kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902 support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: