Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread Markus Moeller 
Hi Louis,

I know a user and machine account can be used and they work the same. What 
my concern is, is that many companies deploy password policies for users in AD. 
 You would need to create exceptions for user accounts which have SPNs with 
associated keytabs as a password change will make the keytab invalid.

Markus 


"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.57c3e5ca.28ab.73ab0c8662c33...@ms249-lin-003.rotterdam.bazuin.nl...
Hello Markus, 

 

Thank you for the explanation, that helped a lot. 

 

I use the TLS_CACERTFILE in the init script now and that works for me . 

( in debian the /etc/default/squid  )

 

>>The helper tries to “authenticate” squid to AD as a user with the found SPN 
>>name, so the UPN must be the same as the SPN.  There is no easy way to query 
>>what the UPN for the SPN is. 

Ah, this helped identify-ing so other small things to. 

 

>>msktutil (my preferred tool)

Since i try to use only debian packages the msktutil is not available for me. 

 

>>Also msktutil (my preferred tool) creates a machine account not a user 
>>account in AD. 

>>The reason I prefer this is that often user accounts have a global password 
>>policy e.g. change every 60 days otherwise it will be locked. 

>>machine accounts do not have that limitation. But as I said it is just my 
>>preference.

 

Thats not correct in my optionion. A the computer account, works the (almost) 
same an user account. 

Like a computer account = a user account. 

 

some pointers :

https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

https://adsecurity.org/?p=280 

 

I used a seperated user since i wanted to have 2 proxy on 1 service account, 
but due to the UPS/SPN thing,

thats not options anymore, not thats a problem, I’ll change to add the computer 
to the samba domain and 

add the UPN/SPN on the computer account where needed.

Which maybe even a better option.

 

Thanks again for you replies. 

 

 

Best regards, 

 

Louis

 

 

 




Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens 
Markus Moeller
Verzonden: zaterdag 27 augustus 2016 16:52
Aan: squid-users@lists.squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 
minorbugsmaybe )

 

Hi,

 

   I would say they are bugs. The first “issue” is as you say more about 
understanding the difference between UPN and SPN and how the tools use them.  
The helper tries to “authenticate” squid to AD as a user with the found SPN 
name, so the UPN must be the same as the SPN.  There is no easy way to query 
what the UPN for the SPN is. 

 

  Also msktutil (my preferred tool) creates a machine account not a user 
account in AD. The reason I prefer this is that often user accounts have a 
global password policy e.g. change every 60 days otherwise it will be locked. 
machine accounts do not have that limitation. But as I said it is just my 
preference. 

 

   Regarding the certifcate check I do not use any ldap.conf settings. I 
require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file. 
 Maybe in the next version I see how I can determine the right ldap.conf file 
and check if the CACERTFILE variable is already set.

 

 

Kind regards

Markus

 

 

"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...

Ok reply to myself so other users know this also.

 

if you create a user for the HTTP services and you dont use msktutil but like 
me samba-tool or something else. 

 

Read : 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. 

and the clue was this line for me.  

 

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>

for the associated acount. This is usaully done by using msktutil. 

 

But this is not done by samba-tools  

 

samba-tool setup fro squid i used, was as followed. 

samba-tool user create squid1-service --description="Unprivileged user for 
SQUID1-Proxy Services" --random-password 

samba-tool user setexpiry squid1-service –noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in : 

My UPN was set to the usern...@internal.domain.tld  ( as it should ). 

My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should )  

 

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:

 HTTP/proxy.internal.domain.tld

 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

 

 

Now i changed my UPN from usern...@internal.domain.tld  to the

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-29 Thread L . P . H . van Belle 
Hello Markus, 

 

Thank you for the explanation, that helped a lot. 

 

I use the TLS_CACERTFILE in the init script now and that works for me . 

( in debian the /etc/default/squid  )

 

>>The helper tries to “authenticate” squid to AD as a user with the found SPN 
>>name, so the UPN must be the same as the SPN.  There is no easy way to query 
>>what the UPN for the SPN is. 

Ah, this helped identify-ing so other small things to. 

 

>>msktutil (my preferred tool)

Since i try to use only debian packages the msktutil is not available for me. 

 

>>Also msktutil (my preferred tool) creates a machine account not a user 
>>account in AD. 

>>The reason I prefer this is that often user accounts have a global password 
>>policy e.g. change every 60 days otherwise it will be locked. 

>>machine accounts do not have that limitation. But as I said it is just my 
>>preference.

 

Thats not correct in my optionion. A the computer account, works the (almost) 
same an user account. 

Like a computer account = a user account. 

 

 some pointers :

https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

https://adsecurity.org/?p=280 

 

I used a seperated user since i wanted to have 2 proxy on 1 service account, 
but due to the UPS/SPN thing,

thats not options anymore, not thats a problem, I’ll change to add the computer 
to the samba domain and 

add the UPN/SPN on the computer account where needed.

Which maybe even a better option.

 

Thanks again for you replies. 

 

 

Best regards, 

 

Louis

 

 

 


Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens 
Markus Moeller
Verzonden: zaterdag 27 augustus 2016 16:52
Aan: squid-users@lists.squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 
minorbugsmaybe )


 

Hi,


 


   I would say they are bugs. The first “issue” is as you say more about 
understanding the difference between UPN and SPN and how the tools use them.  
The helper tries to “authenticate” squid to AD as a user with the found SPN 
name, so the UPN must be the same as the SPN.  There is no easy way to query 
what the UPN for the SPN is. 


 


  Also msktutil (my preferred tool) creates a machine account not a user 
account in AD. The reason I prefer this is that often user accounts have a 
global password policy e.g. change every 60 days otherwise it will be locked. 
machine accounts do not have that limitation. But as I said it is just my 
preference. 


 


   Regarding the certifcate check I do not use any ldap.conf settings. I 
require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file. 
 Maybe in the next version I see how I can determine the right ldap.conf file 
and check if the CACERTFILE variable is already set.


 


 


Kind regards


Markus


 


 


"L.P.H. van Belle" <be...@bazuin.nl> wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...




Ok reply to myself so other users know this also.

 

if you create a user for the HTTP services and you dont use msktutil but like 
me samba-tool or something else. 

 

Read : 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. 

and the clue was this line for me.  

 

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>

for the associated acount. This is usaully done by using msktutil. 

 

But this is not done by samba-tools  

 

samba-tool setup fro squid i used, was as followed. 

samba-tool user create squid1-service --description="Unprivileged user for 
SQUID1-Proxy Services" --random-password 

samba-tool user setexpiry squid1-service –noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in : 

My UPN was set to the usern...@internal.domain.tld  ( as it should ). 

My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should )  

 

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:

 HTTP/proxy.internal.domain.tld

 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

 

 

Now i changed my UPN from usern...@internal.domain.tld  to the (SPN name)   
HTTP/proxyserver.internal.domain.tld@REALM 

Solved my initial problem. 

This should be in my optionion be changed to search for the SPN in 
ext_kerberos_ldap_group.

 

Now i have LDAPS messages, see below, im adding the _ldaps SRV records now ,but 
i dont get why im getting : 

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable 
through setting environment variable TLS_CACERTFILE)

 

Im already having : TLS_CACERT  /etc/ssl/certs/ca-certificates.crt 

Which contains the needed certs.

 

Did i f

Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

2016-08-27 Thread Markus Moeller 
Hi,

   I would say they are bugs. The first “issue” is as you say more about 
understanding the difference between UPN and SPN and how the tools use them.  
The helper tries to “authenticate” squid to AD as a user with the found SPN 
name, so the UPN must be the same as the SPN.  There is no easy way to query 
what the UPN for the SPN is. 

  Also msktutil (my preferred tool) creates a machine account not a user 
account in AD. The reason I prefer this is that often user accounts have a 
global password policy e.g. change every 60 days otherwise it will be locked. 
machine accounts do not have that limitation. But as I said it is just my 
preference. 

   Regarding the certifcate check I do not use any ldap.conf settings. I 
require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file. 
 Maybe in the next version I see how I can determine the right ldap.conf file 
and check if the CACERTFILE variable is already set.


Kind regards
Markus


"L.P.H. van Belle"  wrote in message 
news:vmime.57bdb617.37c8.575130a1134f9...@ms249-lin-003.rotterdam.bazuin.nl...
Ok reply to myself so other users know this also.

 

if you create a user for the HTTP services and you dont use msktutil but like 
me samba-tool or something else. 

 

Read : 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. 

and the clue was this line for me.  

 

Squid "login" to Windows Active Directory or Unix kdc as user 
@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalname set to 
@DOMAIN.COM>

for the associated acount. This is usaully done by using msktutil. 

 

But this is not done by samba-tools  

 

samba-tool setup fro squid i used, was as followed. 

samba-tool user create squid1-service --description="Unprivileged user for 
SQUID1-Proxy Services" --random-password 

samba-tool user setexpiry squid1-service –noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in : 

My UPN was set to the usern...@internal.domain.tld  ( as it should ). 

My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM ( as is should )  

 

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:

 HTTP/proxy.internal.domain.tld

 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

 

 

Now i changed my UPN from usern...@internal.domain.tld  to the (SPN name)   
HTTP/proxyserver.internal.domain.tld@REALM 

Solved my initial problem. 

This should be in my optionion be changed to search for the SPN in 
ext_kerberos_ldap_group.

 

Now i have LDAPS messages, see below, im adding the _ldaps SRV records now ,but 
i dont get why im getting : 

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable 
through setting environment variable TLS_CACERTFILE)

 

Im already having : TLS_CACERT  /etc/ssl/certs/ca-certificates.crt 

Which contains the needed certs.

 

Did i find 2 small bugs here?  

Or is this a “Debian” related thing? 

 

 

Debug output. 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D 
YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq

support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group list internet-m...@your.realm.tld

support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group internet-mail  Domain YOUR.REALM.TLD

support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios list internet-mail@NTDOMAIN

support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios name internet-mail  Domain NTDOMAIN

support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: ldap server list NULL

support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: No ldap servers defined.

testuser internet-mail

kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD

kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD

support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: User domain loop: group@domain internet-m...@your.realm.tld

support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Found group@domain internet-m...@your.realm.tld

support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Setup Kerberos credential cache

support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Set credential cache to MEMORY:squid_ldap_6902

support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: