Re: [squid-users] Problems with Squid Authentication
Hi,

1) Here is the result of the command line:

   /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com...@empresa.com.br -d -i
   mary abc@12345
   negotiate_kerberos_auth.cc(258): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: DEBUG: Got 'mary abc@12345' from squid (length: 14).
   negotiate_kerberos_auth.cc(295): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: ERROR: Invalid request [mary abc@12345]
   BH invalid request

2) Below are my keytabs:

   Keytab name: FILE:/etc/krb5.keytab
   KVNO Principal
   ---- ---------
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/pr...@empresa.com.br
      1 host/pr...@empresa.com.br
      1 host/pr...@empresa.com.br
      1 host/pr...@empresa.com.br
      1 host/pr...@empresa.com.br
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR

   Keytab name: FILE:/etc/squid3/HTTP.keytab
   KVNO Principal
   ---- ---------
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy.empresa.com...@empresa.com.br
      1 host/proxy$EMPRESA.COM.BR
      1 host/proxy$EMPRESA.COM.BR
      1 host/proxy$EMPRESA.COM.BR
      1 host/proxy$EMPRESA.COM.BR
      1 host/proxy$EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 proxy$@EMPRESA.COM.BR
      1 HTTP/proxy.empresa.com...@empresa.com.br
      1 HTTP/proxy.empresa.com...@empresa.com.br
      1 HTTP/proxy.empresa.com...@empresa.com.br
      1 HTTP/proxy.empresa.com...@empresa.com.br
      1 HTTP/proxy.empresa.com...@empresa.com.br
      1 HTTP/proxy$EMPRESA.COM.BR
      1 HTTP/proxy$EMPRESA.COM.BR
      1 HTTP/proxy$EMPRESA.COM.BR
      1 HTTP/proxy$EMPRESA.COM.BR
      1 HTTP/proxy$EMPRESA.COM.BR

   Note: I left the domain and joined it again.

3) Here is the result:

   /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
   mary abc@12345
   BH invalid request

4) DNS records are OK. The proxy server name exists in DNS and has an A record (proxy IN A 192.168.200.7) and a PTR record (7 IN PTR proxy.empresa.com.br.).

5) cat /etc/hosts

   127.0.0.1 localhost
   192.168.200.7 proxy.empresa.com.br proxy

6) Time is in sync with the AD server (the time is identical).

7) My /etc/krb5.conf file:

   [libdefaults]
   default_realm = EMPRESA.COM.BR
   dns_lookup_kdc = yes
   dns_lookup_realm = yes
   default_keytab_name = /etc/krb5.keytab

   [realms]
   EMPRESA.COM.BR = {
       kdc = dc1.empresa.com.br:88
       admin_server = dc1.empresa.com.br
       default_domain = EMPRESA.COM.BR
   }

   [domain_realm]
   .empresa.com.br = EMPRESA.COM.BR
   empresa.com.br = EMPRESA.COM.BR

   [logging]
   kdc = FILE:/var/log/kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log

8) Below is my /etc/nsswitch.conf file:

   passwd: compat winbind
   group: compat winbind
   shadow: compat
   gshadow: files
   hosts: files dns
   networks: files
   protocols: db files
   services: db files
   ethers: db files
   rpc: db files
   netgroup: nis

9) Below is my /etc/pam.d/common-session file:

   session [default=1] pam_permit.so
   session requisite pam_deny.so
   session required pam_permit.so
   session required pam_unix.so
   session optional pam_winbind.so

10) Following is my /etc/samba/smb.conf file:

   [global]
   netbios name = proxy
   workgroup = EMPRESA
   security = ads
   realm = EMPRESA.COM.BR
   encrypt passwords = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   password server = dc1.empresa.com.br
   preferred master = no
   idmap config *:backend = tdb
   idmap config *:range = 1000-3000
   idmap config EMPRESA:backend = ad
   idmap config EMPRESA:schema_mode = rfc2307
   idmap config EMPRESA:range = 1-999
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind offline logon = yes
   winbind refresh tickets = yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   username map = /etc/samba/user.map

11) Other information:

   >> Samba4 and Winbind services are enabled
   >> In my DC there is a Squid account (called "proxy")
   >> wbinfo -g, wbinfo -u, wbinfo -t, getent passwd are OK
   >> kinit is OK
   >> klist -l is OK

Do you have any other idea?

Regards,
Márcio

2016-08-19 7:02 GMT-03:00 L.P.H. van Belle:
> Hai,
>
> Yes, all new things are hard..
> I need some extra info because there are lots of things that can be wrong.
>
> post what you see here :
>
Re: [squid-users] Problems with Squid Authentication
Hai,

Yes, all new things are hard..
I need some extra info because there are lots of things that can be wrong.

post what you see here :
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com...@empresa.com.br -d -i

>> kinit and klist are ok
>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
These are normally not identical. In the HTTP keytab I have ONLY the HTTP SPN.
And in the krb5.keytab I have the host SPN and netbios_name($).

How to test the kerberos auth.. hmm, that's a difficult one for me. I know a lot but not all.. :-(
But what I do know: you can test with
/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
If that works it's probably an SPN or DNS problem.
If that isn't working, then do check the time on the AD server and the proxy server.

I can only say:
The proxy server name must exist in DNS and must have an A and a PTR record. (add this in the Samba AD)
The reverse zone is (maybe) created; if not, create it yourself and add the PTR records.

The /etc/hosts file may NOT contain any
127.0.1.1 yourhostname..
.. if it's in there, you installed with a DHCP IP.
It should contain
127.0.0.1 localhost
IP_OF_SERVER hostname.domain.tld hostname
This is there if you install with a static IP.

Time must be in sync with the AD server (max difference I allow is 1 min.)
If needed, install ntp on the proxy and point the server to the AD DC.

And post what you now have in krb5.conf

These are the most common pitfalls, I'll see what I can do to help out.

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Marcio Demetrio Bacci
Sent: Friday 19 August 2016 3:50
To: Squid Users
Subject: [squid-users] Problems with Squid Authentication

My Kerberos Authentication doesn't work. This is very hard!

My Squid3 is joined to the Domain
kinit and klist are ok
wbinfo -g and wbinfo -u are ok too.

I have created the squid3 file in /etc/default with the following content:
KRB5_KTNAME=/etc/squid3/HTTP.keytab
export KRB5_KTNAME

I have two keytab files: /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

I have installed the libsasl2-modules-gssapi-mit and libsasl2-modules packages because my Squid server is Debian 8.
But I didn't use the msktutil tool. I have only joined the Squid server to the Domain (net ads join -U administrator)

How can I debug the problem?
How can I test kerberos authentication in the terminal (command line)?

Below is my squid.conf file:

   ### Basic settings
   cache_mgr administra...@empresa.com.br
   http_port 3128
   #debug_options ALL,111,2 29,9 84,6
   cache_mem 512 MB
   cache_swap_low 80
   cache_swap_high 90
   maximum_object_size 512 MB
   minimum_object_size 0 KB
   maximum_object_size_in_memory 4096 KB
   cache_replacement_policy heap LFUDA
   memory_replacement_policy heap LFUDA
   # So downloads are not blocked
   quick_abort_min -1 KB
   # Fixes a problem with persistent connections
   detect_broken_pconn on
   fqdncache_size 1024

   ### Cache refresh parameters
   refresh_pattern ^ftp: 1440 20% 10080
   refresh_pattern ^gopher: 1440 0% 1440
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
   refresh_pattern . 0 20% 4320

   ### Log locations
   access_log /var/log/squid3/access.log
   cache_log /var/log/squid3/cache.log

   ### Defines the disk cache location, size, number of parent directories and subdirectories
   cache_dir aufs /var/spool/squid3 600 16 256

   auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com...@empresa.com.br
   auth_param negotiate children 20
   auth_param negotiate keep_alive on

   visible_hostname proxy.empresa.com.br

   ### acls
   #acl manager proto cache_object
   acl localhost src 192.168.200.7/32
   acl to_localhost dst 192.168.200.7/32
   acl SSL_ports port 22 443 563 7071 1 # ssh, https, snews, zimbra, webmin
   acl Safe_ports port 21 # ftp
   acl Safe_ports port 70 # gopher
   acl Safe_ports port 80 # http
   acl Safe_ports port 88 # kerberos
   acl Safe_ports port 210 # wais
   acl Safe_ports port 280 # http-mgmt
   acl Safe_ports port 389 # ldap
   acl Safe_ports port 443 # https
   acl Safe_ports port 488 # gss-http
   acl Safe_ports port 563 # snews
   acl Safe_ports port 591 # filemaker
   acl Safe_ports port 777 # multiling http
   acl Safe_ports port 3001 # Imprensa Nacional
   acl Safe_ports port 8080 # http
   acl Safe_ports port 1025-65535 # unregistered ports
   acl purge method PURGE
   acl CONNECT method CONNECT

   ### Initial Squid rules
   http_access allow
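An added set of offline checks for the pitfalls Louis lists above (the HTTP SPN in the keytab, the /etc/hosts layout, A/PTR agreement and clock skew); this is example code written for this thread, not code from the thread or from Squid. The host name, realm and IP are the ones quoted in the thread; the klist output and hosts-file contents are constructed samples, and on a real proxy the functions would be fed the output of `klist -k -t`, `cat /etc/hosts`, `dig +short` and `date +%s`.

```shell
#!/bin/sh
# Added example, not from the thread. Each check takes its input as text so it
# runs on the constructed samples below as well as on real command output.
# Note: negotiate_kerberos_auth speaks Squid's Negotiate helper protocol: it reads
# "YR <base64 GSSAPI token>" / "KK <base64 token>" lines and answers AF/NA/TT/BH.
# A plain "user password" line is rejected with "BH invalid request" before any
# keytab or DNS lookup happens, so that answer says nothing about the Kerberos setup.

# 1) The HTTP keytab must hold HTTP/<fqdn>@<REALM>, the SPN passed to -s.
keytab_has_http_spn() {   # $1 klist -k output, $2 FQDN, $3 realm
    printf '%s\n' "$1" | grep -Fq "HTTP/$2@$3"
}

# 2) /etc/hosts must map the real IP to "fqdn shortname" and must not carry
#    a 127.0.1.1 line for the host (left behind by a DHCP-based install).
hosts_ok() {              # $1 hosts file content, $2 FQDN
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "127.0.1.1" { bad = 1 }
        $1 !~ /^127\./    { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !(found && !bad) }'
}

# 3) Forward and reverse DNS must agree: the PTR of the A record's IP is the FQDN.
dns_roundtrip_ok() {      # $1 FQDN, $2 A answer, $3 PTR answer (dig appends a dot)
    [ -n "$2" ] && [ "${3%.}" = "$1" ]
}

# 4) Clock skew against the DC must stay within tolerance (Kerberos default: 300 s).
clock_skew_ok() {         # $1 proxy epoch seconds, $2 DC epoch seconds, $3 max skew
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$3" ]
}

# Constructed samples using the names from the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR'
GOOD_HOSTS='127.0.0.1 localhost
192.168.200.7 proxy.empresa.com.br proxy'
BAD_HOSTS='127.0.0.1 localhost
127.0.1.1 proxy.empresa.com.br proxy'

run_checks() {            # returns 0 only if every check passes on the samples
    keytab_has_http_spn "$SAMPLE_KLIST" proxy.empresa.com.br EMPRESA.COM.BR &&
    hosts_ok "$GOOD_HOSTS" proxy.empresa.com.br &&
    dns_roundtrip_ok proxy.empresa.com.br 192.168.200.7 proxy.empresa.com.br. &&
    clock_skew_ok 1471650000 1471650030 300
}
```

Once these four pass, the remaining test is an end-to-end one through a domain-joined browser, since the helper only accepts real GSSAPI tokens.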