subject:"Re\: \[squid\-users\] Problems with Squid Authentication"

Re: [squid-users] Problems with Squid Authentication

2016-08-19 Thread Marcio Demetrio Bacci

Hi,

1) Here is the result of the command-line:
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/
proxy.empresa.com...@empresa.com.br –d –i
mary abc@12345
negotiate_kerberos_auth.cc(258): pid=1421 :2016/08/19 23:44:33|
negotiate_kerberos_auth: DEBUG: Got 'mary abc@12345' from squid (length:
14).
negotiate_kerberos_auth.cc(295): pid=1421 :2016/08/19 23:44:33|
negotiate_kerberos_auth: ERROR: Invalid request [mary abc@12345]
BH invalid request

2) Bellow are my keytabs:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/pr...@empresa.com.br
   1 host/pr...@empresa.com.br
   1 host/pr...@empresa.com.br
   1 host/pr...@empresa.com.br
   1 host/pr...@empresa.com.br
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR


Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal

--
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy.empresa.com...@empresa.com.br
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com...@empresa.com.br
   1 HTTP/proxy.empresa.com...@empresa.com.br
   1 HTTP/proxy.empresa.com...@empresa.com.br
   1 HTTP/proxy.empresa.com...@empresa.com.br
   1 HTTP/proxy.empresa.com...@empresa.com.br
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR

OBS: I left and joined in the domain again

3) Here is the result:
/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
mary abc@12345
BH invalid request



4) DNS Recors are OK.
The proxy servername exist in dns and have A (proxy IN A 192.168.200.7) and
PTR record (7 IN PTR proxy.empresa.com.br.)


5) cat /etc/hosts
127.0.0.1  localhost
192.168.200.7 proxy.empresa.com.br   proxy



6) Time is sync with the AD server (The time is identical)


7) My /etc/krb5.conf file:
[libdefaults]
   default_realm = EMPRESA.COM.BR
   dns_lookup_kdc = yes
   dns_lookup_realm = yes
   default_keytab_name = /etc/krb5.keytab

[realms]
EMPRESA.COM.BR = {
kdc = dc1.empresa.com.br:88
admin_server = dc1.empresa.com.br
default_domain = EMPRESA.COM.BR
}


[domain_realm]
.empresa.com.br = EMPRESA.COM.BR
empresa.com.br = EMPRESA.COM.BR

[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log


8) Bellow is my /etc/nsswitch.conf file:
passwd: compat winbind
group:  compat winbind
shadow: compat
gshadow:files
hosts:  files dns
networks:   files
protocols:  db files
services:   db files
ethers: db files
rpc:db files
netgroup:   nis


9) Bellow is my /etc/pam.d/common-session file:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
sessionoptional pam_winbind.so


10) Following my /etc/samba/smb.conf file:
[global]
  netbios name = proxy
  workgroup = EMPRESA
  security = ads
  realm = EMPRESA.COM.BR
  encrypt passwords = yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  password server = dc1.empresa.com.br
  preferred master = no
  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 1-999
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind offline logon = yes
  winbind refresh tickets = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  username map = /etc/samba/user.map


11) Other Informations:
>> Samba4 and Winbind services are enable
>> In my DC there is a Squid account (call "proxy")
>> wbinfo -g, wbinfo -u, wbinfo -t, getent passwd are OK
>> kinit  is OK
>> klist -l is OK

Do you have any other idea?

Regards,

Márcio

2016-08-19 7:02 GMT-03:00 L.P.H. van Belle :

> Hai,
>
>
>
> Yes, all new things are hard..
>
> I need some extra info because there are lots of things that can be wrong.
>
>
>
> post what you see here :
>
>

Re: [squid-users] Problems with Squid Authentication

2016-08-19 Thread L . P . H . van Belle

Hai,

 

Yes, all new things are hard..

I need some extra info because there are lots of things that can be wrong. 

 

post what you see here : 

/usr/lib/squid/negotiate_kerberos_auth -s 
HTTP/proxy.empresa.com...@empresa.com.br ?d ?i 

 

 

>> kinit and klist are ok

>> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)

These are normaly not identical. In the HTTPkeytab i have ONLY the HTTP spn. 

And in the krb5.keytab i  have the host SPN and netbios_name($)  

 

How to test the kerberos auth.. hmm, thats a difficult one for me. 

I know lot but not all..  :-(  .

 

But what i do iknow, you can test with

/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME 

If that works its probely an SPN or dns problem.

If that isnt working, then do check the time on the ad server and proxy server.

 

I can only say. 

The proxy servername must exist in dns and must have A and PTR record.  ( add 
this in the samba AD ) 

The reverse zone is ( maybe ) created, if not, create it yourself and add the 
ptr records. 

 

Cat /etc/hosts file may NOT contain any. 

127.0.1.1    yourhostname.. ..  

if its in there, you installed with dhcp ip. 

 

It should contain 

127.0.0.1      localhost 

IP_OF_SERVER   hostname.domain.tld hostname

The is there if you install with a static ip. 

 

Time must be in sync with the AD server ( max difference i allow is 1 min. ) 

If needed install ntp on the proxy and point the server  to the ad dc. 

 

And post what you now have in krb5.conf 

 

These are the most common pitfalls, i?ll see what i can do to help out. 

 

 

Greetz, 

 

Louis

 

 

 

 

 


Van: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] Namens 
Marcio Demetrio Bacci
Verzonden: vrijdag 19 augustus 2016 3:50
Aan: Squid Users
Onderwerp: [squid-users] Problems with Squid Authentication


 

My Kerberos Authentication doesn't work. This is very hard!


 


My Squid3 is join in the Domain


kinit and klist are ok


wbinfo -g and wbinfo -u are ok too.


 


I have created the squid3 file in /etc/default with the following content: 


KRB5_KTNAME=/etc/squid3/HTTP.keytab


export KRB5_KTNAME


 


I have two keytab files:


/etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)


 


I have installed libsasl2-modules-gssapi-mit libsasl2-modules packages because 
my Squid server is Debian 8. But I didn't use msktutil tool. I have only joined 
Squid server in the Domain (net ads join -U administrator)


 


How can I debbug the problem?


How can I test kerberos authentication in terminal (command line)?


 


Below is my squid.conf file:


 


### Configuracoes Basicas


 


cache_mgr administra...@empresa.com.br


 


http_port 3128


 


#debug_options ALL,111,2 29,9 84,6


 


cache_mem 512 MB


cache_swap_low 80


cache_swap_high 90


 


maximum_object_size 512 MB


minimum_object_size 0 KB


 


maximum_object_size_in_memory 4096 KB


 


cache_replacement_policy heap LFUDA


memory_replacement_policy heap LFUDA


 


#Para não bloquear downloads


quick_abort_min -1 KB


 


 


#Resolve um problema com conexoes persistentes


detect_broken_pconn on


 


fqdncache_size 1024


 


### Parametros de atualizacao da memoria cache


refresh_pattern ^ftp:   1440   20%   10080


refresh_pattern ^gopher:   1440   0%   1440


refresh_pattern -i (/cgi-bin/|\?) 0 0%    0


refresh_pattern .  0   20%   4320


 


### Localizacao dos logs


access_log /var/log/squid3/access.log


cache_log /var/log/squid3/cache.log


 


 


### define a localizacao do cache de disco, tamanho, qtd de diretorios pai e 
subdiretorios


cache_dir aufs /var/spool/squid3 600 16 256


 


auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s 
HTTP/proxy.empresa.com...@empresa.com.br


auth_param negotiate children 20


auth_param negotiate keep_alive on


 


visible_hostname proxy.empresa.com.br


 


### acls


#acl manager proto cache_object


acl localhost src MailScanner warning: numerical links are often malicious: 
192.168.200.7/32


acl to_localhost dst MailScanner warning: numerical links are often malicious: 
192.168.200.7/32


acl SSL_ports port 22 443 563 7071 1 # ssh, https, snews, zimbra, webmin


acl Safe_ports port 21   # ftp


acl Safe_ports port 70   # gopher


acl Safe_ports port 80   # http


acl Safe_ports port 88   # kerberos


acl Safe_ports port 210   # wais


acl Safe_ports port 280   # http-mgmt


acl Safe_ports port 389   # ldap


acl Safe_ports port 443    # https


acl Safe_ports port 488   # gss-http


acl Safe_ports port 563   # snews


acl Safe_ports port 591   # filemaker


acl Safe_ports port 777   # multiling http


acl Safe_ports port 3001         # imprenssa nacional


acl Safe_ports port 8080    # http


acl Safe_ports port 1025-65535    # unregistered ports


 


acl purge method PURGE


acl CONNECT method CONNECT


 


 


### Regras iniciais do Squid


http_access allow

Re: [squid-users] Problems with Squid Authentication

Re: [squid-users] Problems with Squid Authentication

2 matches

Site Navigation

Mail list logo

Footer information