Re: [squid-users] generic kerberos support in 2.6?

2007-01-02 Thread Cardon Denis

Hi Henrik and Brian, and happy new year to the squid mailing list !

Hrm.  Firefox seems to disagree, at least in its implementation.  Squid
sends Negotiate as the authentication mechanism and Firefox responds
with Kerberos.


The Negotiate HTTP scheme is defined by Internet RFC4559 SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft Windows, which
specifies Kerberos within GSS-API as applied by SPNEGO.

Quote:
   The Negotiate auth-scheme calls for the use of SPNEGO GSSAPI tokens
   that the specific mechanism type specifies.

Relevant RFCs:

RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
Windows (Negotiate)

RFC4178 The Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)

RFC2743 Generic Security Service Application Program Interface Version
2, Update 1.  (GSS-API)

Now I am not an expert on how this translates to wire format so I leave
it to you to read and consider if what your Firefox does is sufficient
to meet the specifications or not.
  
I have been looking for the same setup as you are (transparent 
authentication proxy in a full linux environment, ie linux/firefox + 
linux/heimdal kerberos + linux/squid) for some time already, and I asked 
the same question a few months ago with the same answer (need of a 
helper). So I have read this thread with much interest, and think I may 
add a few bits of information here.


You have mentioned in a previous post that your firefox was doing 
native KRB5 nego instead of SPNEGO/KRB5. It may go back to the original 
implementation that can be found at 
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html 
: "Since we don't have any SPNEGO implementation we are using 
directly Kerberos implementation of GSS API." I don't know if 
SPNEGO has been added since then.


The interesting bit is that the same people have developed an Apache 
authentication module corresponding to the mozilla negotiation 
implementation (http://modauthkerb.sourceforge.net/index.html). Please 
correct me if I'm wrong, but an Apache auth module and a squid auth 
helper should be quite similar, shouldn't they? Current maintainer of the 
Apache kerberos auth module is Daniel Kouril, who is working/studying in 
a Czech university. He is working on the myproxy project, whose goal is 
to ease the authentication/authorization management using certificates, 
especially in grid computing environments. I'll drop him an email to see 
if he is interested in collaborating with the squid community.


Cheers,

Denis




Regards
Henrik
  



--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr
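The disagreement above (Squid offering Negotiate, Firefox answering with a raw Kerberos GSS-API token instead of an SPNEGO one) can be settled by looking at the first bytes of the token the browser sends. The following is an added example, not code from the thread, from Squid or from any of the projects mentioned: it decodes the base64 value of a Proxy-Authorization header, checks for the RFC 2743 InitialContextToken framing (tag 0x60, then the mechanism OID), and reports which mechanism the client actually chose. The header values, the `build_sample_token` helper and the inner token bytes are constructed here for illustration; only the mechanism OIDs and the NTLMSSP signature are real wire constants.

```python
import base64

# Mechanism OIDs as they appear in the GSS-API InitialContextToken (RFC 2743 3.1).
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO (RFC 4178) - what RFC 4559 Negotiate expects",
    "1.2.840.113554.1.2.2": "Kerberos V5 GSS-API (RFC 1964/4121), not SPNEGO-wrapped",
    "1.2.840.48018.1.2.2": "Microsoft Kerberos V5 variant, not SPNEGO-wrapped",
}


def _read_der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    # First octet packs the first two arcs (valid for arcs 0.x and 1.x).
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value: str) -> dict:
    """Identify the mechanism inside a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError(f"not a Negotiate header: {scheme!r}")
    token = base64.b64decode(b64, validate=True)
    # Some clients answer Negotiate with a bare NTLMSSP message, no GSS framing.
    if token.startswith(b"NTLMSSP\x00"):
        return {"oid": None, "mechanism": "raw NTLMSSP message", "spnego_framed": False}
    if token[:1] != b"\x60":
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    _, pos = _read_der_length(token, 1)
    if token[pos:pos + 1] != b"\x06":
        raise ValueError("expected OBJECT IDENTIFIER after token header")
    oid_len, pos = _read_der_length(token, pos + 1)
    oid = decode_oid(token[pos:pos + oid_len])
    return {
        "oid": oid,
        "mechanism": OID_NAMES.get(oid, "unknown mechanism"),
        "spnego_framed": oid == "1.3.6.1.5.5.2",
    }


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_sample_token(oid_content: bytes, inner: bytes) -> str:
    """Constructed helper: wrap an OID and dummy inner token as a Negotiate header."""
    oid_tlv = b"\x06" + _der_length(len(oid_content)) + oid_content
    body = oid_tlv + inner
    return "Negotiate " + base64.b64encode(b"\x60" + _der_length(len(body)) + body).decode()


# Constructed sample headers; the inner bytes are placeholders, not real tickets.
SAMPLE_HEADERS = {
    "spnego": build_sample_token(bytes.fromhex("2b0601050502"), b"\xa0\x03\x0a\x01\x00"),
    "raw_krb5": build_sample_token(bytes.fromhex("2a864886f712010202"), b"\x01\x00" + b"\x00" * 200),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, classify_negotiate_token(header))
```

Run over a real capture, the `raw_krb5` case is the one Henrik's quotation from RFC 4559 is about: a Negotiate response whose token is Kerberos framed directly rather than wrapped in an SPNEGO negTokenInit, which a helper that only understands SPNEGO will not accept.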




Re: [squid-users] generic kerberos support in 2.6?

2007-01-02 Thread Cardon Denis

Hi again,
I have been looking for the same setup as you are (transparent 
authentication proxy in a full linux environment, ie linux/firefox + 
linux/heimdal kerberos + linux/squid) for some time already, and I 
asked the same question a few months ago with the same answer (need of 
a helper). So I have read this thread with much interest, and think I 
may add a few bits of information here.


You have mentioned in a previous post that your firefox was doing 
native KRB5 nego instead of SPNEGO/KRB5. It may go back to the 
original implementation that can be found at 
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html 
: "Since we don't have any SPNEGO implementation we are using 
directly Kerberos implementation of GSS API." I don't know 
if SPNEGO has been added since then.

I am answering my own question here. According to the tutorial 
http://www.grolmsnet.de/kerbtut/ (Using mod_auth_kerb and Windows 
2000/2003 as KDC), mod_auth_kerb can serve IE clients. So I guess it 
must be able to handle SPNEGO.


Cheers,

Denis




The interesting bit is that the same people have developed an Apache 
authentication module corresponding to the mozilla negotiation 
implementation (http://modauthkerb.sourceforge.net/index.html). 
Please correct me if I'm wrong, but an Apache auth module and a squid 
auth helper should be quite similar, shouldn't they? Current maintainer 
of the Apache kerberos auth module is Daniel Kouril, who is 
working/studying in a Czech university. He is working on the myproxy 
project, whose goal is to ease the authentication/authorization 
management using certificates, especially in grid computing 
environments. I'll drop him an email to see if he is interested in 
collaborating with the squid community.


Cheers,

Denis




Regards
Henrik
  










Re: [squid-users] newer kerberos breaks ntlm

2006-10-13 Thread Cardon Denis

Hi Chris,
Which versions of kerberos are compatible with ntlm authentication in squid 2.5? Up to now, I have compiled samba with kerberos 1.3.6, as more recent versions appear to break ntlm authentication. 
  
Running the command wbinfo -t after compiling samba with the newer kerberos version returns a working response.


However, as my organisation is now adopting x86_64 based servers, this has 
become an issue, as 1.3.6 will not compile on this architecture. Any 
suggestions?
  
I have no answer for your problem (yet :-), but I am quite interested in 
knowing how you set up a working kerberos ntlm authentication, both on the 
server side and the client side. If you could describe your configuration in 
a few lines, I think it would be very interesting for all the linux 
users that would like to achieve transparent authentication (or windows 
users that would like to avoid standard ntlm auth). What version of 
samba did you use? It seems that you use the MIT kerberos implementation, so 
it is probably not samba 4. Would it be possible for you to provide a 
few sample configuration files, and a few hints on how to achieve this?


Thanks a lot

Denis


Chris Vaughan
Department of Lands

 




  


