Re: [squid-users] Kerberos authentication with MIT KDC

2010-12-08 Thread Rob Asher
 Rolf Loudon r...@ses.tas.gov.au 12/06/10 7:46 PM  
Hello

I've done this but against AD.  As far as I can see the squid helpers 
squid_kerb_auth and squidkerb_ldap are not AD specific and implement pure 
kerberos authentication.  The former comes with squid 2.7 but getting the 
latest and compiling provides a few extra features. (like the -r switch which 
I like).  You will need these helpers and you will need to create a service 
principal. 

http://squidkerbauth.sourceforge.net/  is where the files are.

Markus Moeller is the author of these helpers and is very helpful - and is 
active on this list.

I found this helpful 
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/

regards

rolf.



Thanks Rolf,

I'd already downloaded the latest squidkerbauth 1.0.7 from sourceforge and 
compiled it.  Mostly just to test with squid_kerb_auth_test since it wasn't 
included in the binary package for CentOS I used.  Squid was compiled with all 
the required helpers though I believe:

Squid Cache: Version 2.7.STABLE9
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--bindir=/usr/sbin' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' 
'--enable-snmp' '--enable-removal-policies=heap,lru' 
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' 
'--with-openssl=/usr/kerberos' '--enable-delay-pools' 
'--enable-linux-netfilter' '--with-pthreads' 
'--enable-ntlm-auth-helpers=SMB,fakeauth' 
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-digest-auth-helpers=password' '--enable-useragent-log' 
'--enable-referer-log' '--disable-dependency-tracking' 
'--enable-cachemgr-hostname=localhost' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
 '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' 
'--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' 
'--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'LDFLAGS=-pie'

I've actually loosely followed the link you provided for Klaubert's guide 
setting this up.  Also referenced the guide on the wiki here 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos  The one 
thread in the mailing list archives closest to what I'm trying to do was 
this one: http://www.squid-cache.org/mail-archive/squid-users/201009/0405.html  
I've added an HTTP service principal to the KDC on the mac server but nothing 
else.  Hopefully I exported the keytab and copied it to the squid server 
correctly since I couldn't find any documentation specific to that.  I'm sure 
I've missed a step somewhere here or there that was implied or I've hosed 
something making changes along the way.  I'm at a loss now as to what to look 
for or change.  

Best Regards,
Rob
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
-- 

This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.
[squid-users] Kerberos authentication with MIT KDC

2010-12-06 Thread Rob Asher
I've looked through some of the mailing list archives and can't find anything 
specific on kerberos authentication to a MIT KDC for windows clients.  
Everything I've found mentions AD.  What I'd like, if possible, is to have 
single sign on capabilities between OS X server's Open Directory, squid 
2.7stable9 on CentOS 5.5, and Windows XP clients.  With pGina and kerberos for 
windows installed on the XP clients, I successfully get a ticket from the OD 
server.  What I'm having problems with is getting firefox or IE to use the 
ticket for negotiation with the squid server.  I'm guessing that I've missed 
setting up a principal correctly, copied the keytab incorrectly, or possibly 
have a DNS issue, but I'm not familiar enough with kerberos to know what's 
wrong.  Packet captures for kerberos return a KRB-ERROR like this after the 
TGS_REQ when opening a browser session with FF:

Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
ctime: 2010-12-03 21:05:34 (UTC)
stime: 2010-12-03 21:05:26 (UTC)
susec: 714271
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Client Realm: XSERVE.PARAGOULD.PSD
Client Name (Principal): HTTP/proxyserver.paragould.psd
Name-type: Principal (1)
Name: HTTP
Name: proxyserver.paragould.psd
Realm: XSERVE.PARAGOULD.PSD
Server Name (Unknown): krbtgt/xserve.paragould.psd
Name-type: Unknown (0)
Name: krbtgt
Name: xserve.paragould.psd
e-text: UNKNOWN_SERVER

If anyone has any ideas on what to look for, I'd appreciate any help.  If this 
isn't enough information from the capture to make an educated guess as to where 
I need to look further, I have the entire sequence I could post as well.  

Thanks,
Rob
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
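As an added illustration, not part of the thread, here is a small Python check that parses the KRB-ERROR fields quoted in the post above and explains what a krbtgt/<realm> server name in a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error means. The reading of the capture as a realm-name case mismatch is the example's own interpretation, not something the posters stated; the dump is abridged from the one in the post.

```python
import re

# Constructed from the capture quoted in the original post (abridged, field order kept).
KRB_ERROR_DUMP = """\
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
ctime: 2010-12-03 21:05:34 (UTC)
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Client Realm: XSERVE.PARAGOULD.PSD
Client Name (Principal): HTTP/proxyserver.paragould.psd
Realm: XSERVE.PARAGOULD.PSD
Server Name (Unknown): krbtgt/xserve.paragould.psd
e-text: UNKNOWN_SERVER
"""


def parse_krb_error(dump):
    """Turn a text KRB-ERROR dump into a dict of its 'key: value' fields.
    Parenthesised qualifiers in keys ('Client Name (Principal)') are dropped
    and only the first occurrence of a repeated key is kept."""
    fields = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = re.sub(r"\s*\(.*?\)", "", key).strip()
        fields.setdefault(key, value.strip())
    return fields


def diagnose(fields):
    """Explain a principal-unknown error. A server name of krbtgt/<X> means the
    client asked this KDC for a cross-realm TGT into realm X; Kerberos realm
    names are case-sensitive, so a lowercase copy of the KDC's own realm is a
    different (non-existent) realm from the KDC's point of view."""
    if not fields.get("error_code", "").startswith("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"):
        return "not a principal-unknown error"
    server = fields.get("Server Name", "")
    if not server.startswith("krbtgt/"):
        return "service principal %s is not registered in the KDC" % server
    asked, realm = server.split("/", 1)[1], fields.get("Realm", "")
    if asked == realm:
        return "KDC has no krbtgt for its own realm %s" % realm
    if asked.upper() == realm.upper():
        return ("cross-realm TGT requested for %s but the KDC realm is %s: realm names "
                "are case-sensitive; check the client's domain_realm mapping" % (asked, realm))
    return "cross-realm TGT requested for foreign realm %s: no trust exists" % asked
```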