[squid-users] Problems setting up Kerberos authentication

2011-09-21 Thread Nikolaos Milas 

Hello,

I am setting up Kerberos auth on squid (3.1.15), but it won't work. 
Browser (IE 8) keeps on poping up the username/password window, but 
authentication is never successful. Yet, I don't see any logging of 
failed authentication attempts in kerberos logs at all! It's as if squid 
is not communicating with kerberos server. Yet, kinit from the command 
line works fine (see details below).


What am I doing wrong? Am I missing something?

I need your help.

Thanks,
Nick

Details of the setup follow (true names/IP addresses have been changed):

I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on 
kerb.example.com and I am setting up squid on squid.example.com; it's 
Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here: 
ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm).


Host squid.example.com is also setup as a kerberos client.

So, I have added to kerberos a host:

   host/squid.example@example.com

and a service:

   HTTP/squid.example@example.com

Then, I created a keytab file (httpsquid.keytab) for the latter:

[root@squid]# kadmin.local
Authenticating as principal userx/ad...@example.com with password.
kadmin.local:  addprinc HTTP/squid.example@example.com
WARNING: no policy specified for HTTP/squid.example@example.com; 
defaulting to no policy

Enter password for principal "HTTP/squid.example@example.com":
Re-enter password for principal "HTTP/squid.example@example.com":
Principal "HTTP/squid.example@example.com" created.
kadmin.local:  ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.com
Entry for principal HTTP/squid.example.com with kvno 2, encryption type 
AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab 
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type 
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab 
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type 
Triple DES cbc mode with HMAC/sha1 added to keytab 
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type 
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type 
DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type 
DES cbc mode with RSA-MD5 added to keytab 
WRFILE:/etc/krb5kdc/httpsquid.keytab.


...moved it to /etc/squid and changed ownership to root:squid and 
permissions: 640.


I have checked that the keytab file works:

   [root@squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com
   Authenticated to Kerberos v5

I also added to the start of /etc/init.d/squid the lines:

   KRB5_KTNAME=/etc/squid/httpsquid.keytab
   export KRB5_KTNAME

Then, I checked that kerberos authentication is enabled (as explained 
e.g. here: 
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html), 
then I specified (in IE, Internet Options / Connections / LAN Settings) 
squid.example.com as a Proxy on port 3128 and I have tried to visit any 
page. As I explained, browser (IE 8) keeps on poping up the 
username/password window, but authentication is never successful. I have 
tried the following as username, without success:

userx
EXAMPLE.COM\userx
us...@example.com
us...@example.com

On the other hand, Firefox 6 (with similar settings) doesn't show any 
pop up window; it just fails.


I have tried the three following configuration alternatives, but it 
didn't make any difference:

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s 
HTTP/squid.example.com

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth


Here is /etc/squid/squid.conf:
---
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.10.10.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow localhost

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth
#http_

Re: [squid-users] Problems setting up Kerberos authentication

2010-04-22 Thread Fabian Hugelshofer 

Hi all,

Fabian Hugelshofer wrote:

Markus Moeller wrote:
Continuation needed means that the GSSAPI exchange has not finished 
and the server needs more data from the client. Can you see in 
wireshark if the token length is the one squid_kerb_auth says it is

 > squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)



Update: I could find the reason for the error message. Even though it 
was a hierarchical domain structure, the proxy server performed a 
transit domain path verification. One domain of the path was not in the 
transited domains list. Not sure whether this is a Microsoft or Heimdal 
issue.


As a workaround I manually spefified the list of transit domains in the 
[capatsh] section of krb5.conf. This made it work.


For details see my posts on the Heimdal mailing list: 
https://list.sics.se/sympa/arc/heimdal-discuss/2010-03/msg00096.html


Regards,

Fabian

Re: [squid-users] Problems setting up Kerberos authentication

2010-03-08 Thread Fabian Hugelshofer 

Markus Moeller wrote:
Can you download kerbtray from microsoft and list the tickets you have 
on XP on a working and failing machine. Can you alos capture with 
wireshark the traffic on port 88 ?


Using kerbtray did not show a difference. Capturing the traffic on port 
88 shows that in both cases the client walks through the domain 
hierarchy and at the end gets a ticket for the proxy service.


Comparing the tickets that are sent in the HTTP request with Wireshark 
did not show any difference at all. For what I can see there


I used debug_options ALL,1 29,9. Both cases start with:

2010/03/04 13:39:49| authenticateValidateUser: Validating Auth_user 
request '(nil)'.

2010/03/04 13:39:49| authenticateValidateUser: Auth_user_request was NULL!
2010/03/04 13:39:49| authenticateAuthenticate: broken auth or no 
proxy_auth header. Requesting auth header.

2010/03/04 13:39:49| authenticateFixHeader: headertype:38 authuser:(nil)
2010/03/04 13:39:49| authenticateNegotiateFixErrorHeader: Sending 
type:38 header: 'Negotiate'

2010/03/04 13:39:50| authenticateAuthenticate: header Negotiate YII...
2010/03/04 13:39:50| authenticateAuthenticate: This is a new checklist 
test on FD:71
2010/03/04 13:39:50| authenticateAuthenticate: no connection 
authentication type
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98'.
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98' now at '1'.

2010/03/04 13:39:50| authenticateDecodeAuth: header = 'Negotiate YII...
2010/03/04 13:39:50| authenticateAuthUserLock auth_user '0x8593128'.
2010/03/04 13:39:50| authenticateAuthUserLock auth_user '0x8593128' now 
at '1'.
2010/03/04 13:39:50| authenticateDecodeNegotiateAuth: Negotiate 
authentication
2010/03/04 13:39:50| authenticateValidateUser: Validating Auth_user 
request '0x8552f98'.
2010/03/04 13:39:50| authenticateValidateUser: Validated Auth_user 
request '0x8552f98'.
2010/03/04 13:39:50| authenticateValidateUser: Validating Auth_user 
request '0x8552f98'.
2010/03/04 13:39:50| authenticateValidateUser: Validated Auth_user 
request '0x8552f98'.

2010/03/04 13:39:50| User not fully authenticated.
2010/03/04 13:39:50| authenticateNegotiateAuthenticateUser: auth state 
negotiate none. Negotiate YII...
2010/03/04 13:39:50| authenticateNegotiateAuthenticateUser: Locking 
auth_user from the connection.
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98'.
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98' now at '2'.
2010/03/04 13:39:50| authenticateValidateUser: Validating Auth_user 
request '0x8552f98'.
2010/03/04 13:39:50| authenticateValidateUser: Validated Auth_user 
request '0x8552f98'.

2010/03/04 13:39:50| User not fully authenticated.
2010/03/04 13:39:50| authenticateValidateUser: Validating Auth_user 
request '0x8552f98'.
2010/03/04 13:39:50| authenticateValidateUser: Validated Auth_user 
request '0x8552f98'.

2010/03/04 13:39:50| authenticateStart: auth_user_request '0x8552f98'
2010/03/04 13:39:50| authenticateNegotiateStart: auth state '1'
2010/03/04 13:39:50| authenticateNegotiateStart: state '1'
2010/03/04 13:39:50| authenticateNegotiateStart: 'YII...
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98'.
2010/03/04 13:39:50| authenticateAuthUserRequestLock auth_user request 
'0x8552f98' now at '3'.
2010/03/04 13:39:50| squid_kerb_auth: Got 'YR YII... ' from squid 
(length: 3607).


Then for the non-working case:

2010/03/04 13:39:50| squid_kerb_auth: continuation needed
2010/03/04 13:39:50| authenticateNegotiateHandleReply: Helper: 
'0x82d5d40' {TT oRUwE6ADCgEBoQwGCisGAQQBgjcCAgo=}
2010/03/04 13:39:50| authenticateNegotiateHandleReply: Need to challenge 
the client with a server blob 'oRUwE6ADCgEBoQwGCisGAQQBgjcCAgo='


The only difference that I can see is that in the non-working case the 
ticket length is 3607 and in the working case 2643.




## With a user from non-working domain B1.B.EXAMPLE.COM
# kinit us...@b1.b.example.com
us...@b1.b.example.com's Password:
# squid_kerb_auth_test proxy.d1.d.example.com
2010/03/04 15:26:51| squid_kerb_auth_test: gss_init_sec_context() 
failed: An unsupported mechanism was requested. unknown mech-code 0 
for mech unknown

Token: NULL
# kinit -S HTTP/proxy.d1.d.example@a.example.com
us...@b1.b.example.com's Password:
kinit: krb5_get_init_creds: Server 
(HTTP/proxy.d1.d.example@b1.b.example.com) unknown




This is correct  it should not work as there is no 
HTTP/proxy.d1.d.example@b1.b.example.com principal.  You need to use 
another call to get a TGT for HTTP/proxy.d1.d.example.com like:


kinit us...@b1.b.example.com
kgetcred HTTP/proxy.d1.d.example@a.example.com
klist


At the moment I don't have kgetcred available. I will try this later. 
Thanks for the hint.



Using a user from the domain that is not working on a computer of the 
domain that is, did not help. Is definitely somehow domain-related. The 
tickets ar

Re: [squid-users] Problems setting up Kerberos authentication

2010-03-04 Thread Fabian Hugelshofer 

Markus Moeller wrote:
Continuation needed means that the GSSAPI exchange has not finished and 
the server needs more data from the client. Can you see in wireshark if 
the token length is the one squid_kerb_auth says it is

 > squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)


I could confirm that the data that the client sends in the HTTP request 
is the same that is received by squid_kerb_auth. "YR " is added by squid 
(the space in the log of my last post got lost).


Further, I discovered that authentication is working for users from 
certain domains, but not for those at whose location the proxy is 
standing at. I describe the AD domain setup in more details:


The computer account that is associated with the service principal in 
the keytab file is from domain A.EXAMPLE.COM. Users, for who access is 
not working, are from domain B1.B.EXAMPLE.COM. Access is working for 
users from C.EXAMPLE.COM and a few others. The users from these "other" 
domains have been tested by starting IE as a user from that domain on a 
computer in domain C.EXAMPLE.COM. I forgot to mention that all the 
clients are Windows XP with IE7.


The FQDN of the proxy is not in the Windows domain hierarchy. It is 
proxy.d1.d.example.com.


I compiled squid_kerb_auth_test from Squid 3.1. On the proxy:

## With a user from non-working domain B1.B.EXAMPLE.COM
# kinit us...@b1.b.example.com
us...@b1.b.example.com's Password:
# squid_kerb_auth_test proxy.d1.d.example.com
2010/03/04 15:26:51| squid_kerb_auth_test: gss_init_sec_context() 
failed:  An unsupported mechanism was requested. unknown mech-code 0 for 
mech unknown

Token: NULL
# kinit -S HTTP/proxy.d1.d.example@a.example.com
us...@b1.b.example.com's Password:
kinit: krb5_get_init_creds: Server 
(HTTP/proxy.d1.d.example@b1.b.example.com) unknown


## With a user from the domain of the proxy (A.EXAMPLE.COM)
# kinit us...@a.example.com
us...@a.example.com's Password:
# squid_kerb_auth_test proxy.d1.d.example.com
Token: YIIF...
# kinit -S HTTP/proxy.d1.d.example@a.example.com
us...@a.example.com's Password:

Tomorrow I will try with a user from another domain that is working and 
that is outside A.EXAMPLE.COM. The content of my krb5.conf is:


[libdefaults]
  default_realm = A.EXAMPLE.COM

[realms]
  A.EXAMPLE.COM = {
kdc = 10.0.0.1
kdc = 10.0.0.2
  }
  B1.b.EXAMPLE.COM = {
kdc = 10.1.0.1
kdc = 10.1.0.2
  }

[domain_realm]
 .example.com = A.EXAMPLE.COM
 example.com = A.EXAMPLE.COM
 .d1.d.example.com = A.EXAMPLE.COM
 d1.d.example.com = A.EXAMPLE.COM



Fabian

[squid-users] Problems setting up Kerberos authentication

2010-03-03 Thread Fabian Hugelshofer 

Hi all,

I am trying to set up Kerberos authentication with Squid 2.7.stable7 on 
Linux. I use Heimdal 1.3.1. I already had success doing so on two 
proxies, but in a third environment, authentication fails.


In squid.conf I have the following entries:
auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d -s 
HTTP/proxy.example@example.com

acl REQUIRE_AUTH proxy_auth REQUIRED
http_access allow src_localhost
http_access deny !REQUIRE_AUTH
http_access allow all

Environmental variables KRB5_CONFIG and KRB5_KTNAME are set. By using 
kinit on the proxy it is possible to obtain a user ticket (auth with a 
password) and obtaining the service principal ticket 
(HTTP/proxy.example@example.com, auth with the keytab file) works 
fine, too.


When a client tries to use the proxy, the conversation is as following:

* User requests website

* Proxy responds with 407 and sets header "Proxy-Authenticate: Negotiate"

* User sends another request for the website and sends the ticket. From 
Wireshark:

OID: 1.3.6.1.5.5.2 (SPNEGO)
negTokenInit
MechTypes: 1.2.840.48018.1.2.2 (MS KRB5), 1.2.840.113554.1.2.2 (KRB5), 
1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

krb5_blob:
  Kerberos AP-REQ
  Realm: EXAMPLE.COM
  Server Name (type 2, service and instance): HTTP/proxy.domain.com

* squid_kerb_auth reports:
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
squid_kerb_auth: parseNegTokenInit failed with rc=102
squid_kerb_auth: continuation needed.

* Proxy replies with 407:
GSS-API:SPNEGO:negTokenTarg
negResult: accept-incomplete
supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

* Client gets an authentication pop-up where he can enter a username and 
password, but this does not work. This is probably related to the 
suggested NTLMSSP.


* User requests URL again, this time with an NTLM authenticator
GSS-API:SNPEGO:negTokenTarg
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE

* squid_kerb_auth reports:
squid_kerb_auth: Got 'KKoS...' from squid (length: 67)
squid_kerb_auth: parseNegTokenInit failed with rc=300
squid_kerb_auth: Invalid GSS-SPNEGO  query [KKoS...].
NA Invalid GSS-SPNEGO query.

* Server replies to client with "Proxy-Authenticate: Negotiate Invalid"


Does anyone have an idea what is going wrong, i.e. why the 
authentication helper replies with "continuation needed" and what I 
should try to debug?


Best regards,

Fabian