[squid-users] cygwin (running on Win2K3 and 2K8) + squid 3.3.3 + negotiate_kerberos_auth

Mirza Dedic mirza.dedic at outlook.com
Mon Oct 13 00:47:06 UTC 2014


I've got Squid 3.3.3 running on a Windows 2003 (and 2008) box via CYGWIN;
it works with the basic config.

My next step is to put some authentication in place, in this case
Kerberos, using:

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/vis-squid.VAND1.OPPY.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on


Before I can do this, I need to get a keytab file and set up the proper SPNs.
On CYGWIN we don't have Samba, so I am using msktutil to create the computer
account and keytab/SPNs; specifically one that works under CYGWIN
(https://github.com/fd00/yacp/tree/master/msktutil).


When I try to create the keytab as per
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos by
running...

msktutil -c -b "CN=computers" -s HTTP/xxx-squid.MY.DOMAIN.COM -k /etc/squid/PROXY.keytab --computer-name xxx-squid --upn HTTP/xxx-squid.MY.DOMAIN.COM --server DCSRV02 --enctypes 28 --verbose

It runs but dies at:

-- ldap_get_pwdLastSet: pwdLastSet is 130576191605205669
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576191607895789
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
The syntax of this command is:

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
      HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
      SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Setting samba secret failed with error code 256
Error: set_password failed
Hint: Does your password policy allow to change vis-squid's password?
      For example, there could be a "Minimum password age" policy preventing
      passwords from being changed too frequently. If so, you can reset the
      password instead of changing it using the --user-creds-only option.
      Be aware that you need a ticket of a user with administrative privileges
      for that.
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context


Looks like it is trying to use Samba's "net" command, which is different from
the net command above (Windows). So I edited
http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp
and commented out the block of code that tries to run the "net
changesecretpw" Samba cmd (I thought the whole purpose of msktutil was an
alternative way to perform "net ads keytab create", so why is it running that
cmdlet?), then re-compiled msktutil and re-ran it.

It went through this time with:


-- ldap_get_pwdLastSet: pwdLastSet is 130576324675479078
-- set_password: Successfully reset computer's password
-- set_password: Setting samba machine trust account password
-- set_password: Successfully set samba machine trust account password
-- ldap_add_principal: Checking that adding principal HTTP/xxx-squid.MY.DOMAIN.COM to vis-squid won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/xxx-squid.MY.DOMAIN.COM to LDAP entry
-- execute: Updating all entries for rmt-server01.MY.DOMAIN.COM in the keytab WRFILE:/etc/squid/PROXY.keytab

-- update_keytab: Updating all entires for vis-squid
-- ldap_get_kvno: KVNO is 4
-- add_principal_keytab: Adding principal to keytab: vis-squid
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/xxx-squid.MY.DOMAIN.COM
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM
-- add_principal_keytab:   Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the password structure
-- ~KRB5Context: Destroying Kerberos Context


In AD I can see a new user account named "xxx-squid" (should this not be a
computer object instead of a user object?). So now back to Squid
(stop/start), and when I try hitting google.com via IE9/IE10/IE11 I get:

2014/10/12 17:37:14 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect'


So.. something is still not right with my setup.. any suggestions? Can I
create the keytab file on my Active Directory server, copy the file over, and
use that instead?

With the recent release of SQUID 3.3.3 to CYGWIN
(http://sourceware.mirrors.tds.net/pub/sourceware.org/cygwin/x86/release/squid/)
I've been at it for a few days trying to make it work but am stuck at
getting SSO with negotiate_kerberos_auth..

Any ideas?
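The last error quoted in the post ("Key version number for principal in key table is incorrect") means the kvno recorded in the keytab no longer matches the kvno Active Directory holds for the account: every password reset of the account increments its msDS-KeyVersionNumber, so a keytab written before a later reset is stale. The check a practitioner wants is the one `klist -kt` plus an LDAP lookup gives: list principal, kvno and enctype for each keytab entry and compare with AD. The script below is an added example, not code from this post, from msktutil or from Squid. It reads the MIT v2 (0x0502) keytab format directly; the keytab bytes, the zero-filled placeholder keys and the AD kvno values are constructed inline, and the principal names and enctypes (0x17, 0x11, 0x12) mirror the msktutil output above.

```python
import struct

# Enctype numbers as they appear in the msktutil output above (0x17, 0x11, 0x12).
ENCTYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
KRB5_NT_PRINCIPAL = 1


def _octets(b: bytes) -> bytes:
    # counted_octet_string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into a v2 (0x0502) keytab image.
    Only used here to construct sample data; a real keytab comes from msktutil or ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for comp in components:
            body += _octets(comp.encode())
        # name_type, timestamp (0 = unknown), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes):
    """Return [{'principal', 'kvno', 'enctype'}, ...] for every live entry, like `klist -kt`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size = deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen          # skip the key bytes; key material is never printed
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno present; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab_against_ad(entries, ad_kvno):
    """ad_kvno maps each principal to the msDS-KeyVersionNumber of the AD account holding it.
    Any mismatch is what negotiate_kerberos_auth reports as
    'Key version number for principal in key table is incorrect'."""
    problems = []
    for e in entries:
        expected = ad_kvno.get(e["principal"])
        if expected is None:
            problems.append(f"{e['principal']}: no AD account holds this principal")
        elif expected != e["kvno"]:
            problems.append(f"{e['principal']}: keytab kvno {e['kvno']} but AD kvno {expected}")
    return problems


# Constructed sample mirroring the msktutil run above: kvno 4, enctypes 0x17/0x11/0x12.
# Keys are zero-filled placeholders, never real key material.
SAMPLE_ENTRIES = [
    (p, 4, et, bytes(32 if et == 18 else 16))
    for p in ("vis-squid@MY.DOMAIN.COM", "HTTP/xxx-squid.MY.DOMAIN.COM@MY.DOMAIN.COM")
    for et in (23, 17, 18)
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
# Constructed AD values: what msDS-KeyVersionNumber reads right after the keytab was written,
# and what it reads after one further password reset of the account.
AD_KVNO_CURRENT = {"vis-squid@MY.DOMAIN.COM": 4, "HTTP/xxx-squid.MY.DOMAIN.COM@MY.DOMAIN.COM": 4}
AD_KVNO_AFTER_RESET = {k: 5 for k in AD_KVNO_CURRENT}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e['kvno']}  {ENCTYPE_NAMES.get(e['enctype'], e['enctype']):<24} {e['principal']}")
    for p in check_keytab_against_ad(parse_keytab(SAMPLE_KEYTAB), AD_KVNO_AFTER_RESET):
        print("STALE:", p)
```

Against a real file, call parse_keytab(open("/etc/squid/PROXY.keytab", "rb").read()) and fill the AD mapping from the account's msDS-KeyVersionNumber attribute (ldapsearch or Get-ADComputer/Get-ADUser -Properties msDS-KeyVersionNumber). If the kvno differs, the keytab is stale and needs regenerating from the current account password; restarting Squid will not fix it. The check also exposes the user-vs-computer-object question from the post, since the mapping has to name the account that actually holds the HTTP/ SPN.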
