[squid-users] Squid + AD + Kerb auth question

Markus Moeller huaraz at moeller.plus.com
Thu Mar 19 22:19:15 UTC 2015


Hi Joao,

   OK now you use the authentication rule. 

   How did you create the keytab? Does the hostname match the keytab entry?

  Can you run the helper with -d to get more debug?

Markus
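The three questions above are the usual checks behind a `gss_acquire_cred() failed` from the helper: the helper must be able to open the keytab as the user Squid runs it under, and the keytab must hold a key for `HTTP/<fqdn>@REALM`, where `<fqdn>` is the proxy name clients are configured with. The script below is an added example, not code from this thread or from the Squid project. It assumes the keytab path `/etc/squid/HTTP.keytab`, the helper path from Joao's squid.conf, and the realm `JOZNET.LOCAL` from his krb5.conf; the function names and the `--run` convention are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: sanity checks for the
# squid_kerb_auth setup discussed above. Assumed values (change for your site):
KEYTAB="${KEYTAB:-/etc/squid/HTTP.keytab}"          # assumed keytab path
HELPER="${HELPER:-/usr/lib64/squid/squid_kerb_auth}" # path from Joao's squid.conf
REALM="${REALM:-JOZNET.LOCAL}"                       # realm from Joao's krb5.conf

# Print the HTTP/ service principals in a `klist -k` or `klist -kt` listing
# read from stdin. The principal is the last column in either format.
keytab_http_principals() {
    awk '$NF ~ /^HTTP\// { print $NF }' | sort -u
}

# Return 0 if the listing contains exactly HTTP/<fqdn>@<REALM>, the principal a
# client requests a ticket for when it is configured to use proxy <fqdn>.
# A short hostname, different case or a different realm in the keytab is a mismatch.
keytab_matches_host() {
    listing="$1"; fqdn="$2"; realm="$3"
    printf '%s\n' "$listing" | keytab_http_principals | grep -qxF "HTTP/${fqdn}@${realm}"
}

# Return 0 if the keytab is a readable regular file for the current user. Run
# this as Squid's cache_effective_user (e.g. `sudo -u squid sh thisscript --run`),
# because the helper runs as that user and cannot acquire credentials from a
# keytab it cannot open.
keytab_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Start the helper by hand with debug output (-d) and the expected service
# principal (-s). KRB5_KTNAME points the Kerberos library at the keytab.
# The helper then reads "YR <base64 token>" lines on stdin, as Squid would send.
run_helper_debug() {
    spn="$1"; keytab="$2"
    KRB5_KTNAME="$keytab" "$HELPER" -d -s "$spn"
}

# Live checks run only when invoked with "--run", so the functions above can be
# sourced or tested on a box without klist or the helper installed.
if [ "${1:-}" = "--run" ]; then
    fqdn=$(hostname -f)
    spn="HTTP/${fqdn}@${REALM}"
    listing=$(klist -kt "$KEYTAB")
    if keytab_matches_host "$listing" "$fqdn" "$REALM"; then
        echo "ok: $KEYTAB contains $spn"
    else
        echo "MISMATCH: $KEYTAB has no entry for $spn; HTTP/ principals present:"
        printf '%s\n' "$listing" | keytab_http_principals
    fi
    keytab_readable "$KEYTAB" || echo "ERROR: $KEYTAB not readable as $(id -un)"
    run_helper_debug "$spn" "$KEYTAB"
fi
```

Run it as the Squid user with `--run`; if the keytab check passes but the helper still fails, the `-d` output on stderr shows which GSS call returns the error.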


From: Joao Paulo Monticelli Gaspar 
Sent: Thursday, March 19, 2015 12:41 AM
To: Markus Moeller 
Subject: Re: [squid-users] Squid + AD + Kerb auth question

getting access denied now 

watch the logs


==> /var/log/squid/squid.out <==

==> /var/log/squid/access.log <==
1426725527.219      1 192.168.1.251 TCP_DENIED/407 4509 GET http://www.eset.com.br/download/business - NONE/- text/html

==> /var/log/squid/cache.log <==
2015/03/18 21:38:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. '

guess my SSO isn't working right?

2015-03-18 20:46 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

  Hi Joao

  Then you hit

  http_access allow localnet


  and not

  http_access allow ad_auth

  Comment out the following line in squid.conf 

  http_access allow localnet


  and try again.

  Markus

  From: Joao Paulo Monticelli Gaspar 
  Sent: Wednesday, March 18, 2015 11:38 PM
  To: Markus Moeller 
  Subject: Re: [squid-users] Squid + AD + Kerb auth question

  yes, I'm using localnet, this is a virtual test lab environment, here are some log entries 

  1426694349.225  59653 192.168.1.251 TCP_MISS/200 4775 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i2-v6exp3-ds.metric.gstatic.com:443 - DIRECT/216.58.222.35 -
  1426694352.258  62686 192.168.1.251 TCP_MISS/200 4774 CONNECT p5-ib4juqow2smme-qg5sbffb457kogr5-505177-i1-v6exp3-v4.metric.gstatic.com:443 - DIRECT/216.58.222.46 -
  1426694613.543  58996 192.168.1.251 TCP_MISS/200 1112 CONNECT safebrowsing.google.com:443 - DIRECT/173.194.42.133 -

  When I looked at the access.log manual pages I saw that if Squid can't get the user info, it puts a - sign in the access log, and we can see it there, but why can't it get the user info?


  2015-03-18 20:20 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>: 


    Hi,

      From which network do you surf? From localnet?

      Can you send sample log entries?

    Markus

    From: Joao Paulo Monticelli Gaspar 
    Sent: Wednesday, March 18, 2015 9:18 PM
    To: Markus Moeller 
    Subject: Re: [squid-users] Squid + AD + Kerb auth question

    squid.conf 

    visible_hostname proxy.joznet.local

    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    auth_param basic credentialsttl 2 hours

    acl ad_auth proxy_auth REQUIRED

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access deny manager

    http_access deny !Safe_ports


    http_access deny CONNECT !SSL_ports


    http_access allow localnet

    http_access allow localhost
    http_access allow ad_auth
    http_access deny all


    http_port 3128

    hierarchy_stoplist cgi-bin ?


    coredump_dir /var/spool/squid


    refresh_pattern ^ftp: 1440 20% 10080

    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    ****************************************************************************************
    krb5.conf

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = JOZNET.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    ; for Windows 2008 with AES

    ;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    ; for MIT/Heimdal kdc no need to restrict encryption type

    [realms]
    JOZNET.LOCAL = {
      kdc = srvjoznt.joznet.local:88
      admin_server = srvjoznt.joznet.local:749
      default_domain = joznet.local 
    }

    [domain_realm]
    .joznet.local= JOZNET.LOCAL
    joznet.local= JOZNET.LOCAL

    [pam]
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false


    2015-03-18 17:54 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:

      What does the config file look like?

      Markus

      "Joao Paulo Monticelli Gaspar" <jaumshock at gmail.com> wrote in message news:CAFjXhx=idbdXEQxbZy56tr5m3FZTasu2tqGwLcLYdi_S-s3eQg at mail.gmail.com...
      Hey people 

      I have a question and couldn't find the answer anywhere yet. I'm using Squid integrated with a W2K8 AD server with Kerberos auth, and everything works fine. The main reason for choosing this setup is the Single Sign-On capability of the configuration, but in my access.log I can't see the users that are visiting the sites...

      Is it possible to show that info with this setup, or with any other setup that maintains the SSO?

      Thx in advance.

--------------------------------------------------------------------------
      _______________________________________________
      squid-users mailing list
      squid-users at lists.squid-cache.org
      http://lists.squid-cache.org/listinfo/squid-users

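The `-` in the user column of Joao's access.log and Markus's point that `http_access allow localnet` matches before `http_access allow ad_auth` are the same issue: Squid applies the first http_access line that matches, so a rule that admits the LAN without naming the proxy_auth ACL means no 407 challenge is ever sent and no username is logged. The script below is an added example, not code from this thread or from the Squid project; it reads a squid.conf, lists the allow rules evaluated before any rule that names a proxy_auth ACL, and shows the other common fix besides commenting the line out, which is `http_access allow localnet ad_auth` (ACLs on one line are ANDed). Function names and the `--run FILE` convention are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Squid: find http_access allow
# rules that let clients through before Squid ever asks for credentials.

# Print the names of ACLs defined with proxy_auth (ad_auth in Joao's config).
proxy_auth_acls() {
    awk '$1 == "acl" && $3 == "proxy_auth" { print $2 }' "$1" | sort -u
}

# Print, with line numbers, every "http_access allow" rule that comes before the
# first allow rule naming a proxy_auth ACL. A client matched by one of these is
# never sent a 407 challenge and is logged with "-" in the user column.
# "allow localhost" is normally intended; "allow localnet" is the one to review.
allows_before_auth() {
    auth=$(proxy_auth_acls "$1" | tr '\n' ' ')
    awk -v auth="$auth" '
        BEGIN { n = split(auth, a, " "); for (i = 1; i <= n; i++) isauth[a[i]] = 1 }
        $1 == "http_access" && $2 == "allow" {
            for (i = 3; i <= NF; i++) { f = $i; sub(/^!/, "", f); if (f in isauth) exit }
            print NR ": " $0
        }' "$1"
}

# Print the config with "http_access allow <acl>" rewritten to
# "http_access allow <acl> <auth_acl>". ACLs on one http_access line are ANDed,
# so the rule then admits LAN clients only after they have authenticated.
require_auth_for() {
    awk -v want="$2" -v auth="$3" '
        $1 == "http_access" && $2 == "allow" && NF == 3 && $3 == want { $0 = $0 " " auth }
        { print }' "$1"
}

# Report mode: sh thisscript --run /etc/squid/squid.conf
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    echo "proxy_auth ACLs: $(proxy_auth_acls "$2" | tr '\n' ' ')"
    echo "allow rules evaluated before authentication is required:"
    allows_before_auth "$2"
fi
```

On Joao's config the report lists `http_access allow localnet` and `http_access allow localhost`; to apply the AND form, write `require_auth_for /etc/squid/squid.conf localnet ad_auth > squid.conf.new`, review the diff, and reload Squid.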