[squid-users] Squid will not authenticate NTLM/Kerberos when behind a haproxy load balancer

Samuel Anderson sam at idsdoc.com
Fri Mar 20 01:32:16 UTC 2015 

Hey, I actually just figured it out. literally about 2 minutes ago.

I changed the mode from (http) to (tcp) in the HAPROXY.CFG

It looks like its able to authenticate again. Thanks for the response.

On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney <bpk678 at gmail.com> wrote:

> On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote:
> > Hello All,
> >
> >
> > I have 2 squid servers that authenticate correctly when you point your
> > browser to either of them. I'm using a negotiate_wrapper. I set it up
> > following this
> > (
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> )
> >
> >
> > I would like to set both servers behind a haproxy load balancer,
> > however when you try to utilize the haproxy load balancer, it will not
> > authenticate anymore. It just gives an error asking to authenticate.
> >
> >
> > Any ideas?
> >
> >
> > Thanks in advance.
> >
> >
> >
> >
> >
> >
> > ##HAPROXY.CFG##
> >
> >
> > global
> > log /dev/log local0
> > log /dev/log local1 notice
> > chroot /var/lib/haproxy
> > user haproxy
> > group haproxy
> > daemon
> >
> >
> > defaults
> > log global
> > mode http
> > option httplog
> > option dontlognull
> >         contimeout 5000
> >         clitimeout 50000
> >         srvtimeout 50000
> >
> >
> > # reverse proxy-squid
> > listen  proxy 10.10.0.254:3128
> > mode http
> >         cookie  SERVERID insert indirect nocache
> >         balance roundrobin
> >         option httpclose
> >         option forwardfor header X-Client
> >         server  squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
> >         server  squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5
> >
> >
> >
> >
> >
> >
> >
> >
> > ##SQUID.CONF##
> >
> >
> >
> >
> > #Kerberos and NTLM authentication
> > auth_param negotiate program /usr/local/bin/negotiate_wrapper
> > --ntlm /usr/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL
> > --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> > auth_param negotiate children 30
> > auth_param negotiate keep_alive off
> >
> >
> > # LDAP authentication
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
> > "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local"
> > -w "****" -f sAMAccountName=%s -h
> > 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
> > auth_param basic children 150
> > auth_param basic realm Please enter your Domain credentials to
> > continue
> > auth_param basic credentialsttl 1 hour
> >
> >
> > # AD group membership commands
> > external_acl_type ldap_group ttl=60 children-startup=10
> > children-max=50 children-idle=2 %
> > LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b
> > "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local"
> > -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%
> > a,OU=PROXY,ou=ALL  Groups,DC=****,DC=local))" -h
> > dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local
> >
> >
> > acl auth proxy_auth REQUIRED
> >
> >
> >
> > acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE
> > PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED
> > PROXY-DEV PROXY-SALES
> >
> >
> > http_access deny !auth all
> > http_access deny !REQGROUPS all
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Samuel Anderson  |  Information Technology Administrator  |
> >  International Document Services
> >
> >
> > IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607
> >
> >
> >
> > CONFIDENTIALITY NOTICE:
> > This e-mail and any attachments are confidential. If you are not an
> > intended recipient, please contact the sender to report the error and
> > delete all copies of this message from your system.  Any unauthorized
> > review, use, disclosure or distribution is prohibited.
>
> how did you create and distribute the keytab for the proxies?  you must
> create one keytab and put the same exact one on each of the proxies.
> the KVNO numbers must match on every proxy.  run "klist
> -Kket /path/to/the.keytab" on the proxies to check.
>
> kerberos is heavily dependent on DNS.  the keytab should contain
> PRIMARY/instance.domain.tld at REALM where PRIMARY is HTTP,
> instance.domain.tld is the FQDN of the 10.10.0.254 IP, not either or
> both of the individual proxies, and REALM should be the Kerberos REALM.
>
> did you export the environment variable for the keytab?  on fedora, i
> put the following in /etc/sysconfig/squid:
>
> KRB5_KTNAME=/etc/squid/squid.keytab
> export KRB5_KTNAME
>
> do you get a HTTP ticket from the directory?  from a command prompt,
> what does "klist tickets" show?  you can also install the XP resource
> kit and run kerbtray.exe to get that info.  win7 and newer may have it
> built in.
>
>


-- 
Samuel Anderson  |  Information Technology Administrator  |  International
Document Services

IDS  |  11629 South 700 East, Suite 200  |  Draper, UT 84020-4607

-- 
CONFIDENTIALITY NOTICE:
This e-mail and any attachments are confidential. If you are not an 
intended recipient, please contact the sender to report the error and 
delete all copies of this message from your system.  Any unauthorized 
review, use, disclosure or distribution is prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150319/361ede3b/attachment-0001.html>

More information about the squid-users mailing list