[squid-users] Problems with Squid Authentication

Marcio Demetrio Bacci marciobacci at gmail.com
Sat Aug 20 03:50:26 UTC 2016


Hi,

1) Here is the result of the command line:
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR -d -i
mary abc@12345
negotiate_kerberos_auth.cc(258): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: DEBUG: Got 'mary abc@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(295): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: ERROR: Invalid request [mary abc@12345]
BH invalid request

2) Below are my keytabs:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy@EMPRESA.COM.BR
   1 host/proxy@EMPRESA.COM.BR
   1 host/proxy@EMPRESA.COM.BR
   1 host/proxy@EMPRESA.COM.BR
   1 host/proxy@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR


Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR
   1 HTTP/proxy$EMPRESA.COM.BR

Note: I left and re-joined the domain.

3) Here is the result:
/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
mary abc@12345
BH invalid request



4) DNS records are OK.
The proxy server name exists in DNS and has an A record (proxy IN A 192.168.200.7) and
a PTR record (7 IN PTR proxy.empresa.com.br.)


5) cat /etc/hosts
127.0.0.1              localhost
192.168.200.7     proxy.empresa.com.br   proxy



6) Time is in sync with the AD server (the time is identical)


7) My /etc/krb5.conf file:
[libdefaults]
       default_realm = EMPRESA.COM.BR
       dns_lookup_kdc = yes
       dns_lookup_realm = yes
       default_keytab_name = /etc/krb5.keytab

[realms]
EMPRESA.COM.BR = {
kdc = dc1.empresa.com.br:88
admin_server = dc1.empresa.com.br
default_domain = EMPRESA.COM.BR
}


[domain_realm]
.empresa.com.br = EMPRESA.COM.BR
empresa.com.br = EMPRESA.COM.BR

[logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log


8) Below is my /etc/nsswitch.conf file:
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


9) Below is my /etc/pam.d/common-session file:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session    optional pam_winbind.so


10) Below is my /etc/samba/smb.conf file:
[global]
  netbios name = proxy
  workgroup = EMPRESA
  security = ads
  realm = EMPRESA.COM.BR
  encrypt passwords = yes
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  password server = dc1.empresa.com.br
  preferred master = no
  idmap config *:backend = tdb
  idmap config *:range = 1000-3000
  idmap config EMPRESA:backend = ad
  idmap config EMPRESA:schema_mode = rfc2307
  idmap config EMPRESA:range = 10000-9999999
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind offline logon = yes
  winbind refresh tickets = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  username map = /etc/samba/user.map


11) Other information:
>> Samba4 and Winbind services are enabled
>> In my DC there is a Squid account (called "proxy")
>> wbinfo -g, wbinfo -u, wbinfo -t and getent passwd are OK
>> kinit <user> is OK
>> klist -l is OK

Do you have any other ideas?

Regards,

Márcio
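
The helper in step 1 is being handed a username and password, but Squid's negotiate helpers speak a token protocol: Squid writes `YR <base64 SPNEGO token>` for the first round (and `KK <token>` for later rounds) and the helper answers `AF`, `NA`, `TT` or `BH`. A line that is not of that form is rejected as `BH invalid request` before Kerberos is ever touched, so that result says nothing about the keytabs. The script below is an added example, not code from this thread or from the Squid project: it parses the `klist -k` listing for the HTTP SPN, reports the key versions held in the keytab beside the version the KDC currently issues (`kvno`), classifies helper replies, and in its live mode lets Squid's own `negotiate_kerberos_auth_test` build a real token from a `kinit` TGT and pipes it into the helper. The Debian 8 paths, the SPN, the `RUN_LIVE_CHECKS`/`KEYTAB`/`SPN`/`HELPER`/`HELPER_TEST` variables and the assumption that the test tool prints a `YR <token>` line are mine; the sample `klist`/`kvno` lines in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the HTTP keytab and drive
# negotiate_kerberos_auth the way Squid does. Paths, the SPN, the variable
# names and the sample klist/kvno output are assumptions for a Debian 8
# squid3 install.

SPN="${SPN:-HTTP/proxy.empresa.com.br@EMPRESA.COM.BR}"
KEYTAB="${KEYTAB:-/etc/squid3/HTTP.keytab}"
HELPER="${HELPER:-/usr/lib/squid3/negotiate_kerberos_auth}"
HELPER_TEST="${HELPER_TEST:-/usr/lib/squid3/negotiate_kerberos_auth_test}"

# Read `klist -k` output on stdin; succeed if the exact principal is listed.
# Data lines start with a numeric KVNO and end with the principal, so the
# "Keytab name:" and "KVNO Principal" header lines are skipped.
keytab_has_principal() {
    awk -v spn="$1" '$1 ~ /^[0-9]+$/ && $NF == spn { found = 1 } END { exit !found }'
}

# Print the distinct KVNOs stored for a principal, space-separated. Several
# lines per principal (one per enctype) are normal; several KVNOs are not:
# that is a keytab carrying keys from before and after a re-join.
keytab_kvnos() {
    awk -v spn="$1" '$1 ~ /^[0-9]+$/ && $NF == spn { print $1 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Extract the version number from `kvno SPN` output (constructed sample):
#   HTTP/proxy.empresa.com.br@EMPRESA.COM.BR: kvno = 3
# That is the KVNO the KDC issues tickets with; it must match the keytab.
parse_kvno_output() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify one reply line of Squid's negotiate helper protocol. Squid sends
# "YR <base64 SPNEGO token>" for the first round and "KK <token>" afterwards;
# the helper answers with one of
#   AF <token> <user>   authenticated (user is the last field)
#   NA <token> <msg>    token rejected
#   TT <token>          another round needed
#   BH <msg>            helper failure, e.g. "BH invalid request" for a line
#                       that is not "YR/KK <token>" (such as "user password")
classify_helper_reply() {
    case "$1" in
        AF\ *) echo "ok:${1##* }" ;;
        NA\ *) echo "rejected" ;;
        TT\ *) echo "continue" ;;
        BH\ *) echo "helper-error:${1#BH }" ;;
        *)     echo "unknown" ;;
    esac
}

# Live checks: need the keytab, a TGT from `kinit <user>` and the Squid
# helper binaries. Run with RUN_LIVE_CHECKS=1.
main() {
    local listing host reply
    listing="$(klist -k "$KEYTAB")" || return 1
    if ! printf '%s\n' "$listing" | keytab_has_principal "$SPN"; then
        echo "MISSING: $SPN is not in $KEYTAB"
        return 1
    fi
    echo "keytab KVNO(s) for $SPN: $(printf '%s\n' "$listing" | keytab_kvnos "$SPN")"
    if command -v kvno >/dev/null; then
        echo "KDC KVNO for $SPN: $(kvno "$SPN" 2>&1 | parse_kvno_output)"
    fi
    # The proper manual test: let the test tool build a real SPNEGO token for
    # HTTP@<host> from the current TGT and feed it to the helper, with
    # KRB5_KTNAME set as /etc/default/squid3 does. Assumption: the tool
    # prints a "YR <token>" line, which is what the helper expects.
    host="${SPN#HTTP/}"; host="${host%@*}"
    if [ -x "$HELPER_TEST" ] && [ -x "$HELPER" ]; then
        reply="$("$HELPER_TEST" "$host" 1 | KRB5_KTNAME="$KEYTAB" "$HELPER" -s "$SPN" | head -n 1)"
        echo "helper said: $reply -> $(classify_helper_reply "$reply")"
    fi
}

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then main; fi
```

Run it as `kinit mary; RUN_LIVE_CHECKS=1 bash check.sh`. A `BH invalid request` means the input line was not a token, not that Kerberos failed; an `NA` reply to a real token means the helper could not accept it with the keys it has, which is where a KVNO in `klist -k` that differs from what `kvno` reports, or a missing `HTTP/<fqdn>@REALM` entry, shows up.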

2016-08-19 7:02 GMT-03:00 L.P.H. van Belle <belle at bazuin.nl>:

> Hai,
>
> Yes, all new things are hard..
>
> I need some extra info because there are lots of things that can be wrong.
>
> Post what you see here:
>
> /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR -d -i
>
> >> kinit and klist are ok
> >> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
>
> These are normally not identical. In the HTTP keytab I have ONLY the HTTP
> SPN.
>
> And in the krb5.keytab I have the host SPN and netbios_name($).
>
> How to test the Kerberos auth.. hmm, that's a difficult one for me.
>
> I know a lot but not all..  :-(  .
>
> But what I do know, you can test with
>
> /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
>
> If that works it's probably an SPN or DNS problem.
>
> If that isn't working, then do check the time on the AD server and proxy
> server.
>
> I can only say.
>
> The proxy server name must exist in DNS and must have A and PTR records. (
> add this in the Samba AD )
>
> The reverse zone is ( maybe ) created, if not, create it yourself and add
> the PTR records.
>
> The /etc/hosts file may NOT contain any
>
> 127.0.1.1        yourhostname.. ..
>
> If it's in there, you installed with a DHCP IP.
>
> It should contain
>
> 127.0.0.1              localhost
> IP_OF_SERVER   hostname.domain.tld hostname
>
> That is there if you install with a static IP.
>
> Time must be in sync with the AD server ( max difference I allow is 1 min. )
>
> If needed install ntp on the proxy and point the server to the AD DC.
>
> And post what you now have in krb5.conf
>
> These are the most common pitfalls, I'll see what I can do to help out.
>
> Greetz,
>
> Louis
>
> ------------------------------
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On behalf
> of *Marcio Demetrio Bacci
> *Sent:* Friday 19 August 2016 3:50
> *To:* Squid Users
> *Subject:* [squid-users] Problems with Squid Authentication
>
>
> My Kerberos Authentication doesn't work. This is very hard!
>
> My Squid3 is joined to the Domain
>
> kinit and klist are ok
>
> wbinfo -g and wbinfo -u are ok too.
>
> I have created the squid3 file in /etc/default with the following content:
>
> KRB5_KTNAME=/etc/squid3/HTTP.keytab
> export KRB5_KTNAME
>
> I have two keytab files:
>
> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
>
> I have installed the libsasl2-modules-gssapi-mit and libsasl2-modules packages
> because my Squid server is Debian 8. But I didn't use the msktutil tool. I have
> only joined the Squid server to the Domain (net ads join -U administrator)
>
> How can I debug the problem?
>
> How can I test Kerberos authentication in the terminal (command line)?
>
> Below is my squid.conf file:
>
> ### Basic settings
>
> cache_mgr administrator@empresa.com.br
>
> http_port 3128
>
> #debug_options ALL,111,2 29,9 84,6
>
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
>
> maximum_object_size 512 MB
> minimum_object_size 0 KB
>
> maximum_object_size_in_memory 4096 KB
>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> # So as not to block downloads
> quick_abort_min -1 KB
>
> # Fixes a problem with persistent connections
> detect_broken_pconn on
>
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp:   1440   20%   10080
> refresh_pattern ^gopher:   1440   0%   1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%    0
> refresh_pattern .      0   20%   4320
>
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
> ### defines the disk cache location, size, number of parent directories and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> visible_hostname proxy.empresa.com.br
>
> ### acls
> #acl manager proto cache_object
> acl localhost src 192.168.200.7/32
> acl to_localhost dst 192.168.200.7/32
> acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
> acl Safe_ports port 21       # ftp
> acl Safe_ports port 70       # gopher
> acl Safe_ports port 80       # http
> acl Safe_ports port 88       # kerberos
> acl Safe_ports port 210       # wais
> acl Safe_ports port 280       # http-mgmt
> acl Safe_ports port 389       # ldap
> acl Safe_ports port 443    # https
> acl Safe_ports port 488       # gss-http
> acl Safe_ports port 563       # snews
> acl Safe_ports port 591       # filemaker
> acl Safe_ports port 777       # multiling http
> acl Safe_ports port 3001         # Imprensa Nacional
> acl Safe_ports port 8080    # http
> acl Safe_ports port 1025-65535    # unregistered ports
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> ### Initial Squid rules
> http_access allow localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ### Requires authentication
> acl autenticados proxy_auth REQUIRED
> http_access allow autenticados
>
> ### Local network #####
> acl rede_local src 192.168.200.0/22
>
> ### Denies access to anyone not on the local network
> http_access allow rede_local
>
> # denying access to everyone not covered by the previous rules
> http_access deny all
>
> ### Errors in Portuguese
> error_directory /usr/share/squid3/errors/pt-br
>
> #cache_effective_user proxy
> coredump_dir /var/spool/squid3
>
> Regards,
>
> Márcio
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
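
The pitfalls in the quoted reply (a `127.0.1.1` line naming the proxy in `/etc/hosts`, A and PTR records that do not agree, clock skew against the DC) are worth checking mechanically before blaming the helper, because clients and MIT krb5's reverse-DNS canonicalisation build the `HTTP/<fqdn>` service principal from those records. The script below is an added example, not code from the thread or from Squid or Samba: its pure functions take the file and command output as text (so they can be exercised with constructed input), and the live mode reads the real `/etc/hosts`, `dig` and `ntpdate -q`. The `FQDN`/`STATIC_IP`/`DC`/`RUN_LIVE_CHECKS` variable names, the 60-second limit (the reply's own tolerance) and the sample hosts and ntpdate lines are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks for the three pitfalls the
# reply lists, namely a 127.0.1.1 hosts entry, disagreeing A/PTR records and
# clock skew against the DC. Sample inputs are constructed; the live part
# assumes dig and ntpdate are installed and FQDN/STATIC_IP/DC are set.

# Inspect an /etc/hosts file on stdin. Prints "ok" or the problem:
#  - the FQDN sits on a 127.0.1.1 line (Debian's default on a DHCP install),
#    so the proxy's own name resolves to loopback instead of the address the
#    DC and the clients use;
#  - no line maps the static IP to the FQDN.
hosts_check() {
    awk -v fqdn="$1" -v ip="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn && $1 == "127.0.1.1") loop = 1
                if ($i == fqdn && $1 == ip) good = 1
            }
        }
        END {
            if (loop)       print "127.0.1.1 maps " fqdn " to loopback"
            else if (!good) print "no line maps " ip " to " fqdn
            else            print "ok"
        }'
}

# Compare the forward and reverse answers as printed by `dig +short`.
# The PTR must give back the FQDN the SPN was built from; DNS's trailing dot
# and case differences are normalised away before comparing.
dns_agree() {
    local fqdn="$1" ip="$2" a_answer="$3" ptr_answer="$4" want got
    want="$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')"
    got="$(printf '%s' "$ptr_answer" | tr 'A-Z' 'a-z' | sed 's/\.$//')"
    if [ "$a_answer" != "$ip" ]; then
        echo "A record for $fqdn is '$a_answer', expected $ip"
    elif [ "$got" != "$want" ]; then
        echo "PTR for $ip is '$ptr_answer', expected $fqdn"
    else
        echo "ok"
    fi
}

# Pull the signed offset in seconds out of `ntpdate -q` output, e.g.
# (constructed sample):
#   server 192.168.200.1, stratum 3, offset -0.004321, delay 0.02585
parse_ntpdate_offset() {
    sed -n 's/.*offset \(-*[0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if |offset| is below the limit. The reply allows 60 s; MIT
# Kerberos's own default clockskew is 300 s, beyond which every ticket
# exchange fails outright.
skew_ok() {
    awk -v o="$1" -v m="${2:-60}" 'BEGIN { if (o < 0) o = -o; exit !(o < m) }'
}

main() {
    local fqdn="${FQDN:-$(hostname -f)}" ip="${STATIC_IP:?set STATIC_IP}" \
          dc="${DC:?set DC to the domain controller}" off
    hosts_check "$fqdn" "$ip" < /etc/hosts
    if command -v dig >/dev/null; then
        dns_agree "$fqdn" "$ip" \
            "$(dig +short A "$fqdn" | head -n 1)" "$(dig +short -x "$ip" | head -n 1)"
    fi
    if command -v ntpdate >/dev/null; then
        off="$(ntpdate -q "$dc" 2>/dev/null | parse_ntpdate_offset)"
        if skew_ok "${off:-0}"; then echo "clock offset ${off:-?} s ok"
        else echo "clock offset $off s exceeds 60 s"; fi
    fi
}

if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then main; fi
```

Run it as `STATIC_IP=192.168.200.7 DC=dc1.empresa.com.br RUN_LIVE_CHECKS=1 bash pitfalls.sh`; each line it prints that is not `ok` is one of the reply's pitfalls, and a skew well under 60 s means time is not the problem.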