[squid-users] please, can someone help me with the negotiate kerberos?

Rafael Akchurin rafael.akchurin at diladele.com
Mon Feb 17 10:06:22 UTC 2020


Hello Rafael,

There is an easier option *without* joining the Squid machine to the domain.
See the tutorial at https://docs.diladele.com/administrator_guide_stable/active_directory/index.html (it also applies to vanilla Squid without our UI; you would just need to do more manual steps).

Raf

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Rafael Silva Daniel
Sent: Saturday, 15 February 2020 21:08
To: squid-users at lists.squid-cache.org
Subject: [squid-users] please, can someone help me with the negotiate kerberos?

Hello! I think I did almost everything right. First I set it up in a test environment with Debian stretch running Squid 3.5 and a Windows Server 2008 based domain controller, and it worked!

But when I tried to deploy it in the production environment, running Debian stretch, Squid 3.5 and Windows Server 2012 as the domain controller, the authentication never works; the file /var/log/squid/cache.log shows this:

2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name; }}
negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).

Obs1: I replaced a big string of letters and numbers with "(LETTERS AND NUMBERS)".
Obs2: I posted more of the file at this link: https://pastebin.com/Z2fe98dB

Well, the results of running kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL:

root@SERVER:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL

Valid starting       Expires              Service principal
02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02/16/2020 09:55:32



The results of running klist -kte /etc/squid/HTTP.keytab:

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)

And the results of running negotiate_kerberos_auth_test:

root@SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
Token: (Alonglinewithnumbersandletters)

The contents of /etc/krb5.conf:

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/HTTP.keytab

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        admin_server = dc01.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

And /etc/squid/squid.conf:

http_port 3128
dns_nameservers 200.198.5.4 200.198.5.5
visible_hostname PROXY
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

url_rewrite_program /usr/bin/squidGuard

#auth parameter NEGOTIATE
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
auth_param negotiate children 30
auth_param negotiate keep_alive on

acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 90 # metodo
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access allow auth



On the domain controller I created the proper DNS records in both zones: the host running Squid has its IP resolved to the right hostname and its hostname resolved to the right IP. On the clients I set the proxy to server.domain.local; in Squid's access.log the requests come in but are all denied, and a prompt for user name and password is shown to the user.

Obs: the only data edited while posting is that I replaced our domain with domain.local, the name of the host with SERVER, and the long strings of data in the cache log and negotiate_kerberos_auth_test output; all the rest is what is really running in the files.

Please, someone help me. I tried to read everything I could find, but I cannot work out what I am doing wrong. Thanks in advance, D:

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
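The cache.log line in the post reports that no principal in the keytab matches the name the helper asked for, and the two listings posted can be checked against each other directly: squid.conf passes -s HTTP/squid.domain.local, while klist -kte shows the keytab holding HTTP/squid2.domain.local (the kinit test also used the squid2 name, so it proves the keytab works, not that the name Squid asks for is in it). The script below is an added example, not code from this thread or from the Squid project. It parses the posted klist -kte listing and the auth_param line (both copied inline as constructed sample data, with the archive's " at " restored to "@" and the listing shortened), reports whether the -s principal is present and which HTTP/ principals are, and also flags the single-DES and RC4 enctypes in the posted krb5.conf, which current MIT krb5 disables or has removed. Kerberos principal names are case-sensitive, so the comparison is byte-exact. The behaviour assumed for a missing -s (the helper falling back to its own default) is noted as an assumption in the code.

```python
import re

# Sample inputs copied from the post above (archive's " at " restored to "@",
# wrapped lines rejoined, keytab listing shortened): constructed offline
# sample data, not live output from any host.
SQUID_AUTH_LINE = ("auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth "
                   "-d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab")
KLIST_KTE = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""
KRB5_LIBDEFAULTS = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

# One 'klist -kte' row: KVNO, date, time, principal, (enctype).
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
ENCTYPE_OPTION = re.compile(
    r"^\s*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)\s*=\s*(.+?)\s*$")
# Single DES needs allow_weak_crypto in MIT krb5 (removed outright in 1.18);
# RC4/arcfour is deprecated by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}


def parse_klist_kte(text):
    """Return [(kvno, principal, enctype), ...] parsed from 'klist -kte' output."""
    rows = (KLIST_ROW.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in rows if m]


def service_name_from_auth_param(line):
    """The -s value on the negotiate_kerberos_auth line, or None if -s is absent
    (assumption: the helper then falls back to its own default name)."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-s":
            return tokens[i + 1]
    return None


def split_principal(name):
    """'HTTP/host@REALM' -> ('HTTP/host', 'REALM'); realm is None when absent."""
    primary, sep, realm = name.rpartition("@")
    return (primary, realm) if sep else (name, None)


def check_service_principal(wanted, entries):
    """Is the principal Squid asks GSSAPI for actually in the keytab?

    Principal names are case-sensitive, so only a byte-exact primary counts;
    the realm is compared only when -s carries one.  The HTTP/ principals the
    keytab does hold are returned too: one of them is what -s should name."""
    want_primary, want_realm = split_principal(wanted)
    hits = [kvno for kvno, principal, _ in entries
            if split_principal(principal)[0] == want_primary
            and want_realm in (None, split_principal(principal)[1])]
    return {"wanted": wanted, "found": bool(hits), "matching_kvnos": sorted(set(hits)),
            "http_principals_in_keytab": sorted({p for _, p, _ in entries if p.startswith("HTTP/")})}


def weak_enctypes(conf_text):
    """{option: [weak enctypes listed]} for each krb5.conf enctype option found."""
    found = {}
    for line in conf_text.splitlines():
        m = ENCTYPE_OPTION.match(line)
        if m:
            found[m.group(1)] = [e for e in m.group(2).split() if e in WEAK_ENCTYPES]
    return found


if __name__ == "__main__":
    wanted = service_name_from_auth_param(SQUID_AUTH_LINE)
    report = check_service_principal(wanted, parse_klist_kte(KLIST_KTE))
    print(f"-s {wanted}: {'present' if report['found'] else 'MISSING'} in keytab; "
          f"HTTP/ principals present: {report['http_principals_in_keytab']}")
    for option, weak in weak_enctypes(KRB5_LIBDEFAULTS).items():
        if weak:
            print(f"{option} lists weak or deprecated enctypes: {' '.join(weak)}")
```

Run as-is it reports on the posted data; on a real proxy host, replace the inline samples with the live output of klist -kte /etc/squid/HTTP.keytab and the actual auth_param line from squid.conf. A "MISSING" verdict with an HTTP/ principal listed means -s and the keytab name disagree; an empty HTTP/ list means the keytab was generated without an HTTP service principal at all.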