[squid-users] please, can someone help me with the negotiate kerberos?

Rafael Akchurin rafael.akchurin at diladele.com
Mon Feb 17 10:48:34 UTC 2020


Thanks, will do!
When you say outdated, do you mean ciphers? Or instructions?

Raf

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of L.P.H. van Belle
Sent: Monday, 17 February 2020 11:23
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?

Hai Rafael, 

Yes, I agree, this is the other simplest way, but I suggest you remove/change this on this page:

https://docs.diladele.com/administrator_guide_stable/active_directory/kerberos/keytab.html
The generated Kerberos configuration file will usually look like:

[libdefaults]
default_realm = EXAMPLE.LAN
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

These are really outdated. ;-) 


To (just the default):

[libdefaults]
    default_realm = EXAMPLE.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false


For keytabs and Samba, read: 
https://wiki.samba.org/index.php/Generating_Keytabs

https://wiki.samba.org/index.php/Keytab_Extraction 



Greetz, 

Louis




> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Rafael Akchurin
> Sent: Monday, 17 February 2020 11:06
> To: Rafael Silva Daniel; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] please, can someone help me with the negotiate kerberos?
> 
> Hello Rafael,
> 
> There is an easier option *without* joining the Squid machine to the 
> domain. See the tutorial at 
> https://docs.diladele.com/administrator_guide_stable/active_directory/index.html
> (it also applies to vanilla Squid without our UI; you would just need to do more manual steps).
> 
> Raf
> 
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org>
> On Behalf Of Rafael Silva Daniel
> Sent: Saturday, 15 February 2020 21:08
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] please, can someone help me with the negotiate kerberos?
> 
> Hello! I think I did almost everything right. Firstly I made it in a 
> test environment with Debian stretch running Squid 3.5 and a Windows 
> Server 2008 based domain controller, and it worked!
> 
> But when I tried to deploy it in the production environment running 
> Debian stretch, Squid 3.5 and Windows Server 2012 as the domain 
> controller, the authentication never works; the file 
> /var/log/squid/cache.log shows this:
> 
> 2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name; }}
> negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
> negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).
> 
> Obs1: I replaced a big string of letters and numbers with "(LETTERS AND NUMBERS)".
> Obs2: I posted more of the file at this link: https://pastebin.com/Z2fe98dB
> 
> Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local at DOMAIN.LOCAL:
> root at SERVER:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/squid2.domain.local at DOMAIN.LOCAL
> 
> Valid starting       Expires              Service principal
> 02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
>         renew until 02/16/2020 09:55:32
> 
> 
> 
> The results of running: klist -kte /etc/squid/HTTP.keytab
> 
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 HTTP/squid2.domain.local at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL (arcfour-hmac)
>    1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    1 02/12/2020 17:33:16 host/squid2 at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 HTTP/squid2.domain.local at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL (arcfour-hmac)
>    3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>    3 02/12/2020 17:36:59 host/squid2 at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
> 
> And the results of running: root at SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
> Token: (Alonglinewithnumbersandletters)
> 
> the configs of the /etc/krb5.conf:
> 
> [libdefaults]
>     default_realm = DOMAIN.LOCAL
>     dns_lookup_kdc = no
>     dns_lookup_realm = no
>     ticket_lifetime = 24h
>     default_keytab_name = /etc/squid/HTTP.keytab
> 
>     default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>     permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> [realms]
>     DOMAIN.LOCAL = {
>         kdc = dc01.domain.local
>         admin_server = dc01.domain.local
>         default_domain = domain.local
>     }
> 
> [domain_realm]
>     .domain.local = DOMAIN.LOCAL
>     domain.local = DOMAIN.LOCAL
> 
> and the /etc/squid/squid.conf:
> 
> http_port 3128
> dns_nameservers 200.198.5.4 200.198.5.5
> visible_hostname PROXY
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> 
> url_rewrite_program /usr/bin/squidGuard
> 
> #auth parameter NEGOTIATE
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
> auth_param negotiate children 30
> auth_param negotiate keep_alive on
> 
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Safe_ports port 90 # metodo
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
> acl auth proxy_auth REQUIRED
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !Safe_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny !auth
> http_access allow auth
> 
> 
> 
> In the domain controller I created the proper DNS records in both zones; 
> the host with Squid can have its IP resolved to its right hostname and 
> its hostname resolved to its right IP. In the clients I set the proxy 
> as server.domain.local, and in the Squid access.log the requests come 
> in but are all denied, and a prompt for user and password is shown to 
> the user.
> 
> Obs: the only data edited while posting was that I replaced our domain 
> with domain.local, the name of the host with SERVER, and the long strings 
> of data in the cache log and the negotiate kerberos test output; all the 
> rest is what is really running in the files.
> 
> Please, someone help me. I tried to read everything I could find, but I 
> am not finding how to understand what I am doing wrong. Thanks in 
> advance, D:
> 
> 
> 
> 
> 
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
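Two things are visible in the quoted posts above: Squid is started with `-s HTTP/squid.domain.local` while every HTTP entry in the keytab is `HTTP/squid2.domain.local`, which is what "No principal in keytab matches desired name" is reporting, and the krb5.conf `[libdefaults]` still lists RC4 and single-DES enctypes, which is Louis's point about outdated settings. The script below is an added example, not code from this thread, from the Squid project or from Diladele: it parses `klist -kte` output and the `auth_param` line to check that the `-s` principal is actually present in the keytab, and flags deprecated enctypes in `[libdefaults]`. The inputs are constructed from what was posted (realm, hostnames and enctypes as in the thread, with `@` written out as klist prints it).

```python
"""Added diagnostic (not from the thread, Squid or Diladele) for two things the
posts show: the -s principal missing from the keytab, and deprecated enctypes
in krb5.conf. All inputs below are constructed from what was posted."""
import re
import shlex

# Constructed: trimmed `klist -kte` output in the shape the poster showed.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed: the auth_param line as posted (joined back onto one line).
SQUID_AUTH_LINE = (
    "auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth "
    "-d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab"
)

# Constructed: the [libdefaults] enctype settings as posted.
KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

# RC4, single-DES and 3DES enctypes: weak and deprecated in current MIT Kerberos.
DEPRECATED_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5",
                       "des3-hmac-sha1", "des3-cbc-sha1"}

# One keytab entry: KVNO, date and time, principal, "(enctype)".
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Map principal -> set of enctypes from `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            _kvno, _timestamp, principal, enctype = m.groups()
            entries.setdefault(principal, set()).add(enctype)
    return entries


def service_principal_from_squid_conf(line):
    """Return the -s argument of negotiate_kerberos_auth, or None if absent."""
    args = shlex.split(line)
    if "-s" in args and args.index("-s") + 1 < len(args):
        return args[args.index("-s") + 1]
    return None


def find_principal(keytab, wanted):
    """Check whether the wanted SPN is in the keytab.

    A -s value given without a realm is compared against the part of each
    keytab principal before '@'. On a miss, the keytab's principals for the
    same service (HTTP/...) are returned so a hostname typo is obvious."""
    if wanted in keytab:
        return {"found": True, "match": wanted}
    base = wanted.split("@")[0]
    same_spn = [p for p in keytab if p.split("@")[0] == base]
    if same_spn:
        return {"found": True, "match": same_spn[0]}
    service = base.split("/")[0]
    return {"found": False,
            "candidates": sorted(p for p in keytab if p.startswith(service + "/"))}


def weak_enctypes_in_krb5conf(text):
    """Map each *_enctypes key in [libdefaults] to the weak enctypes it lists."""
    weak, in_libdefaults = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        if not in_libdefaults or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("enctypes"):
            bad = [e for e in value.split() if e in DEPRECATED_ENCTYPES]
            if bad:
                weak[key] = bad
    return weak


def diagnose(klist_text=KLIST_OUTPUT, squid_line=SQUID_AUTH_LINE, krb5_conf=KRB5_CONF):
    """Run both checks and return a report dict."""
    wanted = service_principal_from_squid_conf(squid_line)
    return {
        "wanted": wanted,
        "principal": find_principal(parse_keytab_listing(klist_text), wanted),
        "weak_enctypes": weak_enctypes_in_krb5conf(krb5_conf),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

On the posted data the report shows the `-s` principal as not found, with `HTTP/squid2.domain.local@DOMAIN.LOCAL` as the only HTTP candidate in the keytab, and all three `*_enctypes` keys flagged for `rc4-hmac`, `des-cbc-crc` and `des-cbc-md5`. Against a live system, feed it the real `klist -kte /etc/squid/HTTP.keytab` output and the `auth_param` line from squid.conf instead of the constructed constants.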

