[squid-users] Ubuntu server 14.04 - Squid 3.3.8 - Active directory sync problem !
Yassin CHOUCHANE
frechdesign at gmail.com
Fri Oct 17 19:38:43 UTC 2014
Hello all,
I have installed Ubuntu 14.04 x64 with Squid v3.3.8, and I need to set up SSO with Microsoft Active Directory on a Windows Server 2008 R2 server.
So I did this:
I used the official how-to here --> http://wiki.squid-cache.org/ConfigExamp … e/Kerberos
So after a fresh install of Ubuntu:
1> Pre-requisites for Active Directory integration
Active Directory server:
Active Directory IP: 192.168.1.60
hostname: ws2008
Domain name: sonsofanarchy.fr
Active Directory users:
- administrateur password
- jteller P@ssword1
Squid server:
IP: 192.168.1.62
hostname: srv-proxy-01
user administrateur
password: password
Proxy server configuration:
1.1> Install the prerequisites:
sudo apt-get install krb5-user msktutil squid samba-common-bin
- Check the DNS configuration:
sudo nano /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
domain sonsofanarchy.fr
search sonsofanarchy.fr
nameserver 192.168.1.60
- Synchronise the clock with Active Directory:
sudo nano /etc/default/ntpdate
# The settings in this file are used by the program ntpdate-debian, but not
# by the upstream program ntpdate.
# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp,
# so you only have to keep it in one place.
NTPDATE_USE_NTP_CONF=yes
# List of NTP servers to use (Separate multiple servers with spaces.)
# Not used if NTPDATE_USE_NTP_CONF is yes.
NTPSERVERS="ws2008.sonsofanarchy.fr"
# Additional options to pass to ntpdate
NTPOPTIONS=""
root@srv-proxy-01:~# ntpdate ws2008.sonsofanarchy.fr
13 Oct 18:16:27 ntpdate[1632]: adjust time server 192.168.1.60 offset 0.032533 sec
- Create the keytab (if there is no message, it is good):
root@srv-proxy-01:~# kinit administrateur
Password for administrateur@SONSOFANARCHY.FR:
root@srv-proxy-01:~#
root@srv-proxy-01:~# msktutil -c -b "CN=COMPUTERS" -s HTTP/srv-proxy-01.sonsofanarchy.fr -k /etc/squid3/PROXY.keytab --computer-name SRV-PROXY-01-K --upn HTTP/srv-proxy-01.sonsofanarchy.fr --server ws2008.sonsofanarchy.fr --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 85
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-p1Stna
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: SRV-PROXY-01-K$
-- try_machine_keytab_princ: Trying to authenticate for SRV-PROXY-01-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/srv-proxy-01 from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for SRV-PROXY-01-K$ with password.
-- create_default_machine_password: Default machine password for SRV-PROXY-01-K$ is srv-proxy-01-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=YES
-- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrateur@SONSOFANARCHY.FR
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=SONSOFANARCHY,dc=FR
-- ldap_check_account: Checking that a computer account for SRV-PROXY-01-K$ exists
-- ldap_check_account: Computer account not found, create the account
No computer account for SRV-PROXY-01-K found, creating a new one.
dn: cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to srv-proxy-01
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR
-- ldap_set_supportedEncryptionTypes: DEE dn=cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR old=7 new=28
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130576908153384910
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576908153853660
-- set_password: Successfully reset computer's password
-- ldap_add_principal: Checking that adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to SRV-PROXY-01-K$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to LDAP entry
-- ldap_add_principal: Checking that adding principal host/srv-proxy-01 to SRV-PROXY-01-K$ won't cause a conflict
-- ldap_add_principal: Adding principal host/srv-proxy-01 to LDAP entry
-- execute: Updating all entries for srv-proxy-01 in the keytab WRFILE:/etc/squid3/PROXY.keytab
-- update_keytab: Updating all entires for SRV-PROXY-01-K$
-- ldap_get_kvno: KVNO is 2
-- add_principal_keytab: Adding principal to keytab: SRV-PROXY-01-K$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=23
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=17
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=18
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/srv-proxy-01.sonsofanarchy.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=23
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=17
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=18
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/srv-proxy-01
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
root@srv-proxy-01:~#
Set the right permissions on the keytab file:
root@srv-proxy-01:~# chgrp proxy /etc/squid3/PROXY.keytab
root@srv-proxy-01:~# chmod g+r /etc/squid3/PROXY.keytab
squid.conf file:
# Listen on Port 8080
http_port 8080
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all
And now I always get a login/password popup, but nothing works, and I have this in the log:
/var/log/squid/cache.log
2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(378): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(388): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
Can someone help me fix this problem, please?
Thanks to all.
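Added example, not part of the original post and not Squid or msktutil code: a small Python script that decodes the token quoted in the cache.log excerpt and says what kind of token it is. negotiate_kerberos_auth only validates Kerberos (GSS-API/SPNEGO) tokens; the blob the browser sent starts with the NTLMSSP signature and has message type 1, i.e. an NTLM NEGOTIATE message, which is exactly what the helper's 'BH received type 1 NTLM token' reports. A Windows client falls back to NTLM inside Negotiate when it could not obtain a Kerberos service ticket for the SPN it derived from the proxy name the browser is configured with, so classifying the token separates "the client never did Kerberos" from "the keytab or helper is broken"; the name the browser uses for the proxy should match the HTTP/srv-proxy-01.sonsofanarchy.fr principal registered above. Only TOKEN_FROM_LOG comes from the post; the function names, the NTLM flag subset and the SPNEGO sample token are my own constructions.

```python
import base64
import re
import struct

# Token copied verbatim from the cache.log excerpt quoted in the post above.
TOKEN_FROM_LOG = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# Constructed sample: a GSS-API InitialContextToken carrying the SPNEGO OID and
# an empty NegTokenInit, only so the classifier has a Kerberos-side input to compare.
SAMPLE_SPNEGO_TOKEN = base64.b64encode(bytes.fromhex("600c06062b0601050502a0023000")).decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that open a GSS-API InitialContextToken (RFC 2743 3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

# Subset of NegotiateFlags bits from MS-NLMP 2.2.2.5.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def extract_token(log_line):
    """Pull the base64 blob out of a negotiate_kerberos_auth "Got 'YR ...'" debug line."""
    m = re.search(r"Got 'YR ([A-Za-z0-9+/=]+)'", log_line)
    return m.group(1) if m else None


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _parse_ntlmssp(raw):
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    info = {
        "kind": "ntlmssp",
        "message_type": msg_type,  # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
        "flags": flags,
        "flag_names": sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit),
    }
    # A NEGOTIATE message carries an 8-byte Version field at offset 32 when
    # NEGOTIATE_VERSION is set: major, minor, build (little endian), 3 reserved, revision.
    if msg_type == 1 and flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["client_os_version"] = f"{major}.{minor}.{build}"
    return info


def classify_token(b64_token):
    """Say what kind of token a browser sent in Proxy-Authorization: Negotiate."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return _parse_ntlmssp(raw)
    # GSS-API InitialContextToken: [APPLICATION 0] tag 0x60, a length, then the mechanism OID.
    if raw[:1] == b"\x60" and len(raw) > 1:
        _, pos = _der_length(raw, 1)
        if pos < len(raw) and raw[pos] == 0x06:
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            if oid == SPNEGO_OID:
                return {"kind": "spnego", "length": len(raw)}
            if oid in (KRB5_OID, MS_KRB5_OID):
                return {"kind": "krb5", "length": len(raw)}
    return {"kind": "unknown", "length": len(raw)}


if __name__ == "__main__":
    # The wrapped debug line from the post, re-joined onto one line.
    line = "negotiate_kerberos_auth: DEBUG: Got 'YR " + TOKEN_FROM_LOG + "' from squid (length: 59)."
    print(classify_token(extract_token(line)))
    print(classify_token(SAMPLE_SPNEGO_TOKEN))
```

Run against the quoted token this reports an NTLMSSP type 1 message with flags 0xE2088297 and an OS version of 6.1.7601 (the NTLM client advertising Windows 7 / Server 2008 R2 SP1), whereas a healthy Kerberos SSO exchange shows up as "spnego" or "krb5". Grepping cache.log for "received type 1 NTLM token" therefore counts clients that never obtained a ticket for the proxy SPN, which is the signal to chase before touching the keytab.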