[squid-users] Problems with Squid Authentication
Marcio Demetrio Bacci
marciobacci at gmail.com
Sat Aug 20 03:50:26 UTC 2016
Hi,
1) Here is the result of the command line:
/usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR -d -i
mary abc@12345
negotiate_kerberos_auth.cc(258): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: DEBUG: Got 'mary abc@12345' from squid (length: 14).
negotiate_kerberos_auth.cc(295): pid=1421 :2016/08/19 23:44:33| negotiate_kerberos_auth: ERROR: Invalid request [mary abc@12345]
BH invalid request
2) Below are my keytabs:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy@EMPRESA.COM.BR
1 host/proxy@EMPRESA.COM.BR
1 host/proxy@EMPRESA.COM.BR
1 host/proxy@EMPRESA.COM.BR
1 host/proxy@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy.empresa.com.br@EMPRESA.COM.BR
1 host/proxy$EMPRESA.COM.BR
1 host/proxy$EMPRESA.COM.BR
1 host/proxy$EMPRESA.COM.BR
1 host/proxy$EMPRESA.COM.BR
1 host/proxy$EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 proxy$@EMPRESA.COM.BR
1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
1 HTTP/proxy$EMPRESA.COM.BR
1 HTTP/proxy$EMPRESA.COM.BR
1 HTTP/proxy$EMPRESA.COM.BR
1 HTTP/proxy$EMPRESA.COM.BR
1 HTTP/proxy$EMPRESA.COM.BR
Note: I left the domain and joined it again.
3) Here is the result:
/usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
mary abc@12345
BH invalid request
4) DNS records are OK.
The proxy server name exists in DNS and has an A record (proxy IN A 192.168.200.7) and a PTR record (7 IN PTR proxy.empresa.com.br.)
5) cat /etc/hosts
127.0.0.1 localhost
192.168.200.7 proxy.empresa.com.br proxy
6) Time is in sync with the AD server (the time is identical)
7) My /etc/krb5.conf file:
[libdefaults]
default_realm = EMPRESA.COM.BR
dns_lookup_kdc = yes
dns_lookup_realm = yes
default_keytab_name = /etc/krb5.keytab
[realms]
EMPRESA.COM.BR = {
kdc = dc1.empresa.com.br:88
admin_server = dc1.empresa.com.br
default_domain = EMPRESA.COM.BR
}
[domain_realm]
.empresa.com.br = EMPRESA.COM.BR
empresa.com.br = EMPRESA.COM.BR
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
8) Below is my /etc/nsswitch.conf file:
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
9) Below is my /etc/pam.d/common-session file:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
10) Following is my /etc/samba/smb.conf file:
[global]
netbios name = proxy
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM.BR
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
password server = dc1.empresa.com.br
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map
11) Other information:
>> Samba4 and Winbind services are enabled
>> In my DC there is a Squid account (called "proxy")
>> wbinfo -g, wbinfo -u, wbinfo -t, getent passwd are OK
>> kinit <user> is OK
>> klist -l is OK
Do you have any other ideas?
Regards,
Márcio
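The "BH invalid request" in item 1 is the helper's input framing, not a Kerberos failure: Squid feeds negotiate_kerberos_auth one line per request, and the helper only accepts lines that begin with YR or KK followed by a base64 SPNEGO token, so a hand-typed "user password" line is rejected before any GSSAPI call. The following is an added example (not Squid's code and not from this thread) that models that framing; the token bytes are constructed, and the stricter base64 check is this example's own.

```python
"""Squid negotiate helper protocol framing.

Added example, not Squid's own code. Squid sends negotiate_kerberos_auth one
request per line: "YR <base64>" opens a Negotiate exchange, "KK <base64>"
continues one. The helper replies "AF <token> <user>", "NA <token> <reason>",
"TT <token>" or "BH <reason>". A line that does not start with YR/KK, such as
the hand-typed 'mary abc@12345' in the thread, is answered "BH invalid request".
"""
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample: not a real SPNEGO token, just bytes to frame.
SAMPLE_TOKEN = bytes([0x60, 0x08, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02])


def build_request(token: bytes, first_leg: bool = True) -> str:
    """Frame a raw token the way Squid hands it to the helper."""
    verb = "YR" if first_leg else "KK"
    return verb + " " + base64.b64encode(token).decode("ascii")


def validate_request(line: str) -> Tuple[str, Optional[bytes]]:
    """Reproduce the helper's first check (YR/KK prefix) and, as this
    example's own stricter check, require a decodable base64 token.
    Returns ("ok", token) or the BH reply the helper would print."""
    line = line.rstrip("\r\n")
    if not (line.startswith("YR") or line.startswith("KK")):
        return "BH invalid request", None
    parts = line.split(" ", 1)
    if len(parts) != 2 or not parts[1]:
        return "BH invalid request", None
    try:
        return "ok", base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return "BH invalid request", None


def parse_response(line: str) -> Tuple[str, Optional[str], str]:
    """Split a helper reply into (code, token, rest); BH carries no token."""
    parts = line.rstrip("\r\n").split(" ", 2)
    code = parts[0]
    if code == "BH":
        return code, None, " ".join(parts[1:])
    if code in ("AF", "NA", "TT"):
        token = parts[1] if len(parts) > 1 else None
        return code, token, parts[2] if len(parts) > 2 else ""
    raise ValueError("unknown helper reply: %r" % line)


if __name__ == "__main__":
    print(validate_request("mary abc@12345"))  # the thread's failing input
    print(validate_request(build_request(SAMPLE_TOKEN)))
    print(parse_response("AF oYGfMIGc mary@EMPRESA.COM.BR"))
```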
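Louis's point that the helper can only work when the exact HTTP/<fqdn>@<REALM> principal is in the keytab it reads (KRB5_KTNAME) can be checked mechanically against a klist -k listing like the one in item 2. This added example is not from the thread; the sample listing is constructed from item 2, and the principal names passed to check_spn are assumptions for the proxy in this thread.

```python
"""Check a klist -k listing for the SPN Squid's negotiate helper needs.

Added example, not from the thread. negotiate_kerberos_auth -s HTTP/<fqdn>@<REALM>
only accepts tickets if that exact principal is in the keytab it reads
(KRB5_KTNAME). This parser takes the text of `klist -k <keytab>` and reports
whether the service principal is present, its KVNOs, and any entry that looks
malformed (no '@' between service name and realm).
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the thread's /etc/squid3/HTTP.keytab listing.
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 host/proxy.empresa.com.br@EMPRESA.COM.BR
   1 host/proxy$EMPRESA.COM.BR
   1 proxy$@EMPRESA.COM.BR
   1 HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
"""

# One keytab entry: a numeric KVNO followed by the principal name.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Return one dict per keytab entry: kvno and principal (header lines skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"kvno": m.group(1), "principal": m.group(2)})
    return entries


def check_spn(text: str, service: str, fqdn: str, realm: str) -> Dict[str, object]:
    """Report whether service/fqdn@REALM is present and list malformed entries."""
    wanted = "%s/%s@%s" % (service, fqdn, realm)
    entries = parse_klist(text)
    malformed = [e["principal"] for e in entries if "@" not in e["principal"]]
    present = any(e["principal"] == wanted for e in entries)
    kvnos = sorted({e["kvno"] for e in entries if e["principal"] == wanted})
    return {"wanted": wanted, "present": present, "kvnos": kvnos, "malformed": malformed}


if __name__ == "__main__":
    print(check_spn(SAMPLE_KLIST, "HTTP", "proxy.empresa.com.br", "EMPRESA.COM.BR"))
```

Run it against the real output of `klist -k /etc/squid3/HTTP.keytab` to confirm that the principal named in auth_param and the one in the keytab agree character for character, realm case included.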
2016-08-19 7:02 GMT-03:00 L.P.H. van Belle <belle at bazuin.nl>:
> Hai,
>
> Yes, all new things are hard..
>
> I need some extra info because there are lots of things that can be wrong.
>
> Post what you see here:
>
> /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR -d -i
>
> >> kinit and klist are ok
> >> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
>
> These are normally not identical. In the HTTP keytab I have ONLY the HTTP SPN.
>
> And in the krb5.keytab I have the host SPN and netbios_name($)
>
> How to test the Kerberos auth.. hmm, that's a difficult one for me.
>
> I know a lot but not all.. :-(
>
> But what I do know, you can test with
>
> /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
>
> If that works it's probably an SPN or DNS problem.
>
> If that isn't working, then do check the time on the AD server and proxy server.
>
> I can only say.
>
> The proxy server name must exist in DNS and must have A and PTR records. (add this in the Samba AD)
>
> The reverse zone is (maybe) created; if not, create it yourself and add the PTR records.
>
> Cat /etc/hosts. The file may NOT contain any
>
> 127.0.1.1 yourhostname.. ..
>
> If it's in there, you installed with a DHCP IP.
>
> It should contain
>
> 127.0.0.1 localhost
> IP_OF_SERVER hostname.domain.tld hostname
>
> That is there if you install with a static IP.
>
> Time must be in sync with the AD server (max difference I allow is 1 min.)
>
> If needed, install ntp on the proxy and point the server to the AD DC.
>
> And post what you now have in krb5.conf
>
> These are the most common pitfalls, I'll see what I can do to help out.
>
> Greetz,
>
> Louis
>
> ------------------------------
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On behalf of* Marcio Demetrio Bacci
> *Sent:* Friday 19 August 2016 3:50
> *To:* Squid Users
> *Subject:* [squid-users] Problems with Squid Authentication
>
> My Kerberos Authentication doesn't work. This is very hard!
>
> My Squid3 is joined to the domain
>
> kinit and klist are ok
>
> wbinfo -g and wbinfo -u are ok too.
>
> I have created the squid3 file in /etc/default with the following content:
>
> KRB5_KTNAME=/etc/squid3/HTTP.keytab
> export KRB5_KTNAME
>
> I have two keytab files:
>
> /etc/krb5.keytab and /etc/squid3/HTTP.keytab (both are identical)
>
> I have installed the libsasl2-modules-gssapi-mit and libsasl2-modules packages because my Squid server is Debian 8. But I didn't use the msktutil tool. I have only joined the Squid server to the domain (net ads join -U administrator)
>
> How can I debug the problem?
>
> How can I test Kerberos authentication in the terminal (command line)?
>
> Below is my squid.conf file:
>
> ### Basic settings
> cache_mgr administrator@empresa.com.br
> http_port 3128
> #debug_options ALL,111,2 29,9 84,6
> cache_mem 512 MB
> cache_swap_low 80
> cache_swap_high 90
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 4096 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
>
> # So as not to block downloads
> quick_abort_min -1 KB
>
> # Fixes a problem with persistent connections
> detect_broken_pconn on
> fqdncache_size 1024
>
> ### Cache refresh parameters
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ### Log locations
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
>
> ### defines the disk cache location, size, number of parent directories and subdirectories
> cache_dir aufs /var/spool/squid3 600 16 256
>
> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy.empresa.com.br@EMPRESA.COM.BR
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
>
> visible_hostname proxy.empresa.com.br
>
> ### acls
> #acl manager proto cache_object
> acl localhost src 192.168.200.7/32
> acl to_localhost dst 192.168.200.7/32
> acl SSL_ports port 22 443 563 7071 10000 # ssh, https, snews, zimbra, webmin
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 80 # http
> acl Safe_ports port 88 # kerberos
> acl Safe_ports port 210 # wais
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 389 # ldap
> acl Safe_ports port 443 # https
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 563 # snews
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3001 # imprensa nacional
> acl Safe_ports port 8080 # http
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> ### Initial Squid rules
> http_access allow localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ### Require authentication
> acl autenticados proxy_auth REQUIRED
> http_access allow autenticados
>
> ### Local network #####
> acl rede_local src 192.168.200.0/22
>
> ### Deny access to anyone not on the local network
> http_access allow rede_local
>
> # deny access to everyone not matched by the previous rules
> http_access deny all
>
> ### Errors in Portuguese
> error_directory /usr/share/squid3/errors/pt-br
>
> #cache_effective_user proxy
> coredump_dir /var/spool/squid3
>
> Regards,
>
> Márcio
>