[squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )
Markus Moeller
huaraz at moeller.plus.com
Mon Aug 29 13:59:02 UTC 2016
Hi Louis,
I know a user and a machine account can be used and they work the same. My concern is that many companies deploy password policies for users in AD. You would need to create exceptions for user accounts which have SPNs with associated keytabs, as a password change will make the keytab invalid.
Markus
"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.57c3e5ca.28ab.73ab0c8662c3316a at ms249-lin-003.rotterdam.bazuin.nl...
Hello Markus,
Thank you for the explanation, that helped a lot.
I use TLS_CACERTFILE in the init script now and that works for me (in Debian, /etc/default/squid).
>>The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
Ah, this helped in identifying some other small things too.
>>msktutil (my preferred tool)
Since I try to use only Debian packages, msktutil is not available to me.
>>Also msktutil (my preferred tool) creates a machine account not a user account in AD.
>>The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked.
>>machine accounts do not have that limitation. But as I said it is just my preference.
That's not correct in my opinion. A computer account works (almost) the same as a user account.
Like a computer account = a user account.
Some pointers:
https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx
https://adsecurity.org/?p=280
I used a separate user since I wanted to have 2 proxies on 1 service account, but due to the UPN/SPN thing
that's not an option anymore. Not that that's a problem; I'll change to adding the computer to the Samba domain and
add the UPN/SPN on the computer account where needed.
Which may even be a better option.
Thanks again for your replies.
Best regards,
Louis
--------------------------------------------------------------------------------
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Markus Moeller
Sent: Saturday 27 August 2016 16:52
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugs maybe )
Hi,
I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference.
Regarding the certificate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem in the squid startup file. Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.
Kind regards
Markus
"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.57bdb617.37c8.575130a1134f9a07 at ms249-lin-003.rotterdam.bazuin.nl...
OK, a reply to myself so other users know this also.
If you create a user for the HTTP service and you don't use msktutil but, like me, samba-tool or something else,
read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.
And the clue was this line for me:
Squid "logs in" to Windows Active Directory or a Unix KDC as user <HTTP/<fqdn-squid>@DOMAIN.COM>.
This requires Active Directory to have the attribute userPrincipalName set to <HTTP/<fqdn-squid>@DOMAIN.COM>
for the associated account. This is usually done by using msktutil.
But this is not done by samba-tool.
The samba-tool setup for squid I used was as follows:
samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service
Now this results in:
My UPN was set to username at internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld at REALM (as it should).
samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
HTTP/proxy.internal.domain.tld
HTTP/proxy.internal.domain.tld at YOUR.REALM.T
Now I changed my UPN from username at internal.domain.tld to the SPN name HTTP/proxyserver.internal.domain.tld at REALM.
That solved my initial problem.
In my opinion this should be changed to search for the SPN in ext_kerberos_ldap_group.
Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but I don't get why I'm getting:
Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
I already have: TLS_CACERT /etc/ssl/certs/ca-certificates.crt
which contains the needed certs.
Did I find 2 small bugs here?
Or is this a "Debian" related thing?
Debug output:
/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail at YOUR.REALM.TLD -D YOUR.REALM.TLD -N internet-mail at NTDOMAIN -s -i -d
kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail at YOUR.REALM.TLD
support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail at NTDOMAIN
support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail Domain NTDOMAIN
support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.
testuser internet-mail
kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group at domain internet-mail at YOUR.REALM.TLD
support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902
support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD
support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD
support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers
support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD
support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld
support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld
support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list
support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389
support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.
support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)
support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory
support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group at domain internet-mail at YOUR.REALM.TLD
support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group at domain internet-mail at YOUR.REALM.TLD
--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
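The UPN/SPN point in the thread (the wiki line Louis quotes, his change of the account's userPrincipalName to the SPN, and the helper's "Get principal name from keytab" step in the debug output), as an added Python example that is not part of Squid, the ext_kerberos_ldap_group_acl helper or samba-tool. It reads an MIT-format keytab to find the principal the helper will bind as, checks that principal against the account's userPrincipalName and servicePrincipalName the way the bind mapping requires, and emits the LDIF that aligns the UPN with the SPN. The keytab bytes, the account entry and its DN are constructed for the example.

```python
"""Why ext_kerberos_ldap_group_acl needs the account's UPN to equal the
keytab principal, shown on constructed data.  Added example, not code from
Squid, the helper or samba-tool; the keytab, the directory entry and its DN
are made up for illustration."""
import struct

KEYTAB_VERSION = 0x0502   # MIT keytab format v2, all fields big-endian
KRB5_NT_PRINCIPAL = 1


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples into keytab bytes.
    Only needed here to construct the sample input offline."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        # name_type, timestamp, 8-bit kvno, then enctype + key
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


def read_keytab_principals(data):
    """Return the distinct principal names in a keytab, in file order.
    This is the step the helper logs as 'Get principal name from keytab'."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        principal = "/".join(comps) + "@" + realm
        if principal not in principals:
            principals.append(principal)
        pos = end                  # skip name_type, timestamp, kvno and key
    return principals


def check_account(principal, entry):
    """Does a SASL/GSSAPI bind as `principal` map to this directory entry?
    `entry` mimics what samba-tool shows: userPrincipalName is single-valued,
    servicePrincipalName is a list.  Returns (ok, message)."""
    name = principal.rsplit("@", 1)[0]
    spns = entry.get("servicePrincipalName", [])
    if name not in spns and principal not in spns:
        return False, "%s is not an SPN of %s" % (principal, entry["dn"])
    upn = entry.get("userPrincipalName")
    if upn != principal:
        return False, ("userPrincipalName is %s, keytab principal is %s; "
                       "set the UPN to the SPN" % (upn, principal))
    return True, "UPN matches the keytab principal; bind maps to " + entry["dn"]


def ldif_fix_upn(entry, principal):
    """LDIF that replaces the account's UPN with the keytab principal;
    apply it with ldbmodify or ldapmodify against a DC."""
    return "\n".join(["dn: " + entry["dn"], "changetype: modify",
                      "replace: userPrincipalName",
                      "userPrincipalName: " + principal, ""])


# Constructed sample: one aes256 (enctype 18) key for the proxy's HTTP
# principal, and the account as `samba-tool user create` + `spn add` leave it.
SAMPLE_PRINCIPAL = "HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 18, b"\x11" * 32, 3)])
SAMPLE_ENTRY = {
    "dn": "CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld",
    "userPrincipalName": "squid1-service@internal.domain.tld",
    "servicePrincipalName": ["HTTP/proxy.internal.domain.tld",
                             "HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD"],
}


def demo():
    """Run the check before and after the UPN fix; returns (before, after)."""
    principal = read_keytab_principals(SAMPLE_KEYTAB)[0]
    before = check_account(principal, SAMPLE_ENTRY)
    after = check_account(principal, dict(SAMPLE_ENTRY, userPrincipalName=principal))
    return before, after


if __name__ == "__main__":
    for ok, msg in demo():
        print(("OK  " if ok else "FAIL") + " " + msg)
    print(ldif_fix_upn(SAMPLE_ENTRY, SAMPLE_PRINCIPAL))
```

The check mirrors what the bind actually does: the KDC issues a ticket for whatever principal the keytab holds, and the DC then maps that principal name to an account by userPrincipalName, so a matching servicePrincipalName alone is not enough. Run the script against the real keytab by passing `open("/etc/squid/keytab.PROXYSERVER-HTTP", "rb").read()` to `read_keytab_principals` and the account's attributes from `samba-tool` or `ldbsearch` to `check_account`.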