[squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

Markus Moeller huaraz at moeller.plus.com
Mon Aug 29 13:59:02 UTC 2016 

Hi Louis,

    I know a user and machine account can be used and they work the same. What my concern is, is that many companies deploy password policies for users in AD.  You would need to create exceptions for user accounts which have SPNs with associated keytabs as a password change will make the keytab invalid.

Markus 


"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.57c3e5ca.28ab.73ab0c8662c3316a at ms249-lin-003.rotterdam.bazuin.nl...
Hello Markus, 

 

Thank you for the explanation, that helped a lot. 

 

I use the TLS_CACERTFILE in the init script now and that works for me . 

( in debian the /etc/default/squid  )

 

>>The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN.  There is no easy way to query what the UPN for the SPN is. 

Ah, this helped identify-ing so other small things to. 

 

>>msktutil (my preferred tool)

Since i try to use only debian packages the msktutil is not available for me. 

 

>>Also msktutil (my preferred tool) creates a machine account not a user account in AD. 

>>The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. 

>>machine accounts do not have that limitation. But as I said it is just my preference.

 

Thats not correct in my optionion. A the computer account, works the (almost) same an user account. 

Like a computer account = a user account. 

 

some pointers :

https://technet.microsoft.com/en-us/library/cc731641(v=ws.11).aspx

https://adsecurity.org/?p=280 

 

I used a seperated user since i wanted to have 2 proxy on 1 service account, but due to the UPS/SPN thing,

thats not options anymore, not thats a problem, I’ll change to add the computer to the samba domain and 

add the UPN/SPN on the computer account where needed.

Which maybe even a better option.

 

Thanks again for you replies. 

 

 

Best regards, 

 

Louis

 

 

 


--------------------------------------------------------------------------------

Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Markus Moeller
Verzonden: zaterdag 27 augustus 2016 16:52
Aan: squid-users at lists.squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minorbugsmaybe )

 

Hi,

 

   I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them.  The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN.  There is no easy way to query what the UPN for the SPN is. 

 

  Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. 

 

   Regarding the certifcate check I do not use any ldap.conf settings. I require an export TLS_CACERTFILE=/mydir/myfile.pem   in the squid startup file.  Maybe in the next version I see how I can determine the right ldap.conf file and check if the CACERTFILE variable is already set.

 

 

Kind regards

Markus

 

 

"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.57bdb617.37c8.575130a1134f9a07 at ms249-lin-003.rotterdam.bazuin.nl...

Ok reply to myself so other users know this also.

 

if you create a user for the HTTP services and you dont use msktutil but like me samba-tool or something else. 

 

Read : 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully. 

and the clue was this line for me.  

 

Squid "login" to Windows Active Directory or Unix kdc as user <HTTP/<fqdn-squid>@DOMAIN.COM>. 

This requires Active Directory to have an attribute userPrincipalname set to <HTTP/<fqdn-squid>@DOMAIN.COM>

for the associated acount. This is usaully done by using msktutil. 

 

But this is not done by samba-tools  

 

samba-tool setup fro squid i used, was as followed. 

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password 

samba-tool user setexpiry squid1-service –noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

 

 

Now this results in : 

My UPN was set to the username at internal.domain.tld  ( as it should ). 

My SPN was set to HTTP/proxyserver.internal.domain.tld at REALM ( as is should )  

 

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:

         HTTP/proxy.internal.domain.tld

         HTTP/proxy.internal.domain.tld at YOUR.REALM.T

 

 

Now i changed my UPN from username at internal.domain.tld  to the (SPN name)   HTTP/proxyserver.internal.domain.tld at REALM 

Solved my initial problem. 

This should be in my optionion be changed to search for the SPN in ext_kerberos_ldap_group.

 

Now i have LDAPS messages, see below, im adding the _ldaps SRV records now ,but i dont get why im getting : 

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

 

Im already having : TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 

Which contains the needed certs.

 

Did i find 2 small bugs here?  

Or is this a “Debian” related thing? 

 

 

Debug output. 

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-mail at YOUR.REALM.TLD -D YOUR.REALM.TLD -N internet-mail at NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Starting version 1.3.1sq

support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group list internet-mail at YOUR.REALM.TLD

support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD

support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios list internet-mail at NTDOMAIN

support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN

support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: ldap server list NULL

support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: DEBUG: No ldap servers defined.

testuser internet-mail

kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD

kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD

support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: User domain loop: group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found group at domain internet-mail at YOUR.REALM.TLD

support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache

support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_6902

support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get default keytab file name

support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD

support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD

support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.internal.domain.tld at YOUR.REALM.TLD

support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Stored credentials

support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Initialise ldap connection

support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable SSL to ldap servers

support_ldap.cc(933): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain YOUR.REALM.TLD

support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.YOUR.REALM.TLD with res_search

support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.YOUR.REALM.TLD

support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc2.internal.domain.tld

support_resolv.cc(379): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.YOUR.REALM.TLD record to samba-dc1.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 1 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 2 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 3 of YOUR.REALM.TLD to samba-dc1.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 4 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 5 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld

support_resolv.cc(207): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Resolved address 6 of YOUR.REALM.TLD to samba-dc2.internal.domain.tld

support_resolv.cc(407): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Adding YOUR.REALM.TLD to list

support_resolv.cc(443): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain YOUR.REALM.TLD:

support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc1.internal.domain.tld Port: 389 Priority: 0 Weight: 100

support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: samba-dc2.internal.domain.tld Port: 389 Priority: 0 Weight: 100

support_resolv.cc(445): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Host: YOUR.REALM.TLD Port: -1 Priority: -2 Weight: -2

support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:389

support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults

support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:389

support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults

support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

support_ldap.cc(942): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Setting up connection to ldap server YOUR.REALM.TLD:389

support_ldap.cc(786): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set SSL defaults

support_ldap.cc(531): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

support_ldap.cc(800): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

support_ldap.cc(979): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory

support_ldap.cc(1048): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No such file or directory

support_member.cc(76): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: INFO: User testuser is not member of group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(91): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default domain loop: group at domain internet-mail at YOUR.REALM.TLD

support_member.cc(119): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: DEBUG: Default group loop: group at domain internet-mail at YOUR.REALM.TLD

 

 


--------------------------------------------------------------------------------

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160829/1e22a04c/attachment-0001.html>

More information about the squid-users mailing list