[squid-users] missing negotiate_kerberos_auth on my squid

L.P.H. van Belle belle at bazuin.nl
Wed Jun 1 14:18:28 UTC 2016


Hai. 

 

First before you read through all. 

 

Please check if the squid user kan read the keytab file.

This can be a thing. And check the KVNO with the auth here can be a mismatch also. 

 

Second, test with in the negotiate wrapper. 

    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME 

 

I did read. 

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

This is not entry correct anymore due to last changed in samba, dont know how this applies to Win 2012 ADDC these patches also applied to windows. 

Sorry no windows here anymore, only samba.

 

Now, below is all tested on debian with samba 4.4.3 AD and squid 3.5.19. 

 

 

This needed te be added in smb.conf to make sure all auth is done over encrypted layers. 

 

    server signing = mandatory

    ntlm auth = no

 

    #Add and Update TLS Key of your proxy and Root ) 

    tls enabled = yes

    tls keyfile = /etc/ssl/local/private/-proxy.key.pem

    tls certfile = /etc/ssl/local/certs/proxy.cert.pem

    tls cafile = /etc/ssl/certs/INTERNALROOT-ca.pem

 

Extra info  on  tls cafile = /etc/ssl/certs/INTERNALROOT-ca.pem. 

The original file is located in /usr/local/ca-certificates/companyname/ 

When the “correct” ca setup is done, then you see a simlink in /etc/ssl/certs. 

 

The “correct” way to setup the ROOT CA  Look here. 

http://ram.kossboss.com/debian-install-trusted-ssl/ 

works fine also with own certs, thats what i use internal here also.

 

In /etc/ldap/ldap.conf

Make sure you have al least. 

# TLS certificates (needed for GnuTLS)

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

TLS_REQCERT allow 

 

 

This is what i now use in squid auth. 

Kerberos , fallback to NTLM , fallback to basic LDAP(S) auth.

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \

    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.dnsdomain.tld at REALM \

    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOMAIN

 

# A NOT SSL HOST format –h setup. 

#auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \

#    -b "ou=Office,dc=internal,dc=domain,dc=tld" \

#    -D bind-user at REALM \

#    -W /etc/squid/private/bind-user \

#    -f (sAMAccountName=%s) \

#    -h dc2.internal.dnsdomain.tld \

#    -h dc1.internal.dnsdomain.tld

 

## A SSL enabled URI format -H  setup

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \

    -b "ou=Office,dc=internal,dc=domain,dc=tld" \

    -D bind-user at REALM \

    -W /etc/squid/private/bind-user \

    -f sAMAccountName=%s \

    -H ldaps:// dc2.internal.dnsdomain.tld \

    -H ldaps://dc1.internal.dnsdomain.tld \

 

For /etc/krb5.conf  i only have 

[libdefaults]

    default_realm = REALM

    dns_lookup_kdc = true

    dns_lookup_realm = false

 

If above does not help, well then ask for more help here.  

 

 

Greetz, 

 

Louis

 

 

 

 


Van: Nilesh Gavali [mailto:nilesh.gavali at tcs.com] 
Verzonden: woensdag 1 juni 2016 14:45
Aan: L.P.H. van Belle
CC: squid-users at squid-cache.org
Onderwerp: RE: missing negotiate_kerberos_auth on my squid


 

Hi Louise; 
refer the comment on below questions. 

  
1)       is the time in sync with the proxy and AD server?  - YES 
2)       Did you set the krb5.conf  with or without the enctypes types? it is set with enctypes 
3)       Which browser are you using? we tried using IE and chorme. 
4)       Did you configure the browser to use the kerberos auth? YES. 
5)       Did the PC join the domain, and are u using a domain user login? YES. 
6)       Does kinit user at REALM work?  ( kdestroy to remove the user ticket ) YES. it shows the desire O/P 
7)       Last, does the proxy server have an A and PTR record? YES. 

below error got in cache.log 

negotiate_kerberos_auth:ERROR: gss_accept_sec_context() failed: Unsepecified GSS failure. Minor code may provide more information. 
Kid1 | ERROR: negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context_() failed: Unspecified GSS failure. Minor code may provide more information. 


Thanks & Regards
Nilesh Suresh Gavali






From:        L.P.H. van Belle <belle at bazuin.nl> 
To:        Nilesh Gavali <nilesh.gavali at tcs.com> 
Cc:        squid-users at squid-cache.org <squid-users at squid-cache.org> 
Date:        01/06/2016 09:53 
Subject:        RE: missing negotiate_kerberos_auth on my squid 





Wel first, great, you made it to install it, 
  
Yes, but your auth pop-up can be normal, but we need more info, this can be multple things. 
  
So, few small questions. 
  
1)       is the time in sync with the proxy and AD server? 
2)       Did you set the krb5.conf  with or without the enctypes types? 
3)       Which browser are you using? 
4)       Did you configure the browser to use the kerberos auth? 
5)       Did the PC join the domain, and are u using a domain user login? 
6)       Does kinit user at REALM work?  ( kdestroy to remove the user ticket ) 
7)       Last, does the proxy server have an A and PTR record? 
  
Also check this site, review your settings. 
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM 
  
And last tip your auth line. 
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.domain.org at DOMAIN.ORG 
  
Can also be a problem so test, if the upn is setup incorrectly, then above does not work, below the should work. 
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME 
  
add  -d to get more debug info. 
  
greetz, 
  
Louis 
  



Van: Nilesh Gavali [mailto:nilesh.gavali at tcs.com] 
Verzonden: dinsdag 31 mei 2016 21:20
Aan: squid-users at lists.squid-cache.org
CC: L.P.H. van Belle
Onderwerp: missing negotiate_kerberos_auth on my squid 
  
Hello All; 

Configured the steps require for kerberos authentication as given at http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos 
but instead of SSO to work when we try to open url; it is prompt for username and password, when passing credential it is not authenticating. 
attached is our squid config for your reference. 

Kindly let us know what went wrong. 

we are using windows 2012 AD. 



Thanks & Regards
Nilesh Suresh Gavali




From:        Nilesh Gavali/MUM/TCS 
To:        squid-users at lists.squid-cache.org, belle at bazuin.nl 
Date:        27/05/2016 15:07 
Subject:         missing negotiate_kerberos_auth on my squid 





Thanks louise for reply. 

but 

Should be include imo. -- not sure what is imo



Shoud be in any Squid-3.2 and later.



And on my debian server its locate here. 

/usr/lib/squid/negotiate_kerberos_auth - check the path but it is not there on my linux box.



Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ?  ---- NO didn't gave this option while compilation



Run squid –v to check it. -- we have"--enable-auth-negotiate" only and some other configured option. 

can you help me how to get hit recomipled with reuqire options. 


Thanks & Regards
Nilesh Suresh Gavali

----- Forwarded by Nilesh Gavali/MUM/TCS on 27/05/2016 15:01 ----- 

From:        squid-users-request at lists.squid-cache.org 
To:        squid-users at lists.squid-cache.org 
Date:        27/05/2016 12:42 
Subject:        squid-users Digest, Vol 21, Issue 101 
Sent by:        "squid-users" <squid-users-bounces at lists.squid-cache.org> 






Send squid-users mailing list submissions to
               squid-users at lists.squid-cache.org

To subscribe or unsubscribe via the World Wide Web, visit
               http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
               squid-users-request at lists.squid-cache.org

You can reach the person managing the list at
               squid-users-owner at lists.squid-cache.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

 1. NULL characters (joe)
 2. Re: Looking for a way to route into cache_peer traffic
    dynamically. (Alex Rousskov)
 3. The system returned: (111) Connection refused; (deepa ganu)
 4. Re: NULL characters (Eliezer Croitoru)
 5. missing negotiate_kerberos_auth on my squid (Nilesh Gavali)
 6. Re: missing negotiate_kerberos_auth on my squid (L.P.H. van Belle)


----------------------------------------------------------------------

Message: 1
Date: Thu, 26 May 2016 07:30:16 -0700 (PDT)
From: joe <chip_pop at hotmail.com>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] NULL characters
Message-ID: <1464273016183-4677691.post at n4.nabble.com>
Content-Type: text/plain; charset=us-ascii

2016/05/26 06:41:28 kid1| ctx: enter level  0:
'http://js.advert.mirtesen.ru/data/js/82090.js'
2016/05/26 06:41:28 kid1| WARNING: HTTP header contains NULL characters
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid}
NULL
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid
2016/05/26 06:41:28 kid1| ctx: exit level  0

is it bad ?????



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/NULL-characters-tp4677691.html
Sent from the Squid - Users mailing list archive at Nabble.com.


------------------------------

Message: 2
Date: Thu, 26 May 2016 09:16:52 -0600
From: Alex Rousskov <rousskov at measurement-factory.com>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Looking for a way to route into cache_peer
               traffic dynamically.
Message-ID: <57471364.4030007 at measurement-factory.com>
Content-Type: text/plain; charset=utf-8

On 05/26/2016 03:52 AM, Eliezer Croitoru wrote:

> I think that the best way is to use an ICAP meta header instead of altering
> the request itself 

Agreed.


> but I am not sure if it is possible

It is not possible today: Converting ICAP headers into annotations
understood by Squid ACLs is only supported for eCAP services.

IIRC, somebody posted a patch (on squid-dev) with a similar feature for
ICAP, but that implementation needed to be redone to be officially
accepted (IMO). I do not know whether the author will adjust their code
to follow my recommendations. Perhaps you can do it for them.

Alex.



------------------------------

Message: 3
Date: Fri, 27 May 2016 14:25:19 +0530
From: deepa ganu <deepaganu at gmail.com>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] The system returned: (111) Connection refused;
Message-ID:
               <CA+qV5k+cSUThvZYCS1JLcNuXsFCA8Vnk1Rmc5opK1w15W6asyg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi
I am using squid as a reverse.

#http_port  80 accel defaultsite=202.53.13.19
https_port 443 accel  cert=/var/www/html/webrtc/imp/teleuniv.net.crt
key=/var/www/html/webrtc/imp/teleuniv.net.key
cafile=/var/www/html/webrtc/imp/intermediate.crt defaultsite=202.53.13.19
no-vhost


#this ACL is url path specific which accepts only portal urls and deny
others.
acl portal urlpath_regex ^/portal6may
cache_peer 172.20.36.144 parent 80 0 no-query originserver name=portalserver
cache_peer_access portalserver allow portal
cache_peer_access portalserver deny all
http_access allow portal


cache_peer 172.20.36.150 parent 443 0 no-query originserver ssl
sslflags=DONT_VERIFY_PEER login=PASS connection-auth=off name=teleuniv
acl our_sites dstdomain 202.53.13.19
http_access allow our_sites
cache_peer_access teleuniv allow our_sites
cache_peer_access teleuniv deny all

SO when i try to access the url MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "202.53.13.19" MailScanner warning: numerical links are often malicious: https://202.53.13.19/ I get the following
error
"The following error was encountered while trying to retrieve the URL: The
system returned: (111) Connection refused; The remote host or network may
be down. Please try the request again."

It only gives for 172.20.36.144 not for the urlpath acl. But this happens
only sometimes. When I physically go to that server (172.20.36.150) and
click on the wired connection (one of the LAN options using linux). It
works again. I am very confused

-- 
Regards
Deepa Ganu
R&D Head(CSE) KMIT
Ph no : 9908036660
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160527/998e60f3/attachment-0001.html>

------------------------------

Message: 4
Date: Fri, 27 May 2016 14:17:17 +0300
From: "Eliezer Croitoru" <eliezer at ngtech.co.il>
To: "'joe'" <chip_pop at hotmail.com>,
               <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] NULL characters
Message-ID: <33b501d1b809$541a9620$fc4fc260$@ngtech.co.il>
Content-Type: text/plain;                 charset="utf-8"

If it ended with some kind of server issues else then the logs, then it would be considered not nice.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of joe
Sent: Thursday, May 26, 2016 5:30 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] NULL characters

2016/05/26 06:41:28 kid1| ctx: enter level  0:
'http://js.advert.mirtesen.ru/data/js/82090.js'
2016/05/26 06:41:28 kid1| WARNING: HTTP header contains NULL characters
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid}
NULL
{Server: nginx
Date: Thu, 26 May 2016 03:46:52 GMT
Content-Type: application/javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-MaxSize: 5
X-MaxShm: 5
X-ShmTol: 2
X-Loc: 2347
X-MID: 16
X-Node: ssel6
X-ChosenReserve: 2
X-TotalPrimary: 290
X-ExclByGeo: 266
X-TotalPrimaryPayable: 219
X-ChosenPrimary: 3
X-ExclByTime: 18
X-ShmNews: 1989237,2010118,2009700,
X-TotalPrimaryExchange: 0
X-TotalReserve: 332
X-ChosenPayable: 3
X-ShmCnt: 3
Set-Cookie: nid
2016/05/26 06:41:28 kid1| ctx: exit level  0

is it bad ?????



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/NULL-characters-tp4677691.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



------------------------------

Message: 5
Date: Fri, 27 May 2016 12:32:15 +0100
From: Nilesh Gavali <nilesh.gavali at tcs.com>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] missing negotiate_kerberos_auth on my squid
Message-ID:
               <OF9C6F8F89.5CF2ECB1-ON80257FC0.003EE232-80257FC0.003F5EF7 at tcs.com>
Content-Type: text/plain; charset="utf-8"

Hello ;
I have installed latest squid 3.5.19 on red hat Linux yesterday. That 
means I am new to squid and linux. 
able to start the squid and its working fine. 
now we are trying to authenticate user via Kerberos with windows AD. but 
facing issues.
followed the steps provided on 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
But unable to find negotiate_kerberos_auth  on my Linux box at any 
location. 
now I need to know where i can find/download  negotiate_kerberos_auth  and 
compile it to make authentication successful.

Thanks & Regards
Nilesh Suresh Gavali
Tata Consultancy Services
3rd Floor, Tithebarn House
Tithebarn Street
Liverpool - L2 2NZ
United Kingdom
Mailto: nilesh.gavali at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                      Business Solutions
                      Consulting
____________________________________________

Tata Consultancy Services Limited , incorporated  with limited liability 
and registered with Registrar of Companies, Mumbai, India - No: 11-84781
HQ : Nirmal Building , 9th Floor, Nariman Point, Mumbai - 400 021, India - 
Registered  in UK : 18 Grosvenor Place, London SW1X 7HS - BR :007627
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160527/b812d6ac/attachment-0001.html>

------------------------------

Message: 6
Date: Fri, 27 May 2016 13:41:34 +0200
From: L.P.H. van Belle <belle at bazuin.nl>
To: squid-users at squid-cache.org  <squid-users at squid-cache.org>
Subject: Re: [squid-users] missing negotiate_kerberos_auth on my squid
Message-ID:
               <vmime.5748326e.63bf.32264d027089be4e at ms249-lin-003.rotterdam.bazuin.nl>
               
Content-Type: text/plain; charset="windows-1252"

Should be include imo. 



Shoud be in any Squid-3.2 and later.



And on my debian server its locate here. 

/usr/lib/squid/negotiate_kerberos_auth 



Did you enable : --enable-auth-negotiate=kerberos,wrapper on compile ? 



Run squid –v to check it. 



Greetz, 



Louis






Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Nilesh Gavali
Verzonden: vrijdag 27 mei 2016 13:32
Aan: squid-users at lists.squid-cache.org
Onderwerp: [squid-users] missing negotiate_kerberos_auth on my squid




Hello ; 
I have installed latest squid 3.5.19 on red hat Linux yesterday. That means I am new to squid and linux. 
able to start the squid and its working fine. 
now we are trying to authenticate user via Kerberos with windows AD. but facing issues. 
followed the steps provided on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos 
But unable to find negotiate_kerberos_auth  on my Linux box at any location. 
now I need to know where i can find/download  negotiate_kerberos_auth  and compile it to make authentication successful. 

Thanks & Regards
Nilesh Suresh Gavali
Tata Consultancy Services
3rd Floor, Tithebarn House
Tithebarn Street
Liverpool - L2 2NZ
United Kingdom
Mailto: nilesh.gavali at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.        IT Services
                      Business Solutions
                      Consulting
____________________________________________

Tata Consultancy Services Limited , incorporated  with limited liability and registered with Registrar of Companies, Mumbai, India - No: 11-84781
HQ : Nirmal Building , 9th Floor, Nariman Point, Mumbai - 400 021, India -  Registered  in UK : 18 Grosvenor Place, London SW1X 7HS - BR :007627

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160527/bbeb60e2/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 21, Issue 101
******************************************** 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160601/4b55aed1/attachment-0001.html>


More information about the squid-users mailing list