[squid-users] Trouble getting kerberos auth working with squid 3.0

From: Steven Cardinal <steven.cardinal_at_gmail.com>
Date: Thu, 23 Oct 2008 14:25:14 -0400

Just installed an OpenSUSE 11.0 system to replace our aging Suse 9.0
squid proxy server. I've chosen to use the 3.0 version of squid that
was included. I am trying to get kerberos authentication working
against our AD (Win2003) environment. I followed the instructions at
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
I created the account in Windows, created the keytab file and moved it
over to my Linux system. I tested it using kinit and klist and it
authenticates successfully. What's more, I have the system
authenticating my ssh logins using kerberos successfully, as well. All
of that leads me to believe that my kerberos environment is configured
properly.

When I add the auth_param, acl, and http_access settings to my
squid.conf, though, I am unable to authenticate with either Firefox
(2.0.0.16) or IE (6.0) on my Windows XP clients. These same clients
are able to authenticate to our IIS servers using kerberos (for the
ability to identity_impersonate to our 3rd tier SQL servers), so I
believe my browsers are properly configured. We have set Firefox's
parameter network.negotiate-auth.trusted-uris to our internal domains.

When I try to connect with debugging turned on I see the following in
the cache.log:

<leading log removed for clarity>

2008/10/23 14:13:27.154| ACLChecklist::preCheck: 0xb8481fd8 checking 'http_access allow AUTHENTICATED'
2008/10/23 14:13:27.154| ACLList::matches: checking AUTHENTICATED
2008/10/23 14:13:27.154| ACL::checklistMatches: checking 'AUTHENTICATED'
2008/10/23 14:13:27.154| aclMatchAcl: returning 0 sending authentication challenge.
2008/10/23 14:13:27.154| ACL::ChecklistMatches: result for 'AUTHENTICATED' is 0
2008/10/23 14:13:27.154| ACLList::matches: result is false
2008/10/23 14:13:27.154| aclmatchAclList: 0xb8481fd8 returning false (AND list entry failed to match)
2008/10/23 14:13:27.154| ACLChecklist::checkForAsync: requiring Proxy Auth header.
2008/10/23 14:13:27.154| ACLChecklist::markFinished: 0xb8481fd8 checklist processing finished
2008/10/23 14:13:27.154| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 1
2008/10/23 14:13:27.154| ACLChecklist::check: 0xb8481fd8 match found, calling back with 2
2008/10/23 14:13:27.154| ACLChecklist::checkCallback: 0xb8481fd8 answer=2
2008/10/23 14:13:27.154| aclGetDenyInfoPage: got called for AUTHENTICATED
2008/10/23 14:13:27.154| aclGetDenyInfoPage: no match
2008/10/23 14:13:27.155| aclCheckFast: list: 0
2008/10/23 14:13:27.155| aclCheckFast: no matches, returning: 1
2008/10/23 14:13:27.155| ACLChecklist::~ACLChecklist: destroyed 0xb848206c
2008/10/23 14:13:27.155| aclCheckFast: list: 0

<trailing log removed for clarity>

I see no sign on my DCs of any failed authentication. A tcpdump trace
on my workstation shows no attempts from my Windows PC to perform any
kerberos authentication. If I try running the command line specified
in the squid.conf, I get:

squid_kerb_auth: Got '' from squid (length: 0).
squid_kerb_auth: Invalid request
NA Invalid request

I'm guessing, however, that squid_kerb_auth can't be run just like
that.

Any ideas where I should look? I set my keytab file to be
world-readable as a test and that didn't help. My config is below:

debug_options ALL,1 28,9

auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/myhost.mydomain.tld
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

acl AUTHENTICATED proxy_auth REQUIRED

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# allow localhost always proxy functionality
http_access allow localhost

http_access allow AUTHENTICATED

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128
http_port 3128
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid
coredump_dir /var/cache/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Received on Thu Oct 23 2008 - 18:25:18 MDT

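The debug output above shows Squid doing its part: the AUTHENTICATED acl fails, so Squid sends a Proxy-Authenticate: Negotiate challenge and waits for a token that, per the tcpdump observation, the browser never obtains. The helper only gets involved once a token arrives, and when it does, the -s service principal on the auth_param line must correspond to an entry in the keytab the helper reads. The following script is an added example, not code from this post or from the Squid project: it pulls the -s principal out of squid.conf text (joining the mail-wrapped "-s" line, since squid.conf itself has no line continuation), parses `klist -kt` output, and reports whether the two agree and whether the host part is fully qualified. The realm MYDOMAIN.TLD, the keytab path and the klist sample are constructed placeholders.

```python
import re
from typing import Optional

# Constructed sample input: the negotiate helper lines from the posted
# squid.conf, including the mail-wrapped "-s" argument, and the acl line.
SAMPLE_SQUID_CONF = """\
auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s
HTTP/myhost.mydomain.tld
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
"""

# Constructed sample `klist -kt` output (MIT format); the realm MYDOMAIN.TLD
# and the keytab path are placeholders, not values from the post.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/23/08 13:55:01 HTTP/myhost.mydomain.tld@MYDOMAIN.TLD
   3 10/23/08 13:55:01 HTTP/myhost.mydomain.tld@MYDOMAIN.TLD
"""


def config_service_principal(conf_text: str) -> Optional[str]:
    """Return the -s argument of the negotiate helper, or None if absent.

    squid.conf has no line continuation; if "-s" ends the line (as it does
    when the config was wrapped by a mail client), the next line is taken as
    its value so that text pasted from a mail can still be checked.
    """
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("auth_param negotiate program"):
            continue
        argv = line.split()
        if argv[-1] == "-s" and i + 1 < len(lines):
            argv += lines[i + 1].split()
        if "-s" in argv and argv.index("-s") + 1 < len(argv):
            return argv[argv.index("-s") + 1]
        return None
    return None


def keytab_principals(klist_text: str) -> list:
    """Parse MIT `klist -kt` output: '<kvno> <date> <time> <principal>'."""
    entry = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    found = []
    for line in klist_text.splitlines():
        m = entry.match(line)
        if m:
            found.append(m.group(1))
    return found


def principal_in_keytab(spn: str, principals: list) -> bool:
    """Exact, case-sensitive match of the configured principal.

    When the config value carries no '@REALM', the Kerberos library is
    assumed to fill in the default realm, so only the part before '@' of
    each keytab entry is compared.
    """
    if "@" in spn:
        return spn in principals
    return any(p.split("@", 1)[0] == spn for p in principals)


def check_negotiate_setup(conf_text: str, klist_text: str) -> dict:
    """Cross-check the helper's service principal against the keytab."""
    spn = config_service_principal(conf_text)
    principals = sorted(set(keytab_principals(klist_text)))
    problems = []
    if spn is None:
        problems.append("auth_param negotiate program has no -s principal")
    else:
        service, _, rest = spn.partition("/")
        host = rest.split("@", 1)[0]
        if service != "HTTP":
            problems.append("service must be HTTP: browsers request HTTP/<proxy host>")
        if "." not in host:
            problems.append("host in -s is not fully qualified: " + host)
        if not principal_in_keytab(spn, principals):
            problems.append("no keytab entry for " + spn)
    return {"config_spn": spn, "keytab_principals": principals, "problems": problems}


if __name__ == "__main__":
    report = check_negotiate_setup(SAMPLE_SQUID_CONF, SAMPLE_KLIST_KT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real system, feed it the actual squid.conf and the output of `klist -kt /path/to/keytab` (run as the user Squid runs its helpers as, which also confirms the keytab is readable without resorting to world-readable permissions). An empty problems list only means the helper side is consistent; the browser still has to be pointed at the proxy by the same fully qualified name that appears in the principal, which is the step to verify next when tcpdump shows no Kerberos traffic at all.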