[squid-users] Re: Help configuring Squid with Kerberos authentication to access Skype service from Markus Moeller on 2010-06-03 (squid-users)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 3 Jun 2010 21:05:20 +0100

The question is: Does Skype support Negotiate as an authentication scheme ?
If not you need something like a local proxy.

I have a POC version here
https://sourceforge.net/projects/squidkerbauth/files/squidkerberizer/squid_kerberizer-1.0.1/client_kerb_auth.zip/download
or
http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/

Regards
Markus

"Fryer, Huw" <hfryer_at_photronics.com> wrote in message
news:8428E62680B457449BFA2317024B0A0563D949D6E6_at_SMF1-PHOXM-01.photronics.com...
Hello All

I've setup a Squid proxy server according to the following guidelines

http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp
as my previous proxy version (on a completely different hardware platform)
used NTLM authentication which does not work "out of the box" with W7 /
W2008

The above URL install proceeded fine and authenticated users are able to
browse sites with no apparent issues. I should add that Squid also uses
Websense to provide filtering according to AD groups which also works.
However when we try and authenticate to the Skype service sites we get
failures. In my Skype configuration I am manually specifying the proxy
server using the fqdn with the port through which access is to go (same as
the squid proxy host)

My squid.conf file is thus

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s
HTTP/http-proxy-fqdn
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
acl localnet src network1/24
acl localnet src network2/24
acl localnet src network3/24
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl AUTHENTICATED proxy_auth REQUIRED
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#http_access allow localnet
http_access allow LDAP_GROUP_CHECK

http_access deny all

icp_access allow localnet
icp_access deny all

htcp_access allow localnet
htcp_access deny all

http_port 8080

hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/cache/squid-3.0 100 16 256

access_log /var/log/squid-3.0/access.log squid

cache_log /var/log/squid-3.0/cache.log

cache_store_log /var/log/squid-3.0/store.log

logfile_rotate 10

pid_filename /var/run/squid-3.0.pid

debug_options ALL,1

url_rewrite_program /opt/Websense/bin/WsRedtor
url_rewrite_children 30
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid

cache_effective_group squid

icp_port 3130

coredump_dir /var/cache/squid-3.0

redirector_bypass off

My krb5.conf file is

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CHILD.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h

# For Windows XP:
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# For Windows 2007:
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
forwardable = yes

[realms]
CHILD.DOMAIN.COM = {
  kdc = xxx.xxx.xxx.xxx:88
  admin_server = xxx.xxx.xxx.xxx:7491
  default_domain = child.domain.com
}

[domain_realm]
.child.domain.com = CHILD.DOMAIN.COM
child.domain.com = CHILD.DOMAIN.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

When browsing sites the access.log reflects

1275588052.233 419 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 670 GET
http://www.mail-archive.com/images/msg-top2.png hfryer@CHILD.DOMAIN.COM
DIRECT/72.52.77.3 -
1275588052.266 452 172.17.192.244 TCP_REFRESH_UNMODIFIED/304 671 GET
http://www.mail-archive.com/images/msg-left.jpg hfryer@CHILD.DOMAIN.COM
DIRECT/72.52.77.3 -
1275588055.273 1 172.17.192.244 TCP_IMS_HIT/304 276 GET
http://www.mail-archive.com/favicon.ico hfryer@CHILD.DOMAIN.COM NONE/-
image/x-icon

Now when I start up Skype and watch the access.log I get

1275588304.779 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT
173.168.7.102:443 - NONE/- text/html
1275588304.781 1 172.17.192.244 TCP_DENIED/407 1895 CONNECT
178.34.74.211:443 - NONE/- text/html
1275588304.781 1 172.17.192.244 TCP_DENIED/407 1898 CONNECT
70.253.110.236:443 - NONE/- text/html
1275588304.781 1 172.17.192.244 TCP_DENIED/407 1901 CONNECT
130.132.120.126:443 - NONE/- text/html
1275588304.782 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT
173.168.7.102:443 - NONE/- text/html
1275588304.785 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT
178.34.74.211:443 - NONE/- text/html
1275588304.785 0 172.17.192.244 TCP_DENIED/407 1901 CONNECT
130.132.120.126:443 - NONE/- text/html
1275588304.785 0 172.17.192.244 TCP_DENIED/407 1898 CONNECT
70.253.110.236:443 - NONE/- text/html
1275588307.898 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT
68.196.29.250:443 - NONE/- text/html
1275588308.904 0 172.17.192.244 TCP_DENIED/407 1898 CONNECT
173.16.159.143:443 - NONE/- text/html
1275588308.904 0 172.17.192.244 TCP_DENIED/407 1895 CONNECT
72.55.196.138:443 - NONE/- text/html
1275588308.906 1 172.17.192.244 TCP_DENIED/407 1898 CONNECT
178.82.173.239:443 - NONE/- text/html
1275588308.906 1 172.17.192.244 TCP_DENIED/407 1892 CONNECT
67.244.70.95:443 - NONE/- text/html

I've tried removing the reliance on the external_acl_type command but still
get the authentication failure when attempting to sign in to the Skype
service.

I'm not sure if the solution is straight forward, I've googled for 2+ days
without much success. There may be other such situations that I cannot
access, Skype is the first one I've encountered that fails to connect.

Thanks

Huw Fryer
Email - hfryer_at_photronics.com
Received on Thu Jun 03 2010 - 20:05:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 04 2010 - 12:00:04 MDT