[squid-users] Re: Kerberos auth with Active Directory.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 2 Nov 2010 22:08:58 -0000

> "Rolf Loudon" <rolf_at_SES.TAS.GOV.AU> wrote in message
> news:EA4139A9-AF4D-4E0D-8A05-C7B0C3EF46C2_at_SES.TAS.GOV.AU...
> hello

Hi Rolf

>
> I am trying to set up kerberos auth against Active Directory - Windows
> 2000 - in squid, 2.7. This is primarily so that the username is captured
> in the access log. But also user based access control will occasionally be
> used.
>
> I've installed the squid_kerb_auth software from
> http://squidkerbauth.sourceforge.net/
>
> The relevant squid config looks like this:
>
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN
> /usr/local/squid/squid_kerb_ldap -d -g active-directory-group@my.domain
>
> acl ldap_group_check external squid_kerb_ldap
>
> acl k_test src [some.test.host.address]
> http_access allow k_test ldap_group_check
> http_access deny k_test
>
>
> Initially I used the msktutil package to create the AD account keytab,
> thus:
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k
> /etc/squid/HTTP.keytab --computer-name squidhost --upn
> HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose
>
> This produced the desired keytab but in the verbose output noted that the
> ticket version number was not returned ("must be Windows 2000" - it is)
> and so set the kvno to zero. This is reflected in the output of kvno
> HTTP/squidhost.my.domain
>

I think you should set it to 1 for Windows 2000, and I recall msktutil has
some code to deal with Win 2000.

> When the client connected (Mac OS X 10.6) using the Chrome browser,
> squid's cache.log reported that the ticket version number didn't match:
>
> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure.
> Minor code may provide more information. Key version number for principal
> in key table is incorrect.
>
> Using kvno HTTP/squidhost.my.domain on this client the version number was
> 3 while doing the same on the proxy the version was zero. So that made
> sense.
>

I am surprised. Plain Win 2000 does not support kvno.

> I fixed this by not using msktutil and using ktpass on the Active
> Directory server and specifying -kvno 3. Installed this on the proxy
> host and that error went away.
>
> Reading about ktpass and kerberos auth in Microsoft's KB, it said that the
> (squid) host needs to have an account created for it as a user in the domain.
> Weird but I did this, using the host name as the user shortname. I used
> this hostname in ktpass with -mapuser.
>

The difference here is that MS uses a user account in AD and associates the
key with it, whereas msktutil uses a computer account. Using a user account
means you have to disable password expiry, otherwise the keytab becomes invalid
after the expiry time. This is the reason I prefer msktutil.

> Now in squid's cache.log the logs show, in part,
>
> 2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
> 2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf@MY.DOMAIN
> 2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
> 2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group@domain
> actiive-directory-group@my.domain
> 2010/11/02 12:01:55| squid_kerb_ldap: Found group@domain
> active-directory-group@my.domain
> 2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
> 2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
> 2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name
> /etc/squid/HTTP.keytab
> 2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab
> /etc/squid/HTTP.keytab
> 2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name:
> MY.DOMAIN
> 2010/11/02 12:01:55| squid_kerb_ldap: Found principal name:
> HTTP/squidhost.my.domain@MY.DOMAIN
> 2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to
> MEMORY:squid_ldap_20411
> 2010/11/02 12:01:55| squid_kerb_ldap: Got principal name
> HTTP/squidhost.my.domain@MY.DOMAIN
> 2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
> 2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
> 2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for
> domain MY.DOMAIN
>
> Apart from the first line ... "failed with rc=102" this looks ok.
>

That only happens if your kerberos implementation does not support
SPNEGO and is a warning only.

> Then there are many (from debugging I presume) instances of:
>
> squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to
> ad-domain-controller.my.domain
> for various domain controllers on the network.
>
> Then lots of
>
> 2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server
> various-domain-servers-and-workstations@my.domain:389
> 2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system
>

You need SASL support to authenticate to AD.

> Finally these log entries which show the deny reason - that I'm not a
> member of the group. But I confirm that I am a member of the group:
>
> 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
> connection: Success
> 2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap
> connection: Success
> 2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of
> group@domain active-directory-group@my.domain
> 2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group@domain
> active-directory-group@my.domain
> 2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group@domain
> active-directory-group@my.domain
> 2010/11/02 12:02:09| squid_kerb_ldap: ERR
>

This is because the ldap connection failed.

> I have tried many combinations of service keytab creation and so on, but I
> cannot get any further than this. Any help most appreciated.
>
> thanks
>
> rolf.
>

Markus
Received on Tue Nov 02 2010 - 22:09:21 MDT
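The kvno mismatch discussed in this thread (keytab written with kvno 0 by msktutil while the KDC issued kvno 3) is straightforward to check for before a client ever hits the proxy. The script below is an added example and is not part of the original thread or of squid_kerb_auth; it assumes the MIT Kerberos output formats of `klist -kt` and `kvno`, and the keytab path, principal and sample command outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether the kvno stored in the
# proxy's keytab for the HTTP service principal matches the kvno the KDC currently
# hands out. A mismatch is what produces "Key version number for principal in key
# table is incorrect" from gss_accept_sec_context().
# Assumes MIT Kerberos output formats for `klist -kt` and `kvno`; the keytab path,
# principal and sample outputs below are constructed for this example.

PRINCIPAL='HTTP/squidhost.my.domain@MY.DOMAIN'

# Print every KVNO recorded in a keytab listing (stdin = `klist -kt <keytab>`)
# for the principal given as $1. Entry lines start with the numeric KVNO.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && index($0, p) { print $1 }'
}

# Extract the number from `kvno <principal>` output, e.g. "HTTP/...@REALM: kvno = 3".
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# kvno_check <klist -kt output> <kvno output> <principal>
# Prints "match" (exit 0) when the keytab holds the KDC's kvno, "mismatch" (exit 1)
# when it holds only other versions, and "missing" (exit 2) when the principal is
# absent from the keytab or the KDC kvno could not be parsed.
kvno_check() {
    keytab_list=$(printf '%s\n' "$1" | keytab_kvnos "$3")
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    if [ -z "$keytab_list" ] || [ -z "$kdc" ]; then
        echo missing
        return 2
    fi
    for k in $keytab_list; do
        if [ "$k" = "$kdc" ]; then
            echo match
            return 0
        fi
    done
    echo mismatch
    return 1
}

# Constructed sample outputs. The first mirrors the msktutil keytab from the thread
# (kvno 0), the second the ktpass keytab written with -kvno 3, and the kvno output
# is what the client reported.
SAMPLE_KLIST_MSKTUTIL='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   0 11/02/10 12:00:00 HTTP/squidhost.my.domain@MY.DOMAIN (arcfour-hmac)'
SAMPLE_KLIST_KTPASS='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 11/02/10 12:00:00 HTTP/squidhost.my.domain@MY.DOMAIN (arcfour-hmac)'
SAMPLE_KVNO='HTTP/squidhost.my.domain@MY.DOMAIN: kvno = 3'

# Demonstration on the constructed samples (exit status discarded so sourcing is safe).
kvno_check "$SAMPLE_KLIST_MSKTUTIL" "$SAMPLE_KVNO" "$PRINCIPAL" || :
kvno_check "$SAMPLE_KLIST_KTPASS"   "$SAMPLE_KVNO" "$PRINCIPAL" || :

# Live use on the proxy (the kvno lookup needs a ticket and reachability to the KDC):
#   kvno_check "$(klist -kt /etc/squid/HTTP.keytab)" "$(kvno "$PRINCIPAL")" "$PRINCIPAL"
```

Running the live form after every keytab regeneration (and after any password reset on the account the key is mapped to) catches the mismatch on the proxy itself, which is easier to interpret than the GSS minor code in cache.log.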