[squid-users] Kerberos with LDAP authentication failover and iTunes auth problems

From: James Robertson <j_at_mesrobertson.com>
Date: Fri, 23 Dec 2011 10:39:54 +1100

We have successfully deployed a squid3 proxy in a Windows AD domain
that authenticates users with the Kerberos helper and uses LDAP
queries to allow access based on security groups in AD. This works
perfectly for IE, FF and Chrome, and no authentication pop-ups occur.
We realised that not all applications use this authentication and that
sometimes non-domain PCs might need internet access, so LDAP was to be
used as a backup authentication method.

I tested using a non-domain user on a Win7 workstation. When
opening IE it prompts for a login as I had expected, but I notice that
I have to input the username and password a second time before it will
allow access. I also notice when this happens that the second
authentication dialogue automatically adds the domain prefix, i.e.
DOMAIN\user, and the password is already entered. Looking at the logs
it seems as though this second attempt is in fact the Kerberos auth,
not LDAP as I had initially thought. This is what's logged in
/var/cache/squid3/cache.log whilst this takes place (long lines have
been truncated).

2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:25:13| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:25:13| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/12/23 10:25:14| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:25:14| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:25:14| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:25:14| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/12/23 10:25:14| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:25:14| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:25:14| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:25:14| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/12/23 10:26:12| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:26:12| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:26:12| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:26:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/12/23 10:27:11| squid_kerb_auth: DEBUG: Got 'YR YIIGmQYGKwYBBQUCoIIGjTCC [...Truncated...] h07dexafHYw==' from squid (length: 2263).
2011/12/23 10:27:11| squid_kerb_auth: DEBUG: Decode 'YIIGmQ [...Truncated...] /h07dexafHYw==' (decoded length: 1693).
2011/12/23 10:27:11| squid_kerb_auth: DEBUG: AF oYG2MIG [...Truncated...] jJkPFv+8= username@EXAMPLE.LOCAL

Besides that, we also have a problem with iTunes access. When iTunes
runs it prompts for authentication regardless of whether the user is
logged in to the domain or not, and it fails to authenticate even after
the login is entered multiple times. The following is logged in
/var/log/squid3/cache.log.

2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/12/23 10:03:13| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/12/23 10:03:13| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/12/23 10:03:13| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

The squid.conf is listed below. Am I mistaken about the
authentication failing over to LDAP if Kerberos fails? If so, is
there a way to make this work for computers/software that cannot do
Kerberos, besides whitelisting domains?

I'm also a bit unsure about my http_access lines, hence you will see
some commented out from some testing I am doing.

### /etc/squid3/squid.conf Configuration File #######

### cache manager
cache_mgr cacheadmin@example.com

### kerberos authentication
# -s names the service principal whose keytab the helper uses; -d enables debug logging
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squidproxy.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

### provide access via ldap for clients not authenticated via kerberos
# -R: do not follow referrals; -D/-W: bind account and password file; -f: user search filter
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f sAMAccountName=%s \
    -h domaincontroller.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorizations
# %LOGIN passes the authenticated user name to the helper; -K strips the Kerberos realm
# from it before the lookup; %v in the filter is replaced with that user name
# Internet Users Blocked
external_acl_type internet_users_blocked %LOGIN \
    /usr/lib/squid3/squid_ldap_group -R -K \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Blocked,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
    -h domaincontroller.example.local
# Internet Users Restricted
external_acl_type internet_users_restricted %LOGIN \
    /usr/lib/squid3/squid_ldap_group -R -K \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Restricted,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
    -h domaincontroller.example.local
# Internet Users Standard
external_acl_type internet_users_standard %LOGIN \
    /usr/lib/squid3/squid_ldap_group -R -K \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Standard,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
    -h domaincontroller.example.local
# Internet Users Full NoLog
external_acl_type internet_users_full_nolog %LOGIN \
    /usr/lib/squid3/squid_ldap_group -R -K \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full NoLog,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
    -h domaincontroller.example.local
# Internet Users Full Log
external_acl_type internet_users_full_log %LOGIN \
    /usr/lib/squid3/squid_ldap_group -R -K \
    -b "dc=example,dc=local" \
    -D squid@example.local \
    -W /etc/squid3/ldappass.txt \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full Log,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" \
    -h domaincontroller.example.local

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# format "acl, aclname, acltype, acltypename, activedirectorygroup"
acl BlockedAccessLog external internet_users_blocked Internet\ Users\ Blocked
acl RestrictedAccessLog external internet_users_restricted Internet\ Users\ Restricted
acl StandardAccessLog external internet_users_standard Internet\ Users\ Standard
acl FullAccessLog external internet_users_full_log Internet\ Users\ Full\ Log
acl FullAccessNoLog external internet_users_full_nolog Internet\ Users\ Full\ NoLog
acl whitelistsites url_regex -i "/etc/squid3/whitelistsites.txt"
acl blockedsites url_regex -i "/etc/squid3/blockedsites.txt"

### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

### enforce auth: order of rules is important for authorization levels
no_cache deny whitelistsites
#http_access deny !auth
# users in BlockedAccessLog are deny all
#http_access deny BlockedAccessLog all
http_access allow whitelistsites
#http_access deny RestrictedAccessLog all
http_access allow FullAccessNoLog auth
http_access allow FullAccessLog auth
http_access deny blockedsites
http_access allow StandardAccessLog auth

### logging
# don't log whitelistsites, FullAccessNoLog
access_log /var/log/squid3/access.log squid !whitelistsites !FullAccessNoLog

### squid defaults
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Thanks and Merry Christmas!

James.
Received on Thu Dec 22 2011 - 23:40:03 MST
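The two token shapes in the cache.log excerpts above can be told apart by decoding the base64 that squid_kerb_auth logs after `Got 'YR`. The Python below is an added example, not code from this post or from Squid: it parses the fixed header of an NTLMSSP message (MS-NLMP) and of a GSS-API InitialContextToken (RFC 2743, with the SPNEGO mechanism OID from RFC 4178), and runs that classifier over sample lines constructed from the post's own log records (the long token is truncated on the page, so only its first 24 base64 characters are used; they carry the complete outer header). The function names, the sample lines, the flag subset and the `__main__` printout are this example's own.

```python
"""Decode the Negotiate tokens that squid_kerb_auth logs as "Got 'YR <base64>'".

Added example (not from the post or from Squid): tells a raw NTLMSSP message
apart from a GSS-API/SPNEGO InitialContextToken, which is the distinction
behind the helper's "received type 1 NTLM token" warning.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# Subset of the NegotiateFlags bits from MS-NLMP 2.2.2.5 (enough to read a type 1 message).
NTLM_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}

# DER-encoded mechanism OIDs that can appear in a GSS-API InitialContextToken.
GSS_MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",   # 1.2.840.48018.1.2.2
}

# "YR" carries the first token of an exchange, "KK" any later one (Squid negotiate helper protocol).
LOG_RE = re.compile(r"squid_kerb_auth: DEBUG: Got '(YR|KK) (?P<blob>[A-Za-z0-9+/=]+)'")


def parse_ntlm(data: bytes) -> dict:
    """Decode the fixed header of an NTLMSSP message (MS-NLMP 2.2.1)."""
    if len(data) < 12 or not data.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    info = {"kind": "NTLMSSP", "type": msg_type, "name": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 1 and len(data) >= 32:
        flags = struct.unpack_from("<I", data, 12)[0]
        info["flags"] = flags
        info["flag_names"] = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
        # The 8-byte Version field at offset 32 is only present when NEGOTIATE_VERSION is set.
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(data) >= 40:
            major, minor, build, _reserved, revision = struct.unpack_from("<BBH3sB", data, 32)
            info["version"] = (major, minor, build, revision)
    return info


def der_length(data: bytes, pos: int) -> tuple:
    """Return (length, position after the length octets) for a DER length starting at pos."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_gssapi(data: bytes) -> dict:
    """Decode the header of a GSS-API InitialContextToken (RFC 2743 3.1):
    [APPLICATION 0] { mechanism OID, mechanism-specific inner token }."""
    if not data or data[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    inner_len, pos = der_length(data, 1)
    declared_total = pos + inner_len  # tag + length octets + content
    if data[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = der_length(data, pos + 1)
    oid = data[pos:pos + oid_len]
    return {"kind": "GSS-API", "mechanism": GSS_MECHS.get(oid, "unknown " + oid.hex()),
            "declared_length": declared_total}


def classify_token(b64: str) -> dict:
    """Classify one base64 token from a 'Got' line (pads a blob cut at a non-multiple of 4)."""
    data = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if data.startswith(NTLMSSP_SIGNATURE):
        return parse_ntlm(data)
    if data[:1] == b"\x60":
        return parse_gssapi(data)
    return {"kind": "unknown", "head": data[:8].hex()}


def classify_log(lines) -> list:
    """Run the classifier over cache.log lines, returning one result per 'Got' line."""
    return [classify_token(m.group("blob")) for m in map(LOG_RE.search, lines) if m]


# Constructed sample: the post's log records joined back onto one line each. The SPNEGO token
# is truncated on the page, so only its first 24 base64 characters are used (the header suffices).
SAMPLE_LOG = [
    "2011/12/23 10:25:13| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).",
    "2011/12/23 10:25:13| squid_kerb_auth: WARNING: received type 1 NTLM token",
    "2011/12/23 10:27:11| squid_kerb_auth: DEBUG: Got 'YR YIIGmQYGKwYBBQUCoIIGjTCC' from squid (length: 2263).",
]

if __name__ == "__main__":
    for result in classify_log(SAMPLE_LOG):
        print(result)
```

Run as a script it prints one dictionary per 'Got' line. The 59-character blob (the one logged for the non-domain IE session and for iTunes alike) decodes to NTLMSSP message type 1, a NEGOTIATE with flags 0xe2088297 and a Version field of 6.1 build 7600; the 2263-character blob decodes to a GSS-API token whose mechanism OID is SPNEGO and whose declared length, 1693 bytes, is exactly the "decoded length" the helper logged for it. That is the difference the "received type 1 NTLM token" warning reports: those clients put a raw NTLM message in the Negotiate header instead of a SPNEGO/Kerberos token, and the helper answers with BH rather than a user name.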
