Re: [squid-users] Re: Re: Negotiate on 3.2.1

From: Paul Carew <beavatronix_at_gmail.com>
Date: Sun, 19 Aug 2012 01:44:24 +0100

Many thanks Markus, I see what's going on now. :)

I will approach the commercial company regarding adding support for
the username being supplied in the kerberos format.

Paul

On 18 August 2012 20:58, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Paul.
>
> An account reset means the password or key of this account changes and the
> extracted key in the keytab will get out of sync. So don't reset the
> account in AD, but only autoupdate from msktutil. Also don't share a samba
> account with squid as samba daemons also reset the account from time to time.
> Unfortunately user_at_DOMAIN is the Kerberos format and NTDOMAIN\user the
> Netbios format, and there is no obvious 1-to-1 mapping between both.
>
> Markus
>
>
> "Paul Carew" <beavatronix_at_gmail.com> wrote in message
> news:CAPHJSn16A-QCu2wmsaQUEFN89RxhJTBx-xwSyRUByzvDW3AoyA_at_mail.gmail.com...
>
>> Hi Markus
>>
>> Thanks for responding. The squid effective user can read the keytab
>> and I've got the export line in the squid init script. If I check
>> /proc/<pid>/environ for the main squid process I can see KRB5_KTNAME
>> is set correctly. DNS hostname is proxy01.domain.local but
>> --computer-name used in msktutil is proxy01-h.
>>
>> I have been playing with it since I wrote the original email and as
>> long as I don't "Reset Account" for the proxy01-h computer account in
>> AD everything works, msktutil --auto-update correctly checks the age of
>> the password on the computer account and negotiate authentication
>> works in Squid.
>>
>> ...as an aside, we use a commercial product to monitor internet access
>> which operates off of the url_rewrite_program directive.
>> Unfortunately, it expects the authenticated user to be returned in the
>> format "DOMAIN\Username" whereas negotiate_kerb_auth returns
>> "Username_at_DOMAIN". Is there any way to alter the format of the
>> returned username?
>>
>> Thanks again
>>
>> Paul
>>
>>
>> On 18 August 2012 13:30, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Paul,
>>>
>>> Does the squid running user have read access to the keytab? Did you use
>>> export KRB5_KTNAME to point to the keytab in the startup script? What is
>>> the hostname of your squid host? Did you get a minor code message?
>>>
>>> Check also my page for some further hints
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> Markus
>>>
>>>
>>> "Paul Carew" <beavatronix_at_gmail.com> wrote in message
>>> news:CAPHJSn3cN0uj3fsM1mD0iKkS4CTavBHQMu7ya=W8OJsp_twuGg_at_mail.gmail.com...
>>>
>>>> Hi!
>>>>
>>>> I'm following the guide here
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>> ...to get Negotiate authentication working with Squid 3.2.1. NTLM
>>>> works fine but when using Negotiate I am getting this in my
>>>> cache.log...
>>>>
>>>> 2012/08/17 17:31:01 kid1| ERROR: Negotiate Authentication validating
>>>> user. Error returned 'BH gss_accept_sec_context() failed: Unspecified
>>>> GSS failure. Minor code may provide more information. '
>>>>
>>>> "kinit -V -kt /etc/squid/HTTP.keytab HTTP/proxy01.domain.local"
>>>> produces...
>>>>
>>>> Using default cache: /tmp/krb5cc_0
>>>> Using principal: HTTP/proxy01.domain.local_at_DOMAIN.LOCAL
>>>> Using keytab: /etc/squid/HTTP.keytab
>>>> kinit: Preauthentication failed while getting initial credentials
>>>>
>>>> "klist -ekt /etc/squid/HTTP.keytab" produces...
>>>>
>>>> Keytab name: WRFILE:/etc/squid/HTTP.keytab
>>>> KVNO Timestamp Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>> 2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>> 2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 HTTP/proxy01.domain.local_at_DOMAIN.LOCAL (arcfour-hmac)
>>>> 2 08/17/12 17:18:04 HTTP/proxy01.domain.local_at_DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 HTTP/proxy01.domain.local_at_DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>> 3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
>>>> 3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 host/proxy01.domain.local_at_DOMAIN.LOCAL (arcfour-hmac)
>>>> 3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 host/proxy01.domain.local_at_DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
>>>> 2 08/17/12 17:18:04 host/proxy01.domain.local_at_DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
>>>>
>>>> auth_params are...
>>>>
>>>> auth_param negotiate program /usr/lib/squid/negotiate_kerb_auth
>>>> auth_param negotiate children 30 startup=10 idle=5
>>>> auth_param negotiate keep_alive on
>>>>
>>>> Can anyone help? I'm guessing I've not done something rather important?
>>>>
>>>> Thank you.
>>>>
>>>> Paul
>>>>
>>>
>>>
>>
>
>
Received on Sun Aug 19 2012 - 00:44:31 MDT
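An added example in Python (not code from this thread, from Squid or from msktutil) that turns the two points in the exchange into checks: it parses a `klist -ekt` listing modelled on Paul's and flags service principals whose KVNO lags behind the newest key in the keytab (the out-of-sync state Markus describes after a computer account reset), and it rewrites `user@REALM` into `NETBIOS\user` through an explicit realm map, since Markus notes there is no derivable mapping between the two formats. The sample listing, the realm map and the usernames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "klist -ekt" listing in the thread:
# the computer account proxy01-h$ has been re-keyed to KVNO 3, but the HTTP/
# service principal still only carries KVNO 2 entries.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 08/17/12 17:18:03 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 08/17/12 17:18:04 HTTP/proxy01.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (arcfour-hmac)
   3 08/17/12 17:18:57 proxy01-h$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def parse_keytab_listing(text):
    """Return {principal: {kvno: set(enctypes)}} from klist -ekt output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries[principal][kvno].add(enctype)
    return entries

def stale_principals(entries):
    """Principals whose newest key lags behind the newest KVNO in the keytab.

    In AD every SPN on a computer account shares that account's key, so after
    a reset or msktutil update all of them should reach the same KVNO; an SPN
    left behind is what the KDC rejects with 'Preauthentication failed'."""
    latest = max(k for per_kvno in entries.values() for k in per_kvno)
    return sorted(p for p, kv in entries.items() if max(kv) < latest)

# Explicit realm -> NetBIOS map (constructed): there is no rule to derive the
# NetBIOS name from the realm, so the pairing has to be configured.
REALM_TO_NETBIOS = {"DOMAIN.LOCAL": "DOMAIN"}

def kerberos_to_netbios(user):
    """'alice@DOMAIN.LOCAL' -> 'DOMAIN\\alice'; unmapped input returned as is."""
    name, sep, realm = user.rpartition("@")
    if not sep or realm.upper() not in REALM_TO_NETBIOS:
        return user
    return f"{REALM_TO_NETBIOS[realm.upper()]}\\{name}"

if __name__ == "__main__":
    print(stale_principals(parse_keytab_listing(KLIST_OUTPUT)))
    print(kerberos_to_netbios("pcarew@DOMAIN.LOCAL"))
```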

This archive was generated by hypermail 2.2.0 : Sun Aug 19 2012 - 12:00:03 MDT