[squid-users] Re: Squid + Kerberos + Active Directory

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 3 Jun 2009 22:51:50 +0100

>----- Original Message -----
>From: "Truth Seeker" <truth_seeker_3535_at_yahoo.com>
>To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>Cc: "Squid maillist" <squid-users_at_squid-cache.org>
>Sent: Wednesday, June 03, 2009 7:39 PM
>Subject: Re: [squid-users] Re: Squid + Kerberos + Active Directory
>
>
>
>
>Dear Markus,
>
>Really thanks for your suggestions... i didn't understand a few of them...
>anyway the following is my reply to your queries... kindly assist me to
>keep the things up and running...
>
>
>FQDN --> linuxproxy.panasonic.com
>HOSTNAME --> linuxproxy
>
>
>[root@linuxproxy ~]# klist -kt
>Keytab name: FILE:/etc/squid/HTTP.keytab
>KVNO Timestamp Principal
>---- ----------------- --------------------------------------------------------
> 4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
> 4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
> 4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
> 3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
> 3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
> 3 06/02/09 18:05:23 HTTP/linuxproxy.panasonic.com@PANASONIC.COM
>[root@linuxproxy ~]#
>
>
>
>Does your startup script set the KRB5_KTNAME environment variable ?
>
>[root@linuxproxy ~]# head -23 /etc/rc.d/init.d/squid
>#!/bin/bash
>### BEGIN INIT INFO
># Provides: squid
># chkconfig: - 90 25
># pidfile: /var/run/squid.pid
># config: /etc/squid/squid.conf
># Short-Description: starting and stopping Squid Internet Object Cache
># Description: Squid - Internet Object Cache. Internet object caching is \
># a way to store requested Internet objects (i.e., data available \
># via the HTTP, FTP, and gopher protocols) on a system closer to the \
># requesting site than to the source. Web browsers can then use the \
># local Squid cache as a proxy HTTP server, reducing access time as \
># well as bandwidth consumption.
>### END INIT INFO
>
>KRB5_KTNAME=/etc/squid/HTTP.keytab
>PATH=/usr/bin:/sbin:/bin:/usr/sbin
>export PATH KRB5_KTNAME
>
># Source function library.
>. /etc/rc.d/init.d/functions
>
># Source networking configuration.
>[root@linuxproxy ~]#
>
>
>
>
>Can you do a successful kinit -k squid.keytab HTTP/hostname ? (i didn't
>understand how to issue this command, anyway i tried the following);
>
>[root@linuxproxy ~]# ls /etc/squid/HTTP.keytab (i am using HTTP.keytab
>file name, i think u mentioned squid.keytab, am i right?)
>/etc/squid/HTTP.keytab
>[root@linuxproxy ~]#
>[root@linuxproxy ~]# kinit -k HTTP.keytab HTTP/linuxproxy

Sorry I forgot the -t. It should have been:

kinit -k -t HTTP.keytab HTTP/linuxproxy.panasonic.com

This is to prove that the keytab entry is valid.

>Extra arguments (starting with "HTTP/linuxproxy").
>Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time]
>[-r renewable_life] [-f | -F] [-p | -P] [-a | -A]
>[-v] [-R] [-k [-t keytab_file]]
>[-c cachename] [-S service_name] [principal]
>
> options: valid with Kerberos:
>-5 Kerberos 5 (available)
>-4 Kerberos 4 (available)
> (Default behavior is to try Kerberos 5)
>-V verbose Either 4 or 5
>-l lifetime Either 4 or 5
>-s start time 5
>-r renewable lifetime 5
>-f forwardable 5
>-F not forwardable 5
>-p proxiable 5
>-P not proxiable 5
>-a include addresses 5
>-A do not include addresses 5
>-v validate 5
>-R renew 5, or both 5 and 4
>-k use keytab 5, or both 5 and 4
>-t filename of keytab to use 5, or both 5 and 4
>-c Kerberos 5 cache name 5
>-S service 5, or both 5 and 4
>[root@linuxproxy ~]#
>
>
>
>
>Can you add a -d to squid_kerb_auth and send me the output ?
>where do i add this -d ? you mean in the squid.conf? if so, from where will
>i get the output? in stdout? or in any of the log messages? please
>clarify...

Yes, in the squid.conf (e.g. auth_param negotiate program
/usr/lib/squid/squid_kerb_auth -d).

The output goes to cache.log

>
>
>
>Did you use the fqdn in IE to point to squid ?
>i tried FQDN after your mail, but the same result. Cache Access Denied!!!
>before i had given the IP, and the result is the same. (i am eager to know,
>will this not work if i am specifying the IP? or is it mandatory that i
>should specify the fqdn?)
>

I remember IE needed the fqdn.

>
>
>The command which i used to create the computer account in the active
>directory from the squid proxy machine;
>
>msktutil -c -b "OU=Servers" -s HTTP/linuxproxy.panasonic.com -h
>linuxproxy -k /etc/squid/HTTP.keytab --computer-name SQUIDPROXY --upn
>HTTP/linuxproxy.panasonic.com --server pana001.panasonic.com --verbose
>
>where my hostname = linuxproxy
>fqdn = linuxproxy.panasonic.com (resolvable in DNS)
>SAM client name specified = Squidproxy
>Active Directory Server (DC) = pana001.panasonic.com (resolvable in DNS)
>
>
>
>Here is my krb5.conf;
>
>[root@linuxproxy ~]# cat /etc/krb5.conf
>[libdefaults]
> default_realm = PANASONIC.COM
> dns_lookup_kdc = no
> dns_lookup_realm = no
> default_keytab_name = /etc/squid/HTTP.keytab
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>[realms]
> PANASONIC.COM = {
> kdc = pana001.panasonic.com
> admin_server = pana001.panasonic.com
> }
>
>[domain_realm]
> .panasonic..com = PANASONIC.COM
> panasonic.com = PANASONIC.COM
>
>[logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
>
>-
>--
>---
>Always try to find truth!!!
>
>
>--- On Tue, 6/2/09, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>

Can you send me the squid_kerb_auth debug output from cache.log ?

Markus
Received on Wed Jun 03 2009 - 21:53:44 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 04 2009 - 12:00:02 MDT
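The checks Markus asks for in the thread (the HTTP/fqdn principal present in the keytab, kinit -k -t succeeding against the KDC, KRB5_KTNAME exported, krb5.conf [domain_realm] free of typos) gathered into one script, as an added example that is not from the thread or the Squid project. The keytab path, realm and fqdn are assumptions taken from the thread, and the sample klist and krb5.conf text is constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): sanity checks for a
# squid_kerb_auth setup. Assumed values match the thread: keytab
# /etc/squid/HTTP.keytab, realm PANASONIC.COM, proxy fqdn linuxproxy.panasonic.com.
KEYTAB="${KRB5_KTNAME:-/etc/squid/HTTP.keytab}"
REALM="PANASONIC.COM"
FQDN="$(hostname -f 2>/dev/null || echo linuxproxy.panasonic.com)"

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 if the "klist -kt" listing contains an entry for PRINCIPAL.
# The entry must be HTTP/host.fqdn@REALM, the name the browser requests a ticket for.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# domain_realm_ok KRB5CONF_TEXT
# Returns 0 if every [domain_realm] key is a well-formed DNS name; a typo such
# as ".panasonic..com" silently breaks host-to-realm mapping.
domain_realm_ok() {
    bad=$(printf '%s\n' "$1" \
        | awk '/^\[/ {sec=$1} sec=="[domain_realm]" && /=/ {print $1}' \
        | grep -E '\.\.|[^A-Za-z0-9.-]' || true)
    [ -z "$bad" ] && return 0
    echo "malformed [domain_realm] key(s): $bad" >&2
    return 1
}

# run_live_checks: the real commands from the thread; needs the MIT krb5 tools.
run_live_checks() {
    [ -n "$KRB5_KTNAME" ] || echo "warning: KRB5_KTNAME not exported to squid" >&2
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB not readable" >&2; return 1; }
    keytab_has_principal "$(klist -kt "$KEYTAB")" "HTTP/$FQDN@$REALM" \
        || { echo "no HTTP/$FQDN@$REALM entry in $KEYTAB" >&2; return 1; }
    # Proves the keytab key is accepted by the KDC (the corrected kinit form).
    kinit -k -t "$KEYTAB" "HTTP/$FQDN" || return 1
    domain_realm_ok "$(cat /etc/krb5.conf)" || return 1
    echo "ok: $KEYTAB holds a valid key for HTTP/$FQDN@$REALM"
}

# Constructed sample data so the parsing functions can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   4 06/02/09 18:05:36 HTTP/linuxproxy.panasonic.com@PANASONIC.COM'
SAMPLE_KRB5_BAD='[domain_realm]
 .panasonic..com = PANASONIC.COM
 panasonic.com = PANASONIC.COM'

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it with --live on the proxy host as root to execute the real klist/kinit checks; without arguments it only defines the functions.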