Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

From: Mrvka Andreas <mrv_at_tuv.at>
Date: Wed, 26 Aug 2009 14:58:37 +0200

hm...

I can tell you what I did.

First I tried ktpass too, as you describe.
But nevertheless, to use exactly the same as in the wiki, I finally used
msktutil to proceed.

I run an SLES 11 server and had to download the SLES 11 SDK ISO to compile
msktutil successfully.

My way was:

- configure /etc/krb5.conf correctly (realm, ad-server, etc.)
- join AD domain with a user with permissions
- kinit thisADuser_at_mydomain.com
- ./msktutil -c -s HTTP/squidproxy.mydomain.com -h squidproxy.mydomain.com \
    -k /usr/local/squid-3.1/etc/HTTP.keytab --computer-name squidproxy \
    --upn HTTP/squidproxy.mydomain.com --server DC.mydomain.com \
    --verbose --delegation --description "Proxy Server"

- configure squid.conf to use auth_param negotiate path_to_squidkerbauth <no parameters!!>

And it worked.

I never used squid_kerb_auth_test as I didn't know how to use it :-)

Bye
Andrew

On Wednesday, 26 August 2009 12:28:15, you wrote:
> On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas<mrv_at_tuv.at> wrote:
> > hi,
> >
> > if you have gone through the wiki[...]/Kerberos guide then you are close
> > to the goal.
>
> I hope so anyway :-)
>
> > it seems that your problem is only a configuration error on the client side.
>
> I am not so sure anymore. I tried to use the squid_kerb_auth_test
> utility, but it still gives me errors on the tokens (see below for
> listings). I may add that I compiled both squid3.0 and squid_kerb_auth
> 1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the
> squid_kerb_auth1.0.5 package and the squid3.0 package. I get errors in
> both cases (though not the same, but that may simply be that one is
> older).
>
> I am using a windows server 2003 R2 corporate with SP2, in case there
> may be an issue with a SP or something.
>
> Last thing I can think of is the way I created the keytab (but
> kerberos seems to like it this way):
> ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
> HTTP/squidproxy.ad.simia.fr_at_ad.simia.fr -mapuser host_squid -ptype
> KRB5_NT_SRV_HST -crypto DES-CBC-MD5 (could have used RC4-HMAC, but I
> had problems before when I put in place unix authentication on
> AD/kerberos).
>
> > since with squid_kerb_auth it is a MUST to configure the fqdn name of squid in
> > the IE settings.
>
> I did it this way ... :-/
>
> > at my place IE 7, IE 8 and FF 3.5 work great with squid_kerb_auth.
>
> Hope I can make it work also.
>
>
> Thanks,
>
> Jeremy
>
> Squid_kerb_auth_test :
> ############
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
> squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit jems_at_AD.SIMIA.FR
> jems_at_AD.SIMIA.FR's Password:
> squidproxy:~/squid/squid_kerb_auth-1.0.5#
> /root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test
> squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s
> HTTP/squidproxy.ad.simia.fr
> 2009/08/26 12:17:10| squid_kerb_auth: Got 'Token:
> [base64 token elided]' from squid (length: 1699).
> 2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed:
> A token was invalid. unknown mech-code 0 for mech unknown
> NA gss_accept_sec_context() failed: A token was invalid. unknown
> mech-code 0 for mech unknown
> ##############
>
> squid log trying from windows box :
> ##############
> 2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request was NULL!
> 2009/08/26 12:23:30.633| authenticateAuthenticate: broken auth or no
> proxy_auth header. Requesting auth header.
> 2009/08/26 12:23:30.941| authenticateAuthenticate: no connection
> authentication type
> 2009/08/26 12:23:30.942| AuthUser::AuthUser: Initialised auth_user
> '0x9b0e640' with refcount '0'.
> 2009/08/26 12:23:30.942| AuthUserRequest::AuthUserRequest: initialised
> request 0x9b12418
> 2009/08/26 12:23:30.954| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.956| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.957| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2009/08/26 12:23:30.957| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.959| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.960| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:30.961| AuthUserRequest::~AuthUserRequest: freeing
> request 0x9b12418
> 2009/08/26 12:23:32.123| authenticateValidateUser: Auth_user_request was NULL!
> 2009/08/26 12:23:32.124| authenticateAuthenticate: broken auth or no
> proxy_auth header. Requesting auth header.
> 2009/08/26 12:23:32.395| authenticateAuthenticate: no connection
> authentication type
> 2009/08/26 12:23:32.395| AuthUser::AuthUser: Initialised auth_user
> '0x9b0e688' with refcount '0'.
> 2009/08/26 12:23:32.396| AuthUserRequest::AuthUserRequest: initialised
> request 0x9b12418
> 2009/08/26 12:23:32.396| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.398| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.399| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2009/08/26 12:23:32.399| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
> request '0x9b12418'.
> 2009/08/26 12:23:32.403| AuthUserRequest::~AuthUserRequest: freeing
> request 0x9b12418
> ##############
>
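Added example, not from this thread and not squid's own code: a small Python classifier for the kind of token a client puts in "Proxy-Authorization: Negotiate". It tells a SPNEGO token that carries Kerberos apart from one that carries NTLM, which is the difference between the two errors in the logs above (squid_kerb_auth_test rejecting a Kerberos token versus the helper answering 'BH received type 1 NTLM token' to IE). The DER helpers, the function names and the sample tokens are constructed here; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP ones.

```python
import struct
# DER-encoded OIDs seen in Negotiate tokens (RFC 4178 SPNEGO, RFC 4121 Kerberos, MS-NLMP NTLM)
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def der(tag, body):  # minimal DER TLV encoder (long-form length once body >= 128 bytes)
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

def read_tlv(buf, pos=0):  # -> (tag, body, next_pos) for the DER TLV starting at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def tlvs(buf):  # iterate every (tag, body) pair in a run of concatenated TLVs
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def ntlm_type(tok):  # NTLMSSP MessageType (1/2/3), or 0 if tok is not an NTLM message
    return struct.unpack("<I", tok[8:12])[0] if tok[:8] == b"NTLMSSP\x00" and len(tok) >= 12 else 0
def classify(tok):  # what a 'Proxy-Authorization: Negotiate' token really carries
    if ntlm_type(tok):                            # bare NTLMSSP, no SPNEGO wrapper at all
        return "ntlm type %d (raw)" % ntlm_type(tok)
    tag, body, _ = read_tlv(tok)                  # [APPLICATION 0] InitialContextToken
    t, oid, pos = read_tlv(body)                  # thisMech OID
    if tag != 0x60 or t != 0x06 or oid not in (SPNEGO, KRB5):
        return "unknown"
    if oid == KRB5:
        return "kerberos (raw)"
    seq = read_tlv(read_tlv(body, pos)[1])[1]     # [0] NegTokenInit -> SEQUENCE
    mechs, inner = [], b""
    for t, b in tlvs(seq):
        if t == 0xA0:                             # mechTypes: SEQUENCE OF OID, preferred first
            mechs = [o for _, o in tlvs(read_tlv(b)[1])]
        elif t == 0xA2:                           # mechToken: OCTET STRING holding the inner token
            inner = read_tlv(b)[1]
    if ntlm_type(inner):                          # client sent NTLM: squid_kerb_auth answers BH
        return "ntlm type %d (spnego)" % ntlm_type(inner)
    return "kerberos (spnego)" if mechs[:1] == [KRB5] else "unknown"

def spnego_init(mech, inner):  # build a one-mechanism NegTokenInit (constructed sample)
    neg = der(0xA0, der(0x30, der(0x06, mech))) + der(0xA2, der(0x04, inner))
    return der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, neg)))
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(24)      # constructed NTLM NEGOTIATE_MESSAGE
FAKE_APREQ = der(0x60, der(0x06, KRB5) + b"\x01\x00" + bytes(200))  # constructed stand-in for an AP-REQ
```

Feed classify() the base64-decoded string after "Token:" in squid_kerb_auth -d output. An "ntlm type 1" verdict means the browser fell back to NTLM (the 'BH received type 1 NTLM token' case above), which points at the client side rather than at the keytab.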
Received on Wed Aug 26 2009 - 12:58:45 MDT
