[squid-users] Re: Re: Re: kerberos (AD) authentication - squid_kerb_auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 27 Aug 2009 19:14:59 +0100

"Jeremy Monnet" <jmonnet_at_gmail.com> wrote in message
news:2b1bd02c0908270340g5bfb8b9fqa9842e0fd1851825_at_mail.gmail.com...
> On Thu, Aug 27, 2009 at 9:28 AM, Mrvka Andreas<mrv_at_tuv.at> wrote:
>> Hi,
>>
>> Am Donnerstag, 27. August 2009 08:40:53 schrieb Jeremy Monnet:
>>>
>>> Would you have any clue as to what the problem may be? Should I try with
>>> the MIT libs instead?
>>>
>> I use MIT libs... FYI
>
> Thanks for this piece of information, it helped very much (though the
> problem may not have been the library in itself).
>
> Now it works. Several pieces of information would, I think, need to be
> added to the wiki, mostly regarding the Windows configuration in fact.
> The squid/squid_kerb_auth/kerberos config was fine from the beginning I
> think (except maybe for the rights to the keytab file, but that was my
> mistake, and it is already written on the wiki).
>
> First, generating the keytab file on windows may be done with
> ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
> HTTP/squidproxy.ad.simia.fr_at_ad.simia.fr -mapuser host_squidproxy
> -ptype KRB5_NT_SRV_HST -crypto DES-CBC-MD5 +DesOnly

That is a bad idea. DES will be removed soon from Kerberos libraries as it is
seen as too weak. DES was required about 5 years ago when neither MIT nor
Heimdal had RC4-HMAC support.

> (I said in a previous message I already had problems with the
> encryption stuff on a previous project ...). I think I read somewhere
> that RC4-HMAC (in the klaubert tutorial [1]) could be used, but it
> seems it can't? Or maybe not with MIT libs, or maybe ... for some
> other reasons.
>
> Second, you have to log in to the Windows client *after* having
> generated the keytab and transferred it to the Linux box.
>

I don't understand this point. I assume you mean that the client caches a
wrong old Kerberos key?

> And it seems that the lines from krb5.conf related to *enctypes* are
> useless also.
>

They are not for MIT Kerberos libraries. I will update the wiki on this.
Thank you

> I found useful information on a thread about apache mod_auth_kerb,
> using the error message from the MIT libraries, which was more useful
> than the one from the heimdal library.
>
> Some other stuff may be useful, such as "you need the Support Tools on
> Windows to have the ktpass command" or "you need the Resource Kit to
> use the kerbtray command", but that is very Windows-ish stuff, though
> it is very useful to have this on a single wiki page IMHO.
>

ktpass has its own issues. You need the 2003 SP1 version and you may have
issues using it with Computer Accounts. The reason to use Computer accounts is
that in many environments you have user password policies (e.g. change every
90 days). This will make keytabs invalid after 90 days. You can add
exceptions to AD, but instead of that I prefer to use Computer accounts, and
msktutil makes it very easy directly from the Unix machine instead of
creating keytabs on Windows and copying them over to Unix boxes (insecurely
with ftp :-) ).

> Thanks very much for all your help !
>
> Jeremy
> [1]
> http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
> [2] http://osdir.com/ml/apache.mod-auth-kerb.general/2007-01/msg00057.html
>
Received on Thu Aug 27 2009 - 18:29:01 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 28 2009 - 12:00:03 MDT
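Added example (not part of the thread above, nor of Squid or msktutil): an offline check for the point Markus makes about DES. It parses the MIT/Heimdal keytab file format (version 0x0502) and classifies each key's enctype as WEAK (single DES, which a `+DesOnly` ktpass run produces), LEGACY (RC4-HMAC, 3DES) or OK (AES). The writer function exists only to construct sample keytabs inline so the script runs without a KDC; the principal name `HTTP/squidproxy.ad.simia.fr@AD.SIMIA.FR` is taken from the thread and the key bytes are dummies. On a real box you would feed it the keytab file you copied from Windows or created with msktutil.

```python
"""Audit a Kerberos keytab for weak enctypes. Added example, not from the thread.

Minimal parser for the MIT/Heimdal keytab format (version 0x0502) plus a
writer used only to build sample data inline. Principal/realm names are
assumptions taken from the thread; key bytes are constructed dummies.
"""
import struct

# Enctype numbers from the Kerberos registry (RFC 3961 / RFC 4120).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK = {1, 2, 3}      # single DES: 56-bit key, disabled by default in modern MIT/Heimdal
LEGACY = {16, 23}     # still accepted but deprecated (RFC 6649, RFC 8429)


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for realm, components and key."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Encode one keytab entry (only used here to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">I", name_type)      # field present only in format 0x0502
    body += struct.pack(">I", timestamp)      # time the entry was written
    body += struct.pack(">B", kvno & 0xFF)    # 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)           # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return a list of dicts (principal, kvno, enctype, key) from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size

        def take():             # read one length-prefixed string
            nonlocal pos
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s

        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        pos += 4                                        # name_type, not needed here
        (_ts, kvno8) = struct.unpack(">IB", data[pos:pos + 5])
        pos += 5
        (enctype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key = take()
        kvno = kvno8
        if end - pos >= 4:                              # 32-bit kvno overrides if present
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def audit_keytab(data: bytes):
    """Classify every key in the keytab as WEAK, LEGACY or OK."""
    report = []
    for e in parse_keytab(data):
        et = e["enctype"]
        verdict = "WEAK" if et in WEAK else "LEGACY" if et in LEGACY else "OK"
        report.append({"principal": e["principal"], "kvno": e["kvno"],
                       "enctype": ENCTYPE_NAMES.get(et, str(et)), "verdict": verdict})
    return report


def has_weak_keys(data: bytes) -> bool:
    return any(r["verdict"] == "WEAK" for r in audit_keytab(data))


# Constructed samples: what the thread's ktpass line (-crypto DES-CBC-MD5 +DesOnly)
# yields, versus a keytab carrying RC4 and AES keys. Key bytes are dummies.
PRINC = "HTTP/squidproxy.ad.simia.fr@AD.SIMIA.FR"
DES_ONLY_KEYTAB = build_keytab([(PRINC, 3, 3, b"\x11" * 8)])
MODERN_KEYTAB = build_keytab([(PRINC, 4, 23, b"\x22" * 16), (PRINC, 4, 18, b"\x33" * 32)])

if __name__ == "__main__":
    for label, kt in (("des-only", DES_ONLY_KEYTAB), ("modern", MODERN_KEYTAB)):
        for r in audit_keytab(kt):
            print(label, r["principal"], "kvno", r["kvno"], r["enctype"], r["verdict"])
```

To audit a real file, replace the constructed samples with `open("/etc/squid/PROXY.keytab", "rb").read()`; a WEAK verdict means the helper will stop working as soon as the Kerberos libraries on the proxy drop single-DES, regardless of what the KDC still offers. The kvno shown is also worth comparing against the account's current version in AD, since a password change on a user account (the 90-day policy Markus mentions) bumps the kvno and silently invalidates every key in the file.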