[squid-users] problems with squid_ldap_auth

From: Gavin McCullagh <gavin.mccullagh_at_gcd.ie>
Date: Tue, 10 Nov 2009 18:38:58 +0000

Hi,

I've been trying to get squid_ldap_auth to work on a debian lenny box here
using the packaged squid, which is as follows:

--------------------------------------------------------------------------------
gavinmc@muinnamuice:~$ sudo squid -v
Squid Cache: Version 2.7.STABLE3
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=' 'CPPFLAGS='
--------------------------------------------------------------------------------

I've been following a set of tutorials such as

        http://www.grolmsnet.de/kerbtut/
        http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
        http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I've set up the keytab, created on the Windows server and transferred over, and
all seems to be working:

--------------------------------------------------------------------------------
gavinmc@muinnamuice:~$ sudo -u proxy kinit -V -k -t /etc/squid/squid_muinnamuice.krb5keytab SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE
Authenticated to Kerberos v5
gavinmc@muinnamuice:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE

Valid starting     Expires            Service principal
11/10/09 18:00:57  11/11/09 00:40:57  krbtgt/STAFF.GCD.IE@STAFF.GCD.IE
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
gavinmc@muinnamuice:~$ kvno SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE
SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE: kvno = 3
--------------------------------------------------------------------------------

However, using IE8, which requires ldap auth, authentication seems to be
failing. Below is the output with debug level 3 in squid.

--------------------------------------------------------------------------------
2009/11/10 18:23:31| Parser: retval 1: from 0->40: method 0->2; url 4->29; version 31->39 (1/1)
2009/11/10 18:23:31| Parser: retval 1: from 0->40: method 0->2; url 4->29; version 31->39 (1/1)
2009/11/10 18:23:31| squid_kerb_auth: Got 'YR YIIF9wYGKwYBBQUCoIIF6zCCBeegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBbEEggWtYIIFqQYJKoZIhvcSAQICAQBuggWYMIIFlKADAgEFoQMCAQ6iBwMFACAAAACjggSGYYIEgjCCBH6gAwIBBaEOGwxTVEFGRi5HQ0QuSUWiKzApoAMCAQKhIjAgGwRIVFRQGxhtdWlubmFtdWljZS5zdGFmZi5nY2QuaWWjggQ4MIIENKADAgEXoQMCAQKiggQmBIIEIlFvkWb8/ir66BtS/JRa4PkFzvR933EJLhmawTrp1zUPylFzUyBx7RitmQvcNTZ4ZI8Pre1MKsGeRzKUcbZBGD6q1dMga1npFmLz7oIVwIjXiFo+uVD9t8ZI+OhnaIC4mnWR3Zsavas5e5bbwRYclTkx7j3OCbJcZzlGwjOjTu0n7EAkbQhBt7QeHMDsAOk/M1UfwY+Gtrx9W89+2sxqScsProjv2lPKCr/u4QyK9T1jG2QrP8ImjSDZG+3MAmjjpenxwC/VFRPNVAC1SR4U1gqeYKONT3IYLdYnZkfusHxBpVSJ7oHhfUMNXlKe9nah2lCDDoMgvnw2pxvskxguQ45yQ19YWMRY3LG1MOIXQLWO+b+tcJuB1DE/7XIQiwBTXwjTWfJg8dkB9pmQKuDIG6giLWaHboUQ/hH4jrVZetXAq9fbP2slyzikerBLSVu0N8sKgdNJXZWgkelwsXBqXkHbiwvZXupkrMuqHybNrMUCfszU5Ifuew5fzrO7v93saFl6Qv19zqzCH54TCczURkZtqFpSIcqqRVHwA/pT+xfr2lx6Tpg4AjJ4rqzuXrut/qJzCtrBS7StpkIzn1FEsrhYWvLHXKv69AEmAE9d+B33J/pWzUMPZ7XhycSq7Ay+pUKyAz6t2mf0y5bOFSBn7N2SNLKFIV4TaClmMwMX7VIk3+Kaf7f6v6j77H9E7XBcLZrfqXRnRRXljRArC661ETxTaeMm90f5fVzIxD1AqQLlbasu6AZ+7zBSiJZflzkqHWINPWxeU/VqvNggjQor6uKlJz0l2gipyBSjuLoi/HVA8da3Eu6XPyx4oP4APAHE/Cyvx83E4mBlZeEy9dJMk5dWmX3Bnr1qEeN+o5BjuzbQRlI2uWYZEy3TjFl4TpduJ4XO6DcUXGtN6Fg2UxWZrs7tvc8vhBy4Twq/tYO69yCnYkJLI1DzqEk2joyZh33j3KwYqA5VHbqve3gsj+9Ft+XIlpxdkJ2JEYB7Dq50qekyv1ozvo4wr9aGI3E7HTij4wUJP10HRxg3tFQs8rWdZT2r08Zon0xlLPXta5rTGzj99Dn63TB9E1YA6Q0obfZIE+uylhXj3cK/T4q09RfJiojE/T9BQiTG6HVvrvQm+RHwlPsa+6yZqp6oBODfDNHOH2iGBYGl//SNjpZAt6B2RsMItdHS/Q1v/JRJD3+xZUwWm8kspJMUWr+sPm0BpEQtykjQhcJBdLMpFFCJlL7tGYhHzEb92hnuMIZwRoL0JROH+kGxahmkHI+Oj6sCeewfxWxGgKAO5aV8gSjJTJaVlWJGk6s6KQ/onjmAKsfzcXY83ZZSuQ9LjJbIP4Gf99jJOeZEW44x8W+X6yevJPDiFeXxkBanWUAwJF5q+4vPeD9LbOHnZ0L7Px3WBO9fjTyC1yYxpIH0MIHxoAMCAReigekEgeZ2GzgZue9olCJji0cIUE6we4nigI5cLAr8Xm4GFisky95FyvuSmKdYzFk53Q3VsSuLOcG0e5y3Z4QeT0dFr0UtF9qmX5jGYOWfrIzEduuiTXpdwi3J4gbQokTcVyhv8T8t99SSooI0nbKsR9sEVHYfvCdpbb64dN0asBX3IBmsdRVOCdyuzlBnT4X7Jz6YS09Fo+IL2ixM6XD9VrNHWi5BaSsrZB
o0g4ghGw8g/7M7gvX3Osgo0fyzVGINlBZISlQhIOKdS9MrI8EtWtgrIDMaqZu3t1u+mkCjITdzcX1VAPF8GV8opQ==' from squid (length: 2047).
2009/11/10 18:23:31| squid_kerb_auth: parseNegTokenInit failed with rc=101
2009/11/10 18:23:31| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name
2009/11/10 18:23:31| authenticateNegotiateAuthenticateUser: need to challenge client 'gss_acquire_cred()'!
2009/11/10 18:23:31| The request GET http://www.irishtimes.com/ is DENIED, because it matched 'auth'
2009/11/10 18:23:31| The reply for GET http://www.irishtimes.com/ is ALLOWED, because it matched 'auth'
--------------------------------------------------------------------------------

It seems kerberos is working. You only see traffic on port 88 during the
kinit, but that's what I'd expect (given my limited understanding of
kerberos).

The relevant squid config is:

--------------------------------------------------------------------------------
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 40
auth_param negotiate keep_alive on
authenticate_ttl 60 seconds

acl lcl src 172.16.0.0/255.255.0.0 172.20.2.0/28
acl auth proxy_auth REQUIRED
never_direct allow lcl auth !local-servers
http_access allow lcl auth
--------------------------------------------------------------------------------

Has anyone any suggestions as to what might be wrong?

Many thanks in advance for any ideas,

Gavin
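An added check, not part of Gavin's message and not squid code: the 'YR ...' blob that squid_kerb_auth logs is a base64 SPNEGO NegTokenInit, and the Kerberos AP-REQ inside it carries, in the clear, the realm and service principal (sname) the browser obtained its ticket for. The script below decodes that structure with a small DER walker and compares the principal it finds with the principals the keytab is shown to hold. LOG_TOKEN_PREFIX is a constructed copy of the first 272 base64 characters of the token in the log above, cut just after the sname (the parser never walks past it, so the truncation is harmless); KEYTAB_PRINCIPALS is assumed to be the single principal the kinit -k -t in the post used, since that is the only keytab entry the post demonstrates.

```python
"""Decode the 'YR ...' Negotiate token from the squid_kerb_auth debug log and
report which service principal the client's Kerberos ticket names.  Added
example for this page, not squid code."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # MIT krb5, MS krb5

LOG_TOKEN_PREFIX = (  # constructed: truncated copy of the token in the log
    "YIIF9wYGKwYBBQUCoIIF6zCCBeegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYB"
    "BAGCNwICHgYKKwYBBAGCNwICCqKCBbEEggWtYIIFqQYJKoZIhvcSAQICAQBuggWYMIIF"
    "lKADAgEFoQMCAQ6iBwMFACAAAACjggSGYYIEgjCCBH6gAwIBBaEOGwxTVEFGRi5HQ0Qu"
    "SUWiKzApoAMCAQKhIjAgGwRIVFRQGxhtdWlubmFtdWljZS5zdGFmZi5nY2QuaWWjggQ4"
)

# Assumed keytab contents: the principal kinit -k -t used in the post.
KEYTAB_PRINCIPALS = ["SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE"]


def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos; value_end may
    lie past len(buf) for truncated input, which slicing tolerates."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield the elements contained in buf[start:end]."""
    pos = start
    while pos < min(end, len(buf)):
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def child(buf, start, end, tag):
    """Value bounds of the first element with `tag` inside buf[start:end]."""
    for t, s, e in children(buf, start, end):
        if t == tag:
            return s, e
    raise ValueError(f"tag 0x{tag:02x} not found")


def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def unwrap_gss(buf):
    """GSS-API InitialContextToken: [APPLICATION 0] { mech OID, inner token }."""
    tag, start, end = read_tlv(buf, 0)
    otag, ostart, oend = read_tlv(buf, start)
    if tag != 0x60 or otag != 0x06:
        raise ValueError("not a GSS-API initial context token")
    return decode_oid(buf[ostart:oend]), oend, end


def parse_negotiate_token(b64):
    """Return the mechTypes offered and realm/sname of the AP-REQ ticket."""
    buf = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    oid, pos, end = unwrap_gss(buf)
    mechs = []
    if oid == SPNEGO_OID:                   # NegTokenInit wrapping the krb5 token
        s, e = child(buf, pos, end, 0xA0)           # [0] NegTokenInit
        s, e = child(buf, s, e, 0x30)
        ms, me = child(buf, *child(buf, s, e, 0xA0), 0x30)     # [0] mechTypes
        mechs = [decode_oid(buf[a:b]) for t, a, b in children(buf, ms, me) if t == 0x06]
        ts, te = child(buf, *child(buf, s, e, 0xA2), 0x04)     # [2] mechToken
        buf = buf[ts:te]
        oid, pos, end = unwrap_gss(buf)
    if oid not in KRB5_OIDS or buf[pos:pos + 2] != b"\x01\x00":  # TOK_ID AP-REQ
        raise ValueError(f"inner token is not a Kerberos AP-REQ (mech {oid})")
    s, e = child(buf, pos + 2, end, 0x6E)           # AP-REQ [APPLICATION 14]
    s, e = child(buf, s, e, 0x30)
    s, e = child(buf, s, e, 0xA3)                   # [3] ticket
    s, e = child(buf, s, e, 0x61)                   # Ticket [APPLICATION 1]
    s, e = child(buf, s, e, 0x30)
    rs, re_ = child(buf, *child(buf, s, e, 0xA1), 0x1B)        # [1] realm
    ns, ne = child(buf, *child(buf, s, e, 0xA2), 0x30)         # [2] sname
    nts, nte = child(buf, *child(buf, ns, ne, 0xA0), 0x02)     # name-type
    ss, se = child(buf, *child(buf, ns, ne, 0xA1), 0x30)       # name-string
    sname = "/".join(buf[a:b].decode("ascii") for t, a, b in children(buf, ss, se) if t == 0x1B)
    realm = buf[rs:re_].decode("ascii")
    return {"mech_types": mechs, "realm": realm, "sname": sname,
            "name_type": int.from_bytes(buf[nts:nte], "big"),
            "principal": f"{sname}@{realm}"}


def diagnose(b64, keytab_principals):
    """Compare the ticket's service principal with what the keytab holds."""
    want = parse_negotiate_token(b64)["principal"]
    if want in keytab_principals:
        return f"OK: ticket is for {want}, which the keytab holds"
    return f"MISMATCH: ticket is for {want}; keytab holds {', '.join(keytab_principals)}"


if __name__ == "__main__":
    print(diagnose(LOG_TOKEN_PREFIX, KEYTAB_PRINCIPALS))
```

Run as-is, diagnose() reports that the ticket in the logged token is for HTTP/muinnamuice.staff.gcd.ie@STAFF.GCD.IE (name-type 2, NT-SRV-INST, with MS-KRB5, KRB5, NEGOEX and NTLMSSP offered as mechTypes), while the only keytab principal the post demonstrates is SQUID/muinnamuice.staff.gcd.ie@STAFF.GCD.IE. That is the comparison to make against the real keytab with klist -k -t /etc/squid/squid_muinnamuice.krb5keytab: browsers request a ticket for HTTP/<proxy FQDN>, squid_kerb_auth by default derives the same HTTP/<hostname> name for gss_acquire_cred (its -s option selects a different one), and "No principal in keytab matches desired name" is the library saying the keytab has no key for that principal.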
Received on Tue Nov 10 2009 - 18:39:03 MST
