[squid-users] Re: Re: Re: Creating a kerberos Service Principal.

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 16 Apr 2010 15:18:27 +0100

Hi Bilal,

In your case the browser is returning a NTLM token not a Kerberos token whu
squid_kerb_auth will deny access.

Regards
Markus

"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w155DE8E05828B08D15C09AB90E0_at_phx.gbl...

Dear Nick,

This was the result of my klist -k command:

[root_at_squidLhrTest log]# klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 HTTP/vdc.v.com.pk_at_V.COM.PK
2 HTTP/vdc.v.com.pk_at_V.COM.PK
2 HTTP/vdc.v.com.pk_at_V.COM.PK
---------------------------------------

i recreated the spn as follows in my new lab ( domaincontroller name is now
vdc.v.local and proxyname is squidLhrTest)
msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.local -h squidLhrTest.v.local -k
/etc/squid/HTTP.keytab --computer-name squid-http --upn
HTTP/squidLhrTest.v.local --server vdc.v.local --verbose

However whenever a client try to access the internet this error appears:

CacheHost: squidLhrTest
ErrPage: ERR_CACHE_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 16 Apr 2010 10:43:51 GMT
ClientIP: 10.1.82.54
HTTP Request:
GET /isapi/redir.dll?prd=ie&ar=hotmail HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.microsoft.com
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

thank you so much for you consideration Nick. yes despite doing lots of
efforts not being able to get this thing to work and am frustated now.....
however in the journey at least learnt many things :)

regards,

Bilal Aslam

> From: Nick.Cairncross_at_condenast.co.uk
> To: gigoz_at_msn.com
> Date: Fri, 16 Apr 2010 09:39:11 +0100
> Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
>
> Bilal,
>
> I understand your frustration! First off: What happens when you klist -k
> /etc/squid/HTTP.keytab
> As I understand it, shouldn't you be specifying the spn as
> HTTP/yoursquidproxy and not your DC? You want to be able to authenticate
> from the squid proxy, using the HTTP service to the squid-http computer
> account.
>
> Nick
>
>
>
>
>
> On 16/04/2010 08:43, "GIGO ." wrote:
>
>
>
> Dear Nick/Markus,
>
> I am totally lost in translation and am not sure what to do i need your
> help please. The problem is that my kerberos authentication is not
> working. In my virtual environment i have two machines one configured as
> Domain Controller and the other one as SquidProxy. I am trying to use the
> internet from my domain controller( internet explorer 7 & DNS name is
> given instead of the ip). However it only popup a authentication window
> and never works like it should.
>
>
>
>
> I have setup the squid authentication as follows:
>
>
> Steps:
>
> I copied the squid_kerb_auth files to correct directory. (SELinux is
> enabled)
>
> cp -r squid_kerb_auth /usr/libexec/squid/
>
> I then Installed the msktutil software
>
> step No 1: i changed my krb5.conf file as follows;
>
> ------------------------krb5.conf-----------------------------------------------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = V.COM.PK
> dns_lookup_realm = no
> dns_lookup_kdc = no
> ticket_lifetime = 24h
> forwardable = yes
> default_keytab_name= /etc/krb5.keytab
> ; for windows 2003
> default_tgs_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes= rc4-hmac des-cbc-crc des-cbc-md5
> [realms]
> V.LOCAL = {
> kdc = vdc.v.com.pk:88
> admin_server = vdc.v.com.pk:749
> default_domain = v.com.pk
> }
> [domain_realm]
> .linux.home = V.COM.PK
> .v.com.pk=V.COM.PK
> v.local=V.COM.PK
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> Step 2: I verified the settings in resolv.conf & hosts file
> ------------------etc/resolv.conf---------------------------------------
> nameserver 10.1.82.51 (My domain conroller and DNS)
>
> ------------------------/etc/hosts
> file----------------------------------------
> 127.0.0.1 squidLhrTest localhost.localdomain localhost
> 10.1.82.52 squidLhrTest.v.com.pk
> ::1 localhost6.localdomain6 localhost6
> -------------------------------------------------------------------------------
>
>
> Step 3:
> i created the keytab as follows:
> kinit administrator_at_V.LOCAL
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/vdc.v.com.pk -h
> squidLhrTest.v.com.pk -k /etc/squid/HTTP.keytab --computer-name
> squid-http --upn HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
>
> Out put of my command:
>
> [root_at_squidLhrTest msktutil-0.3.16]# msktutil -c -b "CN=COMPUTERS" -s
> HTTP/vdc.v.com.pk -h squidLhrTest.v.com.pk -k
> /etc/squid/HTTP.keytab --computer-name squid-http --upn
> HTTP/vdc.v.com.pk --server vdc.v.com.pk --verbose
> -- init_password: Wiping the computer password structure
> -- finalize_exec: Determining user principal name
> -- finalize_exec: User Principal Name is: HTTP/vdc.v.com.pk_at_V.COM.PK
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.mskt-9130krb5.conf
> -- get_krb5_context: Creating Kerberos Context
> -- try_machine_keytab: Using the local credential cache:
> /tmp/.mskt-9130krb5_ccache
> -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found
> in Kerberos database)
> -- try_machine_keytab: Unable to authenticate using the local keytab
> -- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
> -- try_ldap_connect: Connecting to LDAP server: vdc.v.com.pk
> SASL/GSSAPI authentication started
> SASL username: Administrator_at_V.COM.PK
> SASL SSF: 56
> SASL installing layers
> -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=com,dc=pk
> -- get_short_hostname: Determined short hostname: squidLhrTest
> -- finalize_exec: SAM Account Name is: squid-http$
> Updating all entries for squidLhrTest.v.com.pk in the keytab
> /etc/squid/HTTP.keytab
> -- try_set_password: Attempting to reset computer's password
> -- ldap_check_account: Checking that a computer account for squid-http$
> exists
> No computer account for squid-http found, creating a new one.
> -- ldap_check_account_strings: Inspecting (and updating) computer account
> attributes
> -- get_user_principal: Obtaining Principal for the executing user
> -- generate_new_password: Generating a new, random password for the
> computer account
> -- try_set_password: krb5_get_init_creds_keytab failed (No such file or
> directory)
> -- try_set_password: Attempting to reset computer's password
> -- ldap_check_account: Checking that a computer account for squid-http$
> exists
> -- ldap_check_account: Checking computer account found
> -- ldap_check_account_strings: Inspecting (and updating) computer account
> attributes
> -- get_user_principal: Obtaining Principal for the executing user
> -- generate_new_password: Generating a new, random password for the
> computer account
> -- ldap_get_pwdLastSet: pwdLastSet is 0
> -- ldap_get_pwdLastSet: pwdLastSet is 129158200838811250
> -- try_set_password: Successfully reset computer's password
> -- update_keytab: Updating all entires for squidLhrTest
> -- ldap_list_principals: Listing principals for LDAP entry
> -- ldap_list_principals: Found Principal: HTTP/vdc.v.com.pk
> -- ldap_add_principal: Checking that adding principal HTTP/vdc.v.com.pk to
> squidLhrTest won't cause a conflict
> -- ldap_add_principal: Adding principal HTTP/vdc.v.com.pk to LDAP entry
> -- add_principal: Adding principal to keytab: HTTP/vdc.v.com.pk
> -- ldap_get_kvno: KVNO is 2
> -- ldap_get_des_bit: Determined DES-only flag is 0
> -- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
> -- add_principal: Adding entry of enctype 0x1
> -- add_principal: Using salt of V.COM.PKhostsquid-http.v.com.pk
> -- add_principal: Adding entry of enctype 0x3
> -- add_principal: Using salt of V.COM.PKHTTPvdc.v.com.pk
> -- add_principal: Adding entry of enctype 0x17
> -- krb5_cleanup: Destroying Kerberos Context
> -- ldap_cleanup: Disconnecting from LDAP server
> -- init_password: Wiping the computer password structure
> [root_at_squidLhrTest msktutil-0.3.16]#
>
>
>
>
>
> I assigned the proper permissions to the keytab file that i have created.
> chown proxy /etc/squid/HTTP.keytab
> chmod 400 /etc/squid/HTTP.keytab
>
>
> Step 4:
> I changed my squid.conf to include the following lines
>
> My squid.conf files lines;;;;
> ------------------------------------------squid.conf---------------------------------------------------------------------
> auth_param negotiate program /usr/libexec/squid/squid_kerb_auth
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> #http_access allow all
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access allow auth
> http_access deny all
>
>
>
>
>
>
> i run this command from shell as well:
>
> KRB5_KTNAME=/etc/squid/HTTP.keytab
> export KRB5_KTNAME
> KRB5RCACHETYPE=none
> export KRB5RCACHETYPE
>
> squid started with no errors at all however when i tried to use internet
> from my DomainController itself. Only pop up windows with never being able
> to get through......
> ------------------------------------------Access.log-------------------------------------------------------------------
> 1271402564.794 0 10.1.82.51 TCP_DENIED/407 2352 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271402586.850 0 10.1.82.51 TCP_DENIED/407 2352 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271402601.448 0 10.1.82.51 TCP_DENIED/407 2352 GET
> http://www.yahoo.com/ - NONE/- text/html
> 1271402602.093 0 10.1.82.51 TCP_DENIED/407 2352 GET
> http://www.yahoo.com/ - NONE/- text/html
>
>
> Thanks for the support given earlier and advance.
>
> regards,
>
> Bilal Aslam
>
>
> _________________________________________________________________
> Hotmail: Powerful Free email with security by Microsoft.
> https://signup.live.com/signup.aspx?id=60969
>
>
> ** Please consider the environment before printing this e-mail **
>
> The information contained in this e-mail is of a confidential nature and
> is intended only for the addressee. If you are not the intended addressee,
> any disclosure, copying or distribution by you is prohibited and may be
> unlawful. Disclosure to any party other than the addressee, whether
> inadvertent or otherwise, is not intended to waive privilege or
> confidentiality. Internet communications are not secure and therefore
> Conde Nast does not accept legal responsibility for the contents of this
> message. Any views or opinions expressed are those of the author.
>
> Company Registration details:
> The Conde Nast Publications Ltd
> Vogue House
> Hanover Square
> London W1S 1JU
>
> Registered in London No. 226900
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
Received on Fri Apr 16 2010 - 14:20:07 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 17 2010 - 12:00:05 MDT