[squid-users] Kerberos authentication against AD 2003 server

From: Manoj Rajkarnikar <manoj.rajkarnikar_at_gmail.com>
Date: Sun, 29 Aug 2010 11:12:47 +0545

Hi all,

I've been trying to get my squid 2.7 S9 to work with kerberos
authentication against AD 2003 server for a couple of weeks now but still
failed. I've read through lots of posts in the list and different
tutorials, following them one at a time, but still no go. I've been
following tuts by Klaubert
(http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/)
and the wiki too. I've tried using the squid_kerb_auth both from the
squid dist and sourceforge v1.0.5. Here is what I did:

=> configure squid with these options:
./configure --prefix=/usr/local/squid --with-maxfd=16384
--enable-storeio=aufs,coss --enable-removal-policies=lru,heap
--enable-delay-pools --disable-wccp --disable-wccpv2 --enable-arp-acl
--enable-coss-aio-ops --disable-ident-lookups
--enable-auth="ntlm,basic,negotiate" --enable-ntlm-auth-helpers="SMB"
--enable-negotiate-auth-helpers="squid_kerb_auth"
--enable-basic-auth-helpers="LDAP"
--enable-external-acl-helpers="ldap_group" --with-large-files

=> created a user "proxy.domain" in AD server

=> created keytab in AD server:
ktpass -princ HTTP/proxy.domain@MYDOMAIN.COM -mapuser proxy.domain
-crypto rc4-hmac-nt -pass <password> -ptype KRB5_NT_SRV_HST -out
proxy.domain.keytab

and transferred to squid server in /etc/proxy.domain.keytab
chmod 400 /etc/proxy.domain.keytab
chown nobody /etc/proxy.domain.keytab

=> /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MYDOMAIN.COM = {
    kdc = dc1.mydomain.com:88
    kdc = dc2.mydomain.com:88
    kdc = dc3.mydomain.com:88
    admin_server = dc1.mydomain.com:749
    admin_server = dc2.mydomain.com:749
    admin_server = dc3.mydomain.com:749
    default_domain = mydomain.com
  }

[domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM

;[kdc]
; profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

=> tested the keytab file
[root@proxy ~]# kinit -V -k -t /etc/proxy.domain.keytab HTTP/proxy.domain
Authenticated to Kerberos v5

=> squid startup script
#!/bin/bash
export KRB5_KTNAME=/etc/proxy.domain.keytab
/usr/sbin/squid -D

=> squid.conf file
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

=> after starting squid, ps ax output
7040 ? Ss 0:00 /usr/sbin/squid -D
 7042 ? Sl 0:00 (squid) -D
 7043 ? S 0:00 (squid_kerb_auth) -d
 7044 ? S 0:00 (squid_kerb_auth) -d
 7045 ? S 0:00 (squid_kerb_auth) -d
 7046 ? S 0:00 (squid_kerb_auth) -d
 7047 ? S 0:00 (squid_kerb_auth) -d
 7048 ? S 0:00 (squid_kerb_auth) -d
 7049 ? S 0:00 (squid_kerb_auth) -d
 7050 ? S 0:00 (squid_kerb_auth) -d
 7051 ? S 0:00 (squid_kerb_auth) -d
 7052 ? S 0:00 (squid_kerb_auth) -d
 7053 ? S 0:00 (unlinkd)

=> proxy has A and PTR records for its fqdn in AD Server(DNS) and
resolves fine. IE7 in the client machine (Windows XP) is set up with the fqdn as
the proxy address. When trying to access the internet, the login prompt
comes up repeatedly and dies with a denied message after 3 attempts.

=> when using squid_kerb_auth v1.0.5 from sourceforge:

2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 10:59:00| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 10:59:00| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 10:59:00| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/08/29 10:59:00| squid_kerb_auth: received type 1 NTLM token
2010/08/29 10:59:00| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2010/08/29 10:59:00| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 10:59:00| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:49| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:03:49| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:03:49| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/08/29 11:03:49| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:03:49| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2010/08/29 11:03:49| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:03:49| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:03:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:03:50| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:03:50| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2010/08/29 11:03:50| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:03:50| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:03:50| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:03:50| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:03:50| squid_kerb_auth: Decode
'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
length: 40).
2010/08/29 11:03:50| squid_kerb_auth: received type 1 NTLM token

=> using squid_kerb_auth from squid2.7Stable9 distribution:

2010/08/29 11:09:14| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:09:14| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:09:14| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:09:15| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to
challenge client 'received'!
2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:15| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:09:15| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:09:15| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:15| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:15| authenticateNegotiateAuthenticateUser: need to
challenge client 'received'!
2010/08/29 11:09:15| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:09:15| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:09:16| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to
challenge client 'received'!
2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'
2010/08/29 11:09:16| Parser: retval 1: from 0->41: method 0->2; url
4->30; version 32->40 (1/1)
2010/08/29 11:09:16| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/08/29 11:09:16| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/08/29 11:09:16| squid_kerb_auth: received type 1 NTLM token
2010/08/29 11:09:16| authenticateNegotiateAuthenticateUser: need to
challenge client 'received'!
2010/08/29 11:09:16| The request GET http://www.squid-cache.org/ is
DENIED, because it matched 'authenticated'
2010/08/29 11:09:16| The reply for GET http://www.squid-cache.org/ is
ALLOWED, because it matched 'authenticated'

kerbtray shows krbtgt/MYDOMAIN.COM entries listed.

I'm obviously doing something wrong here. Please help me point out
what I am doing wrong.

Thanks
Manoj
Received on Sun Aug 29 2010 - 05:27:50 MDT
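As an added diagnostic example (not part of the original post): the token that Squid hands to squid_kerb_auth in the cache.log excerpts above decodes to bytes beginning with NTLMSSP, i.e. the browser sent an NTLM NEGOTIATE (type 1) message rather than a SPNEGO-wrapped Kerberos ticket, which is exactly what the helper's 'received type 1 NTLM token' error reports. The decoder below parses that logged token and distinguishes NTLMSSP from SPNEGO and raw Kerberos GSS tokens; the SPNEGO sample token is constructed here, and the regex assumes the single-line form of the helper's log entry.

```python
import base64
import re
import struct

# Constructed from the cache.log excerpt in the post: the token Squid passed to the helper.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="

SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)
# Constructed minimal SPNEGO NegTokenInit for comparison (not from the post).
SPNEGO_SAMPLE = base64.b64encode(b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag: 8-byte Version field present at offset 32


def token_from_log_line(line):
    """Extract the base64 token from a "Got 'YR <token>' from squid" entry (assumed single-line form)."""
    m = re.search(r"Got '(?:YR|KK) (\S+)' from squid", line)
    return m.group(1) if m else None


def _der_content_offset(buf, pos):
    """Offset of the content following the DER tag and length that start at pos."""
    length = buf[pos + 1]
    return pos + 2 if length < 0x80 else pos + 2 + (length & 0x7F)


def classify_token(b64):
    """Report which GSS mechanism a Negotiate token carries, with NTLM details where present."""
    tok = base64.b64decode(b64)
    if tok.startswith(NTLMSSP_SIG):
        mtype = struct.unpack_from("<I", tok, 8)[0]          # little-endian MessageType
        info = {"mech": "NTLMSSP", "type": mtype, "name": NTLM_TYPES.get(mtype, "unknown")}
        if mtype == 1:
            flags = struct.unpack_from("<I", tok, 12)[0]      # NegotiateFlags
            info["flags"] = flags
            if flags & NTLMSSP_NEGOTIATE_VERSION and len(tok) >= 40:
                major, minor, build = struct.unpack_from("<BBH", tok, 32)
                info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if tok[:1] == b"\x60":                                    # GSS-API InitialContextToken
        body = tok[_der_content_offset(tok, 0):]
        if body.startswith(SPNEGO_OID):
            return {"mech": "SPNEGO"}
        if body.startswith(KRB5_OID):
            return {"mech": "KRB5"}
    return {"mech": "unknown"}
```

Run against the logged token it reports an NTLMSSP NEGOTIATE message from a Windows 5.1 (XP) client, so the failure is upstream of the keytab: the client never presented a Kerberos ticket for the proxy's SPN.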
