hello
I am trying to setup kerberos auth against Active Directory - Windows 2000 - in squid, 2.7. This is primarily so that the username is captured in the access log. But also user based access control will occasionally be used.
I've installed the squid_kerb_auth software from http://squidkerbauth.sourceforge.net/
The relevant squid config looks like this:
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /usr/local/squid/squid_kerb_ldap -d -g active-directory-group_at_my.domain
acl ldap_group_check external squid_kerb_ldap
acl k_test src [some.test.host.address]
http_access allow k_test ldap_group_check
http_access deny k_test
Initially I used the msktutil package to create the AD account keytab, thus:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squidhost.my.domain -k /etc/squid/HTTP.keytab --computer-name squidhost --upn HTTP/squidhost.my.domain --server windows_ad_host.my.domain --verbose
This produced the desired keytab but in the verbose output noted that the ticket version number was not returned ("must be Windows 2000" - it is) and so set the kvno to zero. This is reflected in the output of kvno HTTP/squidhost.my.domain
When the client connected (Mac OS X 10.6) using the Chrome browser, squid's cache.log reported that the ticket version number didn't match:
squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect.
Using kvno HTTP/squidhost.my.domain on this client the version number was 3 while doing the same on the proxy the version was zero. So that made sense.
I fixed this by not using msktutil and using ktpass on the Active DIrectory server and specifying -kvno 3. Installed this on the proxy host and that error went away.
Reading about ktpass and kerberos auth in Microsoft's KB, it said that the (squid) host needs have an account created for it as a user in the domain. Weird but I did this, using the host name as the user shortname. I used this hostname in ktpass with -mapuser
Now in squid's cache.log the logs show, in part,
2010/11/02 12:01:55| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/11/02 12:01:55| squid_kerb_auth: AF AA== rolf_at_MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Got User: rolf Domain: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: User domain loop: group_at_domain actiive-directory-group_at_my.domain
2010/11/02 12:01:55| squid_kerb_ldap: Found group_at_domain active-directory-group_at_my.domain
2010/11/02 12:01:55| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/02 12:01:55| squid_kerb_ldap: Get default keytab file name
2010/11/02 12:01:55| squid_kerb_ldap: Got default keytab file name /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Get principal name from keytab /etc/squid/HTTP.keytab
2010/11/02 12:01:55| squid_kerb_ldap: Keytab entry has realm name: MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Found principal name: HTTP/squidhost.my.domain_at_MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Set credential cache to MEMORY:squid_ldap_20411
2010/11/02 12:01:55| squid_kerb_ldap: Got principal name HTTP/squidhost.my.domain_at_MY.DOMAIN
2010/11/02 12:01:55| squid_kerb_ldap: Stored credentials
2010/11/02 12:01:55| squid_kerb_ldap: Initialise ldap connection
2010/11/02 12:01:55| squid_kerb_ldap: Canonicalise ldap server name for domain MY.DOMAIN
Apart from the first line ... "failed with rc=102" this looks ok.
Then there are many (from debugging I presume) instances of:
squid_kerb_ldap: Resolved SRV _ldap._tcp.MY.DOMAIN record to ad-domain-controller.my.domain
for various domain controllers on the network.
Then lots of
2010/11/02 12:02:09| squid_kerb_ldap: Setting up connection to ldap server various-domain-servers-and-workstations_at_my.domain:389
2010/11/02 12:02:09| squid_kerb_ldap: SASL not supported on system
Finally these log entries which show the deny reason - that I'm not a member of the group. But I confirm that I am a member of the group:
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: Error during initialisation of ldap connection: Success
2010/11/02 12:02:09| squid_kerb_ldap: User rolf is not member of group_at_domain active-directory-group_at_my.domain
2010/11/02 12:02:09| squid_kerb_ldap: Default domain loop: group_at_domain active-directory-group_at_my.domain
2010/11/02 12:02:09| squid_kerb_ldap: Default group loop: group_at_domain active-directory-group_at_my.domain
2010/11/02 12:02:09| squid_kerb_ldap: ERR
I have tried many combinations of service keytab creation and so on, but I cannot get any further than this. Any help most appreciated.
thanks
rolf.
Received on Tue Nov 02 2010 - 01:52:40 MDT
This archive was generated by hypermail 2.2.0 : Wed Nov 03 2010 - 12:00:02 MDT