[squid-users] Windows group authentication

From: Jean-Denis Girard <jd.girard_at_sysnux.pf>
Date: Sun, 30 Jan 2011 15:25:56 -1000

Hi list,

I have an old installation using squid-2.6.STABLE23 with ntlm_auth for
Windows XP users belonging to a group; it works like a charm, but I want
to upgrade it for various reasons (security, need to support Win7, ...).

So I made a fresh Linux install (Mandriva-2010.2). It has
squid-3.1-14.1mdv2010.1 (but the log says Squid Cache version 3.1.4).

Now I'm a bit confused about what is needed to achieve Windows
authentication (XP, then 7). From the documentation, I understood that
squid_kerb_auth should be enough, so I have this in squid.conf:
 auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d

The new server has joined the Windows domain using msktutil (I'd like to
avoid samba if possible). The DNS is OK, ntp is working so no clock
problem. But authentication doesn't work, see log below. How should I
configure the Windows group?

So my question is simple: do I need anything else besides
squid_kerb_auth for Windows group authentication? Are samba, ntlm_auth
still needed?

Thanks,
--
Jean-Denis Girard

SysNux Systèmes Linux en Polynésie française
http://www.sysnux.pf/ Tél: +689 50 10 40 / GSM: +689 79 75 27

2011/01/07 10:10:43.769| authenticateValidateUser: Validating Auth_user
request '0'.
2011/01/07 10:10:43.769| authenticateValidateUser: Auth_user_request was
NULL!
2011/01/07 10:10:43.769| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2011/01/07 10:10:43.769| authenticateFixHeader: headertype:37 authuser:0
2011/01/07 10:10:43.769| AuthNegotiateConfig::fixHeader: Sending type:37
header: 'Negotiate'
2011/01/07 10:10:43.775| authenticateAuthenticate: header Negotiate YIIGJgYG
[snip]
2011/01/07 10:10:43.775| authenticateAuthenticate: This is a new
checklist test on FD:9
2011/01/07 10:10:43.775| authenticateAuthenticate: no connection
authentication type
2011/01/07 10:10:43.775| AuthConfig::CreateAuthUser: header = 'Negotiate
YIIGJg
[snip]
2011/01/07 10:10:43.775| AuthUser::AuthUser: Initialised auth_user
'0x8c20b08' with refcount '0'.
2011/01/07 10:10:43.775| AuthUserRequest::AuthUserRequest: initialised
request 0x8c20458
2011/01/07 10:10:43.775| authenticateAuthUserLock auth_user '0x8c20b08'.
2011/01/07 10:10:43.775| authenticateAuthUserLock auth_user '0x8c20b08'
now at '1'.
2011/01/07 10:10:43.775| AuthNegotiateConfig::decode: Negotiate
authentication
2011/01/07 10:10:43.775| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
2011/01/07 10:10:43.775| AuthNegotiateUserRequest::authenticate: auth
state negotiate none. Received blob: 'Negotiate YIIGJgYGKwYBBQUCoIIGGjCCBha
[snip]
2011/01/07 10:10:43.775| AuthUserRequest::lock: auth_user request
'0x8c20458 0->1
2011/01/07 10:10:43.775| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.775| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
2011/01/07 10:10:43.775| AuthUserRequest::lock: auth_user request
'0x8c20458 1->2
2011/01/07 10:10:43.776| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.776| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.776| authenticateStart: auth_user_request '0x8c20458'
2011/01/07 10:10:43.776| AuthNegotiateUserRequest::module_start: auth
state is '1'
2011/01/07 10:10:43.776| AuthUserRequest::lock: auth_user request
'0x8c20458 2->3
2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Got 'YR YIIGJgYGKwYBBQU
[snip]
bkIUQRH' from squid (length: 2107).
2011/01/07 10:10:43| squid_kerb_auth: DEBUG: Decode
'YIIGJgYGKwYBBQUCoIIGGjCCBhagJDAiB
[snip]
2011/01/07 10:10:43| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure. Minor code may provide more information. Key
table entry not found
2011/01/07 10:10:43.778| authenticateNegotiateHandleReply: helper:
'0x8a0e868' sent us 'BH gss_acquire_cred() failed: Unspecified GSS
failure. Minor code may provide more information. Key table entry not
found'
2011/01/07 10:10:43.778| negotiate/auth_negotiate.cc(602)
releaseAuthServer: releasing Negotiate auth server '0x8a0e868'
2011/01/07 10:10:43.778| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH gss_acquire_cred()
failed: Unspecified GSS failure. Minor code may provide more
information. Key table entry not found'
2011/01/07 10:10:43.778| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
2011/01/07 10:10:43.778| authenticateAuthenticate: header Negotiate
YIIGJgYGKwYBBQUCoI
IGGjCCBhagJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBewEggXoYIIF5AYJKoZIhvcS
A
[snip]
2011/01/07 10:10:43.778| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
2011/01/07 10:10:43.778| AuthNegotiateUserRequest::authenticate: auth
state negotiate failed. Negotiate
YIIGJgYGKwYBBQUCoIIGGjCCBhagJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYB
[snip]
2011/01/07 10:10:43.778| authenticateValidateUser: Validating Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| authenticateValidateUser: Validated Auth_user
request '0x8c20458'.
2011/01/07 10:10:43.778| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
2011/01/07 10:10:43.778| AuthUserRequest::unlock: auth_user request
'0x8c20458 3->2
2011/01/07 10:10:43.778| AuthUserRequest::lock: auth_user request
'0x8c20458 2->3
2011/01/07 10:10:43.779| AuthUserRequest::unlock: auth_user request
'0x8c20458 3->2
2011/01/07 10:10:43.779| authenticateFixHeader: headertype:37 authuser:0
2011/01/07 10:10:43.779| AuthNegotiateConfig::fixHeader: Sending type:37
header: 'Negotiate'
2011/01/07 10:10:43.779| AuthUserRequest::unlock: auth_user request
'0x8c20458 2->1
2011/01/07 10:10:43.779| AuthNegotiateUserRequest::onConnectionClose:
closing connection '0x8c16f38' (this is '0x8c20458')
2011/01/07 10:10:43.779| negotiate/auth_negotiate.cc(606)
releaseAuthServer: No Negotiate auth server to release.
2011/01/07 10:10:43.779| AuthNegotiateUserRequest::onConnectionClose:
Unlocking auth_user from the connection '0x8c16f38'.
2011/01/07 10:10:43.779| AuthUserRequest::unlock: auth_user request
'0x8c20458 1->0
2011/01/07 10:10:43.779| AuthUserRequest::unlock: deleting
auth_user_request '0x8c20458'.
2011/01/07 10:10:43.779| AuthUserRequest::~AuthUserRequest: freeing
request 0x8c20458

Received on Mon Jan 31 2011 - 01:25:59 MST
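
Added example (not part of the original post, and not Squid's own code): a small Python triage script that reassembles hard-wrapped cache.log records like those in the message above and pulls out the squid_kerb_auth failure from the surrounding debug noise. The function names and the sample text are constructed for illustration; treating the text after the last ". " as the GSS minor-status message is an assumption.

```python
import re

# Constructed sample: records shaped like the log above, hard-wrapped as in the mail.
SAMPLE_LOG = """\
2011/01/07 10:10:43.776| authenticateStart: auth_user_request '0x8c20458'
2011/01/07 10:10:43| squid_kerb_auth: ERROR: gss_acquire_cred() failed:
Unspecified GSS failure. Minor code may provide more information. Key
table entry not found
2011/01/07 10:10:43.778| authenticateNegotiateHandleReply: helper:
'0x8a0e868' sent us 'BH gss_acquire_cred() failed: Unspecified GSS
failure. Minor code may provide more information. Key table entry not
found'
2011/01/07 10:10:43.778| AuthNegotiateUserRequest::authenticated: user
not fully authenticated.
"""

# A record starts with "YYYY/MM/DD hh:mm:ss[.mmm]|"; any other line continues it.
RECORD_START = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?)\| ?(.*)$")
# Error line written by the helper itself.
HELPER_ERROR = re.compile(r"squid_kerb_auth: ERROR: (\w+)\(\) failed: (.*)$")
# Squid's record of the helper reply; BH is the helper-failure reply code.
HELPER_REPLY = re.compile(r"helper: '0x[0-9a-f]+' sent us 'BH (\w+)\(\) failed: (.*)'$")

def reassemble(text):
    """Join hard-wrapped continuation lines into (timestamp, message) records."""
    records = []
    for line in text.splitlines():
        start = RECORD_START.match(line)
        if start:
            records.append([start.group(1), start.group(2).strip()])
        elif records and line.strip() not in ("", "[snip]"):
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]

def negotiate_failures(text):
    """Return one finding per helper error line or BH reply in the log text."""
    findings = []
    for stamp, message in reassemble(text):
        for source, pattern in (("helper", HELPER_ERROR), ("squid", HELPER_REPLY)):
            hit = pattern.search(message)
            if hit:
                # Assumption: text after the last ". " is the GSS minor-status message.
                minor = hit.group(2).rsplit(". ", 1)[-1]
                findings.append({"time": stamp, "seen_by": source,
                                 "call": hit.group(1), "minor": minor})
    return findings

if __name__ == "__main__":
    for finding in negotiate_failures(SAMPLE_LOG):
        print(finding)
```
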