[squid-users] Re: Problems setting up Kerberos authentication

Did you follow the wiki
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos ? Did you
use the -d option with squid_kerb_auth ?

Markus

"Nikolaos Milas" <nmilas_at_noa.gr> wrote in message
news:4E7A5B55.5060107_at_noa.gr...
Hello,

I am setting up Kerberos auth on squid (3.1.15), but it won't work.
Browser (IE 8) keeps on poping up the username/password window, but
authentication is never successful. Yet, I don't see any logging of
failed authentication attempts in kerberos logs at all! It's as if squid
is not communicating with kerberos server. Yet, kinit from the command
line works fine (see details below).

What am I doing wrong? Am I missing something?

I need your help.

Thanks,
Nick

Details of the setup follow (true names/IP addresses have been changed):

I have a working Kerberos Server (MIT Kerberos 5 on CentOS 5.6) on
kerb.example.com and I am setting up squid on squid.example.com; it's
Squid 3.1.15.x86_64 as RPM on CentOS 5.6 (from here:
ftp://ftp.pbone.net/mirror/ftp.pramberger.at/systems/linux/contrib/rhel5/x86_64/squid3-3.1.15-1.el5.pp.x86_64.rpm).

Host squid.example.com is also setup as a kerberos client.

So, I have added to kerberos a host:

    host/squid.example.com_at_EXAMPLE.COM

and a service:

    HTTP/squid.example.com_at_EXAMPLE.COM

Then, I created a keytab file (httpsquid.keytab) for the latter:

[root_at_squid]# kadmin.local
Authenticating as principal userx/admin_at_EXAMPLE.COM with password.
kadmin.local: addprinc HTTP/squid.example.com_at_EXAMPLE.COM
WARNING: no policy specified for HTTP/squid.example.com_at_EXAMPLE.COM;
defaulting to no policy
Enter password for principal "HTTP/squid.example.com_at_EXAMPLE.COM":
Re-enter password for principal "HTTP/squid.example.com_at_EXAMPLE.COM":
Principal "HTTP/squid.example.com_at_EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5kdc/httpsquid.keytab HTTP/squid.example.com
Entry for principal HTTP/squid.example.com with kvno 2, encryption type
AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/httpsquid.keytab.
Entry for principal HTTP/squid.example.comwith kvno 2, encryption type
DES cbc mode with RSA-MD5 added to keytab
WRFILE:/etc/krb5kdc/httpsquid.keytab.

...moved it to /etc/squid and changed ownership to root:squid and
permissions: 640.

I have checked that the keytab file works:

    [root_at_squid]# kinit -V -k -t httpsquid.keytab HTTP/squid.example.com
    Authenticated to Kerberos v5

I also added to the start of /etc/init.d/squid the lines:

    KRB5_KTNAME=/etc/squid/httpsquid.keytab
    export KRB5_KTNAME

Then, I checked that kerberos authentication is enabled (as explained
e.g. here:
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_install_kerb_edit_browsers.html),
then I specified (in IE, Internet Options / Connections / LAN Settings)
squid.example.com as a Proxy on port 3128 and I have tried to visit any
page. As I explained, browser (IE 8) keeps on poping up the
username/password window, but authentication is never successful. I have
tried the following as username, without success:
userx
EXAMPLE.COM\userx
userx_at_example.com
userx_at_EXAMPLE.COM

On the other hand, Firefox 6 (with similar settings) doesn't show any
pop up window; it just fails.

I have tried the three following configuration alternatives, but it
didn't make any difference:
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth-d -s
HTTP/squid.example.com
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth

Here is /etc/squid/squid.conf:
---------------------------------------------------------------
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.10.10.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow localhost

auth_param negotiate program /usr/libexec/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

http_access allow auth
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Disable caching
cache deny all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

debug_options ALL, 9
---------------------------------------------------------------

And below is /etc/krb5.conf (on squid.example.com):
---------------------------------------------------------------
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm =EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
   kdc = kerb.example.com:88
   admin_server = kerb.example.com:749
   default_domain = example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
---------------------------------------------------------------