[squid-users] squid_kerb_auth for AD auth

From: Sean Boran <sean_at_boran.com>
Date: Fri, 7 Sep 2012 09:59:05 +0200

For Windows systems in a domain, what is the typical strategy? Would
one usually
A. Authenticate via Kerberos (only IE browsers, or also Chrome/FF)?
B. else authenticate via NTLM (IE only?)
C. else use LDAP (all other browsers and Linux, or Windows PCs not in
the domain).

Is it right to say that if Kerberos is enabled, but not basic/LDAP,
then non-IE browsers cannot log in?
Or will Kerberos work for all browsers on a Windows system in the domain?

Or have I completely misunderstood? :-)

Starting off with C) squid_ldap_auth, which works fine, the next step
is kerberos.

For kerberos, my main reading references are:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

Running squid/3.HEAD-20120814-r12282.

On the Linux level, Kerberos and Samba are installed/configured, the
system is in the domain (wbinfo -t) and "kinit -V username" works
fine. NTLM auth on the command line looks OK too (/usr/bin/ntlm_auth
--domain=MYDOMAIN --username=myuser).

In squid, Kerberos is configured as follows:
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
-d -i -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=1 idle=5
auth_param negotiate keep_alive on
acl restricted proxy_auth REQUIRED

After restarting squid, the log entries look good:
Sep 7 09:10:31 proxy squid[26997]: helperOpenServers: Starting 1/10
'squid_kerb_auth' processes

Trying to connect with IE causes a login box to pop up in the browser
and squid to log:
ERROR: Negotiate Authentication validating user. Error returned 'BH
received type 1 NTLM token'

in cache.log:
2012/09/07 09:22:53.421| ACL::checklistMatches: checking 'restricted'
2012/09/07 09:22:53.421| Acl.cc(65) AuthenticateAcl: returning 3
sending authentication challenge.

I can enter a valid or invalid username/password in the popup box,
but no access is granted and I don't see any usernames or
squid_kerb_auth lines in the cache.log.

Question: how can one debug in detail what squid_kerb_auth is doing?
The "-d" option does not seem to show much? (debug_options ALL,1 83,5
23,2 26,9 28,9 33,4 84,3: any better suggestions?)

Doing some "tcpdump -A" tracing:
- browser sends: GET http://google.com/ HTTP/1.1
- proxy answers:
HTTP/1.1 407 Proxy Authentication Required
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate
- browser sends back:
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
- proxy answers:
HTTP/1.1 407 Proxy Authentication Required
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: Negotiate

Also tried Kerberos with NTLM; in this case access is always denied,
no popup. Tcpdump shows similar handshaking.
auth_param negotiate program
/usr/local/squid/libexec/negotiate_wrapper_auth -d --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
--domain=MYDOMAIN --kerberos /usr/local/squid/libexec/squid_kerb_auth
-d -i -s GSS_C_NO_NAME
-

Thanks in advance for any tips :-)
Received on Fri Sep 07 2012 - 07:59:13 MDT
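Added example, not from the thread or from Squid itself: a small Python script that decodes the Proxy-Authorization: Negotiate token captured in the tcpdump trace above and reports which mechanism the browser actually sent. A token starting with "TlRMTVNT" is base64 for "NTLMSSP", i.e. the browser fell back to NTLM inside Negotiate, which matches the helper's "BH received type 1 NTLM token"; the SPNEGO and Kerberos samples are constructed so the other branches can be seen.

```python
"""Classify a Proxy-Authorization: Negotiate token (diagnostic helper)."""
import base64
import struct

# DER-encoded OIDs that follow the GSS-API [APPLICATION 0] tag (0x60).
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(b64):
    """Say which mechanism the client put in the Negotiate header.
    mech 'ntlmssp' means the browser had no Kerberos ticket for the proxy
    SPN and sent raw NTLM, which a Kerberos-only helper rejects."""
    raw = base64.b64decode(b64.strip())
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)   # little-endian type
        result = {"mech": "ntlmssp", "ntlm_type": msg_type,
                  "ntlm_name": NTLM_TYPES.get(msg_type, "unknown")}
        if msg_type == 1 and len(raw) >= 16:
            (result["flags"],) = struct.unpack_from("<I", raw, 12)
        return result
    if raw[:1] == b"\x60":                 # GSS-API InitialContextToken
        _, pos = _der_length(raw, 1)
        if raw.startswith(OID_SPNEGO, pos):
            return {"mech": "spnego"}
        if raw.startswith(OID_KRB5, pos):
            return {"mech": "krb5"}
        return {"mech": "gss-unknown-oid"}
    return {"mech": "unknown"}


# Token copied verbatim from the tcpdump trace in the post above.
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed samples: GSS headers with an empty inner token.
SPNEGO_SAMPLE = base64.b64encode(b"\x60\x08" + OID_SPNEGO).decode()
KRB5_SAMPLE = base64.b64encode(b"\x60\x0b" + OID_KRB5).decode()

if __name__ == "__main__":
    for tok in (PAGE_TOKEN, SPNEGO_SAMPLE, KRB5_SAMPLE):
        print(classify_negotiate_token(tok))
```

Feed it the base64 string from a 407/Proxy-Authorization exchange: an ntlmssp result points at the client side (no ticket for HTTP/proxy-fqdn, or the proxy not trusted for Negotiate), not at the helper.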
