
Squid + Kerberos authentication



sdc_renningen
18-Jul-2014, 08:59
Hi,

I want to configure a SLES (SUSE Linux Enterprise Server 11 (x86_64) V11, PL3) to run a squid proxy with Kerberos authentication to the local domain. I started to install/configure with this link:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

the keytab was generated with samba.

wbinfo -g shows me the existing AD groups. Also wbinfo -u shows the current AD users. I also see the Kerberos traffic to the Windows DC in the Wireshark that is installed on the SLES system.

If I start a web browser that is configured to use the proxy service I get a login prompt, but authentication doesn't work. I also see no traffic from the SLES system to the Windows DC!
Error in squid log:

2014/07/10 11:24:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAA AADw==' from squid (length: 59).
2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdA AAADw==' (decoded length: 40).
2014/07/10 11:24:41| squid_kerb_auth: WARNING: received type 1 NTLM token


krb5.conf

[libdefaults]
# default_realm = EXAMPLE.COM
# default_realm = LOCAL
default_realm = EPSCENTRAL.NET
# Fred: 2 x set to true
dns_lookup_kdc = true
dns_lookup_realm = true
default_keytab_name = /etc/squid/HTTP.keytab
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 300

# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
EPSCENTRAL.NET = {
default_domain = epscentral.net
kdc = derigs0019srv.epscentral.net
admin_server = derigs0019srv.epscentral.net
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.epscentral.net = EPSCENTRAL.NET
epscentral.net = EPSCENTRAL.NET
.EPSCENTRAL.NET = EPSCENTRAL.NET
EPSCENTRAL.NET = EPSCENTRAL.NET
.stuttgart = EPSCENTRAL.NET
stuttgart = EPSCENTRAL.NET
.STUTTGART = EPSCENTRAL.NET
STUTTGART = EPSCENTRAL.NET

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
keytab = /etc/squid/HTTP.keytab
}


squid.conf:



auth_param negotiate program /usr/sbin/squid_kerb_auth -d -s HTTP/squid-proxy-3.epscentral.net@EPSCENTRAL.NET

auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours

acl auth proxy_auth REQUIRED


# Error appears when active: acl all src all
# acl all src all

# ATTENTION FOR TEST - if this line is active, the proxy works, because access from localnet is allowed without Kerberos (domain)
# http_access allow localnet
# or:
# localhost
# as last rule: deny everything
http_access deny !auth
http_access allow auth
http_access deny all


Any ideas?

thanks, markus

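As an added example (not part of the post and not code from the squid project): the helper log above shows the browser answering the Negotiate challenge with an NTLMSSP type 1 message instead of a Kerberos/SPNEGO token, which squid_kerb_auth cannot validate. The Python below decodes the logged token to confirm that; it assumes only the "Got 'YR <token>' from squid" debug line format shown in the post, and the second log line is constructed.

```python
import base64
import re
import struct

# Helper protocol line written by squid_kerb_auth -d: "YR" is the first token of a
# connection, "KK" a continuation. Only the "Got '...' from squid" part is parsed.
HELPER_RE = re.compile(r"Got '(?P<cmd>YR|KK) (?P<b64>[A-Za-z0-9+/=]+)' from squid")
NTLMSSP = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER OID 1.2.840.113554.1.2.2

def classify_token(b64):
    """Classify the GSS token a browser sent in Proxy-Authorization: Negotiate."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP):
        # NTLMSSP: 8-byte signature, then little-endian message type (1 = negotiate).
        ntlm_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mechanism": "NTLM", "ntlm_type": ntlm_type}
        if ntlm_type == 1 and len(raw) >= 40:
            # Type 1 messages carry an 8-byte version field at offset 32: major, minor, build.
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_version"] = (major, minor, build)
        return info
    if raw[:1] == b"\x60":
        # RFC 2743 InitialContextToken: [APPLICATION 0] tag, then the mechanism OID.
        head = raw[:16]
        if SPNEGO_OID in head:
            return {"mechanism": "SPNEGO"}
        if KRB5_OID in head:
            return {"mechanism": "Kerberos"}
        return {"mechanism": "GSS-API (unknown OID)"}
    return {"mechanism": "unknown"}

def scan_helper_log(lines):
    """Return (cmd, classification) for every helper debug line found in the log."""
    results = []
    for line in lines:
        m = HELPER_RE.search(line)
        if m:
            results.append((m.group("cmd"), classify_token(m.group("b64"))))
    return results

# Token from the post, written without the line-wrap space the forum inserted.
POSTED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAA" + "AAAA" * 4 + "AAAGAbEdAAAADw=="
# Constructed SPNEGO header (tag + OID only) showing what a Kerberos-capable client sends.
CONSTRUCTED_SPNEGO = base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()
SAMPLE_LOG = [
    "2014/07/10 11:24:41| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: %d)."
    % (POSTED_TOKEN, len(POSTED_TOKEN) + 3),
    "2014/07/10 11:30:02| squid_kerb_auth: DEBUG: Got 'YR %s' from squid (length: %d)."
    % (CONSTRUCTED_SPNEGO, len(CONSTRUCTED_SPNEGO) + 3),   # constructed line
]

if __name__ == "__main__":
    for cmd, info in scan_helper_log(SAMPLE_LOG):
        print(cmd, info)
```

For the posted token this reports NTLM type 1 from a 6.1 build 7601 client, i.e. the browser never obtained a Kerberos ticket for the proxy SPN and fell back to NTLM, which is also why no traffic to the DC is seen.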
sgrossiord123
29-Oct-2014, 14:27
Hi, I have the same issue with my config with Sles+AD=KERBEROS.

Have you troubleshot your issue?

Thx a lot

Regards

Sébastien