[squid-users] Re: squid 2.7 - problems with kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 1 Sep 2009 19:40:43 +0100

Please post extracts of the cache.log file. both squid_kerb-auth and
squid_kerb_ldap produce lots of debug with -d.

Regards
Markus

"Дмитрий Нестеркин" <undelborg_at_gmail.com> wrote in message
news:cf132a050909010041x59898e38naa49ca3eab9745e1_at_mail.gmail.com...
I'm trying to configure Kerberos authentication for Squid 2.7 (Debian
Lenny, MIT kerberos; Windows Server 2003 no service packs), but no
luck :(

This is how my configuration files look like:

squid.conf:

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3128
acl CONNECT method GET
#
#CHECKING USERS BY AD
#
external_acl_type ldap_check ttl=1200 %LOGIN
/usr/lib/squid/squid_ldap_group -R -b "dc=mydomain,dc=local" -f
"(&(objectclass=user)(sAMAccountName=%v
(memberof=cn=%a,ou=internet,dc=mydomain,dc=local))" -D
"proxyuser_at_mydomain.local" -w "password" -K -d 192.168.100.42
#
acl auth proxy_auth REQUIRED
acl inet_access external ldap_check inet_allow
#
http_access allow inet_access
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny !auth
http_access allow auth
http_access deny all

/etc/init.d/squid содержит:
KRB5_KTNAME=/etc/squid/krbldap.mydomain.local.keytab
export KRB5_KTNAME
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

/etc/krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_realm = no
dns_lookup_kdc = no
default_keytab_name = /etc/squid/krbldap.mydomain.local.keytab
default_tgs_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
default_tkt_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
permitted_enctypes = des-cbc-crc rc4-hmac des-cbc-md5
ticket_lifetieme= 24h
# The following krb5.conf variables are only for MIT Kerberos.
# krb4_config = /etc/krb.conf
# krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
MYDOMAIN = {
kdc = dc.mydomain:88
admin_server = dc.mydomain:749
default_domain = mydomain
}

MYDOMAIN.LOCAL = {
kdc = dc.mydomain.local:88
admin_server = dc.mydomain.local:749
default_domain = mydomain.local
}

[domain_realm]
.linux.local = MYDOMAIN.LOCAL
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
#[appdefaults]
#pam = {
#debug = false
#ticket_lifetime = 36000
#renew_lifetime = 36000
#forwardable = true
#krb4_convert = false
#}

#[kdc]
#profile = /usr/share/krb5-kdc/kdc.conf

#[login]
# krb4_convert = false
# krb4_get_tickets = false

[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/kdc.log
kdc = SYSLOG:INFO AEMON
admin_server = FILE:/var/log/kadmin.log

When I try to check authorisation from terminal - it's OK:
$ sudo kinit -V -k -t /etc/squid/krbldap.mydomain.local.keytab
HTTP/Most2.mydomain.local
Authenticated to Kerberos v5

When I try to authenticate users by IP address - everything is OK

access.log:
1251706346.035 0 192.168.10.133 TCP_DENIED/407 1750 GET
http://www.debian.org/ - NONE/- text/html

Internet Explorer 7 show error message "Internet Explorer cannot
display this page"
Opera 9.6 requests login and password, but they are not being accepted.

What am I doing wrong?

--
Best regards,
Dmitry
Received on Tue Sep 01 2009 - 18:42:16 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 02 2009 - 12:00:01 MDT