Squid kerberos authentication and ldap authorization in Active Directory

Edited on jun, 21, 2009

The squid web cache include a authenticator for kerberos, it is simple to use, but the documentation is not very clear about how to make it work. Below some steps use by me to make Squid 3.0 Stable1 and Squid 2.6 Stable17 authenticate against Active Directory (Windows 2003 Directory Service) and also to make it make the authorization using Ldap. This setup was not used in production environment yet, so its possible to had some problems not seen by me or scalabilities issues.

Compilation

To achieve our objective:

  • Authenticate using “Kerberos” (Negotiate);
  • Authenticate using “Basic authentication”, with Ldap as back-end (for backward compatibility);
  • Authorization using Ldap group membership;

we need to compile Squid with some specific parameters:

  • –enable-auth=”basic negotiate”
  • –enable-basic-auth-helpers=”LDAP”
  • –enable-negotiate-auth-helpers=”squid_kerb_auth”
  • –enable-external-acl-helpers=”ldap_group”

other parameters that you can need must be supplied at compilation time.

Authentication

In this article we’ll use two types of authentication: Negotiate (using Kerberos) and Basic (using Ldap).

To use Negotiate authentication method the web browser must be writed to understand it and configure correctly to do so, and the computer use need to be authenticated by the kerberos infra-structure and receive the appropriated key from the KDC (Key Distribution Center). I’m using Firefox for Linux 2.0 (authenticated with kerberos), Firefox for Windows 2.x and Internet Explorer 6/7, all worked very well.

The Basic authentication is present in any web browser, and we will use Ldap as back-end authentication provider.

Negotiate/kerberos authentication

This part is divided in two parts, one in Linux box other in Windows Domain Controlle, and was strongly based on http://www.grolmsnet.de/kerbtut/ article, that has Apache as a target but this steps works for Squid too.

Windows Step:

Create a user account, ex. squid.domain, and using ktpass command tool create a keytab file.

ktpass -princ HTTP/squid.domain@REALM -mapuser squid.domain -crypto rc4-hmac-nt pass squid-pass -ptype KRB5_NT_SRV_HST -out squid.domain.keytab

Transfer this file safely to the squid box.

Linux/Squid step:

Check that /etc/krb5.conf are correctly configured, example bellow (pay attention on bold lines):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


[libdefaults]
default_realm = REALM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Move the keytab file to some directory related to squid, like /etc/squid, and must change the permission like this:

chmod 400 /etc/squid/squid.domain.keytab
chown nobody /etc/squid/squid.domain.keytab

You can test is the squid box can use the keytab file using kinit command:
kinit -V -k -t squid.domain.keytab HTTP/squid.domain
klist

You need to put a line like this in squid startup script:

export KRB5_KTNAME=/etc/squid/squid.domain.keytab
In squid.conf you need set directives like this:
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl AUTENTICADO proxy_auth REQUIRED
http_access allow AUTENTICADO
http_access deny all

Aditional reference about kerberos authentication for Squid:

Check the /etc/hosts file to certify that the fqdn used on keytab file are associated to the correct address on hosts files, as well on DNS (A and PTR record). Dont associate the fqdn with loopback or other address.

Basic authentication

To make users not authenticated by a kerberos infra-structure keep using squid, you can use a Basic Authentication with many methods, I chose Ldap because the Samba/Winbind (that I already used) some times has problems of stability and a unknown timeouts of and refresh for password change and group membership.

To use this authentication, you can put this lines after the kerberos related lines (this is very important once that the order of method used to authenticated in browser is derived from this order, if you change this you’ll never get a negotiate authentication only basic):

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b "CN=Users,dc=bc" -s sub -D "CN=user_to_bind_in_ldap,OU=Usuers,DC=bc" -w password -f "(&(objectClass=person)(sAMAccountName=%s))" -u sAMAccountName -P -v 3 -h ldap_server.domain
auth_param basic children 10
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 2 hours

Authorization

Sometimes you can control how access the Internet, sometimes you can control how can’t, or when they access, or yet where the peoples go. For achieve this you should use some directives from squid config file, like: ACL, External_ACL, http_access, http_reply_access, etc.

How we are doing the authentication with kerberos, the username (%LOGIN for squid external_acl) become like this: username@REALM. This is a problem for us once that we are trying to check the attribute sAMAccountName in Active Directory, that don’t include Realm, so we need to apply the patch bellow, and use the new parameter -K in squid_ldap_group to strip the Realm from username.


--- squid_ldap_group.c.original 2008-01-10 11:08:12.000000000 -0200
+++ squid_ldap_group.c 2008-01-04 19:35:09.000000000 -0200
@@ -215,6 +215,7 @@
int port = LDAP_PORT;
int use_extension_dn = 0;
int strip_nt_domain = 0;
+ int strip_kerberos_realm = 0;
int err = 0;


setbuf(stdout, NULL);
@@ -370,6 +371,9 @@
case 'S':
strip_nt_domain = 1;
break;
+ case 'K':
+ strip_kerberos_realm = 1;
+ break;
default:
fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option);
exit(1);
@@ -424,6 +428,7 @@
#endif
fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+ fprintf(stderr, "\t-K\t\t\tStrip Kerberos realm from usernames\n");
fprintf(stderr, "\n");
fprintf(stderr, "\tIf you need to bind as a user to perform searches then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile options\n\n");
exit(1);
@@ -470,6 +475,12 @@
if (u && u[1])
user = u + 1;
}
+ if (strip_kerberos_realm) {
+ char *u = strchr(user, '@');
+ if (u!=NULL) {
+ *u = '';
+ }
+ }
if (use_extension_dn) {
extension_dn = strtok(NULL, " \n");
if (!extension_dn) {

and


--- squid_ldap_group.8.original 2008-01-10 11:08:21.000000000 -0200
+++ squid_ldap_group.8 2008-01-07 11:36:45.000000000 -0200
@@ -152,6 +152,10 @@
Strip NT domain name component from user names (/ or \\ separated)
.
.TP
+.BI -K
+Strip Kerberos Realm component from user names (@ separated)
+.
+.TP
.BI -d
Debug mode where each step taken will get reported in detail.
Useful for understanding what goes wrong if the results is

To allow or deny some user with account in Active Directory based on they group membership, you can use Ldap to check the this using this lines on squid.conf:

external_acl_type ldapgroup %LOGIN /usr/local/squid/libexec/squid_ldap_group -b DC=bc -f
"(&(objectclass=person)(sAMAccountName=%v)(memberOf=cn=%a,OU=Security Groups,DC=REALM))" -D
CN=user_to_bind_in_ldap,CN=Users,DC=REALM -w password -h ldap-server.domain -v 3 -K

acl ldapgroup-access external ldapgroup @users_group

http_access allow all ldapgroup-access

Is possible to check other attributes as well, just change your Ldap query.

About these ads

63 Responses to Squid kerberos authentication and ldap authorization in Active Directory

  1. Adrian Chadd says:

    If you submit these patches via bugzilla (http://bugs.squid-cache.org/) then we’ll get them included. If they’re not already done, that is. :0

  2. klaubert says:

    It was already done. Thank you.

  3. Thank you for your interesting scenario, it will help to implement without too much error ;-)

    I have a question for you : Does your solution is working with proxy chaining like transparent proxy ?
    Does the transparent proxy let the auth pass thru?

    Best Regards
    Marc Blanchard
    http://marc-blanchard.com

  4. klaubert says:

    No, I don’t try it on a transparent proxy, but I know that squid has problems with authentication and transparent proxy… If you try please let me know.

    Klaubert

  5. John Lockwood says:

    Great article.

    I am hoping to move on to getting Squid and Kerberos working myself, but first I have the following problem.

    While I have got squid_ldap_auth (and for that matter pam_auth) working, I am struggling with squid_ldap_group, maybe you or someone else can help. My server uses OpenLDAP.

    My groups are in cn=groups,dc=example,dc=com my users are in cn=users,dc=example,dc=com and my LDAP server accepts anonymous searches. However I cannot get a command that works so that I can verify a user is a member of a specific group.

    For example, I am trying to verify a user called ‘test’ is a member of the ‘internet’ group.

    The internet group in this example would have a DN of cn=internet,cn=groups,dc=example,dc=com and membership would be a list of memberUid entries. A user would have a DN of uid=test,cn=users,dc=example,dc=com.

    For your information the following squid_ldap_auth commands work for me

    squid_ldap_auth -b “cn=users,dc=example,dc=com” -f “(uid=%s)” -h 127.0.0.1 -v 3
    squid_ldap_auth -b “cn=users,dc=example,dc=com” -u cn -f “(cn=%s)” -h 127.0.0.1 -v 3

  6. JD says:

    Negotiate authentication can’t be used by IE6 to authenticate with the proxy server. See Microsoft KB article here: http://support.microsoft.com/kb/321728/. I have confirmed via tcpdump on the server that IE6 doesn’t send ‘Proxy-Authorization: Negotiate’.

    IE7 is OK.

  7. Wim Kerkhoff says:

    Thanks for the tips.

    I’ve just spent like over a day trying to get this to work. After poring through C source code, trying to setup Kerberos with both Squid 2.6 and Apache2, etc and only getting “invalid token” errors, I finally have it working.

    I discovered keytab (from Microsoft) which shows all the kerberos tickets on your XP computer and whether they were expired or not. It turns out that all my tickets were expired. After locking my screening and logging back in, the tickets got purged and reset and now I can auth to both Squid and Apache.

    What a PITA. Anyways now I can proceed with my testing. Hopefully this ticket expiry thing won’t be a big problem in production.

  8. Primeval says:

    Somehow i missed the point. Probably lost in translation :) Anyway … nice blog to visit.

    cheers, Primeval!

  9. Pablo says:

    Hi there

    Very informative article, thanks very much!

    Can I just ask a (perhaps) naive question though? Are there no dependencies on Samba in this solution? It’s just that I’ve been discussing this solution with colleagues and the opinion is that we need Samba4 installed to get Kerberos/negotiate to work. Your article seems to indicate otherwise, but I thought it best to check.

    TAL

    Pablo

  10. klaubert says:

    Pablo,

    the Samba 4 is not used in my setup, the kerberos authentication is squid native, and don’t has samba as a dependency.

    Klaubert

  11. Peta says:

    Hi folks,
    after testing squid_kerb_auth i always get strength mesage :

    #squid_kerb_auth: gss_accept_sec_context() failed: Invalid token was supplied. No error
    BH gss_accept_sec_context() failed: Invalid token was supplied. No error
    #squid_kerb_auth: User not authenticated

    It should mean, that keytab and user match together, but windows doesn’t want to replay…????
    How i can get thru this????

    Petr

  12. [...] Squid kerberos authentication and ldap authorization in Active Directory « Klaubert’s Blog [...]

  13. IG says:

    great article, are there any builds of squid currently that already have kerberos support (squid_kerb_auth) compiled in with it. I am using v. 2.6 that comes with cent os 5.1 and it does not seem to include it.

  14. klaubert says:

    IG,
    a guy from RedHat (Mnagy) has the pre-release packages hosted here: http://people.redhat.com/mnagy/squid/, it come with squid_kerb_auth but, at least currently (squid-2.6.STABLE20-1.el5 ), no squid_ldap_group patched (my patch was included in squid main source). I already use the rpm package, but compile myself the ldap_group authorization module.

    Klaubert

  15. Houston says:

    please let me know how do I patch squid_ldap_group for stripe kerberos realm
    thanks a lot,
    Dario

  16. klaubert says:

    Houston,

    you don’t need to patch it any more, it was merged in squid source. The lasts stable releases include it.

    Klaubert

  17. Wim Kerkhoff says:

    I had problems with the squid_ldap_group module, so made my own. It uses the ldapsearch script, so no patching compiling is necessary. This is tested and working on Debian Etch (stable).

    Usage in squid.conf:

    external_acl_type LDAP ttl=60 children=5 concurrency=1 %LOGIN /usr/local/bin/squid-group-plugin.sh

    Then map your AD groups to a Squid ACL:

    acl StudentGroup external LDAP Students
    # this will send the user and “Students” to the
    # plugin to see if user is in AD “Students” group

    here are the contents of the plugin:

    BASE=”dc=mydomain,dc=ca”
    HOST=”controller.mydomain.ca”
    BIND=”squid@mydomain.ca”
    PASS=”bindpass”
    REALM=”MYDOMAIN.CA” # strip this off.
    TIMELIMIT=1 # seconds

    LOG=”/tmp/squid-groups.log”

    IFS=” ”
    while read IGNORE S_USER S_GROUP; do
    S_USER=`echo $S_USER | sed -e s/@${REALM}//g`
    QUERY=”(&(objectClass=person)(sAMAccountName=$S_USER)(memberOf=CN=$S_GROUP,CN=Users,DC=MYDOMAIN,DC=CA))”
    FOUND_NAME=`ldapsearch -L -L -L -l $TIMELIMIT -b “$BASE” -h $HOST -D “$BIND” -w $PASS -x $QUERY ‘name’ |grep ^name 2>/dev/null`
    if [ "$LOG" != "" ] ; then
    echo `date` [$$] “u=$S_USER g=$S_GROUP f=$FOUND_NAME” >> $LOG
    fi
    if [ $? != 0 ] ; then
    echo “ERR”
    elif [ "$FOUND_NAME" != "" ] ; then
    # found the name of user in AD.
    echo “OK”
    else
    # couldn’t find name or some other problem.
    echo “ERR”
    fi

    done

  18. Wim Kerkhoff says:

    Sorry – I said that ldapsearch is a script but it’s actually a compiled binary.

  19. Wim Kerkhoff says:

    I also forgot to mentioned that I had to recompile the Debian Squid package to enable the negotiate support. If anybody needs the steps for it, let me know

  20. Leandro Frasson says:

    I wonder if you need the user enters the username and password, each time the user opens the browser he must inform the login and password?

  21. Hi,
    thanks for this tutorial ! I’ve set up a Squid 2.7 on OpenBSD 4.4 and all works like a charm when trying to access with Firefox 3.0.7 to HTTP and HTTPS web sites: no authentication is asked to the users that have already opened their Windows session. But if i try a ftp request in Firefox like ftp://ftp.openbsd.org for example, Squid asks to authenticate again and again, however i can acces the ftp server.

    Any idea why the kerberos ticket is not used in this case ?

    Thanks

    • Amos Jeffries says:

      FTP can only use the Basic authentication credentials. There are bugs in older releases around which credentials are used in which order (including a fake “anonymous” login set).

  22. klaubert says:

    Hi Morgan,

    I actually don’t remember to try access for ftp, so I can’t answer you now. If I can try this lather I’ll let you now.

    Klaubert

  23. greenmang0 says:

    I think you have not mentioned how to create a keytab file for linux. Or I failed to understand? I don’t know. I am a complete n00b for Kerberos. I will be thankful to you if you let me know how to create keytab for linux. :-)

    • klaubert says:

      Actually I do! In the post is the “Windows Step:”, this step is done in Windows, but the file generated on it is used on Linux. :)

  24. greenmang0 says:

    OK.. But there must be a way to create that file on gnu/linux machine. I want to create same file using gnu/linux and not Windows. Please let me know. I googled it but couldn’t find anything helpful. :)

    • klaubert says:

      Hi,

      its not exactly an option to make this file on windows, its mandatory, once that you will need to associate this the Windows User, that you create on AD, to be used on Squid. This, off course, if you want to use Windows AD as a Kerberos authentication.
      But if you want to use other Kerberos system (like MIT or Heimdal) you’ll need to make an similar process there, but for now I can’t help you on this.

      Best regards,

      Klaubert

      • Markus says:

        You can also associate the squid account to a computer account (which I prefer as I do not have to create exceptions to my user password policy)

        Markus

    • Markus says:

      There are tools for Linux like msktutil which can create accounts in AD and extract keys into a keytab.

      Markus

  25. greenmang0 says:

    no problem, thanks :)

  26. anu says:

    Its very helpful, thanx

  27. Jorge Medina says:

    greenmango0

    You can create the keytab on linux if you integrate samba using net commando, for example:

    # net ads keytab CREATE
    # net ads keytab ADD HTTP

  28. harry says:

    Nice tutor… thanks..

  29. shivaaz says:

    Large thanks for this tuto, very useful… rmk : ntlm is deprecated

  30. littlebear says:

    wow, thanks, this is quite helpful

  31. Stefan Bauer says:

    After fiddling around several hours with the -K option and the spliting of the REALM from the user-id i found out, that for unknown reasons, the -K switch has to be at the end after all other switches. just fyi

  32. Willian Lanzelotti says:

    I could not create the keytab command mskutil.
    No error, but does not create the keytab file.
    I used the command server ktpass in 2003 and copied to linux and it worked.

  33. shreckbull says:

    Hi !

    How can i apply patch for c files .. i dont’t understand how use them.

    • I’ve compiled my squid source using 1./configure(…)–enable-external-acl-helpers=”ldap_group”.
      2.Make && Make install

      After that, you’ll have a new directory: /etc/squid/squid-3.0.STABLE18/helpers/external_acl/ldap_group/, It depends on how you installed squid.
      That’s all. Now you are able to use squid_ldap_group w/ new features.

  34. Hi everyone:
    I’ve already completed each step of these processes. AD Users are able to authenticate through SQUID to surf by internet, BUT!!… after 2 hours -sometimes more or less- suddenly some users -one or two- couln’t surf by Internet…
    Internet Explorer requests for new credentials (user/password).. Then AD users type them, but They aren’t able to surf by internet…
    I checked that an AD user type user/password correctly but the prompt appears every time…
    From cache.log these lines are recorded::
    ————————————————-
    2011/02/10 17:58:15| squid_kerb_auth: Got ‘YR YIIGJgYGKwYBBQUCoIIGGjCCBhagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBeAEggXcYIIF2AYJKoZIhvcSAQICAQBuggXHMIIFw6ADAgEFoQMCAQ6iBwMFACAAAACjggS7YYIEtzCCBLOgAwIBBaENGwtHSUxBVExBLkNPTaIoMCagAwIBAqEfMB0bBEhUVFAbFVBFUFJPWFkwMS5HSUxBVExBLkNPTaOCBHEwggRtoAMCARKhAwIBAqKCBF8EggRb0CrGoBRyYtVTklzkviLTrUm2PaUeSEwiOnTMPXpXZpiqlXeIzc7EyCtLUu5YIjr8kfWunnManLdfPzFZzvlpwSV5XgpvYimVwwjijX+1M6ASwLQAoMuW7p9Km7ebFGenPsfD2stMiKvi+abaw0oqp3262aYsQKCcN+qDXyU7whJ2Li9tr3MeRnYEc6QLXMbB2CDThA7KkRf+HosCJD54W8Wofk3h0RKERMYpUkfugI2kfakkcZS/QVE241CMj8Y+iF6YwcQTOZ1FLikPveTuZu4wbkR2ywyI5/OYq1iU5oKRmh+iG3XIUMdv8vtJ3c74zrwfAS387D1wfPVw1mnoCDC6mg2NtQa2POrEsJV116fakrRt6dDRK8v6uKFXyytkZG5H+9R8cwaYXYMhGvMVAd46RB62PYerDon0V/UZh9A8Yhr9xfmnQekvIgcZYlD2a8c+SgwRf3EoOYTxa2XF93uzyLM7N/7uw+Ud0J0oSlTOOZ8N5awJ43ISC+xVsqX+lHlEDhpGhYjxfLK6EZoOxdJA9eoWWDMkndgsAhRnK06kuwZWLxGq9m1QjX1THqTy+CK0NcD7FVEJ7DpVVWYHEZoETpJN6QmwIZnPq5TsJcRzOJiL03VtKZiM01vtUGTIw5bXTQZMZFA16GlTK1j0jynjxTMDCMGzJ0prk7q6Z4jtvRga3EJdgRf0HmsUDG/r+/lDECkpPV3L7drYCdqJuyJxdMOfJM5sqNtGKK/qKYlilkfAhwOPqk/hLIue3My44Am7vj8IaJkExpK1DpN3fcRIFwUlwf81CxI1jBF4wTfHlRdYwXVgci1pxlA8wnlD24Ebiacwz9EwQfj2VkUrZoeAyt3/gZrhVxyDfSyvhQcjXcLbUDGdOPjKdki4BVGhIo3wGN+1ZZjGnitDusb4ONIiU5Md1g6d325smXiLWvSFtiBhbVBFB6CByXLx18JJ57DVSgxjkVO6nhTloltEAb8vpsXipgHkeOkmFAcAILqtugP2jFe5kwE/aZ5X9kZTXCiRaOqJItniATP2a3DPqSP0Bpp0mHx6xZv3ZzPy50rZ1aKOGj5rUlVW/YuuW2ULB2weyen44OMvkhceLFAsXppnlAmQUFB5xf5Xy2HjEuktOi8Ka7lfR2rbaYykVaEWE3DEHbd8iF8Ws1emBIaSLekMtc9HjOq4DWdXYTTOmxPLbIvuagmjGqffaDnLIBhjV7IG6q07sah0cTVGdylq/qkGTjyxi/F0f1Pk8uEncVLQ9Kib4lq9+h5OOykifeAtboTSf09skjpMB+G7qa3QD+YOiiqA4PpolEnVrHFCbMm69USlfcppzQ2zklQIEIFNOAzWRkktVgqy74B8I8SWsPLCWz54Y3IvdS8nQYElCPd821QDjAao9vFuYOnELLmpAG0R5sEODqb+EKzXecsXr5vxVoBn5m9TgfbI6XCxQVfADaaaA1O9yhd3JNI6IeH69cWH0mhil68HxQOkge4wgeugAwIBEqKB4wSB4NRMfqBGyTBUUvPKKu1cKscC63v+d5WPmFbyYUYdZ0EB/USQZWSnhWMvbEWFLiRYThJG6UL4op4nNGuw+GuW6PKQi+eB97o4NSGqWN2kvtHtc0YAGSmMma17xIkhUfRtd9j1k/+K6kIKCFN96hDiapeppnE3Tj5fy0MQf+atYDaKV35ai7guVPFxRZFfBvvRdkLntEPAqy4JjIL8ySeUUYaaqyYM97Z6Db43KodJceoECCRZZ6Y1SELwFcKpBoBlGj670kZH1hPKwsncy80TxHSjz1xU1hgYBDRbKjtYP0cH’ from squid (length: 2107).
    2011/02/10 17:58:15| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
    ————————————————-
    I’ve been using:
    +RHEL 5.0
    +SQUID 3.0
    +modules: (squid_kerb_auth1.0.7 and squid_kerb_ldap1.2.1a)
    ————————————————–
    from squid.conf
    I’ve configured the option debug_options ALL,1 33,2 28,9 in order to get more records.. but all these records aren’t useful.

    Can somebody help?

    Thanks in advance.

  35. Markus says:

    Firstly the squid debug option are not transfered to thye helper. To get more debug from the helper start it with -d.

    Secondly the error “Key table entry not found” means that the Kerberos token presented to squid_kerb_auth does not match any entry in the configured keytab. This can be because of the name, kvno or encryption type. To list the details use klist -ekt (MIT command, Heimdal would be with ktutil).

    # klist -ekt /etc/squid/squid.keytab
    Keytab name: WRFILE:/etc/squid/squid.keytab
    KVNO Timestamp Principal
    —- —————– ——————————————————–
    HTTP/opensuse11.suse.home@WIN2003R2.HOME (DES cbc mode with CRC-32)
    2 10/29/10 21:36:50 HTTP/opensuse11.suse.home@WIN2003R2.HOME (DES cbc mode with RSA-MD5)
    2 10/29/10 21:36:50 HTTP/opensuse11.suse.home@WIN2003R2.HOME (ArcFour with HMAC/md5)

    To check the kvno and encryption type use kvno (another MIT command)

    # kinit mm@WIN2003R2.HOME
    Password for mm@WIN2003R2.HOME:
    # kvno HTTP/opensuse11.suse.home@WIN2003R2.HOME
    HTTP/opensuse11.suse.home@WIN2003R2.HOME: kvno = 2
    klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: mm@WIN2003R2.HOME

    Valid starting Expires Service principal
    02/11/11 13:11:51 02/11/11 23:11:02 krbtgt/WIN2003R2.HOME@WIN2003R2.HOME
    renew until 02/12/11 13:11:51, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    02/11/11 13:11:08 02/11/11 23:11:02 HTTP/opensuse11.suse.home@WIN2003R2.HOME
    renew until 02/12/11 13:11:51, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

    The encryption type and name is determined by the client configuration and need to be checked by capturing the traffic between the client and squid with Wireshark.

    In Wireshark you can see the Negotiate blob which can be expanded to see the Kerberos details like name (it must be HTTP/ and encryption type.

    Markus

  36. [...] LDAP and/or Active Directory. Take your pick: http://wiki.squid-cache.org/ConfigEx…ctiveDirectory http://klaubert.wordpress.com/2008/0…ive-directory/ http://www.cyberciti.biz/tips/howto-…ntication.html If you need more, Google is the best [...]

  37. [...] Here is just one howto with config examples. Google will give you a lot more in no-time. [...]

  38. [...] like me, you can also configure Squid to make your users transparently authenticate (SSO) with Kerberos and LDAP. July 10, 2009 12:22 pm kartook “”"” I use a squid acl with the [...]

  39. art says:

    art…

    [...]Squid kerberos authentication and ldap authorization in Active Directory « Klaubert's Blog[...]…

  40. [...] tutorial contains my knowledge about using Apache/mod_auh_kerb and Windows 2000/2003/2008R2 as KDC.Squid kerberos authentication and ldap authorization in Active Directory « Klaubert’s Bl… – The squid web cache include a authenticator for kerberos, it is simple to use, but the [...]

  41. fredouille says:

    Hello,

    Is it possible to use squid_kerb_auth for windows’s users authenticated by Samba3 without any ldap backend ?
    I try to setup this since one week and I’ve always the same error : “access cache denied”

    Great and helpfull article, thenks for it…..

    • klaubert says:

      Fredouille,

      The squid_kerb_auth is for authentication, how are you doing the authorization? The ldap is used for that!

      • fredouille says:

        Hello klaubert,

        I anwsered you by adding a new comment and I don’t know how to modify it, sorry….

  42. Huaraz says:

    A Kerberos token can contain authorisation data and MS does use it for login checks. Unfortunately it was for me at the time too complex to decode the MS PAC data, but I think there is now code available which can decode the MS PAC data. If that code is introduced to squid_kerb_auth authorisation could be done in the same module as authentication.

    Markus

    • klaubert says:

      Ok, but if remember correctly (was a long time that I don’t put my hands on Squid), it don’t do that. So you need to make authorization in other step… sorry.

      Klaubert

  43. Huaraz says:

    You can just deny access at the authentication step (e.g. add an option to squid_kerb_auth like -S ) and return a deny (to the authentication) if the MS PAC data does not contain the SID.

    Markus

    • klaubert says:

      This really can work, but as I’m not working with Squid in current days, can be better make this proposition in squid-devel mailing to squid_kerb_auth maintainer consider this option. I make just a patch in the past.

      Klaubert

  44. Huaraz says:

    BTW You can also use squid_kerb_ldap for authorisation instead of ldap_group. squid_kerb_ldap uses Kerberos to authenticate to the ldap server (e.g. AD) and looks for group memberships. squid_kerb_ldap -d -g SQUID_ALLOW would check if the user is a member of a group with CN=SQUID_ALLOW.

    Finding the server, etc is done “automatic” using DNS.

    Markus

  45. fredouille says:

    Hello Klaubert,

    Fisrt of all, thanks for your answer,

    Today my network works like that :
    a linux box where DNS, DHCP, Samba, Kerberos and Squid+squidguard are installed works like a server.
    Each service seems to be correctly configured when I check them one by one.

    On this network there is some windows box and linux box used as desktop.

    When I want to use a desktop, I open a session and samba authenticate my user by using a passdb backend = tbdsam.

    I trying to use an ldapsam since more than 18 months without never succeed……

    So is it possible to work like this ??

    Thanks in advance for your answer and your help…

  46. fredouille says:

    right now my problem is when I want to go to Internet by using my proxy configured like I said before, each time I got the same error message : access cache denied !!!!

    And of course I don’t find why…..

    Thank you for your help…..

  47. Mike Bundock says:

    I’ve been using this config for a while without a problem but it broke last week and I wanted to post my experience somewhere. So, I got a new PC on the network that has MS Seaport on it. The logged on user has no www access and neither does the PC AD account. The seaport service tries to get to http://g.ceipmsn.com and drove up the memory consumed by squid_kerb_auth and crashed the server after some minutes. It seems seaport doesn’t take no for answer. Disabled seaport service and squid no longer crashes.

  48. seo|vps|hosting|dedicated|server…

    [...]Squid kerberos authentication and ldap authorization in Active Directory « Klaubert's Blog[...]…

  49. Evie says:

    Hello! I simply would like to offer you a huge thumbs up for
    the great info you have right here on this post. I will be
    coming back to your web site for more soon.

    Evie

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: