[squid-users] Re: squid_kerb_ldap issues

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 22 Aug 2014 18:31:45 +0100

Hi Scott,

  You mean authentication and authorisation?

   I think you can. I would expect you to see host/<fqdn>@DOMAIN instead of
user@DOMAIN, and if you add the computer account to the AD group it
should authorise.

  I am very curious to see it :-)

Markus

"Scott Finlon" wrote in message
news:D01CDF61.36EEB%scott.finlon_at_scranton.edu...

Hi Markus,
Thanks for your input. I ended up completely removing everything and
recreating my key tab and it works great now.

One more question for you or the list: Is it possible to do machine based
AD auth to squid?
We have a use case here where we would want to allow a machine access to a
resource but not necessarily specifically allow the users who are logged
in to it.
Thanks again,
-Scott

Scott Finlon, CISSP GCIA GCIH
-----------------------------------
Information Security Engineer
The University of Scranton
email : scott.finlon_at_scranton.edu
phone : 570-941-6168
-----------------------------------

On 8/21/14, 3:20 PM, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

>Hi Scott,
>
> So from what I see in your first log you have a user MYSUER with a
>domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM.
>squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the
>keytab but does not find any entry for MYDOMAIN in the keytab. Then
>squid_kerb_ldap tries to find an entry in the keytab of a domain which
>trusts MYDOMAIN and fails. It seems there is no Kerberos trust between
>MYDOMAIN and SUBDOMAIN.DOMAIN.COM.
>
> The second log looks better, but the password stored in the keytab for
>SQUIDPROXY-K$ is incorrect (Preauthentication failed).
>
>
>Markus
>
>"Scott Finlon" wrote in message
>news:D01B8481.36D86%scott.finlon_at_scranton.edu...
>
>Hi All,
>
>
>I have squid_kerb_auth working and authenticating via my key tab file.
>However, when trying to lock it down to users that are in a group in AD,
>I'm seeing a weird issue.
>I put my sanitized output here: http://pastebin.com/wGc3RC0h
>But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
>MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
>path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
>gives a referral error.
>
>So seeing that, I tried to use my full domain as the default domain, like
>this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
>gives a Preauthentication failed error and doesn't even make it in to AD,
>full output here: http://pastebin.com/Gk1ci0nt
>
>That makes me think it's an issue with the key tab file, but it works
>appropriately with kerb auth just not kerb ldap. Any ideas?
>I am going to try and make a key tab file with ktpass instead of msktutil
>and see if that has any effect.
>Thanks,
>-Scott
>
>
>
>
>
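Added here as an example (not code from the thread or from squid_kerb_ldap) are small shell checks that follow Markus's diagnosis: whether a keytab listing holds a key for the realm the helper is asked to use, how a DNS domain turns into the dc= base that -D derives, and how a host/<fqdn>@REALM principal from a machine maps to the computer account that would go into the AD group. The klist output is constructed, and the principal-to-account mapping is an assumption about AD naming, not the helper's own logic.

```shell
# Constructed sample of `klist -kt` output for a Squid keytab (not from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/21/2014 10:15:02 HTTP/proxy.subdomain.domain.com@SUBDOMAIN.DOMAIN.COM
   2 08/21/2014 10:15:02 SQUIDPROXY-K$@SUBDOMAIN.DOMAIN.COM'

# Realm of a principal: the text after its last "@", upper-cased as Kerberos realms are.
principal_realm() {
    printf '%s\n' "$1" | awk -F'@' '{ print toupper($NF) }'
}

# Succeeds if the listing has at least one key for the realm; without one the helper
# has nothing to authenticate with and falls back to looking for a trusting realm.
keytab_has_realm() {
    listing=$1
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$listing" | awk -v want="$want" '
        $NF ~ /@/ { n = split($NF, p, "@"); if (toupper(p[n]) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Each DNS label becomes one dc= component, so a NetBIOS-style "-D MYDOMAIN" yields
# the bare "dc=MYDOMAIN" base seen in the thread rather than dc=MYDOMAIN,dc=DOMAIN,dc=COM.
domain_to_base_dn() {
    printf '%s\n' "$1" | awk -F'.' '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print "" }'
}

# Name Squid passes to the helper: host/<fqdn>@REALM is a machine, anything else a user.
principal_kind() {
    case $1 in
        host/*@*) echo machine ;;
        *@*)      echo user ;;
        *)        echo invalid ;;
    esac
}

# AD names a computer account "<SHORTHOST>$"; this is the object to put in the group
# (the host-principal-to-account mapping here is an assumption, not the helper's code).
machine_account_name() {
    short=$(printf '%s\n' "$1" | sed 's|^host/||; s|@.*||; s|\..*||' | tr '[:lower:]' '[:upper:]')
    printf '%s$\n' "$short"
}
```

Run `klist -kt /etc/squid/squid.keytab` on the proxy and feed its output to keytab_has_realm with the realm you pass via -D to reproduce the first check against a real keytab.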
Received on Fri Aug 22 2014 - 17:32:05 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 23 2014 - 12:00:06 MDT