Nikolay
Posts: 17, registered: 20 Feb 2015 08:39

ERROR: Negotiate Authentication validating user

Done as described here http://blog.it-kb.ru/2014/06/26/forward … ment-18212

but with
# Negotiate Kerberos and NTLM authentication
and
# Only NTLM authentication
authentication fails with an error

ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'

Basic authentication goes through fine and works.

I tested it like this: I disabled the parameters one at a time,
# Negotiate Kerberos and NTLM authentication
and
# Only NTLM authentication

Алексей Максимов
Site administrator
Posts: 571, registered: 14 Sep 2012 06:50
From: Syktyvkar

Re: Authorization

Алексей Максимов » 20 Feb 2015 10:36

As for "done as described here": nonsense, without a doubt.
Show what happens in cache.log when the squid configuration is applied:

Show the output of the domain authentication test command

Nikolay
Posts: 17, registered: 20 Feb 2015 08:39

Re: ERROR: Negotiate Authentication validating user

Nikolay » 20 Feb 2015 11:22

2015/02/20 14:19:01| Reconfiguring Squid Cache (version 3.3.8)...
2015/02/20 14:19:01| Closing HTTP port 192.168.0.169:3128
2015/02/20 14:19:01| Closing Pinger socket on FD 21
2015/02/20 14:19:01| Logfile: closing log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Logfile Daemon: closing log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Startup: Initializing Authentication Schemes ...
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'basic'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'digest'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'negotiate'
2015/02/20 14:19:01| Startup: Initialized Authentication Scheme 'ntlm'
2015/02/20 14:19:01| Startup: Initialized Authentication.
2015/02/20 14:19:01| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/02/20 14:19:01| Logfile: opening log daemon:/var/log/squid3/access.log
2015/02/20 14:19:01| Logfile Daemon: opening log /var/log/squid3/access.log
2015/02/20 14:19:01| Squid plugin modules loaded: 0
2015/02/20 14:19:01| Adaptation support is off.
2015/02/20 14:19:01| Store logging disabled
2015/02/20 14:19:01| DNS Socket created at [::], FD 7
2015/02/20 14:19:01| DNS Socket created at 0.0.0.0, FD 8
2015/02/20 14:19:01| Adding nameserver 192.168.0.43 from /etc/resolv.conf
2015/02/20 14:19:01| Adding nameserver 192.168.0.32 from /etc/resolv.conf
2015/02/20 14:19:01| Adding domain alea.local from /etc/resolv.conf
2015/02/20 14:19:01| Adding domain alea.local from /etc/resolv.conf
2015/02/20 14:19:01| helperOpenServers: Starting 0/20 'basic_ldap_auth' processes
2015/02/20 14:19:01| helperOpenServers: No 'basic_ldap_auth' processes needed.
2015/02/20 14:19:01| helperOpenServers: Starting 5/5 'ext_ldap_group_acl' processes
2015/02/20 14:19:01| HTCP Disabled.
2015/02/20 14:19:01| Pinger socket opened on FD 21
2015/02/20 14:19:01| pinger: Initialising ICMP pinger ...
2015/02/20 14:19:01| pinger: ICMP socket opened.
2015/02/20 14:19:01| pinger: ICMPv6 socket opened
2015/02/20 14:19:01| Loaded Icons.
2015/02/20 14:19:01| Accepting HTTP Socket connections at local=192.168.0.169:3128 remote=[::] FD 19 flags=9
2015/02/20 14:19:11| Pinger exiting.

Enter ALEA\nbaydakov's password:
plaintext password authentication succeeded
Enter ALEA\nbaydakov's password:
challenge/response password authentication succeeded

Алексей Максимов
Site administrator
Posts: 571, registered: 14 Sep 2012 06:50
From: Syktyvkar

Re: ERROR: Negotiate Authentication validating user

Алексей Максимов » 20 Feb 2015 13:05

Comment out all authentication types in the Squid config except NTLM (auth_param ntlm), enable debugging (debug_options=ALL) and describe in detail what happens on the client, and also show what is happening in cache.log at that moment
Also show the output of

Nikolay
Posts: 17, registered: 20 Feb 2015 08:39

Re: ERROR: Negotiate Authentication validating user

Nikolay » 20 Feb 2015 14:35

1. Commented them out, and it ended up like this

# Negotiate Kerberos and NTLM authentication
#auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth --kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s "HTTP/proxy.alea.local@ALEA.LOCAL" --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
#auth_param negotiate children 200 startup=50 idle=10
#auth_param negotiate keep_alive off

# Only NTLM authentication
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off

# Basic authentication via ldap for clients not authenticated via kerberos/ntlm
#auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b "CN=Users,dc=alea,dc=local" -D "proxyadmin@alea.local" -W /etc/squid3/ldappass.conf -f "sAMAccountName=%s" -h dc.alea.local dc2.alea.local
#auth_param basic children 20
#auth_param basic realm "proxy.alea.local - SQUID Proxy Server Basic authentication!"
#auth_param basic credentialsttl 2 hours

2. added

3. started

it produced

2015/02/20 17:13:31| Startup: Initializing Authentication Schemes ...
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'basic'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'digest'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'negotiate'
2015/02/20 17:13:31| Startup: Initialized Authentication Scheme 'ntlm'
2015/02/20 17:13:31| Startup: Initialized Authentication.
2015/02/20 17:13:31| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/02/20 17:13:31| Processing: debug_options=ALL
2015/02/20 17:13:31| /etc/squid3/squid.conf:6 unrecognized: 'debug_options=ALL'
2015/02/20 17:13:31| Processing: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=ALEA
2015/02/20 17:13:31| Processing: auth_param ntlm children 100 startup=20 idle=5
2015/02/20 17:13:31| Processing: auth_param ntlm keep_alive off
2015/02/20 17:13:31| Processing: external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -S -b "CN=Users,dc=alea,dc=local" -D "proxyadmin@alea.local" -W /etc/squid3/ldappass.conf -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=squid,OU=Группы безопасности,DC=alea,DC=local))" -h dc.alea.local dc2.alea.local
2015/02/20 17:13:31| Processing: acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
2015/02/20 17:13:31| Processing: acl auth proxy_auth REQUIRED
2015/02/20 17:13:31| Processing: acl BlockedUsers          external memberof -i "/etc/squid3/grps_blocked.conf"
2015/02/20 17:13:31| Processing: acl WhiteListUsers        external memberof -i "/etc/squid3/grps_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackListUsers        external memberof -i "/etc/squid3/grps_blacklist.conf"
2015/02/20 17:13:31| Processing: acl FullAccessUsers       external memberof -i "/etc/squid3/grps_fullaccess.conf"
2015/02/20 17:13:31| Processing: acl AnonymousAccessUsers  external memberof -i "/etc/squid3/grps_fullanonym.conf"
2015/02/20 17:13:31| Processing: acl WhiteList        dstdomain -i "/etc/squid3/dom_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackList        dstdomain -i "/etc/squid3/dom_blacklist.conf"
2015/02/20 17:13:31| Processing: acl AllAccess        dstdomain -i "/etc/squid3/dom_allaccess.conf"
2015/02/20 17:13:31| Processing: acl WhiteListURL     url_regex -i "/etc/squid3/url_whitelist.conf"
2015/02/20 17:13:31| Processing: acl BlackListURL     url_regex -i "/etc/squid3/url_blacklist.conf"
2015/02/20 17:13:31| Processing: acl WUServers        src       "/etc/squid3/computers_wsus.conf"
2015/02/20 17:13:31| Processing: acl WUSites          dstdomain -i "/etc/squid3/dom_wsus.conf"
2015/02/20 17:13:31| Processing: acl SSL_ports     port    443
2015/02/20 17:13:31| Processing: acl Safe_ports    port    80         # http
2015/02/20 17:13:31| Processing: acl Safe_ports    port    21         # ftp
2015/02/20 17:13:31| Processing: acl Safe_ports    port    443        # https
2015/02/20 17:13:31| Processing: acl Safe_ports    port    70         # gopher
2015/02/20 17:13:31| Processing: acl Safe_ports    port    210        # wais
2015/02/20 17:13:31| Processing: acl Safe_ports    port    1025-65535 # unregistered ports
2015/02/20 17:13:31| Processing: acl Safe_ports    port    280        # http-mgmt
2015/02/20 17:13:31| Processing: acl Safe_ports    port    488        # gss-http
2015/02/20 17:13:31| Processing: acl Safe_ports    port    591        # filemaker
2015/02/20 17:13:31| Processing: acl Safe_ports    port    777        # multiling http
2015/02/20 17:13:31| Processing: acl CONNECT     method    CONNECT
2015/02/20 17:13:31| Processing: http_access deny    !Safe_ports
2015/02/20 17:13:31| Processing: http_access deny    CONNECT !SSL_ports
2015/02/20 17:13:31| Processing: http_access allow    localhost manager
2015/02/20 17:13:31| Processing: http_access allow    localnet manager
2015/02/20 17:13:31| Processing: http_access deny     manager
2015/02/20 17:13:31| Processing: http_access deny     to_localhost
2015/02/20 17:13:31| Processing: http_access allow    WUSites WUServers
2015/02/20 17:13:31| Processing: http_access allow    AllAccess
2015/02/20 17:13:31| Processing: http_access deny     !auth
2015/02/20 17:13:31| Processing: http_access deny     BlockedUsers all
2015/02/20 17:13:31| Processing: http_access allow    WhiteList
2015/02/20 17:13:31| Processing: http_access allow    WhiteListURL
2015/02/20 17:13:31| Processing: http_access deny     WhiteListUsers all
2015/02/20 17:13:31| Processing: http_access allow    AnonymousAccessUsers all
2015/02/20 17:13:31| Processing: http_access allow    FullAccessUsers all
2015/02/20 17:13:31| Processing: http_access deny     BlackList
2015/02/20 17:13:31| Processing: http_access deny     BlackListURL
2015/02/20 17:13:31| Processing: http_access allow    BlackListUsers all
2015/02/20 17:13:31| Processing: http_access deny    all
2015/02/20 17:13:31| Processing: http_port 192.168.0.169:3128
2015/02/20 17:13:31| Processing: hierarchy_stoplist cgi-bin ?
2015/02/20 17:13:31| Processing: forward_max_tries 25
2015/02/20 17:13:31| Processing: cache_mem 1024 MB
2015/02/20 17:13:31| Processing: maximum_object_size_in_memory 1024 KB
2015/02/20 17:13:31| Processing: memory_replacement_policy heap GDSF
2015/02/20 17:13:31| Processing: cache_replacement_policy heap LFUDA
2015/02/20 17:13:31| Processing: cache_dir ufs /var/spool/squid3 7000 16 256
2015/02/20 17:13:31| Processing: maximum_object_size 32768 KB
2015/02/20 17:13:31| Processing: access_log daemon:/var/log/squid3/access.log squid !AnonymousAccessUsers
2015/02/20 17:13:31| Processing: cache_log /var/log/squid3/cache.log
2015/02/20 17:13:31| Processing: coredump_dir /var/spool/squid3
2015/02/20 17:13:31| Processing: refresh_pattern ^ftp:           1440    20%     10080
2015/02/20 17:13:31| Processing: refresh_pattern ^gopher:        1440    0%      1440
2015/02/20 17:13:31| Processing: refresh_pattern -i (/cgi-bin/|?) 0     0%      0
2015/02/20 17:13:31| Processing: refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
2015/02/20 17:13:31| Processing: refresh_pattern .               0       20%     4320
2015/02/20 17:13:31| Processing: cache_mgr nbaydakov
2015/02/20 17:13:31| Processing: httpd_suppress_version_string on
2015/02/20 17:13:31| Processing: visible_hostname F00-NBK-001
2015/02/20 17:13:31| Processing: error_directory /usr/share/squid3/errors/ru
2015/02/20 17:13:31| Processing: error_default_language ru
2015/02/20 17:13:31| Processing: dns_v4_first on
2015/02/20 17:13:31| Processing: forwarded_for delete
2015/02/20 17:13:31| Processing: cachemgr_passwd ******all

4. done

5. cache (the log is 400 MB O_o)
The user is constantly prompted for a password, and in the cache (access) log:

ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'

Алексей Максимов
Site administrator
Posts: 571, registered: 14 Sep 2012 06:50
From: Syktyvkar

Re: ERROR: Negotiate Authentication validating user

Алексей Максимов » 20 Feb 2015 16:05

In my example the --domain parameter was not used for the ntlm_auth helper.
Were the winbindd_privileged steps described in the article performed? Without them, NTLM authentication from Squid did not work for me (at least on the Samba and Squid versions the articles were about)

Nikolay
Posts: 17, registered: 20 Feb 2015 08:39

Re: ERROR: Negotiate Authentication validating user

Nikolay » 20 Feb 2015 19:22

--domain is already trial and error, but it does not work either with or without it.

Could PROXY.keytab affect this? When I created it, my first three lines did not come out like yours, but everything else matched.

I did it in PowerShell on Win2012R2

There was nothing like this:

Targeting domain controller: KOM-AD01-DC01.holding.com
Successfully mapped HTTP/kom-ad01-squid.holding.com to s-KOM-SquidKerb.
Password successfully set!

The winbindd_privileged steps were done; tomorrow I will redo that step again

I am setting up Squid with Kerberos authentication. When a user tries to authenticate to the proxy through the browser, cache.log shows this:

negotiate_kerberos_auth.cc(487): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab
negotiate_kerberos_auth.cc(570): pid=10851 :2018/07/11 08:46:25| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_10851
negotiate_kerberos_auth.cc(610): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=10258 :2018/07/11 08:32:06| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2018/07/11 08:32:06 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}

ktpass was set up like this:

ktpass -princ HTTP/proxy1.spz.int@SPZ.INT -mapuser squidproxy@spz.int -crypto RC4-HMAC-NT -pass passW0rd -ptype KRB5_NT_PRINCIPAL -out C:\proxy.keytab

============= squid.conf ========================

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy1.spz.int@SPZ.INT
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED

============= /etc/krb5.conf ==========================

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SPZ.INT
 default_ccache_name = KEYRING:persistent:%{uid}
 default_keytab_name = /etc/squid/proxy.keytab

[realms]
 SPZ.INT = {
  kdc = spz.int
 }

[domain_realm]
 .spz.int = SPZ.INT
 spz.int = SPZ.INT

====================================================

Through kinit, authentication succeeds:

kinit -V -k -t /etc/squid/squidproxy.keytab HTTP/proxy1.spz.int@SPZ.INT

Using default cache: persistent:0:0
Using principal: HTTP/proxy1.spz.int@SPZ.INT
Using keytab: /etc/squid/proxy.keytab
Authenticated to Kerberos v5

klist

Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/proxy1.spz.int@SPZ.INT

Valid starting Expires Service principal
07/11/2018 08:59:23 07/11/2018 18:59:23 krbtgt/SPZ.INT@SPZ.INT
renew until 07/18/2018 08:59:23

I'm trying to integrate squid 3.5.19 with AD/Kerberos (Windows 2008 R2), but I get always TCP_DENIED:HIER_NONE

These are the errors in /var/log/squid/cache.log

2016/07/28 10:26:01.583 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/28 10:26:01.584 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.584 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test on:local=192.168.50.22:3128 remote=192.168.50.47:56015 FD 16 flags=1
2016/07/28 10:26:01.625 kid1| 29,4| UserRequest.cc(350) authenticate: No connection authentication type
2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(36) CreateAuthUser: header = 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/28 10:26:01.625 kid1| 29,5| User.cc(39) User: Initialised auth_user '0x2857400'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(95) UserRequest: initialised request 0x28576b0
2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(267) decode: decode Negotiate authentication
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. Received blob: 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(46) start: 0x28576b0
2016/07/28 10:26:01.625 kid1| 29,8| UserRequest.cc(134) startHelperLookup: credentials state is '2'
negotiate_kerberos_auth.cc(610): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/07/28 10:26:01.626 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: '0x2860438/0x2860438' sent us reply={result=BH, notes={message: received type 1 NTLM token; }}
2016/07/28 10:26:01.626 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: releasing Negotiate auth server '0x2860438'
2016/07/28 10:26:01.626 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.626 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.732 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.732 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.913 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.913 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.956 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.956 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.980 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.980 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.993 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.993 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:02.004 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:02.004 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:09.555 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.556 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.556 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x28576b0
2016/07/28 10:26:09.556 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x2857400'
2016/07/28 10:26:09.556 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x2857400'.
2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.559 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x286f4d0
2016/07/28 10:26:09.559 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x286f2a0'
2016/07/28 10:26:09.559 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x286f2a0'.
2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.563 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x2857ab0
2016/07/28 10:26:09.563 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x241e990'
2016/07/28 10:26:09.563 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x241e990'.

I've created the keytab on Windows using ktpass:

ktpass /princ host/kanban.infoestructura.local@EXAMPLE.LOCAL /mapuser squid@EXAMPLE.LOCAL /crypto rc4-hmac-nt /pass * /ptype KRB5_NT_PRINCIPAL /out C:Soportewinkrb5.keytab

and then copied to squid, and I see the following thing:

 klist -kt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/31/1969 21:00:00 HTTP/kanban.example.local@EXAMPLE.LOCAL

I wonder if the wrong timestamp has to do with the problem

Kerberos and relevant squid config files are as follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

squid.conf:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d  -s HTTP/kanban.example.local@example.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_auth proxy_auth REQUIRED

Is the keytab timestamp the cause of errors? Am I doing something wrong?
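In this post and in the 2018 spz.int post above, the helper's verdict is the same: `received type 1 NTLM token`. The blob Squid logs starts with `TlRMTVNTUAAB`, which is base64 for `NTLMSSP\0` followed by message type 1, so the browser answered the `Negotiate` challenge with a raw NTLM NEGOTIATE message instead of a SPNEGO/Kerberos token. negotiate_kerberos_auth only speaks Kerberos and returns BH; a client that does this typically never obtained a service ticket for the proxy SPN (the first thread's negotiate_wrapper_auth line exists precisely to hand such tokens to ntlm_auth). The decoder below is an added example, not code from any post or from the Squid project: it classifies a logged blob as NTLMSSP or GSS-API, and for NTLM pulls out the negotiate flags and the client OS version field, which helps find the workstation that keeps falling back. The two blobs are copied from the cache.log lines quoted above; the SPNEGO sample is constructed and carries no real ticket.

```python
"""Triage helper for Squid "Negotiate Authentication validating user" errors.

Added example, not from any post in this thread. Squid's debug log quotes the
base64 blob the browser sent in "Proxy-Authorization: Negotiate <blob>". This
decodes such a blob and tells whether it is a GSS-API/SPNEGO token (what
negotiate_kerberos_auth expects) or a raw NTLMSSP message, which the helper
rejects with "received type 1 NTLM token". For NTLM it also extracts the
negotiate flags and the client OS version field, handy when hunting for the
workstation that keeps falling back to NTLM.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs found right after the tag and length of a GSS-API
# InitialContextToken (RFC 2743 section 3.1).
KNOWN_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 1.2.840.113554.1.2.2",
    bytes.fromhex("06092a864882f712010202"): "MS KRB5 1.2.840.48018.1.2.2",
}
# Subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5) worth seeing in triage.
NTLM_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length octets at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_blob(blob_b64):
    """Decode one Negotiate blob as logged by Squid and describe it."""
    raw = base64.b64decode(blob_b64)
    info = {"length": len(raw)}
    if raw.startswith(NTLMSSP_SIGNATURE):
        info["kind"] = "ntlmssp"
        msg_type, = struct.unpack_from("<I", raw, 8)
        info["ntlm_type"] = msg_type
        info["ntlm_type_name"] = NTLM_MESSAGE_TYPES.get(msg_type, "unknown")
        if msg_type == 1 and len(raw) >= 32:
            flags, = struct.unpack_from("<I", raw, 12)
            info["flags"] = sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit)
            # The 8-byte Version field follows the domain and workstation
            # fields and is present when NEGOTIATE_VERSION is set.
            if flags & 0x02000000 and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw and raw[0] == 0x60:  # GSS-API InitialContextToken: [APPLICATION 0]
        _, pos = _der_length(raw, 1)
        info["kind"] = "gssapi"
        info["mechanism"] = next((name for oid, name in KNOWN_OIDS.items()
                                  if raw.startswith(oid, pos)), "unknown OID")
        return info
    info["kind"] = "unknown"
    return info


def explain(blob_b64):
    """One-line verdict, suitable for a log-triage script or SIEM enrichment."""
    info = classify_negotiate_blob(blob_b64)
    if info["kind"] == "ntlmssp":
        return (f"raw NTLMSSP {info['ntlm_type_name']} message from client OS "
                f"{info.get('client_os', '?')}: the browser did not present a "
                "Kerberos ticket for the proxy SPN and fell back to NTLM")
    if info["kind"] == "gssapi":
        return f"GSS-API token, mechanism {info['mechanism']}: the Kerberos path is in use"
    return "not a Negotiate token"


# Blobs quoted verbatim from the cache.log excerpts in this thread.
BLOB_2018_POST = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw=="
BLOB_2016_POST = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=="
# Constructed, not from the page: a minimal SPNEGO InitialContextToken header
# (tag 0x60, length, SPNEGO OID, empty NegTokenInit) to exercise the GSS branch.
CONSTRUCTED_SPNEGO = base64.b64encode(
    b"\x60\x0a" + bytes.fromhex("06062b0601050502") + b"\xa0\x00").decode()

if __name__ == "__main__":
    for label, blob in (("2018 post", BLOB_2018_POST), ("2016 post", BLOB_2016_POST),
                        ("constructed SPNEGO", CONSTRUCTED_SPNEGO)):
        print(f"{label}: {explain(blob)}")
```

Run against the two logged blobs it reports NTLM NEGOTIATE messages from a 6.3 build 9600 client (Windows 8.1 / Server 2012 R2) and a 10.0 build 10586 client; neither carries a Kerberos token, so the keytab, its KVNO or its timestamp never came into play for those requests. The place to look is the client side: whether it can resolve and request `HTTP/<proxy fqdn>` from the KDC, and whether the proxy name it uses matches the SPN in the keytab.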

Please help me figure this out.
samba, krb and winbind are installed.
Sharing folders worked great, I joined the machine to the domain, and restricting access to folders also worked.
I installed squid and configured it according to a how-to from the internet, but when trying to get to the internet an authentication window pops up. I enter the login and password but do not get access.
On kinit -k I get:
kinit: Cannot find KDC for realm "VPU25.LOCAL" while getting initial credentials

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
gshadow:        files

hosts:          dns mdns4_minimal[NotFound=return]mdns4 files
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


hosts

127.0.0.1 localhost
127.0.1.1 file.vpu25.local file
192.168.5.250 file.vpu25.local file
192.168.5.251 dc_n.vpu25.local vpu25.local dc_n

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


krb5.conf

[logging]
    default = FILE:/var/log/kerberos/krb5libs.log
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
default_realm = VPU25.LOCAL
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
DC_N.VPU25.LOCAL = {
kdc = 192.168.5.251
admin_server = 192.168.5.251
default_domain = VPU25.LOCAL

}

[domain_realm]
.vpu25.local = VPU25.LOCAL
vpu25.local = VPU25.LOCAL

[appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

[login]
krb4_convert = true
krb4_get_tickets = false


smb.conf

[global]
workgroup = VPU25
server string = File server
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
#syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
realm = VPU25.LOCAL
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
socket options = TCP_NODELAY
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config VPU25 : backend = rid
idmap config VPU25 : range = 2000000-2999999
template shell = /bin/bash
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes

#======================= Share Definitions =======================
[homes]
create mask = 0700
valid users = VPU25%S,@hlam_users
writeable = yes
directory mask = 0700
comment = Home Directories
browseable = no

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[hlam]
writeable = yes
path = /home/VPU25/hlam
valid users = @hlam_users

[install]
path = /home/VPU25/install
write list = @smb_admin
read list = @hlam_users
invalid users = @students
writeable = yes

[temp]
create mode = 777
force create mode = 777
writeable = yes
path = /home/VPU25/temp
force directory mode = 777
write list = @students,@smb_admin,@hlam_users
directory mode = 777


squid.conf

# Аутентификация в Active Directory
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/file.vpu25.locla@VPU25.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type inet_medium ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Internet@VPU25.LOCAL
external_acl_type inet_full ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Internet_Full@VPU25.LOCAL
external_acl_type inet_low ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Internet_Low@VPU25.LOCAL

# Стандартные порты
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Белый и черный список
acl white_list url_regex -i "/etc/squid/white_lis.txt"
acl black_list url_regex -i "/etc/squid/blacklist.txt"

# Определяем группы доступа
acl my_full external inet_full
acl my_medium external inet_medium
acl my_low external inet_low

# Перечень сетей
acl all src all
acl our_networks src 192.168.5.0/24

# Авторизация требуется ОБЯЗАТЕЛЬНО, без нее никого не пускать
acl nt_group proxy_auth REQUIRED

# Стандартные разрешения
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Права доступа для наших групп пользователей
http_access allow my_low white_list
http_access deny my_low
http_access deny my_medium black_list
http_access allow my_medium
http_access allow my_full

# Разрешаем локалхост
http_access allow localhost

# Deny everything else
http_access deny all

# Internet link bandwidth limiting
delay_pools 3
delay_class 1 1
delay_class 2 1
delay_class 3 1
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 384000/384000
delay_parameters 3 32000/32000
#delay_access 1 allow my_full
#delay_access 1 deny all
delay_access 2 allow my_medium
delay_access 2 deny all
delay_access 3 allow my_low
delay_access 3 deny all

# Proxy server ports
http_port 192.168.5.250:3128
http_port 192.168.5.250:3127 transparent

# Allocate 3.5 GB of memory for the proxy
cache_mem 3584 MB

# Allocate disk space for the cache files
cache_dir ufs /var/spool/squid 100 16 256

# Where to write logs and how many to keep
access_log /var/log/squid/access.log
logfile_rotate 100
coredump_dir /var/spool/squid

# Caching settings
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$    3600    90%     43200
refresh_pattern .               0       20%     4320

# Do not show the proxy server version and name
httpd_suppress_version_string on
visible_hostname PROXYSERVER

# Enable Russian for server messages
#error_directory /usr/share/squid/errors/Russian-1251
#error_default_language ru

# Force the desired DNS server
#dns_nameservers 192.168.1.3
#dns_v4_first on

In the squid logs
cache.log

2018/10/31 12:02:42 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:02:42 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:02:42 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:03:53 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:08 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:08 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:08 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:04:08 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:10 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:13 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:33 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:33 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:04:33 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:38 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:38 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:04:38 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.

access.log

1540980248.242      0 192.168.5.1 TCP_DENIED/407 4080 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980248.243      0 192.168.5.1 TCP_DENIED/407 4080 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980248.245      0 192.168.5.1 TCP_DENIED/407 4183 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980250.119      0 192.168.5.1 TCP_DENIED/407 4183 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980253.823      0 192.168.5.1 TCP_DENIED/407 4183 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980273.483      0 192.168.5.1 TCP_DENIED/407 4102 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
1540980273.486      0 192.168.5.1 TCP_DENIED/407 4205 CONNECT clients4.google.com:443 - HIER_NONE/- text/html
1540980278.264     35 192.168.5.1 TCP_DENIED/407 4317 GET http://www.gstatic.com/generate_204 - HIER_NONE/- text/html
1540980278.267      1 192.168.5.1 TCP_DENIED/407 4420 GET http://www.gstatic.com/generate_204 - HIER_NONE/- text/html

Original work By Adrian Chadd, with updates by James Robertson on 19.01.2012
and Christopher Schirner on 11.11.2014

An alternate way to integrate with Active Directory is via Samba and NTLM

🔗 Introduction

This wiki page covers setup of a Squid proxy which will seamlessly
integrate with Active Directory using Kerberos, NTLM and basic
authentication for clients not authenticated via Kerberos or NTLM.

:warning: File paths and account user/group names will depend on the
specific operating system setup.

🔗 Example Environment

The following example values are used throughout; update any configuration
examples with your own domain, hostnames, IPs, etc. where necessary.

  • Network
    • Domain= example.local
    • Subnet = 192.168.0.0/24
  • Proxy Server
    • OS = GNU/Linux
    • Squid 3.1
    • IP = 192.168.0.10
    • HOSTNAME = squidproxy.example.local
    • Kerberos computer name = SQUIDPROXY-K
  • Windows Server 1
    • IP = 192.168.0.1
    • HOSTNAME = dc1.example.local
  • Windows Server 2
    • IP = 192.168.0.2
    • HOSTNAME = dc2.example.local

🔗 Prerequisites

Client Windows computers need to have Enable Integrated Windows
Authentication ticked in Internet Options ⇒ Advanced settings.

🔗 DNS Configuration

On the Windows DNS server add a new A record entry for the proxy
server’s hostname and ensure a corresponding PTR (reverse DNS) entry is
also created and works. Check that the proxy is using the Windows DNS
Server for name resolution and update /etc/resolv.conf accordingly.

Edit the file according to your network.

domain example.local
search example.local
nameserver 192.168.0.1
nameserver 192.168.0.2

Ping an internal and an external hostname to ensure DNS is operating.

ping dc1.example.local -c 4 && ping google.com -c 4

Check you can reverse lookup the Windows Server and the local proxy ip
from the Windows DNS.

dig -x 192.168.0.1
dig -x 192.168.0.10

The ANSWER SECTION should contain the DNS names dc1.example.local and
squidproxy.example.local respectively.

:information_source: Important: If either lookup fails do not proceed until fixed or
authentication may fail.

🔗 NTP Configuration

Time needs to be synchronised with the Windows Domain Controllers for
Kerberos authentication to work. Configure the proxy to obtain time from
them and test to ensure it is working as expected.

🔗 Install and Configure Kerberos

Install Kerberos packages — on Debian these are krb5-user libkrb53

Edit the file /etc/krb5.conf, replacing the variables with your domain
and servers.

:information_source: Important: If you only have 1 Domain Controller remove the
additional kdc entry from the [realms] section, or add any
additional DC’s.

Depending on your Domain Controller’s OS Version uncomment the relevant
Windows 200X section and comment out the opposing section.

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        kdc = dc2.example.local
        admin_server = dc1.example.local
        default_domain = example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL

:information_source: Important notice: One should use “Windows 2008 with AES” if
available. This is not just important for security reasons, but you
might also experience problems when using the DNS name of the squid
server instead of the IP address.

Example error messages regarding this issue may look like this:

ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.'
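To make the failure signatures quoted on this page quicker to spot in a busy cache.log (the gss_accept_sec_context() failure above, the "received type 1 NTLM token" lines, the BH NT_STATUS_UNSUCCESSFUL helper reply, and the delay_pool warning), here is a small triage script. It is an added example, not part of the wiki page or the Squid project; the log lines it carries are constructed from the excerpts on this page, and it assumes that Squid 3.x numbers pools from 0 in the delay_pool warning, so "delay_pool 0" in cache.log refers to the first delay_pools entry in squid.conf.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the cache.log / access.log excerpts
# quoted on this page (not copied from a live system).
SAMPLE_CACHE_LOG = """\
2018/10/31 12:02:42 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2018/10/31 12:02:42 kid1| delay_pool 0 has no delay_access configured. This means that no clients will ever use it.
2018/10/31 12:04:08 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2015/02/20 14:19:05| ERROR: Negotiate Authentication validating user. Error returned 'BH NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL'
2014/11/11 10:00:00 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.'
2018/10/31 12:02:40 kid1| Startup: Initialized Authentication Scheme 'basic'
"""

SAMPLE_ACCESS_LOG = """\
1540980248.242      0 192.168.5.1 TCP_DENIED/407 4080 CONNECT aleksius.com:443 - HIER_NONE/- text/html
1540980278.264     35 192.168.5.1 TCP_DENIED/407 4317 GET http://www.gstatic.com/generate_204 - HIER_NONE/- text/html
1540980300.001     12 192.168.5.1 TCP_MISS/200 5120 GET http://example.test/ user1 HIER_DIRECT/203.0.113.5 text/html
"""

# "2018/10/31 12:02:42 kid1| message" -- the " kidN" part is absent on
# single-process Squid builds, so it is optional.
CACHE_LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?: kid\d+)?\| (.*)$")

# Each rule: (pattern over the cache.log message, label, what to check first).
# Order matters: the more specific GSSAPI rule runs before the generic
# NT_STATUS rule.
RULES = [
    (re.compile(r"received type 1 NTLM token"),
     "negotiate_ntlm_fallback",
     "Client sent NTLM inside Negotiate; negotiate_kerberos_auth alone cannot "
     "handle it. Check the client can get a ticket for the HTTP/ SPN (SPN "
     "spelling, forward/reverse DNS, clock skew) or front the helper with "
     "negotiate_wrapper as the wiki config does."),
    (re.compile(r"gss_accept_sec_context\(\) failed"),
     "gssapi_accept_failed",
     "Keytab/SPN problem: check KRB5_KTNAME, that the keytab holds the HTTP/ "
     "SPN with enctypes the DC offers, and that the proxy group can read it."),
    (re.compile(r"NT_STATUS_\w+"),
     "winbind_ntlm_failure",
     "ntlm_auth via winbind failed: check 'wbinfo -t' and that the squid user "
     "can read winbindd_privileged."),
    (re.compile(r"delay_pool (\d+) has no delay_access configured"),
     "delay_pool_unused",
     "Config warning only (assumed 0-based: log pool N is squid.conf pool "
     "N+1); add a delay_access for it or reduce delay_pools."),
]


def classify(message):
    """Return (label, hint) for one cache.log message, or None when it is not
    one of the authentication/config problems this page shows."""
    for pattern, label, hint in RULES:
        if pattern.search(message):
            return label, hint
    return None


def triage_cache_log(text):
    """Count each known problem class over all parsable cache.log lines."""
    counts = Counter()
    for line in text.splitlines():
        m = CACHE_LINE.match(line)
        if not m:
            continue
        hit = classify(m.group(2))
        if hit:
            counts[hit[0]] += 1
    return counts


def access_log_summary(text):
    """Per client IP: how many 407 challenges were issued versus how many
    requests carried a username, i.e. whether anyone ever completes auth."""
    summary = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:          # not a native-format squid access.log line
            continue
        client, status, user = f[2], f[3], f[7]
        entry = summary.setdefault(client, {"challenged": 0, "authenticated": 0})
        if status.endswith("/407"):
            entry["challenged"] += 1
        elif user != "-":
            entry["authenticated"] += 1
    return summary


if __name__ == "__main__":
    for label, n in triage_cache_log(SAMPLE_CACHE_LOG).most_common():
        hint = next(h for _, l, h in RULES if l == label)
        print(f"{n:4d}  {label}: {hint}")
    for client, counts in access_log_summary(SAMPLE_ACCESS_LOG).items():
        print(f"{client}: {counts}")
```

Run it against a real cache.log by replacing the sample strings with the file contents; a client that only ever appears with 407s and never with a username has not completed any scheme, which separates a helper failure from an authorization (ACL) problem.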

🔗 Install Squid 3

We install squid 3 now because we need the squid3 directories available.
Squid configuration takes place after authentication is configured. On
Debian install the squid3 and ldap-utils packages.

🔗 Authentication

The proxy uses 4 methods to authenticate clients: Negotiate/Kerberos,
Negotiate/NTLM, NTLM and basic authentication. Markus Moeller's
negotiate_wrapper is used for the 2 Negotiate methods.

🔗 Kerberos

Kerberos utilises msktutil an Active Directory keytab manager (I presume
the name is abbreviated for “Microsoft Keytab Utility”). We need to
install some packages that msktutil requires. On Debian install
libsasl2-modules-gssapi-mit libsasl2-modules

Install msktutil — you can find msktutil here
“http://fuhm.net/software/msktutil/releases/”

Initiate a Kerberos session to the server with administrator permissions
to add objects to AD, updating the username where necessary. msktutil will
use it to create our Kerberos computer object in Active Directory.

It should return without errors. You can see if you successfully obtained
a ticket with:

Now we configure the proxy's Kerberos computer account and service
principal by running msktutil (remember to update the values with
yours).

:warning: Important: There are 2 important caveats in regard to msktutil's
--computer-name argument:
  • --computer-name cannot be longer than 15 characters due to NetBIOS name
    limitations. See this link and this link for further information.
  • --computer-name must be different from the proxy's hostname so computer
    account password updates for NTLM and Kerberos do not conflict; see this
    link for further information. This guide uses -k appended to the hostname.

Execute the msktutil command as follows:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.example.local -k /etc/squid3/PROXY.keytab \
    --computer-name SQUIDPROXY-K --upn HTTP/squidproxy.example.local --server dc1.example.local --verbose

:information_source: If you are using a Server 2008 domain then add
--enctypes 28 at the end of the command

Pay attention to the output of the command to ensure success; because we
are using --verbose output you should review it carefully.

Set the permissions on the keytab so squid can read it.

chgrp proxy /etc/squid3/PROXY.keytab
chmod g+r /etc/squid3/PROXY.keytab

Destroy the administrator credentials used to create the account.

On the Windows Server reset the computer account in AD by right-clicking
on the SQUIDPROXY-K computer object and selecting "Reset Account", then run
msktutil as follows to ensure the keytab is updated as expected and that
the keytab path is being read by msktutil from /etc/krb5.conf correctly.
This step is not strictly necessary, but it is useful to confirm msktutil
works as expected. Run the following:

msktutil --auto-update --verbose --computer-name squidproxy-k

:information_source: Even though the account was added in capital letters, the
--auto-update in msktutil requires the --computer-name to be lower
case.

If the keytab is not found try adding -k /etc/squid3/PROXY.keytab to
the command to see if it works and then troubleshoot until resolved or
users will not be able to authenticate with Squid.

Add the following to cron so it automatically updates the computer
account in Active Directory when it expires (typically 30 days). Piping it
through logger lets you see any errors in syslog if necessary. As stated,
msktutil uses the default /etc/krb5.conf file for its parameters, so be
aware of that if you decide to make any changes in it.

00 4  *   *   *     msktutil --auto-update --verbose --computer-name squidproxy-k | logger -t msktutil

Edit squid3’s init script to export the KRB5_KTNAME variable so squid
knows where to find the kerberos keytab.

On Debian the simplest way to do that is as follows:

Add the following configuration to /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

🔗 NTLM

Install Samba and Winbind. On Debian install samba winbind samba-common-bin

Stop the samba and winbind daemons and edit /etc/samba/smb.conf

workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LOCAL

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

Now join the proxy to the domain.

net ads join -U Administrator

Start samba and winbind and test access to the domain.

This command should output something like this:

checking the trust secret for domain EXAMPLE via RPC calls succeeded

wbinfo -a EXAMPLE\testuser%'password'

Output should be similar to this.

plaintext password authentication succeeded
challenge/response password authentication succeeded

Set Permissions so the proxy user account can read
/var/run/samba/winbindd_privileged

gpasswd -a proxy winbindd_priv

  • :warning: on Debian and Ubuntu systems there may also be a
    /var/lib/samba/winbindd_privileged directory created by the
    winbind and ntlm_auth tools with root ownership. The group of that
    folder needs to be changed to match the
    /var/run/samba/winbindd_privileged location.

Append the following to cron to regularly change the computer account
password (Samba might do this automatically; check the Samba documentation).

    05  4  *   *   *     net rpc changetrustpw -d 1 | logger -t changetrustpw

🔗 Basic

In order to use basic authentication by way of LDAP we need to create an
account with which to access Active Directory.

In Active Directory create a user called “Squid Proxy” with the logon
name squid@example.local.

Ensure the following is true when creating the account:

  • User must change password at next logon Unticked
  • User cannot change password Ticked
  • Password never expires Ticked
  • Account is disabled Unticked

Create a password file used by squid for ldap access and secure the file
permissions (substitute the word “squidpass” below with your password).

echo 'squidpass' > /etc/squid3/ldappass.txt
chmod o-r /etc/squid3/ldappass.txt
chgrp proxy /etc/squid3/ldappass.txt

🔗 Install negotiate_wrapper

First we need to install negotiate_wrapper. Install the necessary
build tools (on Debian install build-essential linux-headers-$(uname -r)),
then compile and install.

cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install

🔗 squid.conf

Then set up squid and its associated config files.

Add the following to your squid.conf.

Study and update the following text carefully, replacing the example
content with your network's configuration. If you get something wrong
your proxy will not work.

### /etc/squid3/squid.conf Configuration File ####

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/local/bin/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

### enforce authentication
http_access deny !auth
http_access allow auth
http_access deny all

⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.



Error ntlm authentication validating user results

Post by granit.it.head » 17 Feb 2016 06:05

Good day.
Great series of articles, thank you for it.
I ran into the following problem:
basic authentication works without problems, but when NTLM and Kerberos are enabled it refuses to authenticate, with the error
ERROR: Negotiate Authentication validating user. Result: >
ERROR: NTLM Authentication validating user. Result: >

At the same time, when running the following command in the console
/usr/lib/squid3/ext_ldap_group_acl -d -v 3 -P -R -K -b "CN=Users,dc=granit,dc=safety" -D SquidKerb@granit.safety -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:=cn=%g,CN=Users,DC=granit,DC=safety))" -h ds2.granit.safety ds.granit.safety
everything works perfectly and it returns:
ext_ldap_group_acl.cc(583): pid=1440 :Connected OK
ext_ldap_group_acl.cc(722): pid=1440 :group filter '(&(objectclass=person)(sAMAccountName=CherkasovIY)(memberOf:=cn=Internet-Full-Anon,CN=Users,DC=granit,DC=safety))', searchbase 'CN=Users,dc=granit,dc=safety'
OK
that is, the LDAP directory search happens and the user's membership in the given group is determined.

So the problem is somewhere around the helpers.
Can you tell me whether I can run them from the console myself, and what to feed them on input to check that they work?


Why doesn't Squid authenticate via Active Directory?

Colleagues, good day. I'm setting up a transparent proxy with AD and Kerberos V5. CentOS 7 has been joined to the domain with realm:

Contents of the keytab file:

There is a user in AD, squid2018, for whom the keytab was created. Let's check:

The password for squid2018 is accepted and we get a ticket:

Then we destroy it.

Squid status:

But the browser pops up a username and password prompt, which should not happen. Fine, I enter them, but they are not accepted, and /var/log/squid/cache.log writes this:

Please help, colleagues. Thanks in advance.


I have EL6; bringing it up to EL7 you will have to do yourself.
— What is the keytab file called? If it is anything other than krb5.keytab, its name has to be passed through the environment. Squid takes it via the KRB5_KEYTAB variable, which I put in /etc/sysconfig/squid:

— Is the principal written correctly? This is what my auth_param looks like:

This is what the external_acl that checks group membership looks like:

(AccessFull is a group in AD)
— what does a command like this say?

(it should run without any prompts)
How was the principal mapped? I used a Windows console command for that (it was done a long time ago!):

(the domain user proxy and its password were used)

Squid takes it via the KRB5_KEYTAB variable, which I put in /etc/sysconfig/squid:

It answers nothing. It is just entered, and afterwards you can look at the obtained ticket with klist.

How was the principal mapped?

That one I didn't do myself. A colleague does it and sends it to me. The domain user squid2018 with its password was also used.

P.S. I tweaked /etc/squid/squid.conf, but so far it's the same: it asks for a username and password and doesn't accept them.

And how exactly should it be written? If it is
vs-otr-squid02@DOMAIN.RU
or
vs-otr-squid02.domain.ru
then it doesn't work at all. Strangely, the Squid server cannot be pinged by name from the desktop, although from vs-otr-squid02 everything pings by name.

By the way, if the group is called Domain Users, Squid treats the space in the name as a parameter separator; should it be quoted?

Ironhide, it is written exactly as shown: comp.name.tld@DOMAIN.TLD. I don't know why; someone who knows Kerberos better than I do probably does. Here comp.name.tld is the DNS name of the proxy machine that was specified when binding the principal, and DOMAIN.TLD is the "long" name of the AD domain.
And in the proxy settings you simply write comp.name.tld.
It is also worth checking the forward and reverse resolution of the proxy machine's name; they must match.

Regarding the group, I don't know; it was easier for me to create a separate group (that is, many separate groups). I had long wanted to build a tool with which the admins themselves could manage access by adding users to and removing them from AD groups.

It works now. Indeed, the keytab had to be created so that the principal looked like comp.name.tld@DOMAIN.TLD. Very important, as it turned out. A small thing, but I struggled with it for a long time.

By the way, in the proxy settings on the client you can just put the IP address and port; it works. A domain name is not needed.


forum.lissyara.su


Squid + AD authentication doesn't work


Re: Squid + AD authentication doesn't work

Unread post by Guest » 2014-07-02 9:47:17

Unread post by Guest » 2015-06-22 13:24:44

joining the machine to the domain:
net rpc join -U user.name

authenticating in the domain:
net setauthuser -U squid%password

permissions on the folder, otherwise squid cannot authenticate:

ls -l /var/db/samba4/winbindd_privileged
chmod 750 winbindd_privileged
chown -R root:squid winbindd_privileged

-ADS
-LDAP
-SYSLOG
-UTMP
-NSUPDATE

squid
-ARP_ACL
-AUTH_KERB (I thought about hooking up Kerberos; not using it)
-AUTH_LDAP
-AUTH_SMB (needed for samba; appeared in newer versions and did not exist when the article was written)
-HTCP
-IDENT
-SNMP

Packages:
root@freebsd:/usr/local/etc/rc.d # pkg info | grep samba
samba4-4.0.21 A free SMB/CIFS and AD/DC server and client for UNIX
root@freebsd:/usr/local/etc/rc.d # pkg info | grep squi
squid-3.4.8_1 HTTP Caching Proxy


Squid problem with NTLM

Good day, I'm asking for help from people with experience 🙂 For a week now I've been trying to get SQUID running with Kerberos authentication, but it's going with difficulty; I've re-read a pile of manuals and tried various configurations, and different errors keep appearing :) At the moment I've got to the point where the commands wbinfo -t and kinit -k run without errors, authentication against the dc succeeds and I get a ticket. The computer is in the domain. nano /etc/krb5.conf

[libdefaults]
    default_realm = MSK.HOME.RU
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
#    default_keytab_name = /etc/squid3/proxy.keytab
#    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
#    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
#    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[domain_realm]
    .MSK.HOME.RU = MSK.HOME.RU
    MSK.HOME.RU = MSK.HOME.RU

[login]
    krb4_convert = true
    krb4_get_tickets = false

[global]
    usershare allow guests = yes
    unix password sync = yes
    panic action = /usr/share/samba/panic-action %d
    dns proxy = no
    syslog = 0
    os level = 20
    passwd program = /usr/bin/passwd %u
    passdb backend = tdbsam
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    log file = /var/log/samba/log.%m
    netbios name = Conductor
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    max log size = 1000
    map to guest = bad user
    server role = standalone server
    workgroup = MSK
    realm = MSK.HOME.RU
    obey pam restrictions = yes
    pam password change = yes
    security = ADS
    encrypt passwords = true
    dns proxy = no
    socket options = TCP_NODELAY
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    domain logons = no
    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

/var/lib/samba -s /bin/false %u

[homes]
    directory mask = 0700
    create mask = 0700
    browseable = no
    valid users = %S
    path = /home/
    comment = Home Directories
    public = yes

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[temp]
    user = administrator,root
    write list = administrator,root
    path = /home/
    valid users = administrator,root

ktpass -princ HTTP/SQUID.HOME.RU@HOME.RU -mapuser KOMs-KOM-SquidKerb -pass PasSw0rd -crypto All -ptype KRB5_NT_PRINCIPAL -out C:\Temp\PROXY.keytab

# SQUID 3.4.8 Configuration # —————————————————————————— # # OPTIONS FOR AUTHENTICATION # —————————————————————————— # # Negotiate Kerberos and NTLM authentication auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth —ntlm /usr/bin/ntlm_auth —diagnostics —helper-protocol=squid-2.5-ntlmssp —kerberos /usr/lib/squid3/negotiate_kerberos_auth -r -s HTTP/SQUID.HOME.RU@MSK.HOME.RU auth_param negotiate children 200 startup=50 idle=10 auth_param negotiate keep_alive off

# Only NTLM authentication auth_param ntlm program /usr/bin/ntlm_auth —diagnostics —helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 100 startup=20 idle=5 auth_param ntlm keep_alive off

# Basic authentication via ldap for clients not authenticated via kerberos/ntlm auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -P -R -b «dc=MSK,dc=HOME,dc=ru» -D squid3@MSK.HOME.RU -W /etc/squid3/conf_param_ldappass.txt -f sAMAccountName=%s -h MSK-dc1.MSK.HOME.RU auth_param basic children 20 auth_param basic realm «MSK-DC1.MSK.HOME.RU SQUID Proxy Server Basic authentication!» auth_param basic credentialsttl 2 hours

# ACCESS CONTROLS
# ——————————————————————————
#
# LDAP authorization
external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -v 3 -P -R -K -b "dc=MSK,dc=home,dc=ru" -D squid3@MSK.HOME.RU -W /etc/squid3/conf_param_ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf:1.2.840.113556.1.4.1941:=cn=%g,OU=Security Groups,OU=MSK,DC=msk,DC=home,DC=ru))" -h MSK-dc1.MSK.HOME.RU
#
acl auth proxy_auth REQUIRED
acl BlockedAccess external memberof "/etc/squid3/conf_param_groups_blocked.txt"
acl RestrictedAccess external memberof "/etc/squid3/conf_param_groups_restricted.txt"
acl StandardAccess external memberof "/etc/squid3/conf_param_groups_standard.txt"
acl FullAccess external memberof "/etc/squid3/conf_param_groups_full_auth.txt"
acl AnonymousAccess external memberof "/etc/squid3/conf_param_groups_full_anon.txt"

acl allowedsites dstdomain "/etc/squid3/conf_param_sites_allowed.txt"
acl blockedsites dstdomain "/etc/squid3/conf_param_sites_blocked.txt"
acl prioritysites dstdomain "/etc/squid3/conf_param_sites_priority.txt"
#
acl LocalWUServers src "/etc/squid3/conf_param_computers_wsus.txt"
acl GlobalWUSites dstdomain "/etc/squid3/conf_param_sites_wsus.txt"
#
#
# Squid default ACLs
# ACLs all, manager, localhost, and to_localhost are predefined.
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32 ::1
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 172.17.0.0/24 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Allow cachemgr access from localhost and localnet
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager

# Allow direct access to Windows Update
http_access allow GlobalWUSites LocalWUServers

# Allow unrestricted access to prioritysites
http_access allow prioritysites localnet

# Enforce authentication, order of rules is important for authorization levels
http_access deny !auth

# Prevent access to basic auth prompt for BlockedAccess users
http_access deny BlockedAccess all
http_access allow allowedsites localnet
http_access deny RestrictedAccess all
http_access allow AnonymousAccess auth localnet
http_access allow FullAccess auth localnet
http_access deny blockedsites
http_access allow StandardAccess auth localnet

# And finally deny all other access to this proxy
http_access deny all
#
# NETWORK OPTIONS
# ——————————————————————————
#
http_port 172.17.16.94:3128
#
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# ——————————————————————————
#
hierarchy_stoplist cgi-bin ?
forward_max_tries 25
#

# LOGFILE OPTIONS
# ——————————————————————————
#
# don't log AnonymousAccess access
access_log daemon:/var/log/squid3/access.log squid !AnonymousAccess

# OPTIONS FOR TROUBLESHOOTING
# ——————————————————————————
#
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3

# OPTIONS FOR TUNING THE CACHE
# ——————————————————————————
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

# ADMINISTRATIVE PARAMETERS
# ——————————————————————————
#
cache_mgr it@MSK.RU
httpd_suppress_version_string on
visible_hostname SQUID MSK.RU

# ERROR PAGE OPTIONS
# ——————————————————————————
#
error_directory /usr/share/squid3/errors/ru
error_default_language ru
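Squid evaluates http_access rules first-match, so where the `deny blockedsites` line sits relative to the group allows decides which users it actually applies to (in the posted config FullAccess users are allowed before it is reached, StandardAccess users after). The following added example, which is neither part of the original post nor Squid's own code, models that chain for the ACL names in the posted squid.conf; the requests it evaluates are constructed test input and the cachemgr rules are omitted.

```python
# Added example: first-match evaluator for the http_access chain in the posted
# squid.conf. ACL names and rule order are copied from that config; requests are
# constructed test input. The cachemgr rules are omitted.

# (action, terms) in config order; a leading "!" negates a term.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["GlobalWUSites", "LocalWUServers"]),
    ("allow", ["prioritysites", "localnet"]),
    ("deny",  ["!auth"]),
    ("deny",  ["BlockedAccess", "all"]),
    ("allow", ["allowedsites", "localnet"]),
    ("deny",  ["RestrictedAccess", "all"]),
    ("allow", ["AnonymousAccess", "auth", "localnet"]),
    ("allow", ["FullAccess", "auth", "localnet"]),
    ("deny",  ["blockedsites"]),
    ("allow", ["StandardAccess", "auth", "localnet"]),
    ("deny",  ["all"]),
]

# Port sets as declared by the acl Safe_ports / acl SSL_ports lines.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


def request(*lists, authenticated=True, localnet=True, port=80, connect=False):
    """Set of ACL names a constructed request matches.

    *lists are the list-backed ACLs that hit: memberof groups such as
    "StandardAccess", dstdomain lists such as "blockedsites", or "LocalWUServers".
    """
    flags = {
        "Safe_ports": port in SAFE_PORTS,
        "SSL_ports": port in SSL_PORTS,
        "CONNECT": connect,
        "localnet": localnet,
        "auth": authenticated,
    }
    return {"all", *lists} | {name for name, on in flags.items() if on}


def evaluate(matched):
    """Action of the first http_access rule whose terms all match, as Squid does."""
    for action, terms in HTTP_ACCESS:
        if all(t[1:] not in matched if t.startswith("!") else t in matched
               for t in terms):
            return action
    return "deny"  # not reached here: the chain ends in "deny all"
```

Swapping the `deny blockedsites` and `allow FullAccess` entries in HTTP_ACCESS and re-running the FullAccess case shows how a single reorder changes the outcome for that group.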
