29 June 2009

Integrating Active Directory and Squid3

Posted by Michele Baldessari under: en; tech.

Here’s my third and probably last post on AD integration and Linux. This time the goal is to have Kerberos authentication integrated with Squid, so that users are not prompted for additional authentication when surfing the web.

The setup is exactly the same as in the two previous articles (just with a 2008 DC instead of a 2003R2):

  • Domain Controller and Kerberos KDC – Windows Server 2008 – dc1.win2008.corp (172.16.11.152)
  • Proxy Server – Debian Squeeze (as of 05/2009) – www.win2008.corp (172.16.11.16)
  • Client1 – Windows XP Professional – client1.win2008.corp (172.16.11.252)

I’ll assume that the AD domain is already configured and that the Debian box is already joined to the domain (see the previous blog posts on how to do that). As a first step the squid3 package needs to be installed (unless Debian bug #532064 has been fixed you’ll need to recompile the Debian package with the options mentioned in the bug report):

apt-get install squid3

Then we need to export the HTTP/www.win2008.corp service principal into the keytab, as required for Kerberos authentication:

net ads keytab add -U Administrator HTTP

Once that is done we’ll have the appropriate keys in the default keytab (/etc/krb5.keytab). With ktutil you can explore the keys in the file:
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1    2       host/www.win2008.corp@WIN2008.CORP
2    2       host/www.win2008.corp@WIN2008.CORP
3    2       host/www.win2008.corp@WIN2008.CORP
4    2                    host/www@WIN2008.CORP
5    2                    host/www@WIN2008.CORP
6    2                    host/www@WIN2008.CORP
7    2                        WWW$@WIN2008.CORP
8    2                        WWW$@WIN2008.CORP
9    2                        WWW$@WIN2008.CORP
10    2       HTTP/www.win2008.corp@WIN2008.CORP
11    2       HTTP/www.win2008.corp@WIN2008.CORP
12    2       HTTP/www.win2008.corp@WIN2008.CORP
13    2                    HTTP/www@WIN2008.CORP
14    2                    HTTP/www@WIN2008.CORP
15    2                    HTTP/www@WIN2008.CORP

Make sure squid can read the keytab file: use an ACL, change the file permissions, or move the HTTP keys to a separate keytab and point squid at it from the init script:
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

Here’s a minimal configuration to test Kerberos negotiate authentication in squid (only the relevant parts):
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED
http_access allow AUTHENTICATED
http_access deny all

At this point a simple XP client that is joined to the win2008.corp domain and uses www.win2008.corp as its proxy should be able to surf authenticated (do not forget to make sure that IE’s integrated authentication option is enabled):

[Image: squid-log1]
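As an added example (not part of the original post), a small POSIX shell script that pre-flights the two things the steps above require: that the HTTP/<fqdn> key is actually in the keytab and that the account squid runs as can read it, which is the usual cause of the gss_acquire_cred() "Permission denied" failure discussed in the comments. It assumes Debian’s squid3 runs as user proxy, that MIT klist is installed, and defaults to the hostname and keytab path used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight the keytab that
# squid_kerb_auth will read. Assumptions: Debian's squid3 runs as user
# "proxy"; MIT klist; FQDN and keytab path default to the post's values.
KEYTAB="${KRB5_KTNAME:-/etc/krb5.keytab}"
SQUID_USER="${SQUID_USER:-proxy}"
FQDN="${FQDN:-www.win2008.corp}"

# keytab_has_principal SERVICE HOST  (reads a "klist -kt" or ktutil "l"
# listing on stdin). Succeeds when a key for SERVICE/HOST@REALM is listed.
# Parsing the listing, rather than calling klist here, lets the check be
# run against a saved listing as well.
keytab_has_principal() {
    awk -v want="$1/$2@" 'index($NF, want) == 1 { found = 1 }
                          END { if (found) exit 0; exit 1 }'
}

# keytab_readable_by FILE USER. As root it switches to USER to test for
# real (this is what catches the "Permission denied" from gss_acquire_cred);
# otherwise it falls back to testing as the current user.
keytab_readable_by() {
    if [ "$(id -u)" -eq 0 ] && id "$2" >/dev/null 2>&1; then
        su -s /bin/sh "$2" -c "test -r '$1'"
    else
        test -r "$1"
    fi
}

# check_keytab FILE USER FQDN: runs both checks and returns the number of
# failures (0 means the keytab is ready for the negotiate helper).
check_keytab() {
    _fails=0
    if keytab_readable_by "$1" "$2"; then
        echo "ok:   $1 is readable by $2"
    else
        echo "FAIL: $2 cannot read $1 (fix permissions or use KRB5_KTNAME)"
        _fails=$((_fails + 1))
    fi
    if klist -kt "$1" 2>/dev/null | keytab_has_principal HTTP "$3"; then
        echo "ok:   HTTP/$3 key present in $1"
    else
        echo "FAIL: no HTTP/$3 key; run: net ads keytab add -U Administrator HTTP"
        _fails=$((_fails + 1))
    fi
    return $_fails
}

# Run the checks only when RUN_CHECK is set, so the file can also be sourced.
if [ -n "$RUN_CHECK" ]; then check_keytab "$KEYTAB" "$SQUID_USER" "$FQDN"; fi
```

Run it as root with RUN_CHECK=1 (and KRB5_KTNAME set if you moved the keys) before starting squid3.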

8 Comments so far...

Alessio Spadaro Says:

3 July 2009 at 6:21 pm.

DZoned ;)
http://www.dzone.com/links/integrating_active_directory_and_squid3.html

Jorge Medina Says:

5 October 2009 at 7:18 am.

Hi michele,

I think this looks much better than NTLM Auth (also using samba/kerberos) because when using NTLM against AD you will see a TCP_DENIED connection for every client trying to browse a web page; this is because of the challenge/response nature of NTLM, and this is really problematic for access reports :( .

Do you know if you get the same behavior using kerb auth directly on squid?

And another thing: is there any support for group authorization, like wbinfo_group?

Best regards.

Michele Baldessari Says:

7 October 2009 at 9:38 pm.

Hello Jorge,

Well, you use samba in this case just to get the keytab updated for the squid service, not for much else. You have two options to make group authorization work: LDAP scripts or using winbind. I have not tried any of these recently, but they both can be shoehorned to work. Maybe I’ll spend a few evenings one day and complete the article with the group membership.

hth,
Michele

Khushil Dep Says:

15 October 2009 at 5:15 pm.

Hi there,
I’ve followed this tutorial and I’m seeing the following:

gb-reaver:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wakdep@BOUNTYGROUP.LOCAL

Valid starting Expires Service principal
10/15/09 16:02:06 10/16/09 02:02:09 krbtgt/BOUNTYGROUP.LOCAL@BOUNTYGROUP.LOCAL
renew until 10/16/09 02:02:06
gb-reaver:~# tail /var/log/squid3/
access.log cache.log store.log
gb-reaver:~# tail /var/log/squid3/access.log
1255619426.937 0 10.4.4.211 TCP_DENIED/407 3089 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619429.164 0 10.4.4.211 TCP_DENIED/407 3192 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619432.461 0 10.4.4.211 TCP_DENIED/407 3192 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619440.400 2 10.4.4.211 TCP_DENIED/407 5024 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619447.557 0 10.4.4.211 TCP_DENIED/407 3192 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619451.240 0 10.4.4.211 TCP_DENIED/407 3137 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619451.246 0 10.4.4.211 TCP_DENIED/407 3240 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619457.105 0 10.4.4.211 TCP_DENIED/407 3240 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619464.663 2 10.4.4.211 TCP_DENIED/407 5022 GET http://www.bbc.co.uk/ - NONE/- text/html
1255619468.136 2 10.4.4.211 TCP_DENIED/407 5022 GET http://www.bbc.co.uk/ - NONE/- text/html

It seems that no tickets are being created?

Khushil Dep Says:

15 October 2009 at 5:17 pm.

I’m seeing the following in the logs:

2009/10/15 16:15:51| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Permission denied
2009/10/15 16:15:51| squid_kerb_auth: Got ‘YR …’ from squid (length: 1791).
2009/10/15 16:15:51| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Permission denied
2009/10/15 16:15:52| squid_kerb_auth: Got ‘YR …’ from squid (length: 1791).
2009/10/15 16:15:52| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Permission denied

Declan Caffrey Says:

18 November 2009 at 11:52 am.

Khushil,
I’m getting the same messages, just wondering if you resolved your issues and, if so, what the resolution was.

Michele Baldessari Says:

23 November 2009 at 12:27 am.

Declan & Khushil,

To be sure, I’d strace the squid process and then look for the Permission denied string. My bet is that the squid process can’t read the keytab.

hth,
Michele

DHG Says:

2 February 2010 at 7:30 pm.

Michele,

Most useful and informative; it helped me to use squid3 with an MIT KDC on my Fedora 12.
Worked like a charm.

–dhg
