Я пытаюсь интегрировать squid 3.5.19 с AD / Kerberos (Windows 2008 R2), но всегда получаю TCP_DENIED:HIER_NONE
Это ошибки в /var/log/squid/cache.log
2016/07/28 10:26:01.583 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2016/07/28 10:26:01.584 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.584 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test on:local=192.168.50.22:3128 remote=192.168.50.47:56015 FD 16 flags=1
2016/07/28 10:26:01.625 kid1| 29,4| UserRequest.cc(350) authenticate: No connection authentication type
2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(36) CreateAuthUser: header = 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/28 10:26:01.625 kid1| 29,5| User.cc(39) User: Initialised auth_user '0x2857400'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(95) UserRequest: initialised request 0x28576b0
2016/07/28 10:26:01.625 kid1| 29,9| Config.cc(267) decode: decode Negotiate authentication
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. Received blob: 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.625 kid1| 29,9| UserRequest.cc(46) start: 0x28576b0
2016/07/28 10:26:01.625 kid1| 29,8| UserRequest.cc(134) startHelperLookup: credentials state is '2'
negotiate_kerberos_auth.cc(610): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(663): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(673): pid=11509 :2016/07/28 10:26:01| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2016/07/28 10:26:01.626 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: '0x2860438/0x2860438' sent us reply={result=BH, notes={message: received type 1 NTLM token; }}
2016/07/28 10:26:01.626 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: releasing Negotiate auth server '0x2860438'
2016/07/28 10:26:01.626 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x28576b0'.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.
2016/07/28 10:26:01.626 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.626 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.732 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.732 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.913 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.913 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.956 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.956 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.980 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.980 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:01.993 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:01.993 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:02.004 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL
2016/07/28 10:26:02.004 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'
2016/07/28 10:26:09.555 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.556 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.556 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x28576b0
2016/07/28 10:26:09.556 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x2857400'
2016/07/28 10:26:09.556 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x2857400'.
2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.559 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.559 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x286f4d0
2016/07/28 10:26:09.559 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x286f2a0'
2016/07/28 10:26:09.559 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x286f2a0'.
2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.563 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.
2016/07/28 10:26:09.563 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x2857ab0
2016/07/28 10:26:09.563 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x241e990'
2016/07/28 10:26:09.563 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x241e990'.
Я создал keytab в Windows с помощью ktpass:
ktpass /princ host/kanban.infoestructura.local@EXAMPLE.LOCAL /mapuser squid@EXAMPLE.LOCAL /crypto rc4-hmac-nt /pass * /ptype KRB5_NT_PRINCIPAL /out C:\Soporte\winkrb5.keytab
а затем скопировал в squid, и я вижу следующее:
klist -kt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 12/31/1969 21:00:00 HTTP/kanban.example.local@EXAMPLE.LOCAL
Интересно, связана ли неправильная метка времени с проблемой
Kerberos и соответствующие файлы конфигурации squid следующие:
[ведение журнала] по умолчанию = ФАЙЛ: /var/log/krb5libs.log kdc = ФАЙЛ: /var/log/krb5kdc.log admin_server = ФАЙЛ: /var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
squid.conf:
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/kanban.example.local@example.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb_auth proxy_auth REQUIRED
Является ли временная метка keytab причиной ошибок? Я делаю что-то неправильно?
Ну, наконец, спасибо @Rafael, я нашел решение:
Заменить:
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/kanban.example.local@example.LOCAL
по:
auth_param negotiate program /usr/lib64/squid/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
Также я запустил сервисы smb и winbind
Запись «gotiate_kerberos_auth: WARNING: полученный токен NTLM типа 1 »в журнале означает, что ваш браузер предоставил токен Negotiate / NTLM вместо Negotiate / Kerberos, который может обработать вашgotiate_kerberos_auth.
Вам также потребуется настроить NTLM-аутентификатор для схемы аутентификации Negotiate. Один из способов - установить и настроить Samba, как указано на http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#NTLM или используйте перенаправление учетных данных NTLM на сервер LDAP, как указано на http://docs.diladele.com/administrator_guide_4_6/active_directory/install_prerequisites_for_ntlm_authentication.html
Если ваша машина находится в домене, а пользователь является пользователем домена, то, скорее всего, вы настроили свой прокси как IP-адрес и Kerberos. требует прокси-сервер должен быть установлен как полное доменное имя в браузере. Инструкции по устранению неполадок см. http://docs.diladele.com/administrator_guide_4_6/active_directory/troubleshooting.html.