Feature #1987
Squid GSSAPI/GSS-Negotiate (Kerberos) authentication
Status: | CLOSED | Start date: | 11/28/2013 | |
---|---|---|---|---|
Priority: | Normal | Due date: | 11/29/2013 | |
Assignee: | - | % Done: | 100% | |
Category: | nethserver-squid | |||
Target version: | v6.5-beta3 | |||
Resolution: | NEEDINFO: | No |
Description
Actually proxy support only authentication using PAM.
Add authentication via kerberos: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Related issues
Associated revisions
Enable GSSAPI/SPNEGO authentication if samba role is ADS. Refs #1987
Kerberos setup relies on nethserver-samba smbads script: added
KrbStatus and KrbPrimaryList props to squid key. Environment vars are
set in /etc/sysconfig/squid template. Requires squid >= 3.3.10
Use LDAP helper for BASIC authentication method. Refs #1987
Reload squid daemon on password-modify and user lock/unlock events to
invalidate credentials cache (TTL set to 1 hour).
Use squid NTLM helper, if we have samba in PDC role. Refs #1987
Enable GSSAPI/SPNEGO authentication if samba role is ADS. Refs #1987
Kerberos setup relies on nethserver-samba smbads script: added
KrbStatus and KrbPrimaryList props to squid key. Environment vars are
set in /etc/sysconfig/squid template. Requires squid >= 3.3.10
Use LDAP helper for BASIC authentication method. Refs #1987
Reload squid daemon on password-modify and user lock/unlock events to
invalidate credentials cache (TTL set to 1 hour).
Use squid NTLM helper, if we have samba in PDC role. Refs #1987
History
#1 Updated by Filippo Carletti almost 8 years ago
- Target version changed from ~FUTURE to v6.5-beta3
#2 Updated by Giacomo Sanchietti almost 8 years ago
- Subject changed from Proxy: add kerberos authentication to Proxy: add Kerberos authentication (GSSAPI)
#3 Updated by Davide Principi over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#4 Updated by Davide Principi over 7 years ago
- Due date set to 11/29/2013
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- Start date set to 11/28/2013
- % Done changed from 20 to 30
- Estimated time set to 8.00
#5 Updated by Davide Principi over 7 years ago
We need to upgrade the squid package to the latest version (squid-3.3.10-1.el6.x86_64). In squid-3.3.5-1.el6.x86_64
the init.d/ script is missing /etc/sysconfig/squid inclusion.
This is required to set KRB5_KTNAME
environment variable.
#6 Updated by Davide Principi over 7 years ago
- Subject changed from Proxy: add Kerberos authentication (GSSAPI) to Proxy: add Kerberos authentication (GSSAPI/GSS-Negotiate)
#7 Updated by Davide Principi over 7 years ago
- Subject changed from Proxy: add Kerberos authentication (GSSAPI/GSS-Negotiate) to Squid GSSAPI/GSS-Negotiate (Kerberos) authentication
#8 Updated by Davide Principi over 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
MODIFIED
Now the following authentication schemes are available:
- BASIC / if nethserver-directory is installed
- NTLM / if nethserver-samba is installed and
ServerRole
isPDC
- NEGOTIATE / if nethserver-samba is installed and
ServerRole
isADS
In other words BASIC is always supported on the multiusers stack. You are warned: passwords are sent in clear-text.
Test case 1 - without samba
- Install nethserver-squid
- Enable squid, setting mode
authenticated
- Install and configure nethserver-directory, create some users
- Proceed with common steps below
Test case 2 - samba PDC
- Install nethserver-squid
- Enable squid, setting mode
authenticated
- Install and configure nethserver-samba with PDC role
- Proceed with common steps below
Test case 3 - pre AD join
- Install nethserver-squid
- Enable squid, setting mode
authenticated
- Install and configure nethserver-samba with ADS role
- Proceed with common steps below
Test case 4 - post AD join
- Install and configure nethserver-samba with ADS role
- Install nethserver-squid
- Enable squid, setting mode
authenticated
- Proceed with common steps below
Common steps
From another machine test the appropriate proxy authentication scheme.
- BASIC
$ curl -v --proxy-basic -U 'DOMAIN\username:password' -x squidmachine:3128 http://example.com/
- NTLM
$ curl -v --proxy-ntlm -U 'DOMAIN\username:password' -x squidmachine:3128 http://example.com/
- NEGOTIATE
$ kinit <ADSPRINCIPAL> $ curl --proxy-negotiate -U : -v -x squidmachine:3128 http://example.com/
- /var/log/squid/access.log
- /var/log/squid/cache.log
#9 Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-samba-1.3.6-4.0git0af6fbfa.ns6.noarch.rpm
nethserver-squid-1.0.4-6.0git72bcb184.ns6.noarch.rpm
#10 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#11 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
All authentications work fine.
But some problems where encountered during testing.
Test case 2
WindowsXP machine joined to Samba domain can successfully authenticate to proxy, but the user is request for credentials each time the browser is started.
test case 4
Same as test case 2 with Windows XP. No problems with Administrator user from AD server itself: authentication is automatic using kerberos.
We need further tests on a real environment, but for now the issue is VERIFIED as it implements all requested features.
Note
Moved perl-Authen-Smb-0.91-2.2.x86_64.rpm and squid-3.3.10-1.el6.x86_64.rpm to nethserver-testing.
#12 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm