Feature #1987

Squid GSSAPI/GSS-Negotiate (Kerberos) authentication

Added by Giacomo Sanchietti about 8 years ago. Updated over 7 years ago.

Status: CLOSED
Start date: 11/28/2013
Priority: Normal
Due date: 11/29/2013
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.5-beta3
Resolution: -
NEEDINFO: No

Description

Actually, the proxy supports only authentication using PAM.

Add authentication via kerberos: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos


Related issues

Related to NethServer 6 - Bug #2407: Kerberos keytab file is missing for new services CLOSED 11/29/2013 11/29/2013

Associated revisions

Revision e3050aa3
Added by Davide Principi over 7 years ago

Enable GSSAPI/SPNEGO authentication if samba role is ADS. Refs #1987

Kerberos setup relies on nethserver-samba smbads script: added
KrbStatus and KrbPrimaryList props to squid key. Environment vars are
set in /etc/sysconfig/squid template. Requires squid >= 3.3.10

Revision 8ee2d2bb
Added by Davide Principi over 7 years ago

Create kerberos keytab if machine has samba ADS role. Refs #2407 #1987

Revision 13da35a6
Added by Davide Principi over 7 years ago

Use LDAP helper for BASIC authentication method. Refs #1987

Reload squid daemon on password-modify and user lock/unlock events to
invalidate credentials cache (TTL set to 1 hour).

Revision 72bcb184
Added by Davide Principi over 7 years ago

Use squid NTLM helper, if we have samba in PDC role. Refs #1987

Revision 4b0fb8ad
Added by Davide Principi over 7 years ago

Enable GSSAPI/SPNEGO authentication if samba role is ADS. Refs #1987

Kerberos setup relies on nethserver-samba smbads script: added
KrbStatus and KrbPrimaryList props to squid key. Environment vars are
set in /etc/sysconfig/squid template. Requires squid >= 3.3.10

Revision b0913f78
Added by Davide Principi over 7 years ago

Create kerberos keytab if machine has samba ADS role. Refs #2407 #1987

Revision bd5f5794
Added by Davide Principi over 7 years ago

Use LDAP helper for BASIC authentication method. Refs #1987

Reload squid daemon on password-modify and user lock/unlock events to
invalidate credentials cache (TTL set to 1 hour).

Revision c8150917
Added by Davide Principi over 7 years ago

Use squid NTLM helper, if we have samba in PDC role. Refs #1987

History

#1 Updated by Filippo Carletti almost 8 years ago

  • Target version changed from ~FUTURE to v6.5-beta3

#2 Updated by Giacomo Sanchietti almost 8 years ago

  • Subject changed from Proxy: add kerberos authentication to Proxy: add Kerberos authentication (GSSAPI)

#3 Updated by Davide Principi over 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#4 Updated by Davide Principi over 7 years ago

  • Due date set to 11/29/2013
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 11/28/2013
  • % Done changed from 20 to 30
  • Estimated time set to 8.00

#5 Updated by Davide Principi over 7 years ago

We need to upgrade the squid package to the latest version (squid-3.3.10-1.el6.x86_64). In squid-3.3.5-1.el6.x86_64 the init.d/ script is missing the /etc/sysconfig/squid inclusion.

This is required to set KRB5_KTNAME environment variable.

Add

#6 Updated by Davide Principi over 7 years ago

  • Subject changed from Proxy: add Kerberos authentication (GSSAPI) to Proxy: add Kerberos authentication (GSSAPI/GSS-Negotiate)

#7 Updated by Davide Principi over 7 years ago

  • Subject changed from Proxy: add Kerberos authentication (GSSAPI/GSS-Negotiate) to Squid GSSAPI/GSS-Negotiate (Kerberos) authentication

#8 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

MODIFIED

Now the following authentication schemes are available:

In other words, BASIC is always supported on the multi-user stack. You are warned: passwords are sent in clear text.

Test case 1 - without samba

  1. Install nethserver-squid
  2. Enable squid, setting mode authenticated
  3. Install and configure nethserver-directory, create some users
  4. Proceed with common steps below

Test case 2 - samba PDC

  1. Install nethserver-squid
  2. Enable squid, setting mode authenticated
  3. Install and configure nethserver-samba with PDC role
  4. Proceed with common steps below

Test case 3 - pre AD join

  1. Install nethserver-squid
  2. Enable squid, setting mode authenticated
  3. Install and configure nethserver-samba with ADS role
  4. Proceed with common steps below

Test case 4 - post AD join

  1. Install and configure nethserver-samba with ADS role
  2. Install nethserver-squid
  3. Enable squid, setting mode authenticated
  4. Proceed with common steps below

Common steps

From another machine test the appropriate proxy authentication scheme.

  • BASIC
        $ curl -v --proxy-basic -U 'DOMAIN\username:password' -x squidmachine:3128 http://example.com/

  • NTLM
        $ curl -v --proxy-ntlm -U 'DOMAIN\username:password' -x squidmachine:3128 http://example.com/

  • NEGOTIATE
        $ kinit <ADSPRINCIPAL>
        $ curl --proxy-negotiate -U : -v -x squidmachine:3128 http://example.com/

On the NethServer host check the log files:
  • /var/log/squid/access.log
  • /var/log/squid/cache.log
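A log check for the common steps above, added here as an example and not part of the ticket or of nethserver-squid: it reads squid's access.log and reports, per client, whether the last request was served with an authenticated user. It assumes squid's native log format and uses constructed sample lines; on a NethServer host point the functions at /var/log/squid/access.log instead.

```shell
#!/bin/sh
# Added example (not from the ticket): per client IP, report whether the
# last proxied request was served with a user name or still ends on a
# TCP_DENIED/407 challenge (the symptom of a browser that keeps prompting).
# Assumes squid's native log format:
#   time elapsed client action/code bytes method url user hierarchy type

# make_sample_log: writes CONSTRUCTED sample lines (not real traffic) and
# prints the temp file path; use the real access.log in practice.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
1385631123.456    120 192.168.1.10 TCP_DENIED/407 3875 GET http://example.com/ - HIER_NONE/- text/html
1385631123.789    340 192.168.1.10 TCP_MISS/200 1256 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1385631130.001    310 192.168.1.11 TCP_DENIED/407 3875 GET http://example.com/ - HIER_NONE/- text/html
1385631130.250    300 192.168.1.11 TCP_MISS/200 1256 GET http://example.com/ bob@AD.EXAMPLE.COM HIER_DIRECT/93.184.216.34 text/html
1385631140.500    100 192.168.1.12 TCP_DENIED/407 3875 GET http://example.com/ - HIER_NONE/- text/html
1385631140.700    100 192.168.1.12 TCP_DENIED/407 3875 GET http://example.com/ - HIER_NONE/- text/html
EOF
    printf '%s\n' "$f"
}

# auth_result LOGFILE CLIENT_IP
# "OK <user>"  last request served and attributed to a user
# "DENIED"     last request still answered with a 407 challenge
# "NOAUTH"     served, but without any user name (auth not enforced)
# "NOLOG"      client never appears in the log
auth_result() {
    awk -v ip="$2" '
        $3 == ip { split($4, s, "/"); code = s[2]; user = $8; seen = 1 }
        END {
            if (!seen)              print "NOLOG"
            else if (code == "407") print "DENIED"
            else if (user == "-")   print "NOAUTH"
            else                    print "OK " user
        }' "$1"
}

# check_all LOGFILE: one "<ip> <result>" line per client seen in the log
check_all() {
    awk '{ print $3 }' "$1" | sort -u | while read -r ip; do
        printf '%s %s\n' "$ip" "$(auth_result "$1" "$ip")"
    done
}

LOG=$(make_sample_log)
check_all "$LOG"
```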

#9 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-samba-1.3.6-4.0git0af6fbfa.ns6.noarch.rpm
nethserver-squid-1.0.4-6.0git72bcb184.ns6.noarch.rpm

#10 Updated by Giacomo Sanchietti over 7 years ago

  • Assignee set to Giacomo Sanchietti

#11 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

All authentications work fine.

But some problems were encountered during testing.

Test case 2

A Windows XP machine joined to the Samba domain can successfully authenticate to the proxy, but the user is prompted for credentials each time the browser is started.

Test case 4

Same as test case 2 with Windows XP. No problems with the Administrator user from the AD server itself: authentication is automatic using Kerberos.

We need further tests on a real environment, but for now the issue is VERIFIED as it implements all requested features.

Note

Moved perl-Authen-Smb-0.91-2.2.x86_64.rpm and squid-3.3.10-1.el6.x86_64.rpm to nethserver-testing.

#12 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm
