Bug 31967 - add gss-spnego (kerberos) support to squid_ldap_ntlm_auth
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Squid
Version: UCS 3.1
Hardware/OS: Other Linux
Priority/Severity: P5 enhancement
Target Milestone: UCS 3.1-1-errata
Assigned To: Felix Botner
QA Contact: Erik Damrose
Depends on:
Blocks: 31905 31972 31995 32029
Reported: 2013-07-12 15:25 CEST by Felix Botner
Modified: 2017-03-06 17:58 CET

Description Felix Botner univentionstaff 2013-07-12 15:25:13 CEST
We should add gss-spnego (Kerberos) support to squid_ldap_ntlm_auth.

Then we activate squid negotiate:

# auth negotiate
auth_param negotiate program /usr/lib/squid3/squid_ldap_ntlm_auth --debug --gss-spnego
auth_param negotiate children 10

Linux users with a Kerberos ticket can then authenticate to the squid server without a password prompt. Windows users with a ticket (samba4) can, too.

Windows users without a ticket (samba3) can also authenticate without a password, because then Windows does NTLM over negotiate.
Comment 1 Felix Botner univentionstaff 2013-07-15 14:01:03 CEST
Added negotiate support to squid_ldap_ntlm_auth. squid_ldap_ntlm_auth is now also a negotiate wrapper for kerberos (with /usr/lib/squid3/squid_kerb_auth as backend) and ntlm over negotiate.

In negotiate mode squid_ldap_ntlm_auth starts /usr/lib/squid3/squid_kerb_auth and redirects negotiate krb5 authentication tickets to squid_kerb_auth.

Negotiate is still not activated by default, and negotiate krb5 works only in a samba4 environment (-> Bug #31968).

The default auth negotiate tool for squid is now "/usr/lib/squid3/squid_ldap_ntlm_auth --gss-spnego --gss-spnego-strip-realm". To revert to the old config, "ucr set squid/krb5auth/tool=/usr/lib/squid3/squid_kerb_auth" can be used.


Here is my test matrix. 

Win7 Proxy settings: 
  FQDN for proxy server -> negotiate kerberos
  IP for proxy server -> negotiate ntlm

UCS 3.1-1 with samba4 and squid server with negotiate, ntlm and basic authentication activated.

ok - works
nu - not used
pp - password prompt

                    | ntlm       |  negotiate krb5  |  negotiate ntlm
--------------------|------------|------------------|----------------
winxp (domain user) |  ok        |      nu          |     nu
--------------------|------------|------------------|----------------
winxp (local user)  |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
win7 (domain user)  |  nu        |      ok          |     ok
--------------------|------------|------------------|----------------
win7 (local user)   |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
UCC                 |  ok (pp)   |      ok          |     nu
--------------------|------------|------------------|----------------
ipad                |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
asus tablet         |  ok (pp)   |      nu          |     nu
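Comment 1 describes squid_ldap_ntlm_auth in --gss-spnego mode as a negotiate wrapper that hands Kerberos tokens to squid_kerb_auth and handles NTLM over negotiate itself. The following is an added example, written for this page and not taken from the bug report or from Univention's helper, showing the classification step such a wrapper has to perform on each token squid passes it: decode the base64 from the YR/KK request line, tell a bare NTLMSSP message, a SPNEGO-wrapped NTLMSSP message (what Win7 sends when the proxy is configured by IP) and a SPNEGO token whose preferred mechanism is Kerberos (proxy configured by FQDN) apart by their DER structure, and pick the backend. The squid helper protocol keywords (YR, KK, TT, AF, NA, BH) and the mechanism OIDs are real; the function names, the backend labels and the sample tokens are constructed for the example, and the placeholder AP-REQ body would of course not pass squid_kerb_auth.

```python
# Added example, not code from the bug report or from Univention's squid_ldap_ntlm_auth:
# the token classification a Squid negotiate helper wrapper needs in order to pass
# Kerberos tokens to squid_kerb_auth and NTLMSSP tokens to an NTLM backend.
import base64
import binascii

def oid_value(dotted):
    """DER content octets of an OBJECT IDENTIFIER (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

SPNEGO_OID = oid_value("1.3.6.1.5.5.2")            # GSS-API SPNEGO pseudo-mechanism
KRB5_OID = oid_value("1.2.840.113554.1.2.2")       # Kerberos V5 (RFC 1964)
MS_KRB5_OID = oid_value("1.2.840.48018.1.2.2")     # Microsoft Kerberos V5 variant
NTLMSSP_OID = oid_value("1.3.6.1.4.1.311.2.2.10")  # NTLMSSP inside SPNEGO
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def der(tag, body):
    """One DER TLV with definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def build_spnego_init(mech_oids, mech_token):
    """NegTokenInit ([0] mechTypes, [2] mechToken) in a GSS InitialContextToken.
    Used here only to construct sample tokens."""
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))

def classify_token(token):
    """'ntlm', 'krb5' or 'unknown' for a decoded Negotiate token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                                  # bare NTLMSSP, no SPNEGO wrapper
    try:
        tag, body, _ = read_tlv(token, 0)
        otag, mech, pos = read_tlv(body, 0)
        if tag != 0x60 or otag != 0x06:
            return "unknown"
        if mech in (KRB5_OID, MS_KRB5_OID):
            return "krb5"                              # raw GSS Kerberos AP-REQ
        if mech != SPNEGO_OID:
            return "unknown"
        itag, neg, _ = read_tlv(body, pos)
        if itag != 0xA0:
            return "unknown"                           # NegTokenResp cannot open a context
        _, seq, _ = read_tlv(neg, 0)
        p = 0
        while p < len(seq):
            ctag, cval, p = read_tlv(seq, p)
            if ctag == 0xA0:                           # mechTypes: first OID owns mechToken
                _, lst, _ = read_tlv(cval, 0)
                _, first, _ = read_tlv(lst, 0)
                if first == NTLMSSP_OID:
                    return "ntlm"
                return "krb5" if first in (KRB5_OID, MS_KRB5_OID) else "unknown"
    except (ValueError, IndexError):
        pass
    return "unknown"

def encode_request(kind, token):
    """The 'YR <base64>' / 'KK <base64>' line squid writes to a negotiate helper."""
    return kind + " " + base64.b64encode(token).decode("ascii")

def route_request(line):
    """Backend for one request line from squid: 'squid_kerb_auth', 'ntlm',
    'NA' (unsupported mechanism) or 'BH' (request the helper protocol does not allow)."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return "BH"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "BH"
    return {"krb5": "squid_kerb_auth", "ntlm": "ntlm"}.get(classify_token(token), "NA")

# Constructed sample tokens (not captured traffic): a minimal NTLMSSP NEGOTIATE message,
# the same wrapped in SPNEGO, and a SPNEGO token preferring Kerberos with a placeholder AP-REQ.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + bytes(16)
NTLM_OVER_NEGOTIATE = build_spnego_init([NTLMSSP_OID], NTLM_TYPE1)
KRB5_OVER_NEGOTIATE = build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID],
    der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + b"constructed AP-REQ placeholder"))
```

In a real wrapper the "squid_kerb_auth" branch relays the unchanged request line to a squid_kerb_auth child and copies its TT/AF/NA answer back to squid, while the "ntlm" branch runs the NTLM handshake itself. Two practical checks this makes explicit: a client that sends NegTokenResp ([1], tag 0xA1) on a fresh connection is treated as unknown rather than guessed at, and an OID the wrapper does not serve is answered with NA (authentication failed) instead of being forwarded blindly to the Kerberos backend.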
Comment 2 Erik Damrose univentionstaff 2013-07-24 15:31:03 CEST
QA:
                    | ntlm       |  negotiate krb5  |  negotiate ntlm
--------------------|------------|------------------|----------------
winxp (domain user) |  ok        |      nu          |     nu
--------------------|------------|------------------|----------------
winxp (local user)  |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
win7 (domain user)  |  *OK*      |      ok          |     ok
--------------------|------------|------------------|----------------
win7 (local user)   |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
UCC                 |  ok (pp)   |      ok          |     nu
--------------------|------------|------------------|----------------
ipad                |  ok (pp)   |      nu          |     nu
--------------------|------------|------------------|----------------
asus tablet         |  ok (pp)   |      nu          |     nu

- Generally the same results, addition: win7 works with pure ntlm, too
- If a local user was used on winxp and win7 which is known in the domain, there is not even a password prompt
- ipad: username and password can be entered in the settings dialog, so that one will never be asked for them again

 --> OK

FAIL: ucrv description (2x [de])
[squid/krb5auth/tool]
Description[de]=Programm für die Squid negotiate Authentifizierung
Description[de]=Squid negotiate authentication tool
Comment 3 Felix Botner univentionstaff 2013-07-24 16:09:52 CEST
 
> FAIL: ucrv description (2x [de])
> [squid/krb5auth/tool]
> Description[de]=Programm für die Squid negotiate Authentifizierung
> Description[de]=Squid negotiate authentication tool

fixed in 6.0.8-4.198.201307241606, modified yaml file
Comment 4 Erik Damrose univentionstaff 2013-07-24 16:19:12 CEST
Bugfix: OK
YAML: OK

-> Verified

One addition to the change in the win7 ntlm-only test:
Win7 client, not joined: if a local user has the same credentials as a domain user in the domain in which squid runs, this user is not prompted for a password to use squid; the local credentials are passed on.
In the same scenario, if the local credentials do not match an account in the domain, the user is asked for valid credentials.
Comment 5 Moritz Muehlenhoff univentionstaff 2013-07-25 10:52:40 CEST
http://errata.univention.de/ucs/3.1/152.html