Univention Bugzilla – Bug 53648
Squid with kerberos uses wrong keytab in UCS 5.0
Last modified: 2021-08-25 17:53:10 CEST
With Debian Buster squid is using a system service and /etc/default/squid has been deprecated. This results in squid not using the right keytab file. The keytab file can be explicitly set as a command line option.
univention-squid.yaml
2c01e99b921e | Bug #53648: Fix squid with kerberos

univention-squid (13.0.3-3)
1ff98f019824 | fixup! Bug #53648: Fix squid with kerberos
2c01e99b921e | Bug #53648: Fix squid with kerberos
OK - uses the correct key file

old:
-> kinit Administrator
-> /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
Token: YIIFgw...
-> /usr/lib/squid/squid_ldap_ntlm_auth --gss-spnego
-> YR YIIFgw...
BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No key table entry found matching HTTP/slave.five.new@

new:
-> kinit Administrator
-> /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
Token: YABCgw...
-> /usr/lib/squid/squid_ldap_ntlm_auth --gss-spnego
-> YR YABCgw...
OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=Administrator@FIVE.NEW
...

But we have another problem. Squid's negotiate wrapper protocol - https://wiki.squid-cache.org/Features/NegotiateAuthentication - has changed (it is used for the communication between squid and the authentication helper). In UCS 4.4 the helper responded with "AF ...", now "OK ...". In our helper squid_ldap_ntlm_auth we parse the "AF ..." answer to rewrite the username@PRINCIPAL to just username (so that our squidGuard filters work). This feature doesn't work anymore. See patch (do not parse the answer, just use the -r switch - remove realm from username - for negotiate_kerberos_auth).

With that patch I see

TCP_MISS/200 1008 POST http://ocsp.sectigo.com/ Administrator HIER_DIRECT/151.139.128.14 application/ocsp-response

in /var/log/squid/access.log instead of

TCP_MISS/200 915 POST http://ocsp.digicert.com/ Administrator@FIVE.NEW HIER_DIRECT/93.184.220.29 application/ocsp-response
Created attachment 10808: squid_ldap_ntlm_auth.patch - run negotiate_kerberos_auth with -r to remove REALM from username
Applied in: univention-squid (13.0.3-4)
7f0039dbd5da | Bug #53648: squid gsspnego supports stripping of realm by itself
OK - yaml
OK - correct keytab
OK - kerberos squid authentication

# no ticket
-> curl www.spiegel.de --proxy-negotiate -u : -x http://10.200.7.124:3128
1629813245.065 0 10.200.7.124 TCP_DENIED/407 4056 GET http://www.spiegel.de/ - HIER_NONE/- text/html
ERR_CACHE_ACCESS_DENIED

# ticket and default settings (--gss-spnego-strip-realm)
-> kinit Administrator
-> curl www.spiegel.de --proxy-negotiate -u : -x http://10.200.7.124:3128
1629813296.743 6 10.200.7.124 TCP_MEM_HIT/301 488 GET http://www.spiegel.de/ Administrator HIER_NONE/- text/html
<a href="https://www.spiegel.de/">Moved Permanently</a>.

# ticket but without --gss-spnego-strip-realm
-> ucr set squid/krb5auth/tool="/usr/lib/squid/squid_ldap_ntlm_auth --gss-spnego"
-> service squid restart
-> curl www.spiegel.de --proxy-negotiate -u : -x http://10.200.7.124:3128
1629813686.406 200 10.200.7.124 TCP_REFRESH_MODIFIED/301 479 GET http://www.spiegel.de/ Administrator@FIVE.NEW HIER_DIRECT/128.65.210.182 text/html
<a href="https://www.spiegel.de/">Moved Permanently</a>.
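As an added illustration (not UCS or squid code) of the two helper reply formats compared in the first comment and of the access.log checks in the verification above, the following Python parses a negotiate-helper reply in either the old "AF token user" or the new "OK token=... user=..." format, strips the realm from the user name (the effect the -r / --gss-spnego-strip-realm option is used for here), and flags access.log entries whose user still carries a realm. The sample lines are constructed from values quoted in the comments; the access.log regex assumes squid's default native log format.

```python
"""Parse replies of squid's negotiate authentication helper in the two
wire formats this bug compares (UCS 4.4 "AF ..." versus UCS 5.0
"OK token=... user=...") and squid access.log lines, and normalise user
names by stripping the Kerberos realm.  Added illustration, not UCS or
squid code; the sample lines are constructed from values in the comments."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HelperReply:
    status: str                    # AF/OK: authenticated, NA/ERR: denied, BH: helper broken
    token: Optional[str] = None    # GSSAPI token squid relays to the client
    user: Optional[str] = None     # user name as reported by the helper
    message: Optional[str] = None  # diagnostic text (BH, NA, ERR)


# key=value pairs of the Squid 4+ reply format; values may be double-quoted
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_helper_reply(line: str) -> HelperReply:
    """Return one helper reply line in structured form, whichever format it uses."""
    parts = line.strip().split(None, 2)
    if not parts:
        raise ValueError("empty helper reply")
    status, rest = parts[0], parts[1:]
    if status in ("AF", "NA"):
        # Old positional format: "AF <token> <user>" / "NA <token> <message>"
        token = rest[0] if rest else None
        tail = rest[1] if len(rest) > 1 else None
        return HelperReply(status, token, tail if status == "AF" else None,
                           None if status == "AF" else tail)
    if status in ("OK", "ERR"):
        # New format: status followed by key=value pairs
        kv = {k: v.strip('"') for k, v in _KV.findall(line)}
        return HelperReply(status, kv.get("token"), kv.get("user"), kv.get("message"))
    # BH and anything unknown: the remainder is a diagnostic message
    return HelperReply(status, message=" ".join(rest) or None)


def strip_realm(user: str) -> str:
    """Administrator@FIVE.NEW -> Administrator (what the realm-stripping switch achieves)."""
    return user.rsplit("@", 1)[0]


def authenticated_user(line: str, strip: bool = True) -> Optional[str]:
    """User name a wrapper would pass on to squid for one reply, or None if not authenticated.

    A wrapper that only understands "AF" returns None for every "OK" reply,
    which is why the old realm rewriting silently stopped working.
    """
    reply = parse_helper_reply(line)
    if reply.status not in ("AF", "OK") or not reply.user:
        return None
    return strip_realm(reply.user) if strip else reply.user


# squid native log: time elapsed client code/status bytes method url user hier/peer type
_ACCESS = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)"
)


def parse_access_log(line: str) -> Optional[dict]:
    """Split one native-format access.log line; user is None when squid logged '-'."""
    m = _ACCESS.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    entry["user_has_realm"] = entry["user"] is not None and "@" in entry["user"]
    return entry


def users_with_realm(lines) -> list:
    """Users that reached the log with their realm, i.e. the helper did not strip it."""
    entries = (parse_access_log(line) for line in lines)
    return sorted({e["user"] for e in entries if e and e["user_has_realm"]})


# Constructed sample data (values taken from the comments on this bug).
SAMPLE_REPLIES = [
    "AF YIIFgw... Administrator@FIVE.NEW",
    "OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=Administrator@FIVE.NEW",
    "BH gss_acquire_cred() failed: No key table entry found matching HTTP/slave.five.new@",
]
SAMPLE_ACCESS = [
    "1629813245.065 0 10.200.7.124 TCP_DENIED/407 4056 GET http://www.spiegel.de/ - HIER_NONE/- text/html",
    "1629813296.743 6 10.200.7.124 TCP_MEM_HIT/301 488 GET http://www.spiegel.de/ Administrator HIER_NONE/- text/html",
    "1629813686.406 200 10.200.7.124 TCP_REFRESH_MODIFIED/301 479 GET http://www.spiegel.de/ Administrator@FIVE.NEW HIER_DIRECT/128.65.210.182 text/html",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(f"{reply[:40]:40} -> {authenticated_user(reply)}")
    print("realm not stripped for:", users_with_realm(SAMPLE_ACCESS))
```

Running `users_with_realm` over a day's access.log is a quick way to confirm that the helper configured via squid/krb5auth/tool really strips the realm: with the default `--gss-spnego-strip-realm` the list should be empty, and any `user@REALM` entries point at a proxy still running with the plain `--gss-spnego` setting.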
<https://errata.software-univention.de/#/?erratum=5.0x73>