Re: [squid-users] kerberos auth failing behind a load balancer

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 22 May 2013 12:46:08 +0300

On 2/28/2013 2:57 PM, Sean Boran wrote:
> Hi,
>
> I’ve received (kemp) load balancers to put in front of squids to
> provide failover.
> The failover / balancing works fine until I enable Kerberos auth on the squid.
It seems to me like a basic LB problem since it's working on L7 and not L2.
Why do you use L7 LB and not L2?
It's less load, less CPU etc.
You can use HAProxy or even plain Linux for that.

Eliezer

>
> Test setup:
> Browser ==> Kemp balancer ==> Squid ==> Internet
> proxy.example.com proxy3.example.com
>
> The client is Windows 7 in an Active Directory domain.
> If the browser proxy is set to proxy3.example.com (bypassing the LB),
> Kerberos auth works just fine, but via the kemp (proxy.example.com)
> the browser prompts for a username/password which is not accepted
> anyway
>
> Googling on Squid+LBs, the key is apparently to add a principal for the LB, e.g.
> net ads keytab add HTTP/proxy.example.com
>
> In the logs (below), one can see the client sending back a Krb ticket
> to squid, but it rejects it:
> "negotiate_wrapper: Return 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure. "
> When I searched on that, one user suggested changing the encryption in
> /etc/krb5.conf . In /etc/krb5.conf I tried with the recommended
> squid settings (see below), and also with none at all. The results
> were the same. Anyway, if encryption was the issue, it would not work,
> via LB or directly.
>
>
> Analysis:
> -------------
> When the client sends a request, squid replies with:
>
> HTTP/1.1 407 Proxy Authentication Required
> Server: squid
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> X-Cache: MISS from gsiproxy3.vptt.ch
> Via: 1.1 gsiproxy3.vptt.ch (squid)
>
> OK so far. The client answers with a Kerberos ticket:
>
> Proxy-Authorization: Negotiate YIIWpgYGKwYBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> UserRequest.cc(338) authenticate: header Negotiate
> YIIWpgYGKwYBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> UserRequest.cc(360) authenticate: No connection authentication type
> Config.cc(52) CreateAuthUser: header = 'Negotiate YIIWpgYGKwYBBQUCXXXX
> auth_negotiate.cc(303) decode: decode Negotiate authentication
> UserRequest.cc(93) valid: Validated. Auth::UserRequest '0x20d68d0'.
> UserRequest.cc(51) authenticated: user not fully authenticated.
> UserRequest.cc(198) authenticate: auth state negotiate none. Received
> blob: 'Negotiate
> YIIWpgYGKwYBBQUCoIIWmjCCFpagMDAuBgkqhkiC9xIBAXXXXXXXXXX
> ..
> UserRequest.cc(101) module_start: credentials state is '2'
> helper.cc(1407) helperStatefulDispatch: helperStatefulDispatch:
> Request sent to negotiateauthenticator #1, 7740 bytes
> negotiate_wrapper: Got 'YR YIIWpgYGKwYBBQXXXXXXXXXXXXXXX
> negotiate_wrapper: received Kerberos token
> negotiate_wrapper: Return 'BH gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information.
>
>
> Logs for a (successful) auth without LB:
> .. as above ....
> negotiate_wrapper: received Kerberos token
> negotiate_wrapper: Return 'AF oYGXXXXXXXXXXXXXXXXXXXXXXA== USER_at_EXAMPLE.NET
>
>
> ----- configuration ---
> Ubuntu 12.04 + std Kerberos. Squid 3.2 bzr head from late Jan.
> - squid.conf:
> - debug_options ALL,2 29,9 (to catch auth)
> auth_param negotiate program
> /usr/local/squid/libexec/negotiate_wrapper_auth -d --kerberos
> /usr/local/squid/libexec/negotiate_kerberos_auth -s GSS_C_NO_NAME
> --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param negotiate children 20 startup=20 idle=20
> auth_param negotiate keep_alive on
>
> - The LB is configured as a Generic Proxy (does not try to interpret
> the HTTP stream), with Layer 7 transparency
> (it forwards traffic to the squid, the squid sees the real client IP,
> and squid traffic is routed back through the LB)
> I've tried playing with the LB Layer 7 settings, to no avail.
>
> Samba:
> net ads join -U USER
> net ads testjoin
> Join is OK
>
> net ads keytab add HTTP -U USER
> net ads keytab add HTTP/proxy.example.com -U USER
> chgrp proxy /etc/krb5.keytab
> chmod 640 /etc/krb5.keytab
> strings /etc/krb5.keytab # check contents
> net ads keytab list
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.NET
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = no
> ticket_lifetime = 24h
>
> [realms]
> EXAMPLE.net = {
> kdc = ldap.EXAMPLE.net
> master_kdc = ldap.EXAMPLE.net
> admin_server = ldap.EXAMPLE.net
> default_domain = EXAMPLE.net
> }
> [domain_realm]
> .corproot.net = EXAMPLE.NET
> corproot.net = EXAMPLE.NET
>
>
> Any suggestions on where I could dig further?
>
> Thanks in advance,
>
> Sean Boran
>
Received on Wed May 22 2013 - 09:46:24 MDT
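The quoted post adds an SPN for the load-balancer name and then checks the keytab with `strings`. The following is an added example, not code from either poster: it parses the MIT keytab format that `net ads keytab add` writes and reports whether a given SPN (the name the client asks the KDC for, i.e. the LB's hostname) actually has a key, with which kvno and enctypes. The keytab bytes are constructed to mirror the failure described above: keys for proxy3.example.com only, none for proxy.example.com.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and check whether the SPN a
client requests for the LB name has a key. Added example; sample bytes constructed."""
import struct
from collections import namedtuple

# enctype is the RFC 3961 number: 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype")

def parse_keytab(data: bytes) -> list:
    """Return live entries; a negative size field marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # deleted entry: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        pos += 8                     # name_type (4) and timestamp (4), unused here
        kvno = data[pos]; pos += 1   # 8-bit kvno
        enctype, keylen = struct.unpack_from(">HH", data, pos); pos += 4 + keylen
        if end - pos >= 4:           # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(KeytabEntry("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

def check_spn(data: bytes, spn: str) -> dict:
    """Report whether `spn` has a key, plus the kvnos and enctypes held for it."""
    hits = [e for e in parse_keytab(data) if e.principal == spn]
    return {"present": bool(hits), "kvnos": sorted({e.kvno for e in hits}),
            "enctypes": sorted({e.enctype for e in hits})}

def _entry(realm, comps, kvno, enctype, key):   # encode one entry (sample data only)
    body = struct.pack(">H", len(comps))
    for s in (realm, *comps):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed keytab: keys only for the direct host name, none for the LB name.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _entry("EXAMPLE.NET", ["HTTP", "proxy3.example.com"], 3, 18, b"\x11" * 32)
    + _entry("EXAMPLE.NET", ["HTTP", "proxy3.example.com"], 3, 23, b"\x22" * 16))
```

Run `check_spn(open("/etc/krb5.keytab", "rb").read(), "HTTP/proxy.example.com@EXAMPLE.NET")` on the real file; a missing principal, or a kvno that no longer matches the account in AD, both surface as the generic gss_accept_sec_context() failure seen in the logs.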