Kerberos access denied and reauthentication


Kerberos access denied and reauthentication

Grey
Hi,
I'm trying to set up a proxy server using Squid 3.5.23 on Debian 9; I've successfully set up Kerberos authentication generating the keytab file with ktutil and manually setting the required SPN on my Windows domain controller.
The problem I'm encountering is that sometimes (right now I'm the only one using this proxy and it happens a couple times every day at random times) while visiting random sites an authentication prompt appears asking for credentials. Hitting Ok makes the prompt reappear and leads to a loop, while hitting the cancel button makes the prompt go away and the page displays an error saying "Access denied. Authentication required." (white page with black font; I'm not 100% sure that's the exact message, I'll come back and update it as soon as it happens again); refreshing the page lets it load normally and then everything works ok.

I'm posting the relevant configuration hoping that someone can help me or at least point me in the right direction. Keep in mind that right now basic authentication is disabled for testing's sake, I'll later enable it when I've worked out where the problem with Kerberos is.

###

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r
auth_param negotiate children 150
auth_param negotiate keep_alive off

acl whitelist dstdomain "/etc/squid/whitelist"
acl blacklist dstdomain "/etc/squid/blacklist"

acl AUTH proxy_auth REQUIRED
http_access deny !AUTH all

http_access deny !Safe_ports all
http_access deny CONNECT !SSL_ports all
http_access allow localhost manager
http_access deny manager all
http_access allow localhost all

acl destsquid dstdomain .squid1 .squid2
http_access allow destsquid all

http_access allow whitelist all
http_access deny blacklist all
acl test_account proxy_auth test_account
http_access allow test_account all
http_access deny all

Re: Kerberos access denied and reauthentication

dijxie
On 2017-07-27 10:27, Grey wrote:

> Hi,
> I'm trying to set up a proxy server using Squid 3.5.23 on Debian 9; I've
> successfully set up Kerberos authentication generating the keytab file with
> ktutil and manually setting the required SPN on my Windows domain
> controller.
> The problem I'm encountering is that sometimes (right now I'm the only one
> using this proxy and it happens a couple times every day at random times)
> while visiting random sites an authentication prompt appears asking for
> credentials. Hitting Ok makes the prompt reappear and leads to a loop, while
> hitting the cancel button makes the prompt go away and the page displays an
> error saying "Access denied. Authentication required." (white page with
> black font; I'm not 100% sure that's the exact message, I'll come back and
> update it as soon as it happens again); refreshing the page lets it load
> normally and then everything works ok.
>
> I'm posting the relevant configuration hoping that someone can help me or at
> least point me in the right direction. Keep in mind that right now basic
> authentication is disabled for testing's sake, I'll later enable it when I've
> worked out where the problem with Kerberos is.
>
> ###
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r
> auth_param negotiate children 150
> auth_param negotiate keep_alive off
>
> acl whitelist dstdomain "/etc/squid/whitelist"
> acl blacklist dstdomain "/etc/squid/blacklist"
>
> acl AUTH proxy_auth REQUIRED
> http_access deny !AUTH all
>
> http_access deny !Safe_ports all
> http_access deny CONNECT !SSL_ports all
> http_access allow localhost manager
> http_access deny manager all
> http_access allow localhost all
>
> acl destsquid dstdomain .squid1 .squid2
> http_access allow destsquid all
>
> http_access allow whitelist all
> http_access deny blacklist all
> acl test_account proxy_auth test_account
> http_access allow test_account all
> http_access deny all
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-access-denied-and-reauthentication-tp4683224.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

Hi,

Could you please check and post a portion of cache.log? You may also
want to temporarily modify squid.conf by adding -d to this line:

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d

That should put negotiate_kerberos_auth in debug mode. Be aware that
the Kerberos ticket will be added to the log, so before posting it you may want
to alter your log.
Also, squidclient output for mgr:kerberosauthenticator may be helpful,
although I'm not sure if that is the right name for this module, so check
mgr:menu for the correct name.

--
Greets, Dijx


Re: Kerberos access denied and reauthentication

Grey
Should I wait for the error to appear and post the section relevant to the time when it occurs?

Re: Kerberos access denied and reauthentication

dijxie
On 28.07.2017 at 10:46, Grey wrote:
> Should I wait for the error to appear and post the section relevant to the
> time when it occurs?

Or check older entries, grep cache.log for the time you know the problem already occurred - the most important information should be there even without debugging mode. Something like (z)cat /var/log/squid/cache.log | grep -iE "error|warning"

-- 
Greets, Dijx
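
The two suggestions in dijxie's replies (alter the debug log before posting it because it contains the Kerberos ticket, and grep cache.log around the time of the failure) can be combined in one small filter. This is an added example, not part of the original thread; the timestamp layout, the base64-length heuristic, the principal redaction and the sample log lines are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: cache.log timestamps look
# like "YYYY/MM/DD HH:MM:SS" and Kerberos/GSSAPI tokens show up as long
# unbroken base64 runs. The sample lines below are constructed.

# Replace base64 runs of 40+ characters and user@REALM principals.
# Over-redaction (e.g. of a very long path) is accepted as the safe direction.
redact_secrets() {
    sed -E -e 's#[A-Za-z0-9+/]{40,}={0,2}#[REDACTED-TOKEN]#g' \
           -e 's#[A-Za-z0-9._$-]+@[A-Za-z0-9.-]+#[REDACTED-PRINCIPAL]#g'
}

# excerpt LOGFILE TIME_PREFIX: every line stamped with TIME_PREFIX, redacted.
# gzip -cdf passes plain files through, so rotated .gz logs work too.
excerpt() {
    gzip -cdf -- "$1" | grep -F -- "$2" | redact_secrets
}

# errors_only LOGFILE: the thread's error|warning grep, with redaction.
errors_only() {
    gzip -cdf -- "$1" | grep -iE 'error|warning' | redact_secrets
}

# Constructed sample input (not real Squid output).
sample_log() {
    cat <<'EOF'
2017/07/28 08:02:11 kid1| helper startup line outside the window
2017/07/28 08:14:03| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGconstructedSAMPLEtokenAAAABBBBCCCCDDDDEEEEFFFF0123456789==' from squid
2017/07/28 08:14:03| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEA jdoe@EXAMPLE.TEST
2017/07/28 08:14:04 kid1| ERROR: constructed authentication failure message
EOF
}

# Demo: redact the 08:14 window of the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_log > "$tmp"
    excerpt "$tmp" '2017/07/28 08:14'
    rm -f "$tmp"
}
demo
```

Read the redacted excerpt once more before posting; the length heuristic only catches tokens that appear as one unbroken base64 run.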


Re: Kerberos access denied and reauthentication

Grey
I've just had the problem happen again (usually it happens after a long period of inactivity, e.g. when trying to load the first web page in the morning).

Here's the log: https://pastebin.com/fFTJNiKf 

I'm looking into getting the output from squidclient but I have to try and reproduce the problem first.

Edit: forgot to say it happened around 8:14