Squid - Kerberos - update keytab issue

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid - Kerberos - update keytab issue

Sébastien Genesta-2

Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, my kerberos authentication breaks.
(currently, to bypass this issue, I regenerate keytab file).

Here, the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab

Below log I have every run (when everything is ok):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxx.xxxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago. -- execute: Exiting because password was changed recently. -- ~KRB5Context: Destroying Kerberos Context

Below logs when things gone bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxxxx.xxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 30 days ago. -- ldap_check_account: Checking that a computer account for KRB-PROX$ exists -- ldap_check_account: Checking computer account - found -- ldap_check_account: Found userAccountControl = 0x1000 -- ldap_check_account: Found supportedEncryptionTypes = 28 -- ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found User Principal: HTTP/proxy.xxxxxxxxxxxxxxxxx.local -- ldap_check_account_strings: Inspecting (and updating) computer account attributes -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to reset computer's password -- set_password: Try using keytab for KRB-PROX$ to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- set_password: krb5_change_password failed using keytab: (3) Authentication error -- ~KRB5Context: Destroying Kerberos Context

lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_password: Trying to authenticate for KRB-PROX$ with password. -- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_password: Authentication with password failed -- try_user_creds: Checking if default ticket cache has tickets... -- finalize_exec: Authenticated using method 5 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxx.xxxxxxxxx.local -- ~KRB5Context: Destroying Kerberos Context

Technical information:
-Windows 2016 server (Kerberos)
-Squid 3-x
-msktutil version 1.0

Thanks for your help!

Seb

Sébastien GENESTA

System & Network Administrator

Avis Vérifiés

<a color="#000000" href="tel:+334%1325%8170" style="color:rgb(0,0,0);font-size:12px" target="_blank">+334 13 25 81 70
[hidden email]
www.avis-verifies.com
facebook
twitter
linkedin

https://www.avis-verifies.com/api.php?action=act_api_redirection_signature&locale=fr&type=url


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid - Kerberos - update keytab issue

L.P.H. van Belle
Hai,
 
Use winbind and never have this problem again.
 
* install winbind only is sufficient, below works since squid 3.2 up to 4.10
 
An example of a minimal smb.conf for it.
 
[global]
    # Auth-Only setup with winbind. ( no Shares )
 
    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.TLD
    netbios name = PROXY1
 
    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes
    interfaces = IP_OR_INTERFACENAME 127.0.0.1
    bind interfaces only = yes
 
    ### OBLIGATED PART begin
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
 
    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 100000-3999999
 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
 
    ### OBLIGATED PART end
 
    # Disable usershares create.. ( removes  (unneeded ) error from the logs )
    usershare path =
 
    # Disable printing completely ( removes also (unneeded ) error from the logs. )
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
 
-- ---
 
and join the Windows domain.
kinit administrator
net ads join -k
 
Allow the server in the AD to Delegate Kerberos for Squid. ( or all services ). thats up to you.
After thats done, then
 
Create Squid keytab:
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)
 
Verify it : klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME
 
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
 
 
! Optional krb5.conf ( most of the time the default should be sufficient.
 
[libdefaults]
    default_realm = YOUR.REALM.TLD

    ## below her is optional.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true
    ;https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
    ignore_k5login = true

and the squid auth part.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-proxy1.keytab \
    -s [hidden email] \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
Good luck.
 
Greetz,
 
Louis
 
 


Van: squid-users [mailto:[hidden email]] Namens Sébastien Genesta
Verzonden: maandag 23 maart 2020 16:01
Aan: [hidden email]
Onderwerp: [squid-users] Squid - Kerberos - update keytab issue

Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, my kerberos authentication breaks.
(currently, to bypass this issue, I regenerate keytab file).

Here, the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k /etc/squid/squid.keytab

Below log I have every run (when everything is ok):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxx.xxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxx.xxxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago. -- execute: Exiting because password was changed recently. -- ~KRB5Context: Destroying Kerberos Context

Below logs when things gone bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain XXXXXX.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxxxxx.xxxxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxxxx.xxxxxxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using method 1 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxxxxx.xxxxxxxxxxxx.local -- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxxxxxxxxx,dc=LOCAL -- get_default_ou: Determining default OU: CN=Computers,DC=xxxxxxxxxxxxxxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password last set 30 days ago. -- ldap_check_account: Checking that a computer account for KRB-PROX$ exists -- ldap_check_account: Checking computer account - found -- ldap_check_account: Found userAccountControl = 0x1000 -- ldap_check_account: Found supportedEncryptionTypes = 28 -- ldap_check_account: Found dNSHostName = xxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found Principal: HTTP/xxxxxxxxxx.xxxxxxxxxxx.local -- ldap_check_account: Found User Principal: HTTP/proxy.xxxxxxxxxxxxxxxxx.local -- ldap_check_account_strings: Inspecting (and updating) computer account attributes -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to reset computer's password -- set_password: Try using keytab for KRB-PROX$ to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- set_password: krb5_change_password failed using keytab: (3) Authentication error -- ~KRB5Context: Destroying Kerberos Context

lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer password structure -- generate_new_password: Generating a new, random password for the computer account -- generate_new_password: Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain xxxxxxxxx.LOCAL for procotol tcp -- get_dc_host: Found DC: xxxxxxxxx.xxxxxxxxx.local -- get_dc_host: Canonicalizing DC through forward/reverse lookup... -- get_dc_host: Found Domain Controller: xxxxxxxxxx.xxxxxxx.local -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context -- finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for KRB-PROX$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/xxxxxxxxxxx.xxxxxxxxxx.local from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_password: Trying to authenticate for KRB-PROX$ with password. -- create_default_machine_password: Default machine password for KRB-PROX$ is krb-prox -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed) -- try_machine_password: Authentication with password failed -- try_user_creds: Checking if default ticket cache has tickets... -- finalize_exec: Authenticated using method 5 -- LDAPConnection: Connecting to LDAP server: xxxxxxxxx.xxxxxxxxx.local -- ~KRB5Context: Destroying Kerberos Context

Technical information:
-Windows 2016 server (Kerberos)
-Squid 3-x
-msktutil version 1.0

Thanks for your help!

Seb

Sébastien GENESTA

System & Network Administrator

Avis Vérifiés

<A style="FONT-SIZE: 12px; COLOR: rgb(0,0,0)" href="tel:+334%1325%8170" target=_blank color="#000000">+334 13 25 81 70
[hidden email]
www.avis-verifies.com
facebook
twitter
linkedin

https://www.avis-verifies.com/api.php?action=act_api_redirection_signature&locale=fr&type=url


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users