MEGATUTORIAL Squid 5. Part Five.

INDEX

Proxy server. Concepts and data for the example to be developed.

1. Installing squid-5.0.2 from source.

1.1. Generating and installing a “.deb” package of squid-5.0.2.

2. Squid configuration.

2.1. Basic settings.

2.2. Parent proxy.

2.3. Cache.

2.4. Authentication.

2.5. Refresh patterns.

2.6. Declaring rules (ACLs).

2.7. Applying rules.

2.8. Declaring and applying other special rules.

2.8.1. Throttling with Delay Pools.

2.8.2. MITM with SSL Bump.

3. Squid-ADDC integration via Kerberos.

3.1. Required settings on the Samba4 ADDC.

3.2. Time synchronization.

3.3. timesyncd.

3.4. ntpd & ntpdate.

3.5. Squid-ADDC integration via Kerberos, using a ticket.

4. Integrated Squid configuration example.

4.1. Settings for the example.

Bibliographic references.

3.5 Squid-ADDC integration via Kerberos, using a ticket.

We install the packages needed for Kerberos and the LDAP tools:

apt -y install krb5-user msktutil libsasl2-modules-gssapi-mit ldap-utils

We edit “/etc/default/squid”, or create it if it does not exist.

nano /etc/default/squid

We add the following:

KRB5RCACHETYPE=none
export KRB5RCACHETYPE 
KRB5_KTNAME=/etc/squid/proxysquid.keytab
export KRB5_KTNAME

Kerberos configuration:

mv /etc/krb5.conf /etc/krb5.conf.salva
nano /etc/krb5.conf

We add the following:

[libdefaults]
        default_realm = EMPRESA.MIDOMINIO.CU
        dns_lookup_realm = false
        dns_lookup_kdc = true
        clockskew = 3600
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid/proxysquid.keytab
# The following krb5.conf variables are only for MIT Kerberos. 
        kdc_timesync = 1 
        ccache_type = 4 
        forwardable = true 
        proxiable = true

[realms]
        EMPRESA.MIDOMINIO.CU = {
                kdc = pdc1.empresa.midominio.cu
#               kdc = pdc2.empresa.midominio.cu
                master_kdc = pdc1.empresa.midominio.cu
                admin_server = pdc1.empresa.midominio.cu
                default_domain = empresa.midominio.cu
                }

        empresa.midominio.cu = {
                kdc = pdc1.empresa.midominio.cu
#               kdc = pdc2.empresa.midominio.cu
                master_kdc = pdc1.empresa.midominio.cu
                admin_server = pdc1.empresa.midominio.cu
                default_domain = empresa.midominio.cu
                }

[domain_realm]
        .empresa.midominio.cu = EMPRESA.MIDOMINIO.CU
        empresa.midominio.cu = EMPRESA.MIDOMINIO.CU

Next we describe how to generate the keytab file “proxysquid.keytab” and register the SPN in the domain, using an account with administrative rights on the ADDC:

kinit [email protected]

We are prompted for the password:

Password for [email protected]: Admin*123

We generate the keytab, which will add a computer account to the ADDC with the specified name:

msktutil -c -b "OU=Linux,OU=Servidores" \
-s HTTP/proxysquid.empresa.midominio.cu \
-h proxysquid.empresa.midominio.cu \
-k /etc/squid/proxysquid.keytab \
--computer-name PROXYSQUID \
--upn HTTP/proxysquid.empresa.midominio.cu \
--server pdc1.empresa.midominio.cu \
--verbose \
--dont-expire-password \
--no-reverse-lookups

If the ADDC is a Windows Server Active Directory, the command must be the following:

msktutil -c -b "OU=Linux,OU=Servidores" \
-s HTTP/proxysquid.empresa.midominio.cu \
-h proxysquid.empresa.midominio.cu \
-k /etc/squid/proxysquid.keytab \
--computer-name PROXYSQUID \
--upn HTTP/proxysquid.empresa.midominio.cu \
--server pdc1.empresa.midominio.cu \
--verbose \
--dont-expire-password \
--no-reverse-lookups \
--enctypes 28

The above should return something like the following:

-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 88
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-c66hIC
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYSQUID$
 -- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for PROXYSQUID$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxysquid.empresa.midominio.cu from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXYSQUID$ with password.
 -- create_default_machine_password: Default machine password for PROXYSQUID$ is proxysquid10
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU
 -- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists
 -- ldap_create_account: Computer account not found, create the account
No computer account for PROXYSQUID found, creating a new one.
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_check_account_strings: Found userPrincipalName = 
 -- ldap_check_account_strings: userPrincipalName should be HTTP/[email protected]
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
 -- ldap_get_kvno: KVNO is 1
 -- ldap_add_principal: Checking that adding principal HTTP/proxysquid.empresa.midominio.cu to PROXYSQUID$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/proxysquid.empresa.midominio.cu to LDAP entry
 -- ldap_add_principal: Checking that adding principal host/proxysquid.ecasa.avianet.cu to PROXYSQUID$ won't cause a conflict
 -- ldap_add_principal: Adding principal host/proxysquid.empresa.midominio.cu to LDAP entry
 -- execute: Updating all entries for proxysquid.empresa.midominio.cu in the keytab WRFILE:/etc/squid/proxysquid.keytab
 -- update_keytab: Updating all entries for PROXYSQUID$
 -- add_principal_keytab: Adding principal to keytab: PROXYSQUID$
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRES.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: PROXYSQUID$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Deleting [email protected] kvno=1, enctype=23
 -- add_principal_keytab: Deleting [email protected] kvno=1, enctype=17
 -- add_principal_keytab: Deleting [email protected] kvno=1, enctype=18
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresamidominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/proxysquid.empresa.midominio.cu
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/PROXYSQUID
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of EMPRESA.MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- update_keytab: Entries for SPN HTTP/proxysquid.empresa.midominio.cu have already been added. Skipping ...
 -- add_principal_keytab: Adding principal to keytab: host/proxysquid.empresa.midominio.cu
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of MIDOMINIO.CUhostproxysquid.empresa.midominio.cu
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~KRB5Context: Destroying Kerberos Context

We check that everything went well:

kinit -k HTTP/proxysquid.empresa.midominio.cu

The command above should return nothing if everything is fine.

klist -k

It should return the following:

Keytab name: FILE:/etc/squid/proxysquid.keytab
KVNO Principal
---- -----------------------------------------------------------------
   1 [email protected]
   1 [email protected]
   1 [email protected]
   1 HTTP/[email protected]
   1 HTTP/[email protected]
   1 HTTP/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]

We set the permissions on the keytab file:

chown proxy:proxy /etc/squid/proxysquid.keytab
chmod 640 /etc/squid/proxysquid.keytab
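The checks above can be scripted so that they run on every proxy host before Squid is started. The following is an added example, not part of the tutorial: it parses a `klist -k` listing (a constructed sample modelled on the one shown above), confirms that the HTTP SPN for the tutorial's realm is present and that only one KVNO remains, checks that KRB5_KTNAME in /etc/default/squid agrees with default_keytab_name in krb5.conf, and verifies the 640 proxy:proxy permissions just set. The function and variable names are my own; the paths in the closing comment are the tutorial's.

```shell
#!/bin/sh
# Added example (not from the tutorial): offline checks on the keytab produced
# by msktutil above. Realm and SPN are the tutorial's; the klist listing is a
# constructed sample based on the page.

REALM="EMPRESA.MIDOMINIO.CU"
SPN="HTTP/proxysquid.empresa.midominio.cu"

# Constructed sample of `klist -k /etc/squid/proxysquid.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/proxysquid.keytab
KVNO Principal
---- -----------------------------------------------------------------
   1 PROXYSQUID$@EMPRESA.MIDOMINIO.CU
   1 HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
   1 host/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU'

# keytab_has_spn LISTING SPN REALM: succeeds if SPN@REALM is listed.
# negotiate_kerberos_auth needs exactly this entry (its -s argument later on).
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="$2@$3" '$2 == want { found = 1 } END { exit !found }'
}

# keytab_kvnos LISTING: prints the distinct key version numbers, space separated.
# After a password rotation, more than one KVNO means stale keys are still present.
keytab_kvnos() {
    printf '%s\n' "$1" | awk 'NR > 3 { print $1 }' | sort -u -n | tr '\n' ' ' | sed 's/ $//'
}

# keytab_paths_agree DEFAULTS_FILE KRB5_CONF: succeeds when KRB5_KTNAME in
# /etc/default/squid and default_keytab_name in krb5.conf name the same file,
# so the helpers and the libkrb5 default cannot silently diverge.
keytab_paths_agree() {
    a=$(sed -n 's/^KRB5_KTNAME=//p' "$1")
    b=$(sed -n 's/^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*//p' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# keytab_perms_ok FILE USER GROUP: succeeds when the file is exactly mode 640
# and owned by USER:GROUP (proxy:proxy on the tutorial's host). Uses only
# POSIX find primaries; USER/GROUP may be names or numeric ids.
keytab_perms_ok() {
    [ -n "$(find "$1" -perm 640 -user "$2" -group "$3" 2>/dev/null)" ]
}

# On the live proxy (as root) the same functions run against the real files:
#   keytab_has_spn "$(klist -k /etc/squid/proxysquid.keytab)" "$SPN" "$REALM"
#   keytab_paths_agree /etc/default/squid /etc/krb5.conf
#   keytab_perms_ok /etc/squid/proxysquid.keytab proxy proxy
```

Each function exits non-zero on failure, so the calls can be chained with `&&` in a start-up check or a configuration-management handler; a failing `keytab_has_spn` is the usual cause of a helper that starts but rejects every user.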

We check that the host account updates correctly:

msktutil --auto-update --verbose --dont-expire-password \
-b "CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=EMPRESA,DC=MIDOMINIO,DC=CU" \
--user-creds-only \
--computer-name PROXYSQUID \
-k /etc/squid/proxysquid.keytab \
--server pdc1.empresa.midominio.cu \
--no-reverse-lookups

The above should return something like the following:

-- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-mote6W
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXYSQUID$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: pdc1.empresa.midominio.cu
SASL/GSSAPI authentication started
SASL username: HTTP/[email protected]
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=EMPRESA,dc=MIDOMINIO,dc=CU
 -- ldap_check_account: Checking that a computer account for PROXYSQUID$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found dNSHostName = proxysquid.ecasa.avianet.cu
 -- ldap_check_account: Found Principal: host/proxysquid.ecasa.avianet.cu
 -- ldap_check_account: Found Principal: HTTP/proxysquid.ecasa.avianet.cu
 -- ldap_check_account:   Found User Principal: HTTP/proxysquid.ecasa.avianet.cu
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
 -- ldap_get_kvno: KVNO is 1
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 132355895442940306
 -- execute: Password last set 0 days ago.
 -- execute: Exiting because password was changed recently.
 -- ~KRB5Context: Destroying Kerberos Context

NOTE: On a Windows Server ADDC an error was obtained at the end:

-- ldap_get_pwdLastSet: pwdLastSet is 132307603480393316
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Error: set_password failed
 -- ~KRB5Context: Destroying Kerberos Context

Simply ignore this error and continue with the procedure.

We check that the computer object representing the proxy exists in the LDAP database:

ldapsearch -T -x -Y GSSAPI -b "dc=empresa,dc=midominio,dc=cu" cn=PROXYSQUID -h pdc1.empresa.midominio.cu

It should return something like this:

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL/GSSAPI authentication started
SASL username: HTTP/[email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=empresa,dc=midominio,dc=cu> with scope subtree
# filter: cn=PROXYSQUID
# requesting: ALL
#

# PROXYSQUID, Linux, Servidores, empresa.midominio.cu
dn: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PROXYSQUID
distinguishedName: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu
instanceType: 4
whenCreated: 20200602163904.0Z
whenChanged: 20200602163943.0Z
uSNCreated: 46923335
uSNChanged: 46923353
name: PROXYSQUID
objectGUID:: nsG44Oq3jkCFDXerJXCEZA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132355895839381100
localPolicyFlags: 0
pwdLastSet: 132355895442940306
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJLCcAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: PROXYSQUID$
sAMAccountType: 805306369
dNSHostName: proxysquid.empresa.midominio.cu
userPrincipalName: HTTP/[email protected]
servicePrincipalName: host/proxysquid.empresa.midominio.cu
servicePrincipalName: HTTP/proxysquid.empresa.midominio.cu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132355895839381100
msDS-SupportedEncryptionTypes: 28

# search reference
ref: ldap://DomainDnsZones.ecasa.avianet.cu/DC=DomainDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference
ref: ldap://ForestDnsZones.midominio.cu/DC=ForestDnsZones,DC=empresa,DC=midominio,DC=cu

# search reference
ref: ldap://empresa.midominio.cu/CN=Configuration,DC=empresa,DC=midominio,DC=cu

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
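Beyond confirming that the object exists, the attributes returned above are worth decoding, because userAccountControl and msDS-SupportedEncryptionTypes determine how the proxy's account can be used. The following is an added example rather than part of the tutorial: it decodes those two attributes from an LDIF entry (a constructed subset of the one above) using the documented AD bit values, and checks that the object carries the HTTP SPN, has a non-expiring password, does not skip Kerberos pre-authentication, and supports AES. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): decode the security-relevant attributes
# of the computer object returned by ldapsearch. The LDIF is a constructed subset
# of the page's entry; the bit values are the documented Active Directory ones.

SAMPLE_LDIF='dn: CN=PROXYSQUID,OU=Linux,OU=Servidores,DC=empresa,DC=midominio,DC=cu
cn: PROXYSQUID
userAccountControl: 69632
sAMAccountName: PROXYSQUID$
dNSHostName: proxysquid.empresa.midominio.cu
userPrincipalName: HTTP/proxysquid.empresa.midominio.cu@EMPRESA.MIDOMINIO.CU
servicePrincipalName: host/proxysquid.empresa.midominio.cu
servicePrincipalName: HTTP/proxysquid.empresa.midominio.cu
msDS-SupportedEncryptionTypes: 28'

# ldif_attr LDIF NAME: prints every value of attribute NAME, one per line.
ldif_attr() { printf '%s\n' "$1" | sed -n "s/^$2: //p"; }

# uac_flags N: names the userAccountControl bits that matter for a keytab-based
# service account. 0x1000 WORKSTATION_TRUST_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD,
# 0x200000 USE_DES_KEY_ONLY (msktutil clears it, as its output above shows),
# 0x400000 DONT_REQ_PREAUTH (should stay clear; it weakens the account).
uac_flags() {
    n=$1; out=""
    [ $(( n & 4096 )) -ne 0 ]    && out="$out WORKSTATION_TRUST_ACCOUNT"
    [ $(( n & 65536 )) -ne 0 ]   && out="$out DONT_EXPIRE_PASSWORD"
    [ $(( n & 2097152 )) -ne 0 ] && out="$out USE_DES_KEY_ONLY"
    [ $(( n & 4194304 )) -ne 0 ] && out="$out DONT_REQ_PREAUTH"
    printf '%s\n' "${out# }"
}

# enctypes_names N: decodes msDS-SupportedEncryptionTypes
# (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256).
# The tutorial's value 28 = 4 + 8 + 16.
enctypes_names() {
    n=$1; out=""
    [ $(( n & 1 )) -ne 0 ]  && out="$out DES_CBC_CRC"
    [ $(( n & 2 )) -ne 0 ]  && out="$out DES_CBC_MD5"
    [ $(( n & 4 )) -ne 0 ]  && out="$out RC4_HMAC"
    [ $(( n & 8 )) -ne 0 ]  && out="$out AES128"
    [ $(( n & 16 )) -ne 0 ] && out="$out AES256"
    printf '%s\n' "${out# }"
}

# account_ok LDIF SPN: succeeds when the object carries SPN, has a non-expiring
# password, does not skip pre-authentication, and supports at least one AES type.
account_ok() {
    ldif_attr "$1" servicePrincipalName | grep -qxF "$2" || return 1
    uac=$(ldif_attr "$1" userAccountControl)
    case " $(uac_flags "$uac") " in
        *" DONT_REQ_PREAUTH "*) return 1 ;;
        *" DONT_EXPIRE_PASSWORD "*) ;;
        *) return 1 ;;
    esac
    enc=$(ldif_attr "$1" msDS-SupportedEncryptionTypes)
    case " $(enctypes_names "$enc") " in *" AES"*) ;; *) return 1 ;; esac
    return 0
}

# Against the live directory, feed it the real entry, e.g.:
#   account_ok "$(ldapsearch -LLL -x -Y GSSAPI -b 'dc=empresa,dc=midominio,dc=cu' \
#       cn=PROXYSQUID)" HTTP/proxysquid.empresa.midominio.cu
```

The page's values decode to WORKSTATION_TRUST_ACCOUNT plus DONT_EXPIRE_PASSWORD (69632) and RC4_HMAC plus AES128 plus AES256 (28), which is what `--dont-expire-password` and `--enctypes 28` request; an entry showing RC4_HMAC alone would mean the proxy can only ever receive RC4 service tickets.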

We test LDAP authentication:

NOTE: The “squid” user must already exist in AD.

First we create a file that will hold the password used to authenticate the “squid” user.

touch /etc/squid/ldappass.txt

We add the user's password:

echo "Proxyadmin*123" > /etc/squid/ldappass.txt

Testing basic LDAP authentication:

/usr/lib/squid/basic_ldap_auth -R -b "dc=empresa,dc=midominio,dc=cu" -D [email protected] -W /etc/squid/ldappass.txt -f "(|(userPrincipalName=%s)(sAMAccountName=%s)(userPasswdac=ACTIVE))" -h pdc1.empresa.midominio.cu

Now we type a user that belongs to the domain, followed by its password:

usuario1.apellido Prueba2020*

If the user exists and the password is correct, it should return the following:

OK

We test Kerberos authentication:

/usr/lib/squid/negotiate_kerberos_auth_test proxysquid.empresa.midominio.cu | awk \
'{sub(/Token:/,"YR"); print $0}END{print"QQ"}'| \
/usr/lib/squid/negotiate_kerberos_auth -d -r -s HTTP/[email protected]

It should return something like this:

negotiate_kerberos_auth.cc(489): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxysquid.keytab
negotiate_kerberos_auth.cc(572): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_29506
negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'YR YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKiggXPBIIFy2CCBccGCSqGSIb3EgECAgEAboIFtjCCBbKgAwIBBaEDAgEOogcDBQAAAAAAo4IEqWGCBKUwggShoAMCAQWhEhsQRUNBU0EuQVZJQU5FVC5DVaIuMCygAwIBA6ElMCMbBEhUVFAbG3Byb3h5c3F1aWQuZWNhc2EuYXZpYW5ldC5jdaOCBFQwggRQoAMCARKhAwIBAaKCBEIEggQ+LqPiulPdQuHVcW90hxDFzkTEtLSBxfoBCaUGuRwhdqXDMB/I33B81RUc/tXUDqpO7AAKfculDH7N2ie0pY2BfItMOfRTVRqB/qAzHkLNFHTFbQFWyiLVy7KKX/SrGXMf8g3d8o03bSgbCPsHlqBlAoCcMbccpoIk1gvzNdz5E9QiHqQRn/9MJcRn81zi4VZG3pCtTA+1o61zYL6fBmTCwEpRawZpyBAO7kh9Rx6x5wJ3EGFCxfaGrtBgj7VG0tTiay1I0TzlvNtXZF1xadqImhGiv1fw33zKG5KZV7rR5LNi8sFiFP3TpBrO1F5EHHZUpNb9q7yAkVqyMCT1EhuD96/IMhL4mI/E9xDAZjlkSzVI/0OyYCoL6OS4bVvCo+iGFsfq0Z9PM4bcR6dePqSbsmrw0YnImKr1KjUN4ROPjXg+fp6n4PuAcutfYFaEkbO9/1UY8Oi9DFIwqsV9lXbvmOtHDbexJkoLzbpgQal/GmAJswvEWYcWUQvC2/RkLivZJ5mK0lYhQE/YfkRcdUQcNKD+AoUQFlXRtgEbWrJbtRbBpKlDk11q+PYJ8Fqk/fgc5rWqezb/TmQBgHu4vTYQ+M5eRL6G2d9jcYqAW7+VgtjTq7TrfRUJmipaCF4gypDJzzqai6OIZMM0/wf8cvBgxve5tJRZpqv0XX915KBUWqB0m4jgwj/bPxmVa2ibNAq1uOJ7jwWBTUQ80NuxOZDUmhn2ICrzPRsa0c6IW8O3+BxE1xNds16rMEF7qhFMVE8QSgxBBMnsUOAX6xM8nDyFqnmsAQl7Qqxpq11ggAyxZCzzsE3fTF4LV/fU9T0fSu68gJCelmbT3mWbE3LjrPIHy4FMDFQcTYahPOUFLQLdh2zcFV/U76tAgYdSUtgaJHgeJ7lsVMOiBQkGLazEBb3Sop/of00ZhFB/8MLo7DtVx21X3fxsSSu5fB8SjG1Z7NvkqGd0P8bf3o4CtTkkVyojtlyrRAo9JXbVSb+2ZKU1DK/JnlQXZ1teLXyPKGB5m0WnzoeaEKhzk6l9NTcae2SvEci1iLawzQzEWxMHoE3Pd/4g6k1vG1Zf4wUWH9sN4hrQL6i2qzT7xwtbaUDG0VsOZBBAsgGXYehkTaJIObKjLg3+LbDSTDvzm5Z9JDQVqFTq7/OK4XafQWMUEbflXWrLpXsYaGAAPIpEADr+Ld58wdHv5iajmwPhGphV1sC26jf7lL0sRr8S1pRwfHqLUs3yOMvcdZJksxVXj2tjwY281dH8xIpHubPbN8Yt58O9qhMKMiCKK72E9jimrBMX4AeD9LP6AhbT/jwuOoIR5+xoodOO762fHmooHicGOD+TPRkvZYfVPo1ZKIcc4VEh39ApNyGGyDCoAdebdxErVwRA0rIYi7m2YwWVf9Djy2S4y5I1ZTwf7RWDtl6MzoUhwaOIe2JW67OhykR+E8YcAAH9pIHvMIHsoAMCARKigeQEgeEVBw2wep15J795akl2JhvXcROkjLr9tZNU03X/F8ujgMgp17OpNL834IPiOT3UzztbPGznudLQMN9NAYepDSGScCKQXdFAU2MoTmAN6uo6s1Sf6xNirlIdeE6gTQ+a9Dyd8jA1YKgOxB4s6YZatlmZIasBGepeGcx
fmwpATym2o3dwWLH6ts9Kf+utek0HXPiOX2/wR2JgWAUx3SMC9b1M2cQbV3YW6dw3knlI5cRZaANjxqG0a9GUVonC3ILA3yygxXbROvPOzxfZ0bWhzhIDsXyIbVcuszLbgjHWV/kyYIM=' from squid (length: 2039).
negotiate_kerberos_auth.cc(679): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Decode '...' (decoded length estimate: 1527).
negotiate_kerberos_pac.cc(406): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got PAC data of length 432
negotiate_kerberos_pac.cc(180): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: Info: Got rid: 515
negotiate_kerberos_pac.cc(270): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-2701354736-835243039-2314636293
negotiate_kerberos_pac.cc(486): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: INFO: Read 428 of 432 bytes 
negotiate_kerberos_auth.cc(806): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==
OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA==
negotiate_kerberos_auth.cc(815): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu
negotiate_kerberos_auth.cc(612): pid=29506 :2020/06/02 11:50:51| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

NOTE: As of version 3.4 that response is deprecated in favor of OK. If this result is returned, Squid authentication against the ADDC via Kerberos is working.
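The pipe above works because negotiate_kerberos_auth speaks Squid's Negotiate helper protocol on stdin and stdout: the awk expression turns the test program's “Token: …” line into a “YR <token>” request and closes the session with “QQ”, and the helper answers with OK, TT, ERR or BH lines. The following added example, not part of the tutorial, reproduces that rewrite and parses the helper's replies; the reply lines are constructed samples in the format shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): the Squid Negotiate helper protocol that
# the awk pipe above speaks. Requests are "YR <token>" (first token), "KK <token>"
# (continuation) and "QQ" (quit); replies begin with OK, TT, ERR or BH.

# to_helper_input TEXT: rewrites the "Token: <b64>" line printed by
# negotiate_kerberos_auth_test into a "YR <b64>" request and appends "QQ",
# which is exactly what the page's awk expression does.
to_helper_input() {
    printf '%s\n' "$1" | awk '{ sub(/Token:/, "YR"); print } END { print "QQ" }'
}

# reply_status LINE: the reply verb. OK = authenticated, TT = another round
# trip needed (token follows), ERR = rejected, BH = helper failure, which is a
# configuration or keytab problem rather than a user error.
reply_status() { printf '%s\n' "$1" | awk '{ print $1 }'; }

# reply_field LINE NAME: value of NAME=... in a reply (token, user, group).
reply_field() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

# reply_user LINE: prints the authenticated principal; fails unless status is OK,
# so a caller cannot accidentally treat a BH or ERR line as a login.
reply_user() {
    [ "$(reply_status "$1")" = "OK" ] || return 1
    reply_field "$1" user
}

# reply_realm LINE: realm part of user=..., empty when the helper stripped it
# (the -r option used above removes the @REALM suffix before Squid sees it).
reply_realm() { reply_user "$1" | sed -n 's/^[^@]*@//p'; }

# Constructed samples in the format of the page's output.
SAMPLE_TEST='Token: YIIF8gYGKwYBBQUCoIIF5jCCBeKgDTALBgkqhkiG9xIBAgKi'
SAMPLE_OK='OK token=oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user=HTTP/proxysquid.empresa.midominio.cu group=AQUAAAAAAAUVAAAA8GYDoR/MyDEFjPaJAwIAAA=='
SAMPLE_BH='BH quit command'
```

Because `reply_user` refuses anything that is not an OK line, a monitoring script built on it distinguishes “the helper is broken” (BH, check the keytab and KRB5_KTNAME) from “this user was rejected” (ERR), which is the first question to answer when authentication stops working after a password rotation.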

We test Kerberos groups with a high debug level, to see the whole negotiation procedure with Kerberos:

/usr/lib/squid/ext_kerberos_ldap_group_acl -a -d -g Inter_F_Redes -D EMPRESA.MIDOMINIO.CU

It should return something like this:

kerberos_ldap_group.cc(311): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Starting version 1.4.0sq
support_group.cc(382): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group list Inter_F_Redes
support_group.cc(447): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: INFO: Group Inter_F_Redes  Domain NULL
support_netbios.cc(83): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=29507 :2020/06/02 11:52:01| kerberos_ldap_group: DEBUG: No ldap servers defined.

Now we type a user that belongs to the group specified in the previous command:

usuario1.apellido

After entering the user, the debug option lets us see more information about the lookup process:

kerberos_ldap_group.cc(430): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido set default domain: EMPRESA.MIDOMINIO.CU
kerberos_ldap_group.cc(435): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: INFO: Got User: usuario1.apellido Domain: ECASA.AVIANET.CU
support_member.cc(63): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: User domain loop: group@domain Inter_F_Redes@NULL
support_member.cc(91): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default domain loop: group@domain Inter_F_Redes@NULL
support_member.cc(119): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Default group loop: group@domain Inter_F_Redes@NULL
support_member.cc(121): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found group@domain Inter_F_Redes@NULL
support_ldap.cc(1007): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(131): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_EMPRESA.MIDOMINIO.CU_29507
support_krb5.cc(78): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: No default principal found in ccache : No credentials cache found
support_krb5.cc(263): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(269): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/proxysquid.keytab
support_krb5.cc(283): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/proxysquid.keytab
support_krb5.cc(294): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EMPRESA.MIDOMINIO.CU
support_krb5.cc(306): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Found principal name: [email protected]
support_krb5.cc(326): pid=29507 :2020/06/02 11:52:05| kerberos_ldap_group: DEBUG: Got principal name [email protected]
support_krb5.cc(390): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(1048): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(1057): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EMPRESA.MIDOMINIO.CU
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc1.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC1.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to PDC2.empresa.midominio.cu
support_resolv.cc(379): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EMPRESA.MIDOMINIO.CU record to pdc2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 1 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 2 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 3 of EMPRESA.MIDOMINIO.CU to PDC2.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 4 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 5 of EMPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(207): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Resolved address 6 of EPRESA.MIDOMINIO.CU to pdc1.empresa.midominio.cu
support_resolv.cc(407): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Adding EMPRESA.MIDOMINIO.CU to list
support_resolv.cc(443): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain EMPRESA.MIDOMINIO.CU:
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: PDC2.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: pdc1.empresa.midominio.cu Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Host: EMPRESA.MIDOMINIO.CU Port: -1 Priority: -2 Weight: -2
support_ldap.cc(1068): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Setting up connection to ldap server PDC2.empresa.midominio.cu:389
support_ldap.cc(1081): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(1100): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Successfully initialised connection to ldap server PDC2.empresa.midominio.cu:389
support_ldap.cc(316): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(665): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(719): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(327): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,DC=empresa,DC=midominio,DC=cu and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(332): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(341): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Determined ldap server as an Active Directory server
support_ldap.cc(1232): pid=29507 :2020/06/02 11:52:06| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=EMPRESA,dc=MIDOMINIO,dc=CU and filter : (samaccountname=usuario1.apellido)
support_ldap.cc(1247): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(665): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(719): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: 5 ldap entries found with attribute : memberof
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" in hex UTF-8 is 496e7465725f465f5265646573
support_ldap.cc(1285): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 1 "Inter_F_Redes" matches group name "Inter_F_Redes"
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" in hex UTF-8 is 41646d696e6973747261646f7265732064656c20646f6d696e696f
support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 3 "Administradores del dominio" does not match group name "Inter_F_Redes"
support_ldap.cc(1275): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" in hex UTF-8 is 446f6d61696e2041646d696e73
support_ldap.cc(1291): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Entry 5 "Domain Admins" does not match group name "Inter_F_Redes"
support_ldap.cc(1588): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: Unbind ldap server
support_member.cc(125): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: INFO: User usuario1.apellido is member of group@domain Inter_F_Redes@NULL

If the user exists and belongs to the group, it should return “OK”:

OK 
kerberos_ldap_group.cc(471): pid=29507 :2020/06/02 11:52:07| kerberos_ldap_group: DEBUG: OK

If we type a user that does not belong to the group, the response will instead be an error:

ERR

We end the “kinit” session of the “administrator” user:

kdestroy

We verify that the credential cache has been destroyed:

klist

It should return the following:

klist: No credentials cache found (filename: /tmp/krb5cc_0)


About Alexander Rivas Alpizar (61 articles)
Network Administrator, EMPRESTUR Cienfuegos

1 comment

  1. Alexander, in the code line under “Testing basic LDAP authentication” there is a punctuation error in squid@empresa,midominio.cu
    (replace , with .). Congratulations on the delivery…. good work by everyone.
