
#1 On 13/10/2014, at 19:22

Vista

Ubuntu Server 14.04 - Squid 3.3.8 - Active Directory problem!

Hello everyone,

Here is the situation: I installed an Ubuntu 14.04 server with Squid v3.3.8 (the default version on Ubuntu 14.04), and I would like to do SSO against an Active Directory.
So I am following the tutorial from the official documentation --> http://wiki.squid-cache.org/ConfigExamp … e/Kerberos
after a fresh install and the updates.


1> Pre-requisites for Active Directory integration

Active Directory server:
     Active Directory IP: 192.168.1.60
     hostname: ws2008
     Domain name: sonsofanarchy.fr
     Active Directory users:
            - administrateur   password
            - jteller   P@ssword1

Squid server:
     ip: 192.168.1.62
     hostname: srv-proxy-01
     user: administrateur
     password: password


Proxy server config:

after a fresh install and full updates.

1.1> Installing the prerequisites:

sudo apt-get install krb5-user msktutil squid samba-common-bin 

- Checking the DNS configuration:

sudo nano /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
domain sonsofanarchy.fr
search sonsofanarchy.fr
nameserver 192.168.1.60

- Synchronizing the time with the Active Directory:

sudo nano /etc/default/ntpdate
# The settings in this file are used by the program ntpdate-debian, but not
# by the upstream program ntpdate.

# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp,
# so you only have to keep it in one place.
NTPDATE_USE_NTP_CONF=yes

# List of NTP servers to use  (Separate multiple servers with spaces.)
# Not used if NTPDATE_USE_NTP_CONF is yes.
NTPSERVERS="ws2008.sonsofanarchy.fr"

# Additional options to pass to ntpdate
NTPOPTIONS=""
root@srv-proxy-01:~# ntpdate ws2008.sonsofanarchy.fr
13 Oct 18:16:27 ntpdate[1632]: adjust time server 192.168.1.60 offset 0.032533 sec

- Creating the keytab:

root@srv-proxy-01:~# kinit administrateur
Password for administrateur@SONSOFANARCHY.FR: 
root@srv-proxy-01:~#

If there is no message, then it's OK.

root@srv-proxy-01:~# msktutil -c -b "CN=COMPUTERS" -s HTTP/srv-proxy-01.sonsofanarchy.fr -k /etc/squid3/PROXY.keytab --computer-name SRV-PROXY-01-K --upn HTTP/srv-proxy-01.sonsofanarchy.fr --server ws2008.sonsofanarchy.fr --verbose --enctypes 28
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/udandom = 85
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-p1Stna
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SRV-PROXY-01-K$
 -- try_machine_keytab_princ: Trying to authenticate for SRV-PROXY-01-K$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/srv-proxy-01 from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SRV-PROXY-01-K$ with password.
 -- create_default_machine_password: Default machine password for SRV-PROXY-01-K$ is srv-proxy-01-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=YES
 -- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrateur@SONSOFANARCHY.FR
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=SONSOFANARCHY,dc=FR
 -- ldap_check_account: Checking that a computer account for SRV-PROXY-01-K$ exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for SRV-PROXY-01-K found, creating a new one.
dn: cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to srv-proxy-01
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR
 -- ldap_set_supportedEncryptionTypes: DEE dn=cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 130576908153384910
 -- set_password: Successfully set password, waiting for it to be reflected in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 130576908153853660
 -- set_password: Successfully reset computer's password
 -- ldap_add_principal: Checking that adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to SRV-PROXY-01-K$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to LDAP entry
 -- ldap_add_principal: Checking that adding principal host/srv-proxy-01 to SRV-PROXY-01-K$ won't cause a conflict
 -- ldap_add_principal: Adding principal host/srv-proxy-01 to LDAP entry
 -- execute: Updating all entries for srv-proxy-01 in the keytab WRFILE:/etc/squid3/PROXY.keytab

 -- update_keytab: Updating all entires for SRV-PROXY-01-K$
 -- ldap_get_kvno: KVNO is 2
 -- add_principal_keytab: Adding principal to keytab: SRV-PROXY-01-K$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=23
 -- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=17
 -- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=18
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/srv-proxy-01.sonsofanarchy.fr
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=23
 -- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=17
 -- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@SONSOFANARCHY.FR kvno=3, enctype=18
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/srv-proxy-01
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
root@srv-proxy-01:~# 

Granting permissions on the file generated by the previous command:

root@srv-proxy-01:~# chgrp proxy /etc/squid3/PROXY.keytab
root@srv-proxy-01:~#  chmod g+r /etc/squid3/PROXY.keytab

Creating the squid config file:

# Listen on port 8080
http_port 8080

# Negotiate (Kerberos) helper: -d debug output, -i log user information,
# -s GSS_C_NO_NAME = do not pin one SPN, accept any principal present in the keytab
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Any successfully authenticated user matches this ACL
acl auth proxy_auth REQUIRED

# Challenge unauthenticated clients, then allow authenticated ones, deny everything else
http_access deny !auth
http_access allow auth
http_access deny all

And there you go, normally that should be enough, but that is not the case because it does not work; I get the following error message:

2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(378): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(388): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'

Now I don't know what else to do; if anyone knows Squid and Active Directory, I'm all ears.

Thank you.

Last modified by Vista (On 13/10/2014, at 19:27)

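Added example, not part of the original post or of Squid's own code: the helper's message "received type 1 NTLM token" means the browser put an NTLMSSP NEGOTIATE message in its Proxy-Authorization: Negotiate header instead of a SPNEGO/Kerberos token, which negotiate_kerberos_auth cannot validate (hence the BH). The Python script below decodes the exact base64 blob logged above and tells the two apart; the log line it parses is reconstructed from the post's debug output, and the small SPNEGO token it compares against is constructed for this example. It assumes only Python 3 and the standard library.

```python
"""Decode a Proxy-Authorization: Negotiate token and report which mechanism it carries.

Added example for the post above: classifies the base64 blob that
negotiate_kerberos_auth logged as NTLMSSP / SPNEGO / raw Kerberos, so you can
see whether the browser fell back to NTLM instead of sending a Kerberos ticket.
"""
import base64
import struct

# Token copied from the "Got 'YR ...' from squid" debug line in the post.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# Constructed log line, same shape as the helper's -d output, for the parser below.
SAMPLE_LOG_LINE = ("negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:15:52| "
                   "negotiate_kerberos_auth: DEBUG: Got 'YR " + LOGGED_TOKEN +
                   "' from squid (length: 59).")

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

# Constructed minimal GSS-API InitialContextToken ([APPLICATION 0] + SPNEGO OID + empty
# NegTokenInit), only to show what a Kerberos-capable client's token starts with.
SPNEGO_SAMPLE_B64 = base64.b64encode(
    b"\x60\x0c\x06\x06" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()

# Subset of the NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5), enough to read a type 1 message.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def token_from_helper_line(line):
    """Return the base64 token from a negotiate_kerberos_auth "Got '...'" debug line."""
    start = line.find("Got '")
    if start < 0:
        return None
    start += len("Got '")
    payload = line[start:line.find("'", start)]
    # Helper protocol: the first token of an exchange is prefixed "YR ", later ones "KK ".
    for prefix in ("YR ", "KK "):
        if payload.startswith(prefix):
            return payload[len(prefix):]
    return payload


def _der_length(data, pos):
    """Parse a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_gss_token(b64token):
    """Say which mechanism a Negotiate token carries, with details for NTLMSSP type 1."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        info = {"mechanism": "NTLMSSP",
                "message_type": struct.unpack_from("<I", raw, 8)[0]}
        if info["message_type"] == 1 and len(raw) >= 32:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [n for bit, n in sorted(NTLM_FLAGS.items()) if flags & bit]
            if flags & 0x02000000 and len(raw) >= 40:   # NEGOTIATE_VERSION: version field present
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_os_version"] = f"{major}.{minor} build {build}"
        return info
    if raw and raw[0] == 0x60:                     # GSS-API InitialContextToken
        _, pos = _der_length(raw, 1)
        if pos < len(raw) and raw[pos] == 0x06:    # OBJECT IDENTIFIER of the mechanism
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            if oid == SPNEGO_OID:
                return {"mechanism": "SPNEGO"}
            if oid == KRB5_OID:
                return {"mechanism": "Kerberos"}
            return {"mechanism": "GSS-API", "oid": oid.hex()}
    return {"mechanism": "unknown", "first_bytes": raw[:8].hex()}


def diagnose(info):
    """One-line reading of the classification for the proxy operator."""
    if info["mechanism"] == "NTLMSSP":
        return ("client sent NTLM (type %d): it did not obtain a Kerberos ticket for the "
                "proxy SPN, so negotiate_kerberos_auth answers BH" % info["message_type"])
    if info["mechanism"] in ("SPNEGO", "Kerberos"):
        return "client sent a Kerberos-based token; the helper can check it against the keytab"
    return "not a Negotiate token the helper understands"


if __name__ == "__main__":
    for token in (token_from_helper_line(SAMPLE_LOG_LINE), SPNEGO_SAMPLE_B64):
        info = classify_gss_token(token)
        print(info)
        print("  ->", diagnose(info))
```

Run on the logged token it reports NTLMSSP type 1 with flags 0xe2088297 and a client version of 6.1 build 7601, i.e. the browser never tried Kerberos for this proxy. That happens when the client cannot get a service ticket for HTTP/srv-proxy-01.sonsofanarchy.fr: typically the browser is configured with the proxy's IP or short name rather than the FQDN in the SPN, the client machine is not domain-joined or has no TGT, or the SPN in the keytab (`klist -kte /etc/squid3/PROXY.keytab`) does not match the name the browser uses. The Kerberos negotiate helper will never accept NTLM; if NTLM clients must work too, that needs a separate `auth_param ntlm` helper in squid.conf.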