Debug Squid Kerberos authentication

kerberos
proxy
debug
squid
ucs-4-3

#1

In case the Kerberos Squid authentication does not work, here are some basic tests.

Check filesystem permissions

The user proxy must be able to access the keytab file /var/lib/samba/private/http-proxy-$(hostname).keytab.

Check the keytab

root@master431:~# kinit --keytab=/var/lib/samba/private/http-proxy-$(hostname).keytab HTTP/$(hostname -f)
root@master431:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: HTTP/master431.deadlock43.intranet@DEADLOCK43.INTRANET

  Issued                Expires               Principal
Mar 14 18:35:18 2018  Mar 15 04:35:18 2018  krbtgt/DEADLOCK43.INTRANET@DEADLOCK43.INTRANET
root@master431:~# 

Check the KRB5_KTNAME configuration

root@master431:~# grep KRB5_KTNAME /etc/default/squid 
KRB5_KTNAME="/var/lib/samba/private/http-proxy-master431.keytab"
export KRB5_KTNAME
root@master431:~# 

Is the UCR variable squid/krb5auth set to yes?

root@master431:~# ucr get squid/krb5auth
yes
root@master431:~# 
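The three static prerequisites above (keytab readable by the proxy user, KRB5_KTNAME set and exported in /etc/default/squid, squid/krb5auth set to yes) can be checked in one go. The following script is an added example and not part of the original post; it assumes GNU stat (Linux), and the function names, the FAIL messages and the --check switch are its own. The proxy user and the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: checks the static
# prerequisites for Squid Kerberos authentication (keytab permissions,
# KRB5_KTNAME in /etc/default/squid, UCR variable squid/krb5auth).
# Assumes GNU stat (Linux). Function names and messages are this example's own.

# Print the keytab path configured in a /etc/default/squid style file.
# Accepts KRB5_KTNAME=value with or without surrounding quotes; the last
# assignment in the file wins, as it does for the shell that sources it.
ktname_from_file() {
    sed -n 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" | tail -n 1 \
        | sed 's/^["'"'"']//; s/["'"'"']$//'
}

# True if the file also exports KRB5_KTNAME; without the export the helper
# that squid starts never sees the variable and uses the default keytab.
ktname_is_exported() {
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME([[:space:]=]|$)' "$1"
}

# True if the keytab exists and has no permission bits for "other".
# A world-readable keytab hands the HTTP/ service key to every local account.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( mode % 10 )) -eq 0 ]
}

# True if the mode bits of file $1 grant read access to user $2 (name or uid)
# as owner, as group member or as "other". POSIX ACLs and root's override are
# deliberately ignored: the question is whether the account squid runs the
# helper as can read the file on its own rights.
keytab_readable_by() {
    kt=$1; user=$2
    [ -f "$kt" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$kt") || return 1
    group=$(stat -c '%g' "$kt") || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    u=$(( (mode / 100) % 10 )); g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
    if [ "$owner" = "$uid" ] && [ $(( u & 4 )) -ne 0 ]; then return 0; fi
    if id -G "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group" \
        && [ $(( g & 4 )) -ne 0 ]; then return 0; fi
    [ $(( o & 4 )) -ne 0 ]
}

# Run all checks against the live host; meant to be executed as root on the
# proxy. Prints one FAIL line per problem and returns non-zero if any failed.
check_host() {
    kt="/var/lib/samba/private/http-proxy-$(hostname).keytab"
    conf=/etc/default/squid
    rc=0
    keytab_readable_by "$kt" proxy || { echo "FAIL: $kt is not readable by user proxy"; rc=1; }
    keytab_mode_ok "$kt"           || { echo "FAIL: $kt is missing or world-readable"; rc=1; }
    [ "$(ktname_from_file "$conf")" = "$kt" ] \
        || { echo "FAIL: KRB5_KTNAME in $conf does not point to $kt"; rc=1; }
    ktname_is_exported "$conf"     || { echo "FAIL: KRB5_KTNAME is not exported in $conf"; rc=1; }
    [ "$(ucr get squid/krb5auth 2>/dev/null)" = "yes" ] \
        || { echo "FAIL: UCR variable squid/krb5auth is not set to yes"; rc=1; }
    return $rc
}

# Only run the live checks when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as root with "sh check_squid_krb.sh --check". The permission check looks at the mode bits of the keytab file only; the parent directory must also be traversable by the proxy user, and any POSIX ACL on the file is not taken into account, so a FAIL there should be confirmed with a manual read attempt as that user.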

Perform a manual Kerberos logon at Squid

First, as testuser:

$ su - testuser
$ kinit
 → Enter password
$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
  → then you should get something like 'Token: .....'.
$ exit

Afterwards, as root:

$ KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
$ export KRB5_KTNAME
$ /usr/lib/squid/negotiate_kerberos_auth -d
 → then please enter "YR " followed by the token
 → press <CTRL>-D
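The two halves of the manual test above (token as the test user, "YR " plus token into the helper as root) can be chained in one script that also interprets the helper's answer. This is an added example, not part of the original post; it uses the helper paths the post names, and the function names and the verdict strings it prints are its own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the manual logon test
# non-interactively apart from the kinit password prompt, feeding the token
# from negotiate_kerberos_auth_test to negotiate_kerberos_auth with the
# "YR " prefix and interpreting the reply. Function names are this example's own.

# Classify one reply line of the negotiate helper. Squid's helper protocol
# answers "AF <token> <user>" on success, "NA" on failure, "TT <token>" when
# another round trip is needed and "BH <message>" when the helper itself is
# broken. Prints a one-line verdict and returns 0 only for AF.
classify_helper_reply() {
    reply=$1
    case $reply in
        "AF "*)    printf 'ok %s\n' "$(printf '%s\n' "$reply" | cut -d' ' -f3)"; return 0 ;;
        "NA "*|NA) printf 'denied\n'; return 1 ;;
        "BH "*)    printf 'helper-error %s\n' "${reply#BH }"; return 2 ;;
        "TT "*)    printf 'continue\n'; return 3 ;;
        *)         printf 'unknown %s\n' "$reply"; return 4 ;;
    esac
}

# Obtain a fresh token as the test user (kinit prompts for that user's
# password on the terminal), then hand it to the helper under the same
# KRB5_KTNAME squid uses. $1 = test user, $2 = keytab path.
run_manual_test() {
    user=$1; keytab=$2
    token=$(su - "$user" -c "kinit && /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)" \
            | sed -n 's/^Token: //p')
    if [ -z "$token" ]; then
        echo "no token: kinit or negotiate_kerberos_auth_test failed for $user" >&2
        return 1
    fi
    # With -d the helper logs to stderr and answers on stdout; keep the first
    # protocol line. The "BH input error" it prints when stdin hits EOF after
    # the one request is expected and not an authentication problem.
    reply=$(printf 'YR %s\n' "$token" \
            | KRB5_KTNAME=$keytab /usr/lib/squid/negotiate_kerberos_auth -d 2>/dev/null \
            | grep -E '^(AF|NA|TT|BH) ' | head -n 1)
    classify_helper_reply "$reply"
}

if [ $# -eq 2 ]; then
    run_manual_test "$1" "$2"
fi
```

Run as root, for example "sh manual_krb_test.sh stefan /var/lib/samba/private/http-proxy-$(hostname).keytab"; a printed "ok stefan@DEADLOCK43.INTRANET" corresponds to the AF line in the session below, while "denied" or "helper-error" point at the ticket or the keytab respectively. The exit status of classify_helper_reply makes the script usable from other checks.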

For example:

root@master431:~# su - stefan
stefan@master431:~$ kinit
stefan@DEADLOCK43.INTRANET's Password: 
stefan@master431:~$ /usr/lib/squid/negotiate_kerberos_auth_test $(hostname -f)
Token: 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
stefan@master431:~$ exit
Abgemeldet
root@master431:~# KRB5_KTNAME=/var/lib/samba/private/http-proxy-$(hostname).keytab
root@master431:~# export KRB5_KTNAME
root@master431:~# /usr/lib/squid/negotiate_kerberos_auth -d
negotiate_kerberos_auth.cc(487): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Setting keytab to /var/lib/samba/private/http-proxy-master431.keytab
negotiate_kerberos_auth.cc(570): pid=25736 :2018/03/14 11:27:26| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_25736
YR 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
negotiate_kerberos_auth.cc(610): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Got 'YR 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' from squid (length: 1883).
negotiate_kerberos_auth.cc(663): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Decode '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' (decoded length: 1409).
negotiate_kerberos_pac.cc(376): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got PAC data of lengh 456
negotiate_kerberos_pac.cc(180): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Found 1 rids
negotiate_kerberos_pac.cc(188): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(256): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-1415230736-3466347602-1585201122
negotiate_kerberos_pac.cc(456): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: INFO: Read 452 of 456 bytes 
negotiate_kerberos_auth.cc(778): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAELVaVFJEnM7iP3xeAQIAAA==
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
negotiate_kerberos_auth.cc(783): pid=25736 :2018/03/14 11:27:36| negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== stefan@DEADLOCK43.INTRANET
BH input error
root@master431:~# 

Check the UCR squid template

root@server:~# univention-check-templates  2>&1 | grep -i squid
/etc/univention/templates/files/etc/squid/squid.conf
root@server:~# 

In this case, a test should be performed with the original template, for example:

 cd /etc/univention/templates/files/etc/squid/
 cp squid.conf squid.conf_modified_template
 cp squid.conf-old squid.conf
 ucr commit /etc/squid/squid.conf
 /etc/init.d/squid restart

Check the Kerberos and DNS settings

Especially in a school environment it should be checked whether the correct DNS and Kerberos servers are used. If Squid is started on a school DC, the school DC should be used as DNS and Kerberos server.
