
Squid3.5.20 + Kerberos + AD

Started by t1n0x, 29 November 2018, 11:09


t1n0x

Good day! Management has given me the task of setting up a proxy server for employee internet access and for monitoring visits, with authentication against AD. The choice fell on squid3 + Kerberos + group-based blocking via AD (ext_kerberos_ldap_group_acl). I managed the first two, i.e. getting squid up with Kerberos authentication against AD, but access blocking via ext_kerberos_ldap_group_acl does not work. From Google (including this forum) I found that it could be a problem with the reverse zone for the domain or with the cyrus-sasl-gssapi libraries, but I have installed everything and created the reverse zone on the domain (the PTR resolves on the proxy server without problems).

Initial data:

OS - CentOS 7 x86_64 minimal
Squid - v3.5.20

Here is what ext_kerberos_ldap_group_acl prints when checking whether the user is in the group:

[root@vm-srv-proxy02 squid]# ./ext_kerberos_ldap_group_acl -d -a -i -g proxy_on@EXAMPLE.COM
kerberos_ldap_group.cc(278): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Group list proxy_on@EXAMPLE.COM
support_group.cc(447): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: INFO: Group proxy_on  Domain EXAMPLE.COM
support_netbios.cc(83): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: Netbios list NULL
support_netbios.cc(87): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: No netbios names defined.
support_lserver.cc(82): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=2055 :2018/11/29 10:44:41| kerberos_ldap_group: DEBUG: No ldap servers defined.
test@EXAMPLE.COM  -- here I enter a user who is a member of the proxy_on group
kerberos_ldap_group.cc(376): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: INFO: Got User: test Domain: EXAMPLE.COM
support_member.cc(63): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain proxy_on@EXAMPLE.COM
support_member.cc(65): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Found group@domain proxy_on@EXAMPLE.COM
support_ldap.cc(898): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_2055
support_krb5.cc(138): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/proxy.keytab
support_krb5.cc(158): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/proxy.keytab
support_krb5.cc(169): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
support_krb5.cc(181): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Found principal name: HTTP/vm-srv-proxy02.example.com@EXAMPLE.COM
support_krb5.cc(196): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Got principal name HTTP/vm-srv-proxy02.example.com@EXAMPLE.COM
support_krb5.cc(260): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(927): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(933): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.COM
support_resolv.cc(379): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.COM record to dc.example.com
support_resolv.cc(183): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known
support_resolv.cc(407): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Adding EXAMPLE.COM to list
support_resolv.cc(443): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Sorted ldap server names for domain EXAMPLE.COM:
support_resolv.cc(445): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Host: dc.example.com Port: 389 Priority: 0 Weight: 100
support_resolv.cc(445): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Host: EXAMPLE.COM Port: -1 Priority: -2 Weight: -2
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server dc.example.com:389
support_ldap.cc(953): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(957): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server EXAMPLE.COM:389
support_ldap.cc(953): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: Success
support_ldap.cc(1048): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: Success
support_member.cc(76): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: INFO: User test is not member of group@domain proxy_on@EXAMPLE.COM
support_member.cc(91): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain proxy_on@EXAMPLE.COM
support_member.cc(119): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain proxy_on@EXAMPLE.COM
ERR
kerberos_ldap_group.cc(411): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: ERR



Here is the squid config:

#
# Recommended minimum configuration:
#
shutdown_lifetime 0 seconds

# Negotiate/Kerberos authentication against AD, using the HTTP/ SPN held in the keytab
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/vm-srv-proxy02.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl auth proxy_auth REQUIRED

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 192.168.30.0/24 # RFC1918 possible internal network
#acl localnet src 192.168.1.0/24
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# user-defined lists
acl allow-sites dstdomain "/etc/squid/acl/allow-sites.acl"
acl socnet-block dstdomain "/etc/squid/acl/socnet-block.acl"
#acl block-porn dstdom_regex "/etc/squid/acl/block-porn.txt"

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# block access to all social networks from socnet-block
http_access deny socnet-block

# deny sites whose domain contains words from block-porn
#http_access deny block-porn

# allow all sites from the domains in the list
# (this rule comes before "allow auth", so these domains are reachable without authentication)
http_access allow allow-sites

# everything else requires a successfully authenticated user
http_access allow auth

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128

# listening ports
# (proxy_auth, and therefore the Negotiate/Kerberos challenge, only applies to
# the explicit port 3128; intercepted traffic on 3126/3127 cannot be asked for
# proxy authentication)
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem

# ssl-bump parameters
#ssl_bump none localhost
ssl_bump server-first socnet-block
#ssl_bump server-first block-porn
ssl_bump server-first allow-sites



# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#httpd_suppress_version_string on

visible_hostname proxy-srv

dns_nameservers 192.168.1.1 192.168.1.18

strip_query_terms off

error_directory /usr/share/squid/errors/ru-ru

logfile_rotate 10

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320



P.S. Also, in /etc/default/squid I have set:

KRB5_KTNAME=/etc/squid/proxy.keytab
export KRB5_KTNAME

Authentication and blocking work (this is visible in the squidanalyzer statistics), but for some reason squid flatly refuses to work with
ext_kerberos_ldap_group_acl

I am asking for help, understanding (if I am being dumb somewhere) and a pointer on where to dig, since I have already scoured the whole internet and found nothing useful.

Уваров А.С.

Check the reverse zone and DNS in general; it is complaining directly about being unable to resolve a name:

Quote: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known

And this one is already a consequence of that:

Quote: ldap_sasl_interactive_bind_s error: Local error
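The reasoning in the reply above (the getaddrinfo failure is the cause, the SASL/GSSAPI "Local error" the symptom) can be mechanised. The following is an added example for this thread, not code from the Squid project or from either poster: it parses ext_kerberos_ldap_group_acl debug lines in the format shown in the first post, picks the first ERROR to decide what to act on, and then runs the check the reply recommends on the SRV target: the name must resolve forward, and every address must have a PTR that names the same host. The sample log is constructed from the lines in the post, and the resolver functions are injectable so the logic can be exercised offline; run as a script it uses the system resolver.

```python
"""Triage ext_kerberos_ldap_group_acl debug output and verify the DC's DNS.
Added example, not Squid project code. Sample log constructed from the post."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# One helper line: "<file>(<line>): pid=<n> :<timestamp>| kerberos_ldap_group: <LEVEL>: <msg>"
LOG_RE = re.compile(
    r"^(?P<src>\w+\.\w+)\(\d+\): pid=\d+ :.+?\| "
    r"kerberos_ldap_group: (?P<level>INFO|DEBUG|ERROR): (?P<msg>.*)$"
)
SRV_RE = re.compile(r"Resolved SRV (?P<srv>\S+) record to (?P<host>\S+)")
REALM_RE = re.compile(r"Keytab entry has realm name: (?P<realm>\S+)")
CONNECT_RE = re.compile(r"Setting up connection to ldap server (?P<host>[^:\s]+):(?P<port>-?\d+)")

# Constructed sample: the relevant lines from the post, in their original order.
SAMPLE_LOG = """\
support_krb5.cc(169): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.COM
support_resolv.cc(379): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.COM record to dc.example.com
support_resolv.cc(183): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: Error while resolving hostname with getaddrinfo: Name or service not known
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server dc.example.com:389
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(942): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: DEBUG: Setting up connection to ldap server EXAMPLE.COM:389
support_sasl.cc(276): pid=2055 :2018/11/29 10:44:53| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
"""


@dataclass
class Event:
    src: str
    level: str
    msg: str


@dataclass
class Triage:
    realm: Optional[str] = None
    srv_target: Optional[str] = None            # DC returned by the _ldap._tcp SRV lookup
    bind_targets: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    root_cause: str = "unknown"
    verdict: str = ""


def parse(lines: Iterable[str]) -> List[Event]:
    """Keep only well-formed helper lines; the user prompt and the final ERR/OK are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["src"], m["level"], m["msg"]))
    return events


def triage(events: List[Event]) -> Triage:
    t = Triage()
    for ev in events:
        m = REALM_RE.search(ev.msg)
        if m:
            t.realm = m["realm"]
        m = SRV_RE.search(ev.msg)
        if m:
            t.srv_target = m["host"]
        m = CONNECT_RE.search(ev.msg)
        if m:
            t.bind_targets.append(m["host"])
        if ev.level == "ERROR":
            t.errors.append(ev.msg)
    # The helper runs getaddrinfo on the SRV target before attempting the SASL/GSSAPI
    # bind, so the first ERROR is the one to act on: a resolution failure that precedes
    # a bind failure makes the bind failure a symptom, not a separate problem.
    first = t.errors[0] if t.errors else ""
    if "getaddrinfo" in first:
        t.root_cause = "dns"
        t.verdict = f"{t.srv_target} (from SRV) does not resolve; fix A/AAAA and PTR records first"
    elif "ldap_sasl_interactive_bind_s" in first:
        t.root_cause = "gssapi"
        t.verdict = "name resolution succeeded; inspect the keytab, the ldap/<dc> service ticket and cyrus-sasl-gssapi"
    elif not t.errors:
        t.root_cause = "none"
        t.verdict = "no errors; check group membership and the group@REALM spelling"
    if t.realm and t.realm in t.bind_targets:
        t.verdict += "; the helper fell through to its last-resort entry (the realm name as LDAP host)"
    return t


def check_dns(host: str,
              resolve_forward: Optional[Callable[[str], List[str]]] = None,
              resolve_reverse: Optional[Callable[[str], str]] = None) -> Tuple[bool, List[str]]:
    """Forward-resolve host and require a PTR for every address that names host back."""
    resolve_forward = resolve_forward or (
        lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)}))
    resolve_reverse = resolve_reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    norm = lambda n: n.rstrip(".").lower()   # DNS names compare case-insensitively, with or without trailing dot
    try:
        addrs = resolve_forward(host)
    except OSError as e:                      # socket.gaierror / herror are OSError subclasses
        return False, [f"{host}: forward lookup failed: {e}"]
    if not addrs:
        return False, [f"{host}: forward lookup returned no addresses"]
    ok, findings = True, []
    for ip in addrs:
        try:
            ptr = resolve_reverse(ip)
        except OSError as e:
            ok = False
            findings.append(f"{ip}: no PTR ({e})")
            continue
        if norm(ptr) != norm(host):
            ok = False
            findings.append(f"{ip}: PTR {ptr} does not match {host}")
        else:
            findings.append(f"{ip}: PTR {ptr} ok")
    return ok, findings


if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    t = triage(parse(lines))
    print(f"root cause: {t.root_cause}: {t.verdict}")
    if t.srv_target:
        ok, findings = check_dns(t.srv_target)   # system resolver, as the helper would use
        print("dns ok" if ok else "dns BROKEN", *findings, sep="\n  ")
```

Pipe the helper's `-d` output into the script (`./ext_kerberos_ldap_group_acl -d -a -i -g proxy_on@EXAMPLE.COM 2>&1 | python3 triage.py`) on the proxy itself, since the check has to run against the same /etc/resolv.conf and search path the helper uses; a PTR that resolves from a workstation proves nothing about the proxy's view.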