Authenticate squid in Active Directory


Re: Authenticate squid in Active Directory

Lars Hansson-5
On Feb 6, 2008 4:45 PM, Lars Noodin <[hidden email]> wrote:
> You've provided that data point yourself: MS Windows.

Since when is misc@ a Linux-esque anti-MS list?

---
Lars Hansson


Re: Authenticate squid in Active Directory

Brett Lymn
In reply to this post by Lars D. Noodén
On Wed, Feb 06, 2008 at 10:09:50AM +0200, Lars Noodén wrote:
>
> Assuming a positive aspect to that, either you're confused about the
> meaning of word 'based' or unfamiliar with AD.
>

Neither actually but you seem content.  Never mind.
 
> AD is *not* Kerberos nor is it LDAP. AD may well be inspired by LDAP and
> Kerberos and DNS, but go back and read up on it.  The
> added/missing/changed parts prevent or, at best, hinder
> interoperability.  A tool that does not conform to the
> specification is, guess what, not a standard.
>

Oddly this non-standard AD seems to interoperate with the Solaris ldap
client, an openldap client and with MIT kerberos just fine.

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."


Re: Authenticate squid in Active Directory

Lars D. Noodén
Brett Lymn wrote:

> Oddly this non-standard AD seems to interoperate with the Solaris ldap
> client, an openldap client and with MIT kerberos just fine.

Seems to, or actually does?  Or can be pounded in after agreeing to
non-Open licenses?

Point me to some more recent articles or documentation (without NDA
requirements) which counter the following:

http://www.ddj.com/184404225
http://www.infoworld.com/articles/op/xml/00/05/15/000515oplivingston.html
http://www.networkworld.com/news/2000/0511kerberos.html
http://archive.salon.com/tech/log/2000/05/11/slashdot_censor/
http://technews.acm.org/articles/2000-2/0405w.html#item14
http://features.slashdot.org/article.pl?sid=00/05/11/0153247&mode=nested&threshold=3

In short, there seems to have been no announcement that the problem is
resolved.  That's a strange silence for a marketing company.

I'm not arguing that the Squid patch does not work, nor that it is not
possible for some systems vendors to have signed agreements to get at
the proprietary information.  Nor will I say that there is no *short
term* advantage.

What I am saying is that without careful planning, injudicious use of
the patch leads to further entrenchment of an unsound service and the
unsound system in which it is embedded rather than as a transition to a
more stable, secure and maintainable infrastructure.

-Lars


Re: Authenticate squid in Active Directory

bofh-6
On Feb 6, 2008 7:42 AM, Lars Noodin <[hidden email]> wrote:

> Brett Lymn wrote:
>
> > Oddly this non-standard AD seems to interoperate with the Solaris ldap
> > client, an openldap client and with MIT kerberos just fine.
>
> Seems to, or actually does?  Or can be pounded in after agreeing to
> non-Open licenses?
>
> Point me to some more recent articles or documentation (without NDA
> requirements) which counter the following:
>
>
> http://www.ddj.com/184404225
> http://www.infoworld.com/articles/op/xml/00/05/15/000515oplivingston.html


http://msdn2.microsoft.com/en-us/library/ms818754.aspx

Read the page topic and search for the word "PAC "

This was well publicized too, as I had mentioned in my previous email.

Now can you kindly stfu?



--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related


Re: Authenticate squid in Active Directory

Lars D. Noodén
bofh wrote:

> http://msdn2.microsoft.com/en-us/library/ms818754.aspx
> Read the page topic and search for the word "PAC "

Several links in it appear to confirm that a broken version of Kerberos
is still used:

        "The Kerberos Authentication Group Membership
        Extensions extend the Kerberos Authentication
        Network Service (version 5) specification..."

Extend == not a standard anymore.

Yes a client can be hacked, and many appear to be, to accommodate a
non-standard protocol.  But at the end of the day it's still not a
standard.

-Lars


Re: Authenticate squid in Active Directory

bofh-6
On Feb 6, 2008 9:07 AM, Lars Noodin <[hidden email]> wrote:

> bofh wrote:
>
> > http://msdn2.microsoft.com/en-us/library/ms818754.aspx
> > Read the page topic and search for the word "PAC "
>
> Several links in it appear to confirm that a broken version of Kerberos
> is still used:
>
>        "The Kerberos Authentication Group Membership
>        Extensions extend the Kerberos Authentication
>        Network Service (version 5) specification..."
>
> Extend == not a standard anymore.
>
> Yes a client can be hacked, and many appear to be, to accommodate a
> non-standard protocol.  But at the end of the day it's still not a
> standard.


RFC 2822 extends RFC 822.  RFC 822 extends RFC 821.  What's your point?  The
kerberos working team has already accepted it.

Additionally, that field was *DESIGNED* to be extended - it was labelled
"UNUSED" for gods sake.

http://it.slashdot.org/article.pl?sid=07/09/17/2050215&from=rss and search
for "pac "

Microsoft has done a whole lot of shitty things.  Even tried to embrace and
extend kerberos.  But as I mentioned in my *original* email, they got
roundly smacked for it, and decided to release the information.

So, put that FUD pipe down please.




Re: Authenticate squid in Active Directory

Mark Rolen
In reply to this post by Lars D. Noodén
Lars Noodén wrote:

> bofh wrote:
>
>> http://msdn2.microsoft.com/en-us/library/ms818754.aspx
>> Read the page topic and search for the word "PAC "
>
> Several links in it appear to confirm that a broken version of
> Kerberos is still used:
>
>     "The Kerberos Authentication Group Membership
>     Extensions extend the Kerberos Authentication
>     Network Service (version 5) specification..."
>
> Extend == not a standard anymore.
>
> Yes a client can be hacked, and many appear to be, to accommodate a
> non-standard protocol.  But at the end of the day it's still not a
> standard.
>
> -Lars
>

From the very first story you linked:

"This field was intentionally left undefined by Kerberos's authors so
that vendors (like Microsoft) could implement customized versions."

"Let's be clear on one thing: Microsoft's customization of the
authorization placeholder field is entirely legitimate. Others,
including the OSF with its DCE specification, have customized Kerberos
in a similar manner. What's at issue here isn't Microsoft's Kerberos
extensions, but the company's disingenuous ownership claims, onerous
licensing policies, and bullying tactics."

The author (like you, perhaps) doesn't like Microsoft's tactics, but
notes that their changes are "entirely legitimate".

Regards,
Mark
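An added example (not from any poster, nor from the Squid, Samba or MIT Kerberos projects) that makes the "authorization placeholder field" discussed above concrete: RFC 4120 AuthorizationData, with the Windows PAC as ad-type 128 (AD-WIN2K-PAC, registered in RFC 4120 section 7.5.4) carried inside AD-IF-RELEVANT (ad-type 1), the wrapper that lets a non-Windows service skip an element it does not understand. The DER helpers, the `relevant_elements` walk and the placeholder PAC bytes are this example's own constructions; the PAC is treated as an opaque blob and not parsed.

```python
"""RFC 4120 AuthorizationData in hand-rolled DER (added example, not project code).

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
            ad-type  [0] Int32,
            ad-data  [1] OCTET STRING }

AD-IF-RELEVANT (1) wraps another AuthorizationData; a server MAY ignore wrapped
elements it does not understand (RFC 4120 5.2.6.1).  AD-WIN2K-PAC (128) is the
registered type for the Windows PAC (RFC 4120 7.5.4).
"""

AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (128 needs a leading 0x00 byte)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_authdata(elements) -> bytes:
    """elements: iterable of (ad_type, ad_data bytes) -> DER AuthorizationData."""
    items = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(t)) + _tlv(0xA1, _tlv(0x04, d)))
        for t, d in elements
    )
    return _tlv(0x30, items)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after element); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_authdata(buf: bytes):
    """DER AuthorizationData -> list of (ad_type, ad_data); strict about tags."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("AuthorizationData must be one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, elem, pos = _read_tlv(body, pos)
        t0, t_body, p = _read_tlv(elem, 0)
        t1, d_body, p = _read_tlv(elem, p)
        if tag != 0x30 or (t0, t1) != (0xA0, 0xA1) or p != len(elem):
            raise ValueError("bad element structure")
        itag, ibody, _ = _read_tlv(t_body, 0)
        otag, obody, _ = _read_tlv(d_body, 0)
        if itag != 0x02 or otag != 0x04:
            raise ValueError("ad-type must be INTEGER, ad-data OCTET STRING")
        out.append((int.from_bytes(ibody, "big", signed=True), obody))
    return out


def relevant_elements(buf: bytes, known):
    """Walk AuthorizationData as an application server would.

    Returns (understood, unknown_top_level).  Unknown types nested inside
    AD-IF-RELEVANT are dropped silently; unknown top-level types are reported
    so the caller can decide what to do with the ticket.
    """
    understood, unknown = [], []
    for ad_type, ad_data in decode_authdata(buf):
        if ad_type == AD_IF_RELEVANT:
            understood += [(t, d) for t, d in decode_authdata(ad_data) if t in known]
        elif ad_type in known:
            understood.append((ad_type, ad_data))
        else:
            unknown.append(ad_type)
    return understood, unknown


def build_pac_authdata(pac: bytes) -> bytes:
    """Lay a PAC out the way Windows does: AD-IF-RELEVANT { AD-WIN2K-PAC pac }."""
    return encode_authdata([(AD_IF_RELEVANT, encode_authdata([(AD_WIN2K_PAC, pac)]))])


if __name__ == "__main__":
    # Constructed placeholder; a real PAC is an MS-PAC structure, not parsed here.
    ticket_authdata = build_pac_authdata(b"constructed-pac-blob")
    print(relevant_elements(ticket_authdata, known=set()))           # ([], [])
    print(relevant_elements(ticket_authdata, known={AD_WIN2K_PAC}))  # PAC returned
```

Run with a `known` set that lacks 128 and the PAC simply disappears without the ticket being flagged; put the same PAC element at the top level instead of inside AD-IF-RELEVANT and it surfaces as an unknown type, which is the difference the wrapper exists to make.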


Re: Authenticate squid in Active Directory

Brett Lymn
In reply to this post by Lars D. Noodén
On Wed, Feb 06, 2008 at 02:42:02PM +0200, Lars Noodén wrote:
> Brett Lymn wrote:
>
> >Oddly this non-standard AD seems to interoperate with the Solaris ldap
> >client, an openldap client and with MIT kerberos just fine.
>
> Seems to, or actually does?  Or can be pounded in after agreeing to
> non-Open licenses?
>

Alright.  I am Australian and we are renowned for understating
things.  Just to make it crystal clear for you Lars, I have used squid
integrated with Active Directory authentication using purely open
source tools (samba winbindd, MIT kerberos 5, openldap) for _years_.
It works - no ifs no buts, it just goes.  I can bind our Solaris
machines to the AD domain using samba, the AD management shows those
machines as valid clients in the AD forest.

> Point me to some more recent articles or documentation (without NDA
> requirements) which counter the following:
>

Lars, you are an idiot.  You are throwing up 8 year old articles
describing problems with operating systems that are now obsolete.  As
others have pointed out, what you are pointing at are non-issues and
MS has followed the RFC's.

>
> What I am saying is that without careful planning, injudicious use of
> the patch leads to further entrenchment of an unsound service and the
> unsound system in which it is embedded rather than as a transition to a
> more stable, secure and maintainable infrastructure.
>

Ah - you actually failed to answer that bit from my initial message.
I am wondering what this mythical infrastructure you write of is.

--
Brett Lymn


Re: Authenticate squid in Active Directory

Lars D. Noodén
Brett Lymn wrote:
> ... I have used squid
> integrated with Active Directory authentication using purely open
> source tools (samba winbindd, MIT kerberos 5, openldap) for _years_.
> It works - no ifs no buts, it just goes.  

I have not contested that.  Anything can be hacked together with enough
skill and effort.  Samba is an example.  Fine. But in the situation you
describe above there, at the end of the day you still have to have
weakened your network with the presence of MS Windows if it is needed
for AD.  And keep in mind we are talking about (open) standards and not
(open) source code.

So, regarding these claims of interoperability, can you put
LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows clients
and remove the need for any other machines running AD?

If yes, then you are correct and AD is standards compliant and a lot of
effort can be saved by building OpenBSD/LDAP+Kerberos+DNS systems.
If not, then these claims of interoperability are baloney (en_AU) and
just marketeers feedin the chooks.

> ...  You are throwing up 8 year old articles
> describing problems with operating systems that are now obsolete.  As
> others have pointed out, what you are pointing at are non-issues and
> MS has followed the RFC's.

Those are the most recent ones addressing interoperability.

If there are more recent ones then show them.  And no, the link to
slashdot is just that, a link to some comments on slashdot.

>> What I am saying is that without careful planning, injudicious use of
>> the patch leads to further entrenchment of an unsound service and the
>> unsound system in which it is embedded rather than as a transition to a
>> more stable, secure and maintainable infrastructure.
>
> Ah - you actually failed to answer that bit from my initial message.

Pose the question again.  You are, among other things, unclear.

Regards,
-Lars


Re: Authenticate squid in Active Directory

wwauters
> Brett Lymn wrote:

> So, regarding these claims of interoperability, can you put
> LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows clients
> and remove the need for any other machines running AD?

have a look at this:
http://www.kernel-panic.it/openbsd/pdc/

I found it on:
http://www.openbsdsupport.org/

>
> If yes, then you are correct and AD is standards compliant and a lot of
> effort can be saved by building OpenBSD/LDAP+Kerberos+DNS systems.

If you don't need to support Windows Vista client machines, you should be
all right.
Last time I checked you would need a very up-to-date version of Samba to
support Vista, but as a sysadmin I only use OpenBSD stable.
>
> If not, then these claims of interoperability are baloney (en_AU) and
> just marketeers feedin the chooks.

:-)

My clients are stuck with windows (ISVs and Exchange groupware features),
but one day...

I've only got OpenBSD in production use as file servers &
VPN/router/firewalls, so I can't help much further :-)

WFR,
Wim


Re: Authenticate squid in Active Directory

Brett Lymn
On Thu, Feb 07, 2008 at 11:42:38AM -0000, [hidden email] wrote:
> > Brett Lymn wrote:
>

I did not.
 
> > So, regarding these claims of interoperability, can you put
> > LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows clients
> > and remove the need for any other machines running AD?
>

That is from Lars - I have strong objections being implicated in
being responsible for any of his drivel.

--
Brett Lymn


Re: Authenticate squid in Active Directory

Brett Lymn
In reply to this post by Lars D. Noodén
On Thu, Feb 07, 2008 at 11:26:09AM +0200, Lars Noodén wrote:
>
> Pose the question again.  You are, among other things, unclear.
>

No.  Look in the archives if you want it - I know you don't have any
answers apart from some tired rhetoric.

--
Brett Lymn


Re: Authenticate squid in Active Directory

Lars D. Noodén
In reply to this post by wwauters
[hidden email] wrote:
>> Brett Lymn wrote:
>
>> So, regarding these claims of interoperability, can you put
>> LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows clients
>> and remove the need for any other machines running AD?
>
> have a look at this:
> http://www.kernel-panic.it/openbsd/pdc/

Thanks, it clarifies that it is possible to serve standard LDAP, at
least, to AD clients with the help of Samba.  It also looks like it
might save some time/effort/money by reducing the number of unsecurable
systems on the server end of things.

Samba leads to this item from July 2006:

        "It so happens that Microsoft Windows clients depend
        on and expect the contents of the unspecified fields
        in the Kerberos 5 communications data stream for their
        Windows interoperability, particularly when Samba is
        expected to emulate a Windows Server 200x domain controller.
        But the interoperability issue goes far deeper than this.
        In the domain control protocols that are used by MS Windows
        XP Professional, there is a tight interdependency between
        the Kerberos protocols and the Microsoft distributed
        computing environment (DCE) RPCs that themselves are an
        integral part of the SMB/CIFS protocols as used by Microsoft."

  From "Active Directory Replacement with Kerberos, LDAP, and Samba"
        Chapter 11. Active Directory, Kerberos, and Security.
        _Samba-3 by Example_
        July, 2006

So the kerberos question still remains unless there is more recent
material somewhere that can show that these problems have been resolved.
I would have expected some documentation.

As of 2002, definitely not:
        http://www.pcworld.com/article/id,97504/article.html

> If you don't need to support Windows Vista client machines, you should be
> all right.

Nope.

> My clients are stuck with windows (ISVs and Exchange groupware features),
> but one day...

MS Exchange was one of the productivity killers I referred to earlier.
For people that use e-mail, it's an albatross.  For people that need to
use e-mail for their job, well, they can't work.

We plan to evaluate Kolab or Citadel soon.

Regards
-Lars


Re: Authenticate squid in Active Directory

ropers
> [hidden email] wrote:
> >> Brett Lymn wrote:
> >
> >> So, regarding these claims of interoperability, can you put
> >> LDAP+Kerberos+DNS services on an OpenBSD in a network of Windows
> >> clients and remove the need for any other machines running AD?
> >
> > have a look at this:
> > http://www.kernel-panic.it/openbsd/pdc/

I'm not sure I fully understand:
I was under the impression that NT, up to NT 4, used the PDC/BDC
model, and W2K and later used AD. While the kernel-panic tutorial does
seem to address using OpenBSD to handle logins to NT4-compatible
domains (including logins to such domains from W2K/WXP clients), it
seems to me that it's not offering anything that's truly
interchangeable with AD. Please correct me if I'm wrong.

Thanks and regards,
--ropers


Re: Authenticate squid in Active Directory

Karl Karlsson
2008/2/8, ropers <[hidden email]>:

>
>
> I'm not sure I fully understand:
> I was under the impression that NT, up to NT 4, used the PDC/BDC
> model, and W2K and later used AD. While the kernel-panic tutorial does
> seem to address using OpenBSD to handle logins to NT4-compatible
> domains (including logins to such domains from W2K/WXP clients), it
> seems to me that it's not offering anything that's truly
> interchangeable with AD. Please correct me if I'm wrong.
>
> Thanks and regards,
> --ropers
>
>
Samba as of version 3 only does the old emulation of an NT4 domain as PDC/BDC.
AD is way more complex in its use of GP and stuff. Samba 4 can do it but it's
nowhere near complete and ready for production. And btw, Vista is
working as client in both modes. It is of course possible to do some of
the GP the ugly way by enforcing registry changes via login script, but it
sure is ugly and has some quirks.


Re: Authenticate squid in Active Directory

Leonardo Rodrigues
In reply to this post by ropers
> I'm not sure I fully understand:
> I was under the impression that NT, up to NT 4, used the PDC/BDC
> model, and W2K and later used AD. While the kernel-panic tutorial does
> seem to address using OpenBSD to handle logins to NT4-compatible
> domains (including logins to such domains from W2K/WXP clients), it
> seems to me that it's not offering anything that's truly
> interchangeable with AD. Please correct me if I'm wrong.
>
> Thanks and regards,
> --ropers
>
>

SAMBA version 3 does not offer a complete AD solution. That's promised
for SAMBA v4 though...

The tutorial at kernel-panic is a good one, but I do not see the point
of using ldap, instead of the standard samba backend for example,
since user account database replication is not likely to work on SAMBA
+ OpenBSD, unless one automates the process of creating local accounts
on each machine along with the ldap accounts.


--
An OpenBSD user... and that's all you need to know =)

Please, send private emails to [hidden email]


Re: Authenticate squid in Active Directory

Eduardo Alvarenga
A long time ago I asked the developers to implement nsswitch
compatibility on OpenBSD, for the sake of having automatic user
synchronization with AD. The answer was not positive.

There is also a patch that implements this hanging around. Got to ask Google :-)

Maybe it's time for OpenBSD to become more competitive and introduce
industry standards on its userland.

2008/2/8, Leonardo Rodrigues <[hidden email]>:

> > I'm not sure I fully understand:
> > I was under the impression that NT, up to NT 4, used the PDC/BDC
> > model, and W2K and later used AD. While the kernel-panic tutorial does
> > seem to address using OpenBSD to handle logins to NT4-compatible
> > domains (including logins to such domains from W2K/WXP clients), it
> > seems to me that it's not offering anything that's truly
> > interchangeable with AD. Please correct me if I'm wrong.
> >
> > Thanks and regards,
> > --ropers
> >
> >
>
> SAMBA version 3 does not offer a complete AD solution. That's promised
> for SAMBA v4 though...
>
> The tutorial at kernel-panic is a good one, but I do not see the point
> of using ldap, instead of the standard samba backend for example,
> since user account database replication is not likely to work on SAMBA
> + OpenBSD, unless one automates the process of creating local accounts
> on each machine along with the ldap accounts.
>
>
> --
> An OpenBSD user... and that's all you need to know =)
>
> Please, send private emails to [hidden email]
>
>


--
Eduardo Alvarenga


Re: Authenticate squid in Active Directory

Karl Karlsson
2008/2/8, Eduardo Alvarenga <[hidden email]>:

>
> A long time ago I asked the developers to implement nsswitch
> compatibility on OpenBSD, for the sake of having automatic user
> synchronization with AD. The answer was not positive.
>
> There is also a patch that implements this hanging around. Got to ask
> Google :-)
>
> Maybe it's time for OpenBSD to become more competitive and introduce
> industry standards on its userland.
>
>
Little OT but anyway, what do you exactly mean with "industry standards"?
As far as I can see PAM is making its way through on more and more different
UNIX systems. If PAM is "industry standard" one should stay as far away from
standards as possible.


Re: Authenticate squid in Active Directory

Eduardo Alvarenga
2008/2/8, Karl Karlsson <[hidden email]>:

> 2008/2/8, Eduardo Alvarenga <[hidden email]>:
> >
> > A long time ago I asked the developers to implement nsswitch
> > compatibility on OpenBSD, for the sake of having automatic user
> > synchronization with AD. The answer was not positive.
> >
> > There is also a patch that implements this hanging around. Got to ask
> > Google :-)
> >
> > Maybe it's time for OpenBSD to become more competitive and introduce
> > industry standards on its userland.
> >
> >
> Little OT but anyway, what do you exactly mean with "industry standards"?
> As far as I can see PAM is making its way through on more and more different
> UNIX systems. If PAM is "industry standard" one should stay as far away from
> standards as possible.

nsswitch - System Databases and Name Service Switch
PAM - Pluggable Authentication Modules

Forgive me if I misunderstood your reply, but PAM has NOTHING to do
with nsswitch.

When I say "industry standards" I mean the methods to obtain something
and not a specific way to do it.

OpenBSD products like SSH, NTPD, BGPD, OSPFD, etc follow industry standards.

Maybe it's time to interconnect user databases with other systems, and
one possible way is to implement nsswitch-like compatibility.

--
Eduardo Alvarenga


Re: Authenticate squid in Active Directory

Karl Karlsson
2008/2/8, Eduardo Alvarenga <[hidden email]>:

>
> 2008/2/8, Karl Karlsson <[hidden email]>:
> > 2008/2/8, Eduardo Alvarenga <[hidden email]>:
> > >
> > > A long time ago I asked the developers to implement nsswitch
> > > compatibility on OpenBSD, for the sake of having automatic user
> > > synchronization with AD. The answer was not positive.
> > >
> > > There is also a patch that implements this hanging around. Got to ask
> > > Google :-)
> > >
> > > Maybe it's time for OpenBSD to become more competitive and introduce
> > > industry standards on its userland.
> > >
> > >
> > Little OT but anyway, what do you exactly mean with "industry standards"?
> > As far as I can see PAM is making its way through on more and more different
> > UNIX systems. If PAM is "industry standard" one should stay as far away from
> > standards as possible.
>
> nsswitch - System Databases and Name Service Switch
> PAM - Pluggable Authentication Modules
>
> Forgive me if I misunderstood your reply, but PAM has NOTHING to do
> with nsswitch.
>
> When I say "industry standards" I mean the methods to obtain something
> and not a specific way to do it.
>
> OpenBSD products like SSH, NTPD, BGPD, OSPFD, etc follow industry
> standards.
>
> Maybe it's time to interconnect user databases with other systems, and
> one possible way is to implement nsswitch-like compatibility.
>
> --
> Eduardo Alvarenga
>
Those standards I fully agree with. I got a bit afloat there and thought
you meant it in a broader sense as it's going almost everywhere these days
where they use pam to glue every one and everything together. But this
really is off topic from that AD where we started. :)
