Hi,

I'm testing the new squid helper to use negotiate to authenticate users against an MIT Kerberos KDC. I already use a cross-realm trust to authenticate Windows users against the KDC, so users, when logged into Windows, already have the TGT for the Kerberos realm (authenticating users this way I cannot use NTLM auth, that's why I need negotiate against Kerberos).

I've compiled the latest squid-2.6 branch version:

  # sbin/squid -v
  Squid Cache: Version 2.6.STABLE13-20070704
  configure options: '--prefix=/usr/local/squid' '--enable-auth=negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth'

set up a local keytab for squid (HTTP/squid.domain@xxxxxxxxxxxxxx), tested it:

  kinit -k -t squid.keytab HTTP/squid.domain@xxxxxxxxxxxxxx

set and exported KRB5_KTNAME pointing to the local keytab, added authentication to the squid conf:

  auth_param negotiate program /usr/libexec/squid_kerb_auth -d -s HTTP/squid.domain@xxxxxxxxxxxxxx

and started squid.

When trying to access the web with Firefox, the user gets a ticket for the HTTP/squid.domain service, but access is denied. From the logs I've investigated (and from Wireshark dumps), it seems like the client sends authentication but squid fails to verify it.

The flow seems to be like this:

  Client sends request
  Squid processes request, no auth, so requests auth header
  Client sends request + Proxy-Authorization: Negotiate YIICTA[...]YdpMw==
  Squid processes Proxy-Authorization header (strips "Proxy-Authorization: Negotiate" and adds YR to request)
  Squid passes "YR YIICTA[...]YdpMw==" to squid_kerb_auth
  squid_kerb_auth generates an error.

Here is the relevant log part:

  2007/07/05 15:47:19| squid_kerb_auth: parseNegTokenInit failed with rc=102
  2007/07/05 15:47:19| squid_kerb_auth: gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect
  2007/07/05 15:47:19| comm_call_handlers(): got fd=6 read_event=1 write_event=0 F->read_handler=0x8084b10 F->write_handler=(nil)
  2007/07/05 15:47:19| comm_call_handlers(): Calling read handler on fd=6
  2007/07/05 15:47:19| cbdataValid: 0x82239b0
  2007/07/05 15:47:19| helperStatefulHandleRead: 80 bytes from negotiateauthenticator #1.
  2007/07/05 15:47:19| commSetSelect: FD 6 type 1
  2007/07/05 15:47:19| commSetEvents(fd=6)
  2007/07/05 15:47:19| helperStatefulHandleRead: end of reply found
  2007/07/05 15:47:19| cbdataValid: 0x841eb48
  2007/07/05 15:47:19| authenticateNegotiateHandleReply: Helper: '0x82239b0' {NA gss_accept_sec_context() failed: A token was invalid. Mechanism is incorrect}

What is rc=102? Why is the mechanism incorrect? Is there a way I can verify if the Proxy-Authorization header is correct?

Btw, if you need the full log output I can attach it, but the problem seems to arise here in squid_kerb_auth.

Thanks,
--
Miolinux