Search squid archive

Re: Re: Re: Squid + Kerberos + Active Directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




----- Original Message -----
From: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
To: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>
Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
Sent: Sunday, June 07, 2009 10:23 AM
Subject: Re:  Re: Re: Re: Squid + Kerberos + Active Directory


Dear Markus,

After trying all the possible way, i got atleast just for one time a error message in cache.log

2009/06/07 11:31:46| AuthConfig::CreateAuthUser: Unsupported or unconfigured/inactive proxy-auth scheme, 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=='


So IE or Firefox don't do negotiate.


after that i didnt got this message at all..

My Client is Win XP with IE 6 and Firefox 3.0.10. Its working really fine behind the MS ISA Server.

But no way behind the squid???


Because squid is configured for negotiate/kerberos. Can you do the following
in Firefox:

1) Type about:config in the URL bar
2) In the filter type nego
3) double click on network.negotiate-auth.trusted-uris
4) Enter .panasonic.com
5) Try again

If that does not work can you run the attached binary on yoru XP desktop as
follows:

getTGT -p HTTP/linuxproxy.panasonic.com

You should get an output like:

getTGT.exe -p HTTP/w2k3r2.win2003r2.home
2009/06/07 17:50:42| getTGT[5180]: Info: Context Key Information:
2009/06/07 17:50:42| getTGT[5180]:       Signature Algorithm: (-138)
2009/06/07 17:50:42| getTGT[5180]:       Encryption Algorithm: RSADSI
RC4-HMAC(23)
2009/06/07 17:50:42| getTGT[5180]:       Key Size: 128
2009/06/07 17:50:42| getTGT[5180]: Info: Context Session Key Length: 16
2009/06/07 17:50:42| getTGT[5180]: Info: Context Client Native Name:
Administrator@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Context Server Native Name:
HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Context Start Time: 2009/06/07
17:50:42
2009/06/07 17:50:42| getTGT[5180]: Info: Context End Time: 2009/06/08
03:42:29
2009/06/07 17:50:42| getTGT[5180]: Info: Credential User Principal Name:
Administrator@xxxxxxxxxxxxxx
2009/06/07 17:50:42| getTGT[5180]: Info: Credential ExpiryTime: 2009/06/08
03:42:29

and a klist tickets should give:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tickets

Cached Tickets: (2)

  Server: krbtgt/WIN2003R2.HOME@xxxxxxxxxxxxxx
     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
     End Time: 6/8/2009 3:42:29
     Renew Time: 6/14/2009 17:42:29


  Server: HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx
     KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
     End Time: 6/8/2009 3:42:29
     Renew Time: 6/14/2009 17:42:29


C:\WINNT\Profiles\Administrator.WIN2003R2.000>


klist is part of the resource kit tools
(http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)

If getTGT gives an error like:
2009/06/07 17:55:10| getTGT[3640]: InitializeSecurityContext failed:
SEC_E_TARGET_UNKNOWN

it means that either the kdc does not have a principal with the name or the
client does not have a valid user ticket which can be check ed with klist
tgt:

C:\WINNT\Profiles\Administrator.WIN2003R2.000>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: Administrator
DomainName: WIN2003R2.HOME
TargetDomainName: WIN2003R2.HOME
AltTargetDomainName: WIN2003R2.HOME
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 1:00:00
StartTime: 6/7/2009 17:42:29
EndTime: 6/8/2009 3:42:29
RenewUntil: 6/14/2009 17:42:29
TimeSkew: 1/1/1601 1:00:00



i captured the following types of traffic;

a. My XP Client + IE 6  <---> ISA Server
b. MY XP Client + IE 6  <---> squid-3.0.STABLE13-1.el5 + CentOS 5.2
c. more auth packet level details of Client <-> ISA Server
d. more auth packet level details of Client <-> Squid


Please see the attachments;

and hoping for a way to resolve the issue.


From all this what i understood is, client is trying to do NTLM auth, but server dosent support it. Ok if this is the case, how can i tell the client not to use NTLM and just use Kerberos. Second case, how can i configure squid to handle the NTLM based authentication.


There are NTLM helpers as part of the squid package available. Or better use
the samba ntlm_auth helper.


guide me please...


Regards
Markus



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux