Search squid archive

Re: Re: squid_kerb_auth problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




The message parseNegTokenInit failed with rc=102 just means the token is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI token. When you use firefox you have to do a kinit first to store the AS token in the Kerberos cache for Firefox to use and I think Firfox has to be configured with network.negotiate-auth.trusted-uris to be set to the domains of your proxy server.

Regards
Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
Hi Markus
Sorry yes you were right, it was DNS.

In our environment we are running two DNS servers. One using MS DNS
and the other using unix BIND. The linux server was added to the unix
DNS (with name proxy1.domain.com) but not to the MS DNS which was
authority for ad.domain.com. Now that I think about it our MS DNS has
issues doing reverse lookups for IPs that the unix DNS is authority
for (which in this case was proxy1.domain.com).

I changed linux server name to proxy1.ad.domain.com and now the
squid_kerb_auth_test works.
Using your squid_kerb_auth (version 1.0.5) I get:
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:25:10| squid_kerb_auth: AF
oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2
I get
2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:29:07| squid_kerb_auth: AF
oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
Is the parseNegTokenInit failed with rc=102 ok?

I then tried running squid and used Firefox 3.5.7. I got the following
error from squid cache:

authenticateNegotiateHandleReply: Failed validating user via
Negotiate. Error returned 'type 1 NTLM token'

Any ideas? Also I don't get any authentication popups for userid and password...

A sample of the log:
2010/01/18 20:47:58| squid_kerb_auth: Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
(length: 59).
2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
2010/01/18 20:47:58| do_comm_select: 1 fds ready
2010/01/18 20:47:58| cbdataValid: 0x1838d448
2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from
negotiateauthenticator #1.
2010/01/18 20:47:58| commSetSelect: FD 7 type 1
2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
2010/01/18 20:47:58| cbdataValid: 0x18648bb8
2010/01/18 20:47:58| cbdataValid: 0x185cad18
2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed
validating user via Negotiate. Error returned 'type 1 NTLM token'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
request '0x18648960'.
2010/01/18 20:47:58| cbdataValid: 0x183561a8
2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
2010/01/18 20:47:58| aclMatchAclList: checking !password
2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
request '0x18648960'.
2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to
challenge client 'received'!
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
request '0x18648960'.
2010/01/18 20:47:58| aclAuthenticated: returning 0 sending
authentication challenge.
2010/01/18 20:47:58| aclCheck: match found, returning 2
2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
2010/01/18 20:47:58| aclCheckCallback: answer=2
2010/01/18 20:47:58| cbdataValid: 0x185ca298
2010/01/18 20:47:58| The request GET
http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
is DENIED, because it matched 'password'

My acl for this was:
'http_access deny !password'

Regards
Umesh

2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Can you check your DNS you should get for

nslookup name an ip
and for the reverse
nslookup ip the same name.

Which Kerberos libraries do you use ? Heimdal or MIT and which release ?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
Hi

When I tried
./squid_kerb_auth_test proxy1
or
./squid_kerb_auth_test proxy1.domain.com
I got
2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
failed: Unspecified GSS failure. Minor code may provide more
information. Unknown code krb5 7
Token: NULL

But I got a token if I used
./squid_kerb_auth_test domain.com
or
./squid_kerb_auth_test adserver.domain.com

Using this token and squid auth in the same directory I got

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information. No error
BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information. No error

Using the same token on the latest compiled squid
/usr/local/squid/libexec/squid_kerb_auth -d
I got

2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information. No
error
NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information. No error

Any ideas?
Regards
Umesh



2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

There should be a squid_kerb_auth_test application in the same source
directory as squid_kerb_auth.

Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which
should give you a token like:

Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......

which you can the use with squid_kerb_auth like

export KRB5_KTNAME=/path-to-squid.keytab.
./squid_kerb_auth -d
YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
2010/01/15 14:40:29| squid_kerb_auth: Decode
'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
markus@xxxxxxxxx


Regards
Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx

When you use ktpass or msktutil you have to specify a different AD object
then your samba object and remove the HTTP/... entries as service
principal
from your samba AD object. If you want to have only one AD object you
have
to use the net keytab command as described in the wiki.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
Hi
Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@xxxxxxxxxx: kvno = 5

This number is different from the the keytab number.
How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the
msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh





2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Sorry I forgot to say that you have to do a kinit aduser@REALM before
you
issue the kvno command. Did you use the sambe netjoin command to create
the as account and the keytab ?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
Hi Markus
I've checked with ADSIEDIT and found a single entry for the linux
server named proxy1.
Clicking on it's properties I found the following entries for service
Principal Name:



28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1



28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com


28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1


28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour
with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for
HTTP/proxy1.domain.com@xxxxxxxxxxxxx
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for
HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the pc to AD and create the
keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct if the pc came up on AD as proxy1 should it be the
fqdn (proxy1.domain.com)?

Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

On AD you can use ADSIEDIT (
http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx )
to
search for entries and delete,modify them. The best instructions are
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Let me know what you get once you deleted the old entry. Another check
is
to use the kvno tool which you should have when you use MIT Kerberos.

#kvno HTTP/fqdn@REALM should give the same number as klist -ekt
squid.keytab
e.g.

# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with
HMAC/md5)
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc
mode with HMAC/sha1)
3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode
with
CRC-32)

#kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3


Regards
Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
Hi,
I'm new to this. I've run the following command on the server:

ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
"OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"

and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this service principal name
exits?
How else can I test if this keytab works?
If I create a new keytab what is the procedure of getting rid of the
old one and retesting (what should be done on AD and the linux box)?

Are there any docs that will help me with this?

Sorry for being a pain and thanks again.
Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Can you check with an ldap query (e.g. with ldapadmin from
sourceforge)
or
search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" if you
have
duplicate entries ?

This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will
only
work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I
think
is
not the case with ktpass.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx

Hi,

I'm trying to get the squid helper squid_kerb_auth to work against
our
Active Directory (win 2003 sp2).

I've compiled the latest squid version (squid-2.7.STABLE7)on CentOS
5.4
64 bit.

Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp'
'--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
'--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
'--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'


A keytab file was create on AD for squid
(HTTP/squid.domain@xxxxxxxxxxxxxx)

ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
-pass password -out HTTP.keytab

Transferred the file on the CentOS server and placed it
in /etc/squid/HTTP.keytab


kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx

I get the error message:
kinit(v5): Client not found in Kerberos database while getting
initial
credentials


I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I get the same error.

How do I sort out this problem?

Thanks in advance.
Regards
Umesh






















[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux