Hi,

I have the same problem. I have already set network.negotiate-auth.trusted-uris to the proxy domain.

In the Firefox (FF) log appears:

0[825140]: service = squid.domain
0[825140]: using negotiate-sspi
0[825140]: nsAuthSSPI::Init
0[825140]: InitSSPI
0[825140]: Using SPN of [HTTP/squid.domain]
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Sending a token of length 40
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Cannot restart authentication sequence!

The HTTP messages between squid and FF are:

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

I already have IE working, and the HTTP exchange looks similar.

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
[...]

SQUID -> IE
HTTP/1.0 200 OK
[...]
Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
[...]

It seems that at first IE uses NTLM and on the second iteration uses Kerberos.
I think FF is similar, but FF doesn't allow the second iteration. How can I put Kerberos as the first iteration?

Thanks in advance
Regards
Jose

Markus Moeller wrote:
>
> The message parseNegTokenInit failed with rc=102 just means the token
> is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI
> token. When you use firefox you have to do a kinit first to store the
> AS token in the Kerberos cache for Firefox to use and I think Firefox
> has to be configured with network.negotiate-auth.trusted-uris to be
> set to the domains of your proxy server.
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
> news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
> Hi Markus
> Sorry yes you were right, it was DNS.
>
> In our environment we are running two DNS servers. One using MS DNS
> and the other using unix BIND. The linux server was added to the unix
> DNS (with name proxy1.domain.com) but not to the MS DNS which was
> authority for ad.domain.com. Now that I think about it our MS DNS has
> issues doing reverse lookups for IPs that the unix DNS is authority
> for (which in this case was proxy1.domain.com).
>
> I changed the linux server name to proxy1.ad.domain.com and now the
> squid_kerb_auth_test works.
> Using your squid_kerb_auth (version 1.0.5) I get:
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
> 2010/01/18 20:25:10| squid_kerb_auth: AF
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2
> I get
> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with
> rc=102
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
> 2010/01/18 20:29:07| squid_kerb_auth: AF
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
> Is the parseNegTokenInit failed with rc=102 ok?
>
> I then tried running squid and used Firefox 3.5.7. I got the following
> error from squid cache:
>
> authenticateNegotiateHandleReply: Failed validating user via
> Negotiate. Error returned 'type 1 NTLM token'
>
> Any ideas? Also I don't get any authentication popups for userid and
> password...
>
> A sample of the log:
> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with
> rc=101
> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from
> negotiateauthenticator #1.
> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed
> validating user via Negotiate. Error returned 'type 1 NTLM token'
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
> 2010/01/18 20:47:58| aclMatchAclList: checking !password
> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth
> REQUIRED'
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending
> authentication challenge.
> 2010/01/18 20:47:58| aclCheck: match found, returning 2
> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
> 2010/01/18 20:47:58| aclCheckCallback: answer=2
> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
> 2010/01/18 20:47:58| The request GET
> http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
>
> is DENIED, because it matched 'password'
>
> My acl for this was:
> 'http_access deny !password'
>
> Regards
> Umesh
>
> 2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>> Can you check your DNS you should get for
>>
>> nslookup name an ip
>> and for the reverse
>> nslookup ip the same name.
>>
>> Which Kerberos libraries do you use ? Heimdal or MIT and which release ?
>>
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>> news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
>> Hi
>>
>> When I tried
>> ./squid_kerb_auth_test proxy1
>> or
>> ./squid_kerb_auth_test proxy1.domain.com
>> I got
>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
>> failed: Unspecified GSS failure. Minor code may provide more
>> information. Unknown code krb5 7
>> Token: NULL
>>
>> But I got a token if I used
>> ./squid_kerb_auth_test domain.com
>> or
>> ./squid_kerb_auth_test adserver.domain.com
>>
>> Using this token and squid auth in the same directory I got
>>
>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. No error
>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>> code may provide more information. No error
>>
>> Using the same token on the latest compiled squid
>> /usr/local/squid/libexec/squid_kerb_auth -d
>> I got
>>
>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with
>> rc=102
>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide more information. No
>> error
>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>> code may provide more information. No error
>>
>> Any ideas?
>> Regards
>> Umesh
>>
>>
>>
>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>
>>> There should be a squid_kerb_auth_test application in the same source
>>> directory as squid_kerb_auth.
>>>
>>> Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn which
>>> should give you a token like:
>>>
>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>
>>> which you can then use with squid_kerb_auth like
>>>
>>> export KRB5_KTNAME=/path-to-squid.keytab.
>>> ./squid_kerb_auth -d
>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
>>> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode
>>> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
>>> 2010/01/15 14:40:29| squid_kerb_auth: AF
>>> oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
>>> markus@xxxxxxxxx
>>>
>>>
>>> Regards
>>> Markus
>>>
>>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
>>> news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx
>>>>
>>>> When you use ktpass or msktutil you have to specify a different AD
>>>> object than your samba object and remove the HTTP/... entries as service
>>>> principal from your samba AD object. If you want to have only one AD
>>>> object you have to use the net keytab command as described in the wiki.
>>>>
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>>
>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>> news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
>>>> Hi
>>>> Ok. Did that now and I got:
>>>>
>>>> kvno HTTP/proxy1.domain.com
>>>> HTTP/proxy1@xxxxxxxxxx: kvno = 5
>>>>
>>>> This number is different from the keytab number.
>>>> How do I correct this?
>>>>
>>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>>>> msktutil. Then finally ktpass.
>>>>
>>>> During the net ads join I got:
>>>>
>>>> # net ads join -U userid
>>>> userid's password:
>>>> Using short domain name -- DOMAIN
>>>> DNS update failed!
>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>
>>>> Is the DNS update a problem?
>>>>
>>>> Regards
>>>> Umesh
>>>>
>>>>
>>>> 2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>
>>>>> Sorry I forgot to say that you have to do a kinit aduser@REALM before
>>>>> you issue the kvno command. Did you use the samba netjoin command to
>>>>> create the AD account and the keytab ?
>>>>>
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
>>>>> Hi Markus
>>>>> I've checked with ADSIEDIT and found a single entry for the linux
>>>>> server named proxy1.
>>>>> Clicking on its properties I found the following entries for service
>>>>> Principal Name:
>>>>>
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>
>>>>> On the linux box:
>>>>>
>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)
>>>>>
>>>>> # kvno HTTP/proxy1.domain.com
>>>>> kvno: Ticket expired while getting credentials for
>>>>> HTTP/proxy1.domain.com@xxxxxxxxxxxxx
>>>>> # kvno HTTP/proxy1
>>>>> kvno: Ticket expired while getting credentials for
>>>>> HTTP/proxy1@xxxxxxxxxxxxx
>>>>>
>>>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>>>> keytab again?
>>>>> Which mechanism should I use to create the keytab?
>>>>> Is my DNS correct if the pc came up on AD as proxy1 should it be the
>>>>> fqdn (proxy1.domain.com)?
>>>>>
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>>
>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>
>>>>>> On AD you can use ADSIEDIT (
>>>>>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx )
>>>>>> to search for entries and delete, modify them. The best instructions are
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>
>>>>>> Let me know what you get once you deleted the old entry. Another
>>>>>> check is to use the kvno tool which you should have when you use MIT
>>>>>> Kerberos.
>>>>>>
>>>>>> #kvno HTTP/fqdn@REALM should give the same number as klist -ekt
>>>>>> squid.keytab e.g.
>>>>>>
>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>> KVNO Timestamp         Principal
>>>>>> ---- ----------------- --------------------------------------------------------
>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
>>>>>>    3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)
>>>>>>
>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>> HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
>>>>>> Hi,
>>>>>> I'm new to this. I've run the following command on the server:
>>>>>>
>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"
>>>>>>
>>>>>> and get
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>> # filter: serviceprincipalname=HTTP/fqdn@REALM
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>> Is it possible to check directly on AD if this service principal
>>>>>> name exists?
>>>>>> How else can I test if this keytab works?
>>>>>> If I create a new keytab what is the procedure of getting rid of the
>>>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>>>
>>>>>> Are there any docs that will help me with this?
>>>>>>
>>>>>> Sorry for being a pain and thanks again.
>>>>>> Regards
>>>>>> Umesh
>>>>>>
>>>>>>
>>>>>> 2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
>>>>>>>
>>>>>>> Can you check with an ldap query (e.g. with ldapadmin from
>>>>>>> sourceforge) or search with a filter
>>>>>>> "(serviceprincipalname=HTTP/fqdn@REALM)" if you have duplicate entries ?
>>>>>>>
>>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will
>>>>>>> only work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx which I
>>>>>>> think is not the case with ktpass.
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>> Markus
>>>>>>>
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against
>>>>>>>> our Active Directory (win 2003 sp2).
>>>>>>>>
>>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on
>>>>>>>> CentOS 5.4 64 bit.
>>>>>>>>
>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>>>> '--disable-wccpv2' '--enable-large-cache-files'
>>>>>>>> '--with-large-files'
>>>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>>>> '--enable-ntlm-auth-helpers=SMB'
>>>>>>>> '--enable-auth=basic,ntlm,negotiate'
>>>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>
>>>>>>>>
>>>>>>>> A keytab file was created on AD for squid
>>>>>>>> (HTTP/squid.domain@xxxxxxxxxxxxxx)
>>>>>>>>
>>>>>>>> ktpass -princ HTTP/fqdn@REALM -mapuser squiduser
>>>>>>>> -pass password -out HTTP.keytab
>>>>>>>>
>>>>>>>> Transferred the file to the CentOS server and placed it
>>>>>>>> in /etc/squid/HTTP.keytab
>>>>>>>>
>>>>>>>>
>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx
>>>>>>>>
>>>>>>>> I get the error message:
>>>>>>>> kinit(v5): Client not found in Kerberos database while getting
>>>>>>>> initial credentials
>>>>>>>>
>>>>>>>>
>>>>>>>> I've also tried creating the keytab file using
>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>
>>>>>>>> I get the same error.
>>>>>>>>
>>>>>>>> How do I sort out this problem?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>> Regards
>>>>>>>> Umesh
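A small diagnostic for the tokens quoted in this thread, added here as an example and not part of the original mails or of squid_kerb_auth: it decodes the base64 behind a Negotiate header far enough to say whether the client sent raw NTLMSSP (what the helper logs as "received type 1 NTLM token"), a SPNEGO NegTokenInit and which mechanism it lists first, or a NegTokenResp such as the AF reply. The sample tokens are the ones printed in the thread; the IE Kerberos token was truncated in the mail, so only its first 48 base64 characters are used, which cover the header the parser needs. The function and constant names are mine.

```python
import base64

# Mechanism OIDs that show up in the thread, in dotted form (decoded from DER).
SPNEGO_OID = "1.3.6.1.5.5.2"
OID_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos V5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# Tokens quoted in the thread: Firefox's first round, the start of IE's second round
# (truncated in the mail; its first 48 base64 chars, 36 bytes, cover the header), and
# the AF reply printed by squid_kerb_auth.
FIREFOX_FIRST = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
IE_SECOND_HEADER = "YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIG"
HELPER_REPLY = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="

def der_len(buf, i):  # DER length at buf[i] -> (length, index of first content byte)
    n = buf[i] & 0x7F if buf[i] & 0x80 else 0          # long form: n length bytes follow
    return (int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]), i + 1 + n

def enter(buf, i, tag):  # check that buf[i] carries `tag`; return index of its content
    if buf[i] != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, i, buf[i]))
    return der_len(buf, i + 1)[1]

def der_oid(buf, i):
    """Decode the OBJECT IDENTIFIER at buf[i]; return (dotted string, index after it)."""
    start = enter(buf, i, 0x06)
    end = start + der_len(buf, i + 1)[0]
    arcs, value = [buf[start] // 40, buf[start] % 40], 0
    for b in buf[start + 1:end]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs)), end

def classify_negotiate_token(b64):
    """Describe the blob behind 'Negotiate <base64>' the way a helper has to judge it."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):         # no ASN.1 at all: raw NTLM, not GSSAPI
        return "raw NTLMSSP type %d message (not a GSSAPI/SPNEGO token)" % int.from_bytes(tok[8:12], "little")
    if tok[0] == 0x60:                         # GSSAPI InitialContextToken
        mech, i = der_oid(tok, der_len(tok, 1)[1])
        if mech != SPNEGO_OID:
            return "plain GSSAPI token, mech %s" % OID_NAMES.get(mech, mech)
        for tag in (0xA0, 0x30, 0xA0, 0x30):   # NegTokenInit -> mechTypes SEQUENCE OF OID
            i = enter(tok, i, tag)
        mech = der_oid(tok, i)[0]
        return "SPNEGO NegTokenInit, preferred mech %s" % OID_NAMES.get(mech, mech)
    if tok[0] == 0xA1:                         # NegTokenResp ::= [1] SEQUENCE { ... }
        i = enter(tok, enter(tok, 0, 0xA1), 0x30)
        i = enter(tok, enter(tok, i, 0xA0), 0x0A)     # negState [0] ENUMERATED
        state, i = NEG_STATES.get(tok[i], tok[i]), i + 1
        mech = der_oid(tok, enter(tok, i, 0xA1))[0]   # supportedMech [1] OID
        return "SPNEGO NegTokenResp, negState %s, supportedMech %s" % (state, OID_NAMES.get(mech, mech))
    return "unrecognised token starting with 0x%02x" % tok[0]
```

Run against the three samples it reports the Firefox round as a raw NTLMSSP type 1 message, the IE round as a NegTokenInit preferring MS Kerberos V5, and the AF reply as accept-completed with Kerberos V5.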