Re: Re: Re: squid_kerb_auth problem

Hi Jose

Can you install kerbtray from the resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en and start it? It should list whether you have got a TGS for HTTP/squid.domain.

Also, can you capture port 88 (Kerberos) traffic on the client with Wireshark? When you log in you should see an AS REQ and REP, and when Firefox authenticates to the proxy you should see a TGS REQ for HTTP/squid.domain.

If not, can you send me the capture to have a look at it?

Regards
Markus

"Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message news:4B5596BB.8010103@xxxxxxxxxxxxxxxxx
Hi,

I have the same problem.
I have already set network.negotiate-auth.trusted-uris to proxy domain.
The Firefox (FF) log shows:
0[825140]:   service = squid.domain
0[825140]:   using negotiate-sspi
0[825140]:   nsAuthSSPI::Init
0[825140]:   InitSSPI
0[825140]: Using SPN of [HTTP/squid.domain]
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]:   Sending a token of length 40
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Cannot restart authentication sequence!

The HTTP messages between Squid and FF are:

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]


I have already IE working, and the http seems similar.

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
[...]

SQUID -> IE
HTTP/1.0 200 OK
[...]
Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
[...]


It seems that IE uses NTLM at first and Kerberos on the second iteration.

I think FF is similar, but FF doesn't allow the second iteration.

How can I make Kerberos the first iteration?

Thanks in advance
Regards
Jose

Markus Moeller wrote:

The message parseNegTokenInit failed with rc=102 just means the token is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI token. When you use Firefox you have to do a kinit first to store the AS token in the Kerberos cache for Firefox to use, and I think Firefox has to be configured with network.negotiate-auth.trusted-uris set to the domain of your proxy server.

Regards
Markus
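The distinction Markus draws above (a plain GSS-API token gives rc=102, a SPNEGO-wrapped token parses, and the blob Firefox sent in Jose's trace is an NTLMSSP type 1 message) can be checked mechanically from the base64 in the Proxy-Authorization header. What follows is an added example written for this page, not code from Squid, from squid_kerb_auth or from anyone in the thread. It decodes the tokens quoted in the thread, tolerating the '[...]' the archive cut them off with, and reports which kind each one is. The bare Kerberos sample is a constructed stand-in (a real AP-REQ is far longer); the OID names are the standard registered ones.

```python
import base64
import re

# Mechanism OIDs that turn up inside Negotiate tokens.
OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# Tokens quoted in this thread (the IE one is cut off in the archive), plus a
# constructed stand-in for a bare Kerberos GSS-API token (not a real AP-REQ).
SAMPLES = {
    "Firefox Proxy-Authorization": "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==",
    "IE second Proxy-Authorization": "YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]",
    "helper AF reply": "oRQwEqADCgEAoQsGCSqGSIb3EgECAg==",
    "constructed bare krb5 token": base64.b64encode(
        bytes.fromhex("60 11 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 02 30 00")).decode(),
}


def _b64_prefix(text):
    """Decode as much of a base64 blob as survives in a log; '[...]' and '...' are dropped."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean)


def _read_tlv(buf, pos):
    """DER tag/length at pos -> (tag, value_start, value_end). value_end may lie
    beyond len(buf) when the token was cut short; callers check for that."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _mech_types(buf, pos):
    """Descend NegTokenInit ([0] SEQUENCE { [0] mechTypes SEQUENCE OF OID ... }) just
    after the SPNEGO OID and name each offered mechanism. Returns (names, truncated)."""
    names = []
    try:
        end = len(buf)
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = _read_tlv(buf, pos)
            if tag != expected:
                return names, False
        while pos < end:
            tag, vstart, vend = _read_tlv(buf, pos)
            if tag != 0x06:
                break
            if vend > len(buf):             # OID cut off by the log's '[...]'
                return names, True
            oid = _decode_oid(buf[vstart:vend])
            names.append(OIDS.get(oid, oid))
            pos = vend
    except IndexError:                      # a header itself was cut off
        return names, True
    return names, False


def _neg_token_resp(buf, pos):
    """Describe NegTokenResp ([1] SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken, [3] mechListMIC })."""
    parts = []
    _, pos, end = _read_tlv(buf, pos)       # the SEQUENCE
    while pos < min(end, len(buf)):
        tag, vstart, vend = _read_tlv(buf, pos)
        if vend > len(buf):
            parts.append("(rest truncated)")
            break
        if tag == 0xA0:                     # ENUMERATED negState, value is its last byte
            parts.append("negState=" + NEG_STATES.get(buf[vend - 1], str(buf[vend - 1])))
        elif tag == 0xA1:
            _, ostart, oend = _read_tlv(buf, vstart)
            oid = _decode_oid(buf[ostart:oend])
            parts.append("supportedMech=" + OIDS.get(oid, oid))
        elif tag == 0xA2:
            parts.append("responseToken present")
        elif tag == 0xA3:
            parts.append("mechListMIC present")
        pos = vend
    return "SPNEGO NegTokenResp " + " ".join(parts)


def classify_negotiate_token(b64):
    """Say what kind of blob a 'Negotiate <base64>' header or helper line carried."""
    buf = _b64_prefix(b64)
    if buf.startswith(b"NTLMSSP\x00"):       # NTLMSSP signature, then little-endian message type
        return f"NTLMSSP type {int.from_bytes(buf[8:12], 'little')}"
    try:
        tag, start, _ = _read_tlv(buf, 0)
        if tag == 0x60:                     # GSS-API InitialContextToken: OID, then mech data
            _, ostart, oend = _read_tlv(buf, start)
            mech = _decode_oid(buf[ostart:oend])
            if mech != SPNEGO_OID:
                return f"raw GSS-API {OIDS.get(mech, mech)} token (not SPNEGO-wrapped)"
            mechs, truncated = _mech_types(buf, oend)
            desc = "SPNEGO NegTokenInit offering " + (", ".join(mechs) or "?")
            return desc + " ... (token truncated)" if truncated else desc
        if tag == 0xA1:
            return _neg_token_resp(buf, start)
    except IndexError:
        return "token too short to parse"
    return f"unrecognised token (first byte 0x{tag:02x})"


if __name__ == "__main__":
    for label, token in SAMPLES.items():
        print(f"{label:32} {classify_negotiate_token(token)}")
```

Run against the thread's own data this shows why the helper complained: Firefox sent an NTLMSSP type 1 message, which squid_kerb_auth cannot accept; IE's second attempt is a proper SPNEGO NegTokenInit offering Kerberos; and the helper's AF reply is a NegTokenResp with negState accept-completed. The constructed bare token is the shape that produces rc=102.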

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
Hi Markus
Sorry, yes you were right, it was DNS.

In our environment we are running two DNS servers, one using MS DNS and the other using Unix BIND. The Linux server was added to the Unix DNS (with name proxy1.domain.com) but not to the MS DNS, which is authoritative for ad.domain.com. Now that I think about it, our MS DNS has issues doing reverse lookups for IPs that the Unix DNS is authoritative for (which in this case was proxy1.domain.com).

I changed the Linux server name to proxy1.ad.domain.com and now squid_kerb_auth_test works.
Using your squid_kerb_auth (version 1.0.5) I get:
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
When I try the same thing with the auth helper from squid-2.7.STABLE7.tar.bz2 I get
2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
Is the parseNegTokenInit failed with rc=102 OK?

I then tried running squid and used Firefox 3.5.7. I got the following error from squid cache:

authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'

Any ideas? Also I don't get any authentication popups for userid and
password...

A sample of the log:
2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
2010/01/18 20:47:58| do_comm_select: 1 fds ready
2010/01/18 20:47:58| cbdataValid: 0x1838d448
2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
2010/01/18 20:47:58| commSetSelect: FD 7 type 1
2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
2010/01/18 20:47:58| cbdataValid: 0x18648bb8
2010/01/18 20:47:58| cbdataValid: 0x185cad18
2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| cbdataValid: 0x183561a8
2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
2010/01/18 20:47:58| aclMatchAclList: checking !password
2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
2010/01/18 20:47:58| aclCheck: match found, returning 2
2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
2010/01/18 20:47:58| aclCheckCallback: answer=2
2010/01/18 20:47:58| cbdataValid: 0x185ca298
2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'

My acl for this was:
'http_access deny !password'

Regards
Umesh

2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Can you check your DNS? For

nslookup name

you should get an IP, and for the reverse

nslookup ip

the same name.

Which Kerberos libraries do you use ? Heimdal or MIT and which release ?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
Hi

When I tried
./squid_kerb_auth_test proxy1
or
./squid_kerb_auth_test proxy1.domain.com
I got
2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
Token: NULL

But I got a token if I used
./squid_kerb_auth_test domain.com
or
./squid_kerb_auth_test adserver.domain.com

Using this token and squid auth in the same directory I got

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Using the same token on the latest compiled squid
/usr/local/squid/libexec/squid_kerb_auth -d
I got

2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Any ideas?
Regards
Umesh



2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

There should be a squid_kerb_auth_test application in the same source directory as squid_kerb_auth.

Do a kinit user@DOMAIN and then a squid_kerb_auth_test squid-fqdn, which should give you a token like:

Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......

which you can then use with squid_kerb_auth like

export KRB5_KTNAME=/path-to-squid.keytab.
./squid_kerb_auth -d
YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx


Regards
Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx

When you use ktpass or msktutil you have to specify a different AD object than your samba object, and remove the HTTP/... entries as service principal from your samba AD object. If you want to have only one AD object you have to use the net keytab command as described in the wiki.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx
Hi
Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@xxxxxxxxxx: kvno = 5

This number is different from the keytab number.
How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the
msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh





2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Sorry, I forgot to say that you have to do a kinit aduser@REALM before you issue the kvno command. Did you use the samba net join command to create the AD account and the keytab?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx
Hi Markus
I've checked with ADSIEDIT and found a single entry for the Linux server named proxy1.
Clicking on its properties I found the following entries for servicePrincipalName:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the PC to AD and create the keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct? If the PC came up on AD as proxy1, should it be the FQDN (proxy1.domain.com)?

Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

On AD you can use ADSIEDIT (http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx) to search for entries and delete or modify them. The best instructions are http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Let me know what you get once you have deleted the old entry. Another check is to use the kvno tool, which you should have when you use MIT Kerberos.

#kvno HTTP/fqdn@REALM should give the same number as klist -ekt squid.keytab, e.g.

# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)

#kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3


Regards
Markus
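A small checker for the comparison Markus describes above, written as an added example for this page (it is not Squid code and not part of the thread): it parses klist -ekt and kvno output and reports the three outcomes that occur in this thread, a KVNO that matches, a keytab cut from an older key, and kvno failing because no TGT was obtained first. It also catches the case where the KDC answers for a principal name the keytab does not hold. The sample outputs are constructed after the ones quoted here, with the realm written as DOMAIN.COM where the archive masked it; feed it the real command output in practice.

```python
import re

# Constructed sample outputs, modelled on the ones quoted in this thread; the realm
# is written as DOMAIN.COM where the archive masked it with x's.
KLIST_OUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
"""
KVNO_MATCH = "HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 7\n"
KVNO_STALE = "HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5\n"
KVNO_SHORTNAME = "HTTP/proxy1@DOMAIN.COM: kvno = 5\n"
KVNO_NO_TGT = "kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@DOMAIN.COM\n"

# One keytab entry per line: KVNO, date, time, principal, (enctype)
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")
# kvno's success line: principal as canonicalised by the KDC, then the number
KVNO_ENTRY = re.compile(r"^(\S+):\s*kvno\s*=\s*(\d+)\s*$")


def parse_klist(text):
    """klist -ekt output -> {principal: {"kvnos": set(), "enctypes": [...]}}."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if not m:
            continue                      # 'Keytab name:', header and ruler lines
        kvno, _timestamp, princ, enctype = m.groups()
        e = entries.setdefault(princ, {"kvnos": set(), "enctypes": []})
        e["kvnos"].add(int(kvno))         # a keytab may carry several key versions
        e["enctypes"].append(enctype)
    return entries


def parse_kvno(text):
    """kvno output -> (principal as the KDC returned it, kvno).
    Raises RuntimeError carrying the tool's own message when no ticket was obtained."""
    for line in text.splitlines():
        m = KVNO_ENTRY.match(line)
        if m:
            return m.group(1), int(m.group(2))
        if line.startswith("kvno:"):
            raise RuntimeError(line[len("kvno:"):].strip())
    raise RuntimeError("no kvno line in output")


def check_keytab(klist_text, kvno_text):
    """Compare the keytab with what the KDC hands out; an empty list means they agree."""
    keytab = parse_klist(klist_text)
    try:
        princ, kdc_kvno = parse_kvno(kvno_text)
    except RuntimeError as err:
        # kvno needs a TGT of its own to fetch a service ticket: kinit first.
        if "Ticket expired" in str(err) or "credentials cache" in str(err):
            return [f"kvno has no usable TGT ({err}); run kinit aduser@REALM and retry"]
        return [f"kvno failed: {err}"]
    if princ not in keytab:
        return [f"KDC answered for {princ}, which is not in the keytab "
                f"(keytab holds: {', '.join(sorted(keytab)) or 'no entries'})"]
    kvnos = keytab[princ]["kvnos"]
    if kdc_kvno not in kvnos:
        return [f"KVNO mismatch for {princ}: keytab has {sorted(kvnos)}, KDC issues {kdc_kvno}; "
                "the keytab was cut from an older key, re-create it"]
    return []


if __name__ == "__main__":
    for label, out in (("match", KVNO_MATCH), ("stale", KVNO_STALE),
                       ("short name", KVNO_SHORTNAME), ("no TGT", KVNO_NO_TGT)):
        print(label, "->", check_keytab(KLIST_OUT, out) or ["OK"])
```

The mismatch case is exactly what the thread shows later: the keytab holds KVNO 7 while the KDC issues KVNO 5, so tickets for HTTP/proxy1.domain.com cannot be decrypted with that keytab and squid_kerb_auth fails in gss_accept_sec_context().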

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx
Hi,
I'm new to this. I've run the following command on the server:

ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"

and get
#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this service principal name exists?
How else can I test if this keytab works?
If I create a new keytab, what is the procedure for getting rid of the old one and retesting (what should be done on AD and the Linux box)?

Are there any docs that will help me with this?

Sorry for being a pain and thanks again.
Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or search with a filter "(serviceprincipalname=HTTP/fqdn@REALM)" whether you have duplicate entries?

This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx will only work if the userprincipal name is HTTP/fqdn@xxxxxxxxxxxxxx, which I think is not the case with ktpass.


Regards
Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx

Hi,

I'm trying to get the squid helper squid_kerb_auth to work against our Active Directory (win 2003 sp2).

I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4 64 bit.

Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'


A keytab file was created on AD for squid (HTTP/squid.domain@xxxxxxxxxxxxxx):

ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab

Transferred the file to the CentOS server and placed it in /etc/squid/HTTP.keytab


kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx

I get the error message:
kinit(v5): Client not found in Kerberos database while getting initial credentials


I've also tried creating the keytab file using
msktutil or samba according to the following doc:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I get the same error.

How do I sort out this problem?

Thanks in advance.
Regards
Umesh