Re: Re: Re: Re: squid_kerb_auth problem

Firstly, for non-domain members you cannot get SSO with Negotiate/Kerberos (as far as I know). When you get the popup asking for a username/password and you provide user@DOMAIN with the password, the client tries to find the domain controller using some Windows protocols. I think if unsuccessful it will try NTLM with its hostname as domain. To help the client find the AD domain controller you should provide, via DHCP or hardcoded, a WINS server which has the domain information.

Regards
Markus


"Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message news:4B56F8D7.4060704@xxxxxxxxxxxxxxxxx
Hi Markus,

Using Firefox on a Windows machine (not a domain member):
- kerbtray doesn't show any credentials
- I don't have traffic on port 88
- Doesn't work

Using IE8 on a Windows machine (not a domain member):
- kerbtray doesn't show any credentials
- On port 88 there are a TGS-REQ and a TGS-REP
- It works

Using Firefox on a Windows machine (domain member of a Windows server):
- kerbtray shows me the user principal and the service principal HTTP/squid.domain
- On port 88 there are a TGS-REQ and a TGS-REP
- It works

Using IE8 on a Windows machine (domain member of a Windows server):
- kerbtray shows me the user principal and the service principal HTTP/squid.domain
- On port 88 there are a TGS-REQ and a TGS-REP
- It works

Regards
Jose

Markus Moeller wrote:
Hi Jose

Can you install kerbtray from the resource kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
and start it? It should list if you have got a TGS for HTTP/squid.domain.

Also, can you capture port 88 (Kerberos) traffic on the client with
Wireshark? When you log in you should see an AS REQ and REP, and
when Firefox authenticates to the proxy you should see a TGS REQ
for HTTP/squid.domain.

If not, can you send me the capture to have a look at it?

Regards Markus

"Jose Lopes" <jlopes@xxxxxxxxxxxxxx> wrote in message
news:4B5596BB.8010103@xxxxxxxxxxxxxxxxx
Hi,

I have the same problem. I have already set
network.negotiate-auth.trusted-uris to the proxy domain. In the
Firefox (FF) log appears:

0[825140]:   service = squid.domain
0[825140]:   using negotiate-sspi
0[825140]:   nsAuthSSPI::Init
0[825140]:   InitSSPI
0[825140]: Using SPN of [HTTP/squid.domain]
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]:   Sending a token of length 40
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Cannot restart authentication sequence!

The HTTP messages between Squid and FF are:

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1 [...]

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14 [...]
Proxy-Authenticate: Negotiate [...]

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14 [...]
Proxy-Authenticate: Negotiate [...]

I already have IE working, and the HTTP seems similar.

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1 [...]

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14 [...]
Proxy-Authenticate: Negotiate [...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14 [...]
Proxy-Authenticate: Negotiate [...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1 [...]
Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...] [...]

SQUID -> IE
HTTP/1.0 200 OK [...]
Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...] [...]


It seems that at first IE uses NTLM and at the second attempt uses Kerberos.

I think FF is similar, but FF doesn't allow the second iteration.

How can I make Kerberos the first iteration?

Thanks in advance
Regards
Jose

Markus Moeller wrote:

The message "parseNegTokenInit failed with rc=102" just means the
token is not a GSSAPI token wrapped in a SPNEGO token, but a
plain GSSAPI token. When you use Firefox you have to do a kinit
first to store the AS token in the Kerberos cache for Firefox
to use, and I think Firefox has to be configured with
network.negotiate-auth.trusted-uris set to the domains of
your proxy server.

Regards
Markus
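Jose's question above (why the first Proxy-Authorization: Negotiate header carries NTLM and only the second carries Kerberos) and Markus's note on parseNegTokenInit rc=102 both come down to what is inside the base64 blob. The following is an added example, not code from Squid or from either poster, that classifies such a blob: an NTLMSSP message (the TlRMTVNTUAAB... token quoted above, which squid_kerb_auth rejects as a "type 1 NTLM token"), a SPNEGO NegTokenInit with its mechTypes list, a SPNEGO NegTokenResp (the helper's AF reply quoted above), or a bare GSS-API Kerberos token with no SPNEGO wrapper (the rc=102 case). The two complete tokens are copied from the thread; the Kerberos tokens in the captures are truncated, so the NegTokenInit and bare-Kerberos samples are constructed by the script itself, and the function names, OID table and DER helpers are mine, not Squid's.

```python
"""Classify the token in a Proxy-Authorization: Negotiate header.
Added example, not Squid code and not from anyone in this thread; standard library only."""
import base64
import struct

OIDS = {  # DER contents of the mechanism OIDs seen in this thread's captures
    "SPNEGO": b"\x2b\x06\x01\x05\x05\x02",                     # 1.3.6.1.5.5.2
    "Kerberos 5": b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",     # 1.2.840.113554.1.2.2
    "MS Kerberos 5": b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",  # 1.2.840.48018.1.2.2
    "NTLMSSP": b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a",    # 1.3.6.1.4.1.311.2.2.10
}
NAMES = {raw: name for name, raw in OIDS.items()}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# Two complete tokens copied from the captures earlier in this thread.
NTLM_TYPE1_FROM_THREAD = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
AF_REPLY_FROM_THREAD = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="


def der_iter(buf):
    """Yield (tag, value) for each DER TLV in buf; handles short and long length forms."""
    pos = 0
    while pos + 1 < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length

def der_encode(tag, body):
    """Minimal DER TLV encoder (bodies up to 65535 bytes), used to build sample tokens."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def oid_to_str(raw):
    """Dotted form of a DER OID value, for mechanisms not listed in OIDS."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def mech_name(raw):
    return NAMES.get(bytes(raw), oid_to_str(raw))

def classify_negotiate_token(b64):
    """Return a dict saying which kind of token the base64 blob is."""
    s = b64.strip().rstrip("=")  # tolerate captures that lost their '=' padding
    tok = base64.b64decode(s + "=" * (-len(s) % 4))
    if tok.startswith(b"NTLMSSP\x00"):
        # NTLM sent under the Negotiate scheme; message type is a LE uint32 at offset 8
        return {"kind": "NTLMSSP", "message_type": struct.unpack_from("<I", tok, 8)[0]}
    if len(tok) < 2 or tok[0] not in (0x60, 0xA1):
        return {"kind": "unknown"}
    tag, body = next(der_iter(tok))
    if tag == 0x60:
        # RFC 2743 InitialContextToken: [APPLICATION 0] { mechanism OID, mechanism data }
        oid_tag, oid_raw = next(der_iter(body))
        if oid_tag != 0x06:
            return {"kind": "malformed"}
        if bytes(oid_raw) != OIDS["SPNEGO"]:
            # bare mechanism token (e.g. a Kerberos AP-REQ) with no SPNEGO wrapper
            return {"kind": "GSS-API", "mech": mech_name(oid_raw)}
        _, neg_init = next(der_iter(body[2 + len(oid_raw):]))  # [0] NegTokenInit
        _, fields = next(der_iter(neg_init))                     # SEQUENCE
        mechs = []
        for t, v in der_iter(fields):
            if t == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, in the client's preference order
                mechs = [mech_name(o) for _, o in der_iter(next(der_iter(v))[1])]
        return {"kind": "SPNEGO NegTokenInit", "mech_types": mechs}
    # [1] NegTokenResp: the acceptor's reply (what squid_kerb_auth hands back after AF)
    result = {"kind": "SPNEGO NegTokenResp"}
    _, fields = next(der_iter(body))
    for t, v in der_iter(fields):
        if t == 0xA0:    # [0] negState ENUMERATED; v is 0a 01 <state>
            result["neg_state"] = NEG_STATE.get(v[2], "unknown")
        elif t == 0xA1:  # [1] supportedMech; v is 06 <len> <oid>
            result["supported_mech"] = mech_name(v[2:])
    return result

def build_spnego_init(mech_names):
    """Constructed NegTokenInit that carries only mechTypes (no mechToken), for testing."""
    mech_list = der_encode(0x30, b"".join(der_encode(0x06, OIDS[m]) for m in mech_names))
    neg_init = der_encode(0xA0, der_encode(0x30, der_encode(0xA0, mech_list)))
    return base64.b64encode(der_encode(0x60, der_encode(0x06, OIDS["SPNEGO"]) + neg_init)).decode()

def build_bare_krb5(ap_req=b"\x6e\x00"):
    """Constructed bare Kerberos GSS token: OID, TOK_ID 0x0100, then a placeholder AP-REQ."""
    return base64.b64encode(der_encode(0x60, der_encode(0x06, OIDS["Kerberos 5"]) + b"\x01\x00" + ap_req)).decode()
```

On a real capture, pass the value after "Negotiate " in the Proxy-Authorization header. An NTLMSSP result, or a NegTokenInit whose mech_types list starts with NTLMSSP, means the client had no Kerberos ticket for the proxy's SPN before Squid ever saw the request, which is where the kerbtray and port 88 checks elsewhere in this thread come in.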

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001181054n7091ea3aj761a508938de74e3@xxxxxxxxxxxxxxxxx
Hi Markus, sorry, yes you were right, it was DNS.

In our environment we are running two DNS servers, one using MS
DNS and the other using Unix BIND. The Linux server was added
to the Unix DNS (with name proxy1.domain.com) but not to the MS
DNS, which was the authority for ad.domain.com. Now that I think
about it, our MS DNS has issues doing reverse lookups for IPs
that the Unix DNS is the authority for (which in this case was
proxy1.domain.com).

I changed the Linux server name to proxy1.ad.domain.com and now
squid_kerb_auth_test works. Using your squid_kerb_auth
(version 1.0.5) I get:

AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:25:10| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx

When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2 I get:

2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with rc=102
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx
2010/01/18 20:29:07| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user@xxxxxxxxxxxxx

Is the "parseNegTokenInit failed with rc=102" ok?

I then tried running squid and used Firefox 3.5.7. I got the
following error from squid cache:

authenticateNegotiateHandleReply: Failed validating user via
Negotiate. Error returned 'type 1 NTLM token'

Any ideas? Also I don't get any authentication popups for
userid and password...

A sample of the log:

2010/01/18 20:47:58| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59).
2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
2010/01/18 20:47:58| do_comm_select: 1 fds ready
2010/01/18 20:47:58| cbdataValid: 0x1838d448
2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from negotiateauthenticator #1.
2010/01/18 20:47:58| commSetSelect: FD 7 type 1
2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
2010/01/18 20:47:58| cbdataValid: 0x18648bb8
2010/01/18 20:47:58| cbdataValid: 0x185cad18
2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned 'type 1 NTLM token'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| cbdataValid: 0x183561a8
2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
2010/01/18 20:47:58| aclMatchAclList: checking !password
2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth REQUIRED'
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to challenge client 'received'!
2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user request '0x18648960'.
2010/01/18 20:47:58| aclAuthenticated: returning 0 sending authentication challenge.
2010/01/18 20:47:58| aclCheck: match found, returning 2
2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
2010/01/18 20:47:58| aclCheckCallback: answer=2
2010/01/18 20:47:58| cbdataValid: 0x185ca298
2010/01/18 20:47:58| The request GET http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official is DENIED, because it matched 'password'

My acl for this was: 'http_access deny !password'

Regards
Umesh

2010/1/16 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Can you check your DNS? For nslookup name you should get an IP,
and for the reverse nslookup ip the same name.

Which Kerberos libraries do you use? Heimdal or MIT, and
which release?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001160337k68a1313g1863689383a15121@xxxxxxxxxxxxxxxxx
Hi

When I tried ./squid_kerb_auth_test proxy1 or
./squid_kerb_auth_test proxy1.domain.com I got:

2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Unknown code krb5 7
Token: NULL

But I got a token if I used ./squid_kerb_auth_test domain.com
or ./squid_kerb_auth_test adserver.domain.com

Using this token and squid auth in the same directory I got:

squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Using the same token on the latest compiled squid
/usr/local/squid/libexec/squid_kerb_auth -d I got:

2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error
NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. No error

Any ideas?
Regards
Umesh



2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

There should be a squid_kerb_auth_test application in the
same source directory as squid_kerb_auth.

Do a kinit user@DOMAIN and then a squid_kerb_auth_test
squid-fqdn, which should give you a token like:

Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......

which you can then use with squid_kerb_auth like:

export KRB5_KTNAME=/path-to-squid.keytab
./squid_kerb_auth -d
YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
2010/01/15 14:40:29| squid_kerb_auth: Got 'YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
2010/01/15 14:40:29| squid_kerb_auth: Decode 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus@xxxxxxxxx

Regards
Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
 news:hipnhp$hs3$1@xxxxxxxxxxxxxxxx

When you use ktpass or msktutil you have to specify a
different AD object than your Samba object and remove the
HTTP/... entries as service principal from your Samba AD
object. If you want to have only one AD object you have
to use the net keytab command as described in the wiki.


Regards Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in message
news:c3b47c041001150053n290d6443q830770300636a0ca@xxxxxxxxxxxxxxxxx


Hi, ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/proxy1@xxxxxxxxxx: kvno = 5

This number is different from the keytab number. How
do I correct this?

Yes, I did use Samba (net ads join -U adminuserid). Then I
tried msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh





2010/1/15 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Sorry, I forgot to say that you have to do a kinit
aduser@REALM before you issue the kvno command. Did you
use the Samba net join command to create the AD account
and the keytab?

Markus

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in
message
news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd@xxxxxxxxxxxxxxxxx


Hi Markus, I've checked with ADSIEDIT and found a single
entry for the Linux server named proxy1. Clicking on
its properties I found the following entries for
servicePrincipalName:

28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the Linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@xxxxxxxxxxxxx (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/proxy1.domain.com@xxxxxxxxxxxxx
# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/proxy1@xxxxxxxxxxxxx

Should I remove the entry on AD, rejoin the PC to AD
and create the keytab again? Which mechanism should I
use to create the keytab? Is my DNS correct? If the PC
came up on AD as proxy1, should it be the FQDN
(proxy1.domain.com)?

Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

On AD you can use ADSIEDIT
(http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx)
to search for entries and delete or modify them. The
best instructions are
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Let me know what you get once you have deleted the old
entry. Another check is to use the kvno tool, which
you should have when you use MIT Kerberos.

# kvno HTTP/fqdn@REALM should give the same number as
klist -ekt squid.keytab, e.g.

# klist -ekt /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (ArcFour with HMAC/md5)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (Triple DES cbc mode with HMAC/sha1)
   3 11/25/08 20:54:17 HTTP/opensuse11.suse.home@xxxxxxxxx (DES cbc mode with CRC-32)

# kvno HTTP/opensuse11.suse.home
HTTP/opensuse11.suse.home@xxxxxxxxx: kvno = 3

Regards
Markus
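The two checks Markus asks for in this thread (forward and reverse DNS agreeing on the proxy's FQDN, and the KVNO in the keytab matching the kvno the KDC issues) gathered into one script, as an added example that is neither Squid's code nor anything the posters ran. It assumes the MIT Kerberos command-line tools klist and kvno are on PATH and, as Markus says, that a kinit aduser@REALM has been done first; the default keytab path and hostname are the ones from this thread, and the embedded klist and kvno text is constructed to reproduce the keytab-7-versus-KDC-5 mismatch Umesh saw, so the comparison logic can be checked without a KDC. The function names and the regular expressions are mine.

```python
"""Pre-flight checks for a Squid Kerberos keytab against AD.
Added example, not Squid code and not from anyone in this thread. Assumes the MIT
Kerberos tools klist and kvno on PATH and that kinit aduser@REALM was run first."""
import re
import socket
import subprocess

# Constructed sample output, shaped like the klist -ekt and kvno output quoted in
# this thread: keytab KVNO 7 versus KDC kvno 5, the mismatch Umesh ran into.
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
SAMPLE_KVNO_MISMATCH = "HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5\n"
SAMPLE_KVNO_MATCH = "HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 7\n"

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")  # kvno date time principal (enctype)
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")                  # principal: kvno = N


def parse_klist_ekt(text):
    """Map principal -> set of key versions present in `klist -ekt keytab` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys

def parse_kvno(text):
    """Map principal -> kvno from `kvno principal ...` stdout; error lines do not match."""
    return {m.group(1): int(m.group(2)) for m in map(KVNO_LINE.match, text.splitlines()) if m}

def kvno_mismatches(keytab_keys, kdc_kvnos):
    """List (principal, keytab versions, kdc kvno) for every keytab principal whose key
    version differs from what the KDC issues tickets with; kdc kvno is None when kvno
    produced no answer for that principal (expired TGT, SPN unknown to AD, ...)."""
    bad = []
    for princ, versions in sorted(keytab_keys.items()):
        kdc = kdc_kvnos.get(princ)
        if kdc is None or kdc not in versions:
            bad.append((princ, sorted(versions), kdc))
    return bad

def dns_roundtrip(hostname):
    """Forward-resolve hostname, reverse-resolve each address, and report addresses whose
    PTR does not come back as the same FQDN (the check Markus asks for). Needs a live
    resolver, so it is run by hand rather than in the offline self-check."""
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    problems = []
    for addr in addrs:
        try:
            reverse = socket.gethostbyaddr(addr)[0]
        except socket.herror:
            reverse = None
        if reverse is None or reverse.lower().rstrip(".") != hostname.lower().rstrip("."):
            problems.append((addr, reverse))
    return addrs, problems

def check_keytab_against_kdc(keytab):
    """Run klist -ekt on the keytab and kvno for every principal in it, then compare."""
    klist_out = subprocess.run(["klist", "-ekt", keytab], check=True,
                               capture_output=True, text=True).stdout
    keys = parse_klist_ekt(klist_out)
    # kvno prints successes on stdout and failures (expired TGT, unknown SPN) on stderr
    kvno_out = subprocess.run(["kvno"] + sorted(keys), capture_output=True, text=True).stdout
    return kvno_mismatches(keys, parse_kvno(kvno_out))


if __name__ == "__main__":
    import sys
    keytab = sys.argv[1] if len(sys.argv) > 1 else "/etc/squid/HTTP.keytab"   # path from this thread
    host = sys.argv[2] if len(sys.argv) > 2 else socket.getfqdn()
    addrs, dns_problems = dns_roundtrip(host)
    print(f"{host} -> {addrs}; reverse mismatches: {dns_problems or 'none'}")
    for princ, versions, kdc in check_keytab_against_kdc(keytab):
        print(f"KVNO mismatch: keytab has {versions} for {princ}, KDC issues kvno {kdc}")
```

Run it on the proxy after the kinit, with the keytab path and the proxy's FQDN as arguments. A None KDC kvno means kvno printed nothing for that principal, which is what the "Ticket expired" and "Client not found" errors in this thread produce; a number that is not in the keytab means the account's key was changed after the keytab was written (another keytab tool run against the same AD object, which is why Markus says to keep the Samba object and the ktpass/msktutil object separate), so the keytab has to be regenerated.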

"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in
message
news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f@xxxxxxxxxxxxxxxxx


Hi, I'm new to this. I've run the following command
on the server:

ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn@REALM"

and get:

#
# LDAPv3
# base <OU=name,DC=domain,DC=com> with scope subtree
# filter: serviceprincipalname=HTTP/fqdn@REALM
# requesting: ALL
#

# search result

# numResponses: 1

Is it possible to check directly on AD if this
service principal name exists? How else can I test if
this keytab works? If I create a new keytab, what is
the procedure for getting rid of the old one and
retesting (what should be done on AD and the Linux
box)?

Are there any docs that will help me with this?

Sorry for being a pain, and thanks again.
Regards
Umesh




2010/1/13 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Can you check with an LDAP query (e.g. with
ldapadmin from SourceForge) or search with the filter
"(serviceprincipalname=HTTP/fqdn@REALM)" if you
have duplicate entries?

This kinit -k -t /etc/squid/squid.keytab
HTTP/fqdn@xxxxxxxxxxxxxx will only work if the
user principal name is HTTP/fqdn@xxxxxxxxxxxxxx,
which I think is not the case with ktpass.


Regards Markus


"Umesh Bodalina" <u.bodalina@xxxxxxxxx> wrote in
message
news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0@xxxxxxxxxxxxxxxxx



Hi,

I'm trying to get the squid helper
squid_kerb_auth to work against our Active
Directory (Win 2003 SP2).

I've compiled the latest squid version
(squid-2.7.STABLE7) on CentOS 5.4 64 bit.

Squid Cache: Version 2.7.STABLE7
configure options: '--prefix=/usr/local/squid' '--disable-wccp' '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files' '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn' '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'

A keytab file was created on AD for squid
(HTTP/squid.domain@xxxxxxxxxxxxxx):

ktpass -princ HTTP/fqdn@REALM -mapuser squiduser -pass password -out HTTP.keytab

I transferred the file to the CentOS server and
placed it in /etc/squid/HTTP.keytab

kinit -k -t /etc/squid/squid.keytab HTTP/fqdn@xxxxxxxxxxxxxx

I get the error message: kinit(v5): Client not
found in Kerberos database while getting initial
credentials

I've also tried creating the keytab file using
msktutil or Samba according to the following doc:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I get the same error.

How do I sort out this problem?

Thanks in advance.
Regards
Umesh




























