
Problems setting up Kerberos authentication

Hi all,

I am trying to set up Kerberos authentication with Squid 2.7.stable7 on Linux. I use Heimdal 1.3.1. I already had success doing so on two proxies, but in a third environment, authentication fails.

In squid.conf I have the following entries:
auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.example.com@xxxxxxxxxxx
acl REQUIRE_AUTH proxy_auth REQUIRED
http_access allow src_localhost
http_access deny !REQUIRE_AUTH
http_access allow all

Environment variables KRB5_CONFIG and KRB5_KTNAME are set. By using kinit on the proxy it is possible to obtain a user ticket (auth with a password), and obtaining the service principal ticket (HTTP/proxy.example.com@xxxxxxxxxxx, auth with the keytab file) works fine, too.

When a client tries to use the proxy, the conversation is as follows:

* User requests website

* Proxy responds with 407 and sets header "Proxy-Authenticate: Negotiate"

* User sends another request for the website and sends the ticket. From Wireshark:
OID: 1.3.6.1.5.5.2 (SPNEGO)
negTokenInit
MechTypes: 1.2.840.48018.1.2.2 (MS KRB5), 1.2.840.113554.1.2.2 (KRB5), 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
krb5_blob:
  Kerberos AP-REQ
  Realm: EXAMPLE.COM
  Server Name (type 2, service and instance): HTTP/proxy.domain.com

* squid_kerb_auth reports:
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
squid_kerb_auth: parseNegTokenInit failed with rc=102
squid_kerb_auth: continuation needed.

* Proxy replies with 407:
GSS-API:SPNEGO:negTokenTarg
negResult: accept-incomplete
supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

* Client gets an authentication pop-up where he can enter a username and password, but this does not work. This is probably related to the suggested NTLMSSP.

* User requests URL again, this time with an NTLM authenticator
GSS-API:SPNEGO:negTokenTarg
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE

* squid_kerb_auth reports:
squid_kerb_auth: Got 'KKoS...' from squid (length: 67)
squid_kerb_auth: parseNegTokenInit failed with rc=300
squid_kerb_auth: Invalid GSS-SPNEGO  query [KKoS...].
NA Invalid GSS-SPNEGO query.

* Server replies to client with "Proxy-Authenticate: Negotiate Invalid"


Does anyone have an idea what is going wrong, i.e. why the authentication helper replies with "continuation needed" and what I should try to debug?

Best regards,

Fabian
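For anyone debugging an exchange like the one above, here is an added example (not from the original post and not Squid's own squid_kerb_auth code) that decodes a Negotiate token from a Proxy-Authorization or Proxy-Authenticate header and reports what it carries: for a negTokenInit, the mechanism list and the type of Kerberos message inside the mechToken; for a negTokenTarg, the negResult and supportedMech. The builder functions and the two sample tokens are constructed here so the script runs offline; paste a real base64 value from Wireshark into parse_negotiate() to inspect it. Names such as parse_negotiate and classify_mech_token are this example's own.

```python
"""Minimal SPNEGO (RFC 4178) token inspector for Negotiate headers.

Added example; not part of the original post or of squid_kerb_auth.
Handles DER short and long lengths, negTokenInit and negTokenTarg.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {MS_KRB5_OID: "MS KRB5", KRB5_OID: "KRB5", NTLMSSP_OID: "NTLMSSP"}
NEG_RESULT = {0: "accept-completed", 1: "accept-incomplete", 2: "reject"}
TOK_ID = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}


def der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):  # X.690 OID encoding, first two arcs packed into one byte
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def parse_neg_token_init(ctx):
    _, seq, _ = read_tlv(ctx)  # NegTokenInit ::= SEQUENCE
    info = {"kind": "negTokenInit", "mechTypes": [], "mechToken": b""}
    for tag, val in iter_tlvs(seq):
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, client's preference order
            _, lst, _ = read_tlv(val)
            info["mechTypes"] = [decode_oid(v) for t, v in iter_tlvs(lst) if t == 0x06]
        elif tag == 0xA2:  # [2] mechToken OCTET STRING, the first mech's own token
            _, info["mechToken"], _ = read_tlv(val)
    return info


def parse_neg_token_targ(ctx):
    _, seq, _ = read_tlv(ctx)  # NegTokenResp ::= SEQUENCE
    info = {"kind": "negTokenTarg", "negResult": None, "supportedMech": None, "responseToken": b""}
    for tag, val in iter_tlvs(seq):
        if tag == 0xA0:  # [0] negResult ENUMERATED
            _, v, _ = read_tlv(val)
            info["negResult"] = NEG_RESULT.get(v[0], v[0])
        elif tag == 0xA1:  # [1] supportedMech OID chosen by the server
            _, v, _ = read_tlv(val)
            info["supportedMech"] = decode_oid(v)
        elif tag == 0xA2:  # [2] responseToken OCTET STRING
            _, info["responseToken"], _ = read_tlv(val)
    return info


def parse_negotiate(b64):
    """Decode the base64 value after 'Negotiate ' and dispatch on the outer tag."""
    raw = base64.b64decode(b64)
    tag, body, _ = read_tlv(raw)
    if tag == 0x60:  # [APPLICATION 0] InitialContextToken: OID + [0] negTokenInit
        otag, oid, pos = read_tlv(body)
        if otag != 0x06 or decode_oid(oid) != SPNEGO_OID:
            raise ValueError("not SPNEGO (raw Kerberos or another mech)")
        itag, inner, _ = read_tlv(body, pos)
        if itag != 0xA0:
            raise ValueError("expected negTokenInit [0]")
        return parse_neg_token_init(inner)
    if tag == 0xA1:  # negTokenTarg is sent bare, without the APPLICATION wrapper
        return parse_neg_token_targ(body)
    raise ValueError("unrecognised outer tag 0x%02x" % tag)


def classify_mech_token(tok):
    """Name what the inner token is: NTLMSSP, or <mech> <Kerberos TOK_ID> (RFC 4121)."""
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"
    if not tok or tok[0] != 0x60:
        return "unknown"
    _, body, _ = read_tlv(tok)
    otag, oid, pos = read_tlv(body)
    if otag != 0x06:
        return "unknown"
    mech = MECH_NAMES.get(decode_oid(oid), decode_oid(oid))
    return "%s %s" % (mech, TOK_ID.get(body[pos:pos + 2], "tok_id " + body[pos:pos + 2].hex()))


# --- constructed samples (real framing, placeholder ticket body) ---
def sample_ap_req():
    return tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00" + b"PLACEHOLDER-AP-REQ")


def build_sample_init(mechs, mech_token):
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    seq = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return base64.b64encode(tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, seq))).decode()


def build_sample_targ(result, mech):
    seq = tlv(0x30, tlv(0xA0, tlv(0x0A, bytes([result]))) + tlv(0xA1, encode_oid(mech)))
    return base64.b64encode(tlv(0xA1, seq)).decode()


if __name__ == "__main__":
    for tok in (build_sample_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], sample_ap_req()),
                build_sample_targ(1, NTLMSSP_OID)):
        info = parse_negotiate(tok)
        print(info["kind"], [MECH_NAMES.get(m, m) for m in info.get("mechTypes", [])],
              info.get("negResult"), MECH_NAMES.get(info.get("supportedMech")),
              classify_mech_token(info.get("mechToken", b"")))
```

Run against the first client token in the trace above, a decoder like this shows the client listing MS KRB5 ahead of KRB5 (the usual order for Windows clients, and a variant every Kerberos helper has to accept as KRB5) and an AP-REQ inside the mechToken; the script does not decode the AP-REQ itself, so the server name Wireshark shows there (HTTP/proxy.domain.com in the trace) is worth comparing by eye with the principal the helper was started with (HTTP/proxy.example.com). Run against the proxy's reply, it shows the server steering the client to NTLMSSP, which a Kerberos-only helper cannot complete, matching the third exchange in the trace.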
