Continuation needed means that the GSSAPI exchange has not finished and the
server needs more data from the client. Can you see in Wireshark whether the
token length is the one squid_kerb_auth says it is?
> squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
Markus
"Fabian Hugelshofer" <fh@xxxxxxx> wrote in message
news:4B8E5CF1.3030802@xxxxxxxxxx
Hi all,
I am trying to set up Kerberos authentication with Squid 2.7.STABLE7 on
Linux. I use Heimdal 1.3.1. I already had success doing so on two proxies,
but in a third environment, authentication fails.
In squid.conf I have the following entries:
auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.example.com@xxxxxxxxxxx
acl REQUIRE_AUTH proxy_auth REQUIRED
http_access allow src_localhost
http_access deny !REQUIRE_AUTH
http_access allow all
Environment variables KRB5_CONFIG and KRB5_KTNAME are set. By using
kinit on the proxy it is possible to obtain a user ticket (auth with a
password) and obtaining the service principal ticket
(HTTP/proxy.example.com@xxxxxxxxxxx, auth with the keytab file) works
fine, too.
When a client tries to use the proxy, the conversation is as follows:
* User requests website
* Proxy responds with 407 and sets header "Proxy-Authenticate: Negotiate"
* User sends another request for the website and sends the ticket. From
Wireshark:
    OID: 1.3.6.1.5.5.2 (SPNEGO)
    negTokenInit
      MechTypes: 1.2.840.48018.1.2.2 (MS KRB5), 1.2.840.113554.1.2.2 (KRB5),
                 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
      krb5_blob:
        Kerberos AP-REQ
          Realm: EXAMPLE.COM
          Server Name (type 2, service and instance): HTTP/proxy.domain.com
* squid_kerb_auth reports:
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
squid_kerb_auth: parseNegTokenInit failed with rc=102
squid_kerb_auth: continuation needed.
* Proxy replies with 407:
GSS-API:SPNEGO:negTokenTarg
negResult: accept-incomplete
supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
* Client gets an authentication pop-up where he can enter a username and
password, but this does not work. This is probably related to the
suggested NTLMSSP.
* User requests URL again, this time with an NTLM authenticator
GSS-API:SPNEGO:negTokenTarg
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE
* squid_kerb_auth reports:
squid_kerb_auth: Got 'KKoS...' from squid (length: 67)
squid_kerb_auth: parseNegTokenInit failed with rc=300
squid_kerb_auth: Invalid GSS-SPNEGO query [KKoS...].
NA Invalid GSS-SPNEGO query.
* Server replies to client with "Proxy-Authenticate: Negotiate Invalid"
Does anyone have an idea what is going wrong, i.e. why the authentication
helper replies with "continuation needed" and what I should try to debug?
Best regards,
Fabian
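Markus's suggestion is to compare the token length the helper logs with what is actually on the wire. The script below is an added example, not part of the thread and not squid_kerb_auth's own code: it base64-decodes a negTokenInit as the helper would receive it, checks that the outer DER length agrees with the number of bytes present (a truncated token shows up as a declared length larger than the data), confirms the outer OID is SPNEGO and lists the offered mechTypes by the names Wireshark uses. The sample token is constructed here with a 200-byte placeholder instead of a real AP-REQ; stripping a leading "YR"/"KK" helper-protocol prefix is an assumption about how the helper's input is formatted, and the parser only handles the fields shown in the capture above.

```python
"""Sanity-check a base64 SPNEGO negTokenInit the way a negotiate helper sees it."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
# OID names as Wireshark prints them in the capture quoted in the thread
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def der_tlv(data, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, end_offset).

    end_offset is where the element claims to end, so end_offset > len(data)
    means the element declares more bytes than were actually received.
    """
    tag = data[pos]
    length = data[pos + 1]
    hdr = 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, data[start:start + length], start + length


def der(tag, body):
    """Wrap body in a DER TLV with the given tag."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mechs, mech_token):
    """Constructed GSS-API InitialContextToken carrying a SPNEGO negTokenInit."""
    mech_list = der(0xA0, der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mechs)))
    neg_init = der(0xA0, der(0x30, mech_list + der(0xA2, der(0x04, mech_token))))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + neg_init)


def inspect_token(b64):
    """Describe what the helper would find in the base64 token it was handed."""
    b64 = b64.strip()
    if b64[:2] in ("YR", "KK"):            # assumption: squid helper-protocol prefix
        b64 = b64[2:].lstrip()
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate lost padding
    report = {"b64_chars": len(b64), "bytes": len(raw)}
    tag, body, end = der_tlv(raw)
    report["outer_tag_ok"] = tag == 0x60   # [APPLICATION 0] InitialContextToken
    report["declared_len"] = end
    report["truncated"] = end > len(raw)
    if not report["outer_tag_ok"] or report["truncated"]:
        return report
    tag, oid_raw, pos = der_tlv(body)
    report["this_mech"] = decode_oid(oid_raw)
    report["is_spnego"] = report["this_mech"] == SPNEGO_OID
    tag, neg_init, _ = der_tlv(body, pos)
    report["neg_token_init"] = tag == 0xA0 # [0] negTokenInit, not [1] negTokenResp
    _, seq, _ = der_tlv(neg_init)
    _, mech_seq, _ = der_tlv(seq)          # [0] mechTypes
    _, oids, _ = der_tlv(mech_seq)         # SEQUENCE OF OID
    pos, mechs = 0, []
    while pos < len(oids):
        _, oid_raw, pos = der_tlv(oids, pos)
        dotted = decode_oid(oid_raw)
        mechs.append(MECH_NAMES.get(dotted, dotted))
    report["mech_types"] = mechs
    return report


def truncate_b64(b64, drop_bytes):
    """Re-encode the token with its last drop_bytes removed (simulates a cut-off)."""
    raw = base64.b64decode(b64)
    return base64.b64encode(raw[:-drop_bytes]).decode()


# Constructed sample: the three mechTypes from the capture and a placeholder AP-REQ
TOKEN_B64 = base64.b64encode(
    build_neg_token_init(list(MECH_NAMES), b"\x00" * 200)).decode()

if __name__ == "__main__":
    print(inspect_token("YR" + TOKEN_B64))
    print(inspect_token(truncate_b64(TOKEN_B64, 40)))
```

A well-formed token of this shape base64-encodes to a string beginning with "YI" (0x60 followed by a long-form length byte), which matches the 'YRYI...' the helper logged once the "YR" prefix is accounted for; run against the real capture, the `declared_len` and `bytes` fields are the numbers to compare with the length squid_kerb_auth reports.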