Hi all,

I am unable to do Kerberos authentication in my live environment as opposed to the test environment where it was successful.

My environment is Active Directory Single Forest Multidomain with each domain having multiple domain controllers.

SPN was created through:

    msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose

Through ADSIEDIT & setspn tools SPN is confirmed in the Active Directory.

My krb5.conf Settings:

    [libdefaults]
        default_realm = MAILSERVER.V.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_keytab_name = /etc/krb5.keytab

    ; for windows 2003 encryption type configuration.
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
        V.LOCAL = {
            kdc = ldc-v-dc2.v.local
            admin_server = ldc-v-dc2.v.local
        }
        MAILSERVER.V.LOCAL = {
            kdc = ldc-ms-dc2.mailserver.v.local
            admin_server = ldc-ms-dc2.mailserver.v.local
        }
    #   BT.V.LOCAL = {
    #       kdc = dc.bt.v.local
    #       admin_server = dc.bt.v.local
    #   }

    [domain_realm]
        .linux.home = MAILSERVER.V.LOCAL
        .v.local = V.LOCAL
        v.local = V.LOCAL
        .mailserver.v.local = MAILSERVER.V.LOCAL
        mailserver.v.local = MAILSERVER.V.LOCAL
    #   .bt.v.local= BT.V.LOCAL
    #   bt.v.local = BT.V.LOCAL

    [logging]
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/kdc.log

I have tried this on multiple client computers but it does not seem to be working....

Below are the files for your reference.

Dump through wire shark :
-------------------------

    Hypertext Transfer Protocol
        GET http://www.google.com/ HTTP/1.1\r\n
        Accept: */*\r\n
        Accept-Language: en-us\r\n
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; AskTB5.5)\r\n
        Accept-Encoding: gzip, deflate\r\n
        Proxy-Connection: Keep-Alive\r\n
        [truncated] Cookie: PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe; NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
        [truncated] Proxy-Authorization: Negotiate YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEE TCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                SPNEGO
                    negTokenInit
                        mechTypes: 3 items
                            MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                            MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
                        krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REQ (0x0001)
                            Kerberos AP-REQ
                                Pvno: 5
                                MSG Type: AP-REQ (14)
                                Padding: 0
                                APOptions: 20000000 (Mutual required)
                                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                    ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
                                Ticket
                                    Tkt-vno: 5
                                    Realm: MAILSERVER.V.LOCAL
                                    Server Name (Service and Instance): HTTP/squidlhr1.v.local
                                        Name-type: Service and Instance (2)
                                        Name: HTTP
                                        Name: squidlhr1.v.local
                                    enc-part rc4-hmac
                                        Encryption type: rc4-hmac (23)
                                        Kvno: 2
                                        enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
                                Authenticator rc4-hmac
                                    Encryption type: rc4-hmac (23)
                                    Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
        Host: www.google.com\r\n
        \r\n

    Hypertext Transfer Protocol
        HTTP/1.0 407 Proxy Authentication Required\r\n
        Server: squid\r\n
        Date: Fri, 25 Jun 2010 15:00:57 GMT\r\n
        Content-Type: text/html\r\n
        Content-Length: 1295\r\n
            Content length: 1295
        X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
        Proxy-Authenticate: Negotiate\r\n
        Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
            GSS-API Generic Security Service Application Program Interface
            [Malformed Packet: GSS-API]
                Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
                    Message: Malformed Packet (Exception occurred)
                    Severity level: Error
                    Group: Malformed
        X-Cache: MISS from squidlhr1\r\n
        X-Cache-Lookup: NONE from squidlhr1:8080\r\n
        Via: 1.0 squidlhr1main:8080 (squid)\r\n
        Connection: close\r\n
        \r\n

squid_kerb_auth -d output:
---------------------------

    2010/06/28 10:03:24| squid_kerb_auth: Got 'YR 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' from squid (length: 1819).
    2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
    2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name

Please your help will be required

regards,
Bilal