Re: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)


Can you add the options -d -i to squid_kerb_auth and squid_kerb_ldap to
create more debug output and send the cache.log extract?

Regards
Markus


"GIGO ." <gigoz@xxxxxxx> wrote in message news:SNT134-w34626D5C8EC65F9D8495B1B9CB0@xxxxxxxxxx

Hi Henrik/Markus/All

Every setting (keeping in view your recommendation) was correct; I confirmed that many times. I even tried re-creating the SPN, but in vain. However, I just realized that most of the users were required to log off and log in to get authenticated through Squid. I wonder why a user, even with a valid TGT, was required to do that, as he should be able to get the TGS for every new kerberized service???

Anyway, of the few users I tried, only one was able to access it without re-login. Bottom line is that it's working.


Now the authorization portion does not seem to be behaving properly. Can you please check the syntax for correctness before I probe further? I have appended at the bottom the portion of my squid.conf relevant to this.

e.g. After the authorization, a few of the clients were showing this, whether in the group or not:
--------------------------------------------------------------
          Internet explorer cannot display the webpage
          what you can try:
          Diagnose connection problems
          More Info
--------------------------------------------------------------

Further, I think IE7 (and later) and Firefox 3.6.x and above support Kerberos. Am I right? Is there any special configuration required on the client side (other than the proxy settings)?



#After allowing IP based clients and the access controls related to them.
http_access allow ipbc
# Part 2 Authentication/Authorization
auth_param negotiate program /usr/libexec/squid/squid_kerb_auth/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# basic auth ACL controls to make use of it are (if and only if squid_kerb_ldap (authorization) is not used):
#acl auth proxy_auth REQUIRED
#http_access deny !auth
#http_access allow auth
#Groups from Mailserver Domain:
external_acl_type squid_kerb_ldap_ms_group1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR1@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_ms_group2 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR2@xxxxxxxxxxxxxxxxxx
external_acl_type squid_kerb_ldap_ms_group3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g INETGRLHR3@xxxxxxxxxxxxxxxxxx
acl ms_group1 external squid_kerb_ldap_ms_group1
acl ms_group2 external squid_kerb_ldap_ms_group2
acl ms_group3 external squid_kerb_ldap_ms_group3
http_access deny  ms_group2 msnd
http_access deny  ms_group3 msnd
http_access deny  ms_group2 msn
http_access deny  ms_group3 msn
http_access deny  ms_group2 msn1
http_access deny  ms_group3 msn1
http_access deny  ms_group2 numeric_IPs
http_access deny  ms_group3 numeric_IPs
http_access deny  ms_group2 Skype_UA
http_access deny  ms_group3 Skype_UA
http_access deny  ms_group2 ym
http_access deny  ms_group3 ym
http_access deny  ms_group2 ymregex
http_access deny  ms_group3 ymregex
###----Most Restricted settings Exclusive for Normal users......###
http_access deny  ms_group3 Movies
http_access deny  ms_group3 MP3s
http_access deny  ms_group3 FTP
http_access deny  ms_group3 MP3url
http_reply_access deny ms_group3 deny_rep_mime_flashvideo
http_access deny  ms_group3 youtube_domains
http_access deny  ms_group3 facebook_sites
http_access deny  ms_group3 BIP
http_access deny  ms_group3 downloads
http_access deny  ms_group3 torrentSeeds
http_access deny  ms_group3 dlSites
##----- Time based ACLs--------------------
http_access deny  ms_group2 youtube_domains wh
http_access deny  ms_group2 BIP wh
http_access deny  ms_group2 facebook_sites wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3


http_access deny all


Squid version: Squid 2.7 STABLE9 on CentOS 5.4 64-bit.
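As an added illustration, not part of the thread or of Squid itself: a small evaluator of Squid's first-match http_access semantics over a constructed subset of the lines posted above. It assumes the ACL names (ipbc, Movies, wh, ...) are defined earlier in the file and takes the set of ACLs matching a request as input; the three group ACLs are external ACLs declared with %LOGIN, so checking one on a request without credentials is modelled as the 407 challenge.

```python
# Constructed subset of the http_access lines from the posted squid.conf, in the same order
SQUID_CONF = """
http_access allow ipbc
http_access deny  ms_group3 Movies
http_access deny  ms_group3 youtube_domains
http_access deny  ms_group2 youtube_domains wh
http_access allow ms_group1
http_access allow ms_group2
http_access allow ms_group3
http_access deny all
"""
# External ACLs declared with %LOGIN: evaluating one on a request without credentials
# makes Squid send 407 Proxy Authentication Required instead of deciding the line
LOGIN_ACLS = {"ms_group1", "ms_group2", "ms_group3"}

def parse_http_access(conf):
    """Return [(action, [(acl, negated), ...], normalized_line), ...] in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            acls = [(a.lstrip("!"), a.startswith("!")) for a in parts[2:]]
            rules.append((parts[1], acls, " ".join(parts)))
    return rules

def decide(rules, matching, authenticated=True):
    """First-match evaluation: the ACLs on one line are ANDed and checked left to right, and the
    first line whose ACLs all match decides. 'matching' is the set of ACL names that match the
    request; include "all", which is Squid's always-true ACL."""
    for action, acls, text in rules:
        for name, negated in acls:
            if name in LOGIN_ACLS and not authenticated:
                return "challenge", text                 # 407 with Proxy-Authenticate: Negotiate
            if (name in matching) == negated:            # this ACL fails, so the line does not fire
                break
        else:
            return action, text
    last = rules[-1][0]                                   # no line matched: opposite of the last action
    return ("deny" if last == "allow" else "allow"), "default"

RULES = parse_http_access(SQUID_CONF)
```

Note how `allow ipbc` on the first line wins before any group restriction is consulted, and how a client that is in none of the groups falls through to `deny all`.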








To: squid-users@xxxxxxxxxxxxxxx
From: huaraz@xxxxxxxxxxxxxxxx
Date: Mon, 28 Jun 2010 23:56:51 +0100
Subject: Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

Make sure the squid server's hostname matches squidhr1.v.local. If not, use -s
HTTP/squidhr1.v.local as an option to squid_kerb_auth.

Regards
Markus

"GIGO ." <gigoz@xxxxxxx> wrote in message
news:SNT134-w64257C53609757CD3CF006B9CA0@xxxxxxxxxx

Hi all,

I am unable to do Kerberos authentication in my live environment, as opposed to
the test environment where it was successful. My environment is an Active
Directory single forest, multi-domain, with each domain having multiple domain
controllers.

SPN was created through:

msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose


Through ADSIEDIT & setspn tools SPN is confirmed in the Active Directory.

My krb5.conf settings:
[libdefaults]
default_realm = MAILSERVER.V.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
V.LOCAL = {
kdc = ldc-v-dc2.v.local
admin_server = ldc-v-dc2.v.local
}
MAILSERVER.V.LOCAL = {
kdc = ldc-ms-dc2.mailserver.v.local
admin_server = ldc-ms-dc2.mailserver.v.local
}
# BT.V.LOCAL = {
# kdc = dc.bt.v.local
# admin_server = dc.bt.v.local
#}
[domain_realm]
.linux.home = MAILSERVER.V.LOCAL
.v.local = V.LOCAL
v.local = V.LOCAL
.mailserver.v.local = MAILSERVER.V.LOCAL
mailserver.v.local = MAILSERVER.V.LOCAL
#.bt.v.local= BT.V.LOCAL
#bt.v.local = BT.V.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log







I have tried this on multiple client computers but it does not seem to be
working....
Below are the files for your reference.


Dump through Wireshark:
-----------------------

Hypertext Transfer Protocol
GET http://www.google.com/ HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; AskTB5.5)\r\n
Accept-Encoding: gzip, deflate\r\n
Proxy-Connection: Keep-Alive\r\n
[truncated] Cookie:
PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe;
NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
[truncated] Proxy-Authorization: Negotiate
YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEE
TCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm: MAILSERVER.V.LOCAL
Server Name (Service and Instance): HTTP/squidlhr1.v.local
Name-type: Service and Instance (2)
Name: HTTP
Name: squidlhr1.v.local
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
Host: www.google.com\r\n
\r\n

Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
Server: squid\r\n
Date: Fri, 25 Jun 2010 15:00:57 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1295\r\n
Content length: 1295
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: Negotiate\r\n
Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
GSS-API Generic Security Service Application Program Interface
[Malformed Packet: GSS-API]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
Message: Malformed Packet (Exception occurred)
Severity level: Error
Group: Malformed
X-Cache: MISS from squidlhr1\r\n
X-Cache-Lookup: NONE from squidlhr1:8080\r\n
Via: 1.0 squidlhr1main:8080 (squid)\r\n
Connection: close\r\n
\r\n

squid_kerb_auth -d output:
---------------------------

2010/06/28 10:03:24| squid_kerb_auth: Got 'YR [token elided]' from squid (length: 1819).
2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name

Please, your help will be required.

regards,

Bilal
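An added example, not code from the thread or from Squid, using only the Python standard library: a minimal DER walker that takes the base64 value of a `Proxy-Authorization: Negotiate` header (the same string squid_kerb_auth logs after `YR`) and extracts what the Wireshark dissection above shows: the mechTypes, the krb5 token id, and the realm and service principal the ticket was issued for, which is the name to compare against the keytab entries and the -s option. Because the header in the dump is truncated, the sample token here is constructed with dummy encrypted parts; the parser takes a complete real header value the same way.

```python
import base64

# DER-encoded OID TLVs: the SPNEGO wrapper and the three mechTypes listed in the capture
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MSKRB5 = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {MSKRB5: "MS KRB5", KRB5: "KRB5", NTLMSSP: "NTLMSSP"}

def tlv(buf, pos=0):
    """Read one DER TLV (single-byte tags only); return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def children(value):  # (tag, value) pairs packed inside a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos); out.append((tag, val))
    return out
def der(tag, *parts):  # DER encoder, used only to construct the sample token
    body = b"".join(parts); n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def parse_negotiate(token_b64):
    """Walk a base64 negTokenInit down to the Kerberos ticket's realm and service principal."""
    tag, body, _ = tlv(base64.b64decode(token_b64))      # [APPLICATION 0] InitialContextToken
    _, oid, pos = tlv(body)
    if tag != 0x60 or der(0x06, oid) != SPNEGO: raise ValueError("not a SPNEGO negTokenInit")
    fields = dict(children(tlv(tlv(body, pos)[1])[1]))   # [0] negTokenInit -> SEQUENCE fields
    mechs = [MECH_NAMES.get(der(0x06, v), v.hex()) for _, v in children(tlv(fields[0xA0])[1])]
    _, krb, _ = tlv(tlv(fields[0xA2])[1])                # [2] mechToken OCTET STRING -> krb5 token
    _, koid, pos = tlv(krb)
    ap = dict(children(tlv(tlv(krb, pos + 2)[1])[1]))    # skip 2-byte tok_id, enter AP-REQ SEQUENCE
    tk = dict(children(tlv(tlv(ap[0xA3])[1])[1]))        # [3] Ticket [APPLICATION 1] -> SEQUENCE
    sn = dict(children(tlv(tk[0xA2])[1]))                # [2] sname PrincipalName
    name = "/".join(v.decode() for _, v in children(tlv(sn[0xA1])[1]))
    return {"mechTypes": mechs, "mech": MECH_NAMES.get(der(0x06, koid)), "ap_req": krb[pos:pos + 2] == b"\x01\x00", "realm": tlv(tk[0xA1])[1].decode(), "sname": name}

def build_sample_token():
    """Constructed sample (not from the thread): the capture's mech list around a dummy AP-REQ, no real crypto."""
    gs = lambda s: der(0x1B, s.encode())                 # GeneralString
    enc = der(0x30, der(0xA0, der(0x02, b"\x17")), der(0xA2, der(0x04, bytes(16))))  # EncryptedData, etype 23 (rc4-hmac)
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0xA1, der(0x30, gs("HTTP"), gs("squidlhr1.v.local"))))
    ticket = der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")), der(0xA1, gs("MAILSERVER.V.LOCAL")), der(0xA2, sname), der(0xA3, enc)))
    ap_req = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")), der(0xA1, der(0x02, b"\x0E")), der(0xA2, der(0x03, b"\x00\x20\x00\x00\x00")), der(0xA3, ticket), der(0xA4, enc)))
    krb = der(0x60, KRB5, b"\x01\x00", ap_req)            # krb5 InitialContextToken, tok_id KRB5_AP_REQ
    neg = der(0x60, SPNEGO, der(0xA0, der(0x30, der(0xA0, der(0x30, MSKRB5, KRB5, NTLMSSP)), der(0xA2, der(0x04, krb)))))
    return base64.b64encode(neg).decode()
```

`parse_negotiate(build_sample_token())` yields realm MAILSERVER.V.LOCAL and sname HTTP/squidlhr1.v.local, matching the Ticket fields in the dissection; the encrypted parts are not touched, so the walker works without any key.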





