I changed my approach a lil bit and switched to centos from ubuntu hehe. I installed centos and configured kerberos/squid as mentioned in the squid-cache kerberos guide, and I used msktutil to create the keytab file. On the windows server I checked the machine; it was listed as a workstation. I went on to properties, selected the delegation tab and tried to allow delegation of kerberos, but it didn't work. So I right clicked on the computer name, clicked on properties >> security, gave full permission to Administrator and then gave full permission to the same computer name. Now I'm able to authenticate users and use squid to browse. I will be monitoring squid for the next couple of days and see if it gives those log entries of libntlmssp.

How safe is it to use negotiate_wrapper in production? What is the difference between using negotiate_wrapper and a 2nd auth_param statement for ntlm in squid.conf?

Regards

On 2 May 2011 09:20, Go Wow <gowows@xxxxxxxxx> wrote:
> I will check that and inform you. But how did you troubleshoot that
> the entry is missing from AD?
>
> On 1 May 2011 14:51, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>> It looks like you do not have an entry in AD. Can you search AD for entries
>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>
>> Markus
>>
>>
>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ@xxxxxxxxxxxxxxxxx
>> On 1 May 2011 00:00, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Go,
>>>
>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>
>> Yes I used --enctypes 28
>>
>>>
>>> what does klist -e show and what does
>>> kinit <user>
>>> kvno HTTP/proxyserver.orangegroup.com
>>>
>>> show (<user> being your userid ) ?
>>
>> Here is the complete output
>>
>> root@proxyserver:/home/owner# whoami
>> root
>> root@proxyserver:/home/owner# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root@proxyserver:/home/owner# klist -e
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root@proxyserver:/home/owner# kinit Administrator
>> Password for Administrator@xxxxxxxxxxxxxxx:
>> root@proxyserver:/home/owner# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@xxxxxxxxxxxxxxx
>>
>> Valid starting     Expires            Service principal
>> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM@xxxxxxxxxxxxxxx
>>         renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
>> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials for HTTP/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
>>
>>> When you purge tickets (with kerbtray), start wireshark with a filter on
>>> port 88 and access a webpage via the proxy, do you see any errors in
>>> wireshark? Can you send me the capture?
>>
>> I will email you the port 88 capture in a sec.
>>
>> Thanks for your help.
>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw@xxxxxxxxxxxxxxxxx
>>> I tried with msktutil version 0.4 but the same thing is happening.
>>>
>>> I followed your guide, firstly with samba/winbind. I created the
>>> keytab and configured negotiate parameters in squid.conf, but when I
>>> open a browser pointing to squid3 as proxy server (with fqdn, not IP) it
>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>
>>> Then I tried msktutil.
>>> The command I used is the same as I mentioned below.
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>> ad01.orangegroup.com --verbose
>>>
>>> The output of the command gives me one error but creates the keytab file:
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>>
>>> I have kerbtray installed on the client system and I can see my domain's
>>> krbtgt/domain.com listed. As a matter of fact I'm using a sharepoint
>>> server which uses the same method to authenticate and I'm able to login
>>> to it without entering username/password. I tried purging tickets
>>> but no change.
>>>
>>> Regards
>>>
>>>
>>> On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> Can you describe in detail what you did (e.g. the exact msktutil command)?
>>>> BTW I updated the wiki yesterday to point to a newer msktutil (version 0.4)
>>>> which you should try in case you use an older version.
>>>>
>>>> It looks to me that your client is not able to get the Kerberos ticket
>>>> from AD, which is why the client falls back to NTLM and the negotiate
>>>> wrapper now deals with this case.
>>>>
>>>> To find out why the client does not get the ticket you can run wireshark
>>>> and look for traffic on port 88.
>>>>
>>>> Markus
>>>>
>>>>
>>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
>>>> When I run msktutil I get this line in the output.
>>>>
>>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>>
>>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>>> tickets when I issue klist.
>>>>
>>>>
>>>> On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>>> kerberos authentication guide on squid-cache and many other guides; I
>>>>> always end up with these logs in my cache.log. My client browser keeps
>>>>> prompting for username/password. Even a valid set of credentials is
>>>>> not accepted.
>>>>>
>>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>>
>>>>>
>>>>> I want to check and make sure my keytab entries are good. How do I do
>>>>> that? My client system can list the tickets for the client principal.
>>>>>
>>>>> Please have a look at my krb5.conf & keytab file here
>>>>> http://pastebin.com/vTBr3r5D
>>>>>
>>>>> I'm using this command to create the keytab file.
>>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>>> ad01.orangegroup.com --verbose
>>>>>
>>>>> All the domains are resolving properly to IPs.
>>>>>
>>>>> Thanks for your help.
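The cache.log lines at the bottom of this thread show what the browser actually put in the Proxy-Authorization: Negotiate header. The token `TlRMTVNTUAAB...` is not a GSS-API/SPNEGO blob (those start with the ASN.1 tag byte 0x60) but a raw NTLMSSP NEGOTIATE (type 1) message, which is why squid_kerb_auth reports "received type 1 NTLM token": the client never obtained a Kerberos service ticket for HTTP/proxyserver and fell back to NTLM, matching the missing-SPN diagnosis above. The following is an added example, not code from the thread or from Squid; it decodes the tokens found in a log excerpt (the first three log lines quoted above) and reports the mechanism, NTLM message type, flags and the client OS version field, so an admin can tell Kerberos failures from NTLM fallback without a packet capture. The GSS sample token is a constructed two-byte header fragment, not a real ticket.

```python
import base64
import re
import struct

# Log excerpt copied from the first message in this thread (squid_kerb_auth output).
SAMPLE_LOG = """\
2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
"""

# Constructed sample: only the leading [APPLICATION 0] tag of a GSS-API
# InitialContextToken plus an OID prefix; enough to classify, not a valid ticket.
SAMPLE_GSS_B64 = base64.b64encode(b"\x60\x04\x06\x02\x2b\x06").decode()

NTLMSSP_SIG = b"NTLMSSP\x00"
# squid_kerb_auth logs each token it receives from squid as "Got 'YR <base64>'".
TOKEN_RE = re.compile(r"squid_kerb_auth: DEBUG: Got 'YR ([A-Za-z0-9+/=]+)'")


def classify_token(b64):
    """Decode one Negotiate token and say which mechanism the client used."""
    raw = base64.b64decode(b64)
    if raw[:8] == NTLMSSP_SIG:
        # NTLMSSP header: 8-byte signature, then little-endian 32-bit MessageType.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mech": "NTLMSSP", "type": msg_type, "len": len(raw)}
        if msg_type == 1 and len(raw) >= 40:
            # NEGOTIATE_MESSAGE: NegotiateFlags at offset 12, Version at offset 32
            # (ProductMajorVersion, ProductMinorVersion, ProductBuild).
            flags = struct.unpack_from("<I", raw, 12)[0]
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info.update(flags=flags, os_version=(major, minor, build))
        return info
    if raw[:1] == b"\x60":
        # ASN.1 [APPLICATION 0] wrapper: GSS-API token (SPNEGO or raw Kerberos).
        return {"mech": "GSSAPI", "len": len(raw)}
    return {"mech": "unknown", "len": len(raw)}


def scan_log(text):
    """Classify every token squid_kerb_auth logged in the given cache.log text."""
    return [classify_token(m.group(1)) for m in TOKEN_RE.finditer(text)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

For the token in this thread the result is an NTLMSSP type 1 message of 40 bytes with flags 0xe2088297 and OS version (6, 1, 7600), i.e. a Windows 7 client; a working Kerberos client would instead log a much longer token classified as GSSAPI.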