Hi Markus,

Thanks for your reply. Is it safe to use negotiate wrapper with squid 3.1.8? I
didn't add delegation to that system, I have just given full permissions to the
admin user and that computer. Does it matter?

Regards

On 2 May 2011 17:56, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Go,
>
> There is no need to use delegation and you must not enable delegation as it
> creates a risk that your squid system can create tickets for other users
> (e.g. impersonate another user).
>
> Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
> set up correctly it is the preferred option for the client, but if Kerberos
> fails for some reason the client will fall back to NTLM and replies to a
> Negotiate authentication request with an NTLM token. To deal with this
> situation I created the negotiate wrapper which sends Kerberos tokens to the
> kerberos authentication handler and NTLM tokens to the NTLM authentication
> handler. Unfortunately there are applications like IM clients which use
> proxies, but only support NTLM (not Negotiate). To cater for this case squid
> has to offer NTLM too. So you need:
>
> negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate
> Kerberos/NTLM
>
> and
>
> ntlm_auth for pure NTLM
>
> Squid trunk (3.2) still has a problem with the negotiate_wrapper and NTLM. I
> haven't found the reason yet.
>
> Markus
>
>
> "Go Wow" <gowows@xxxxxxxxx> wrote in message
> news:BANLkTi=iKAhHuL8tuoght4Qn08cKcdzyLA@xxxxxxxxxxxxxxxxx
> I changed my approach a little bit and switched to CentOS from Ubuntu hehe.
>
> I installed CentOS and configured kerberos/squid as mentioned in the
> squid-cache kerberos guide, I used msktutil to create the keytab file.
> On the Windows server I checked the machine, it was listed as a
> workstation. I went on to properties and selected the delegation tab and
> tried to allow delegation of kerberos but it didn't work.
> So I right clicked on the computer name and clicked on Properties >> Security and
> gave full permission to Administrator and then gave full permission
> to the same computer name.
>
> Now I'm able to authenticate users and use squid to browse.
>
> I will be monitoring squid for the next couple of days and see if it gives
> those log entries of libntlmssp.
>
> How safe is it to use negotiate_wrapper in production? What is the
> difference between using negotiate_wrapper and a 2nd auth_param
> statement for ntlm in squid.conf?
>
>
> Regards
>
> On 2 May 2011 09:20, Go Wow <gowows@xxxxxxxxx> wrote:
>>
>> I will check that and inform you. But how did you troubleshoot that
>> the entry is missing from AD?
>>
>> On 1 May 2011 14:51, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> It looks like you do not have an entry in AD. Can you search AD for
>>> entries with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ@xxxxxxxxxxxxxxxxx
>>> On 1 May 2011 00:00, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
>>>
>>> Yes I used --enctypes 28
>>>
>>>>
>>>> what does klist -e show and what does
>>>> kinit <user>
>>>> kvno HTTP/proxyserver.orangegroup.com
>>>>
>>>> show (<user> being your userid ) ?
>>>
>>> Here is the complete output
>>>
>>> root@proxyserver:/home/owner# whoami
>>> root
>>> root@proxyserver:/home/owner# klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root@proxyserver:/home/owner# klist -e
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> root@proxyserver:/home/owner# kinit Administrator
>>> Password for Administrator@xxxxxxxxxxxxxxx:
>>> root@proxyserver:/home/owner# klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: Administrator@xxxxxxxxxxxxxxx
>>>
>>> Valid starting     Expires            Service principal
>>> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM@xxxxxxxxxxxxxxx
>>>         renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>>> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>>> kvno: Server not found in Kerberos database while getting credentials
>>> for http/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
>>> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>>> kvno: Server not found in Kerberos database while getting credentials
>>> for HTTP/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
>>>
>>>> When you purge tickets (with kerbtray) , start wireshark with a filter
>>>> on port 88 and access a webpage via the proxy do you see any errors in
>>>> wireshark ? Can you send me the capture ?
>>>
>>> I will email you the port 88 capture in a sec.
>>>
>>> Thanks for your help.
>>>
>>>> Markus
>>>>
>>>>
>>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw@xxxxxxxxxxxxxxxxx
>>>> I tried with msktutil version 0.4 but the same thing is happening.
>>>>
>>>> I followed your guide, firstly with samba/winbind, I created the
>>>> keytab and configured negotiate parameters in squid.conf but when I
>>>> open a browser pointing to squid3 as proxy server (with fqdn not IP) it
>>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>>
>>>> Then I tried msktutil. The command I used is the same as I mentioned below.
>>>>
>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>> ad01.orangegroup.com --verbose
>>>>
>>>> The output of the command gives me one error but creates the keytab
>>>> file
>>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>>> (Client not found in Kerberos database)
>>>>
>>>> I have kerbtray installed on the client system and I can see my domain's
>>>> krbtgt/domain.com listed. As a matter of fact I'm using a sharepoint
>>>> server which uses the same method to authenticate and I'm able to login
>>>> to it without entering username/password. I tried purging tickets
>>>> but no change.
>>>>
>>>> Regards
>>>>
>>>>
>>>> On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>>>
>>>>> Hi Go,
>>>>>
>>>>> Can you describe in detail what you did ( e.g. exact msktutil command).
>>>>> BTW I updated the wiki yesterday pointing to a newer msktutil (version 0.4)
>>>>> which you should try in case you use an older version.
>>>>>
>>>>> It looks to me that your client is not able to get the Kerberos ticket
>>>>> from AD, which is why the client falls back to NTLM and the negotiate
>>>>> wrapper now deals with this case.
>>>>>
>>>>> To find out why the client does not get the ticket you can run
>>>>> wireshark and look for traffic on port 88.
>>>>>
>>>>> Markus
>>>>>
>>>>>
>>>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
>>>>> When I run msktutil I get this line in the output.
>>>>>
>>>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos
>>>>> database)
>>>>>
>>>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>>>> tickets when I issue klist.
>>>>>
>>>>>
>>>>>
>>>>> On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>>>> kerberos authentication guide on squid-cache and many other guides, I
>>>>>> always end up with these logs in my cache.log. My client browser keeps
>>>>>> prompting for username/password. Even a valid set of credentials is
>>>>>> not accepted.
>>>>>>
>>>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>>>
>>>>>>
>>>>>> I want to check and make sure my keytab entries are good. How do I do
>>>>>> that? My client system can list the tickets for the client principal.
>>>>>>
>>>>>> Please have a look at my krb5.conf & keytab file here
>>>>>> http://pastebin.com/vTBr3r5D
>>>>>>
>>>>>> I'm using this command to create the keytab file.
>>>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>>>> ad01.orangegroup.com --verbose
>>>>>>
>>>>>> All the domains are resolving properly to IPs.
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
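The cache.log lines in the thread ('BH received type 1 NTLM token') and Markus's description of what negotiate_wrapper does (send NTLMSSP tokens to ntlm_auth, anything else to the Kerberos helper) come down to one routing decision on the decoded Negotiate token. The script below is an added example written for this page; it is not code from the thread, from Squid, or from negotiate_wrapper, and it does not reproduce the wrapper's internals. It takes a 'YR <token>' or 'KK <token>' line of Squid's negotiate helper protocol, base64-decodes the token and classifies it: an 'NTLMSSP\0' signature means NTLM (with the message type read from bytes 8..11 and, for a type 1 message carrying the NEGOTIATE_VERSION flag, the client OS version block at bytes 32..39, per MS-NLMP), a leading 0x60 tag means a GSS-API InitialContextToken whose mechanism OID (SPNEGO or Kerberos) is read after the DER length. The NTLM sample is the token copied from the log above; the SPNEGO sample is a constructed, deliberately truncated token prefix, since only the prefix matters for the routing decision. Function and variable names are this example's own.

```python
import base64

# Sample taken from the cache.log excerpt in the thread: the "YR ..." line
# Squid handed to squid_kerb_auth. Only the token is reproduced, not the
# rest of the handshake.
LOG_HELPER_LINE = "YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="

# Constructed sample (not from the thread): the first bytes of a SPNEGO
# InitialContextToken as a Kerberos-capable client would send it: 0x60 tag,
# DER length, SPNEGO OID, start of NegTokenInit. Truncated on purpose.
SPNEGO_PREFIX_B64 = base64.b64encode(
    bytes.fromhex("60 0c 06 06 2b 06 01 05 05 02 a0 02 30 00")
).decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE_VERSION = 0x02000000   # MS-NLMP flag: version block present

# DER-encoded mechanism OIDs that follow the 0x60 tag and its length.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"):       "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("06092a864882f712010202"): "MS Kerberos V5 (1.2.840.48018.1.2.2)",
}


def _after_der_length(buf, pos):
    """Index of the first byte after the DER length field starting at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_token(token_b64):
    """Return (backend, description) for one base64 Negotiate token.

    backend is "ntlm" for NTLMSSP messages, "kerberos" for GSS-API/SPNEGO
    tokens and "unknown" otherwise. description carries the NTLM message
    type (plus the client OS version for a type 1 that includes it) or the
    GSS-API mechanism name.
    """
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 16:
        msg_type = int.from_bytes(raw[8:12], "little")
        desc = f"NTLM type {msg_type}"
        if msg_type == 1:
            flags = int.from_bytes(raw[12:16], "little")
            if flags & NTLM_NEGOTIATE_VERSION and len(raw) >= 40:
                major, minor = raw[32], raw[33]
                build = int.from_bytes(raw[34:36], "little")
                desc += f" (client OS {major}.{minor} build {build})"
        return "ntlm", desc
    if raw[:1] == b"\x60" and len(raw) > 2:
        pos = _after_der_length(raw, 1)
        for oid, name in MECH_OIDS.items():
            if raw.startswith(oid, pos):
                return "kerberos", name
        return "kerberos", "GSS-API token, unrecognised mechanism OID"
    return "unknown", "neither NTLMSSP nor a GSS-API InitialContextToken"


def route_helper_line(line):
    """Parse one 'YR <token>' / 'KK <token>' request of Squid's negotiate
    helper protocol and pick the helper that should receive it, mirroring
    the coarse decision negotiate_wrapper makes: NTLMSSP goes to ntlm_auth,
    everything else to negotiate_kerberos_auth.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        raise ValueError(f"not a negotiate helper request: {line!r}")
    backend, desc = classify_token(parts[1])
    helper = {"ntlm": "ntlm_auth", "kerberos": "negotiate_kerberos_auth"}.get(backend)
    return {"phase": parts[0], "backend": backend, "helper": helper, "detail": desc}


if __name__ == "__main__":
    for line in (LOG_HELPER_LINE, "YR " + SPNEGO_PREFIX_B64):
        print(route_helper_line(line))
```

Run against the log token, the classifier reports an NTLM type 1 message whose version block says 6.1 build 7600, which matches the Windows 7 client mentioned in the thread and confirms the client never obtained a Kerberos service ticket for HTTP/proxyserver.orangegroup.com (consistent with the 'Server not found in Kerberos database' from kvno). A plain negotiate_kerberos_auth helper has nothing to do with such a token and answers BH; with negotiate_wrapper in front, the same token is forwarded to ntlm_auth instead.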