You don't have to give permissions to the admin user. Any user could own and
manage that account. If I remember right, the wrapper should work with 3.1.
Markus
"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTikz_WCcVfbNAin==uHU-FenPgQ3yg@xxxxxxxxxxxxxxxxx
Hi Markus,
Thanks for your reply. Is it safe to use negotiate wrapper with squid
3.1.8?
I didn't add delegation to that system, I have just given full
permissions to admin user and that computer. Does it matter?
Regards
On 2 May 2011 17:56, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Go,
There is no need to use delegation and you must not enable delegation as it
creates a risk that your squid system can create tickets for other users
(e.g. impersonate another user).
Negotiate handles both Kerberos and NTLM authentication. If Kerberos is
set up correctly it is the preferred option for the client, but if Kerberos
fails for some reason the client will fall back to NTLM and reply to a
Negotiate authentication request with an NTLM token. To deal with this
situation I created the negotiate wrapper which sends Kerberos tokens to the
kerberos authentication handler and NTLM tokens to the NTLM authentication
handler. Unfortunately there are applications like IM clients which use
proxies, but only support NTLM (not Negotiate). To cater for this case squid
has to offer NTLM too. So you need:
negotiate_wrapper with negotiate_kerberos_auth and ntlm_auth for Negotiate Kerberos/NTLM
and
ntlm_auth for pure NTLM
Squid trunk (3.2) still has a problem with the negotiate_wrapper and NTLM. I
haven't found the reason yet.
Markus
"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTi=iKAhHuL8tuoght4Qn08cKcdzyLA@xxxxxxxxxxxxxxxxx
I changed my approach a lil bit and switched to centos from ubuntu hehe.
I installed centos and configured kerberos/squid as mentioned in
squid-cache kerberos guide, I used msktutil to create the keytab file.
On the windows server I checked the machine, it was listed as a
workstation. I went on to properties and selected delegation tab and
tried to allow delegation of kerberos but it didn't work. So I right
clicked on the computer name and clicked on properties >> security and
gave full permission to Administrator and then gave full permission
to same computer name.
Now I'm able to authenticate users and use squid to browse.
I will be monitoring squid for next couple of days and see if it gives
those log entries of libntlmssp.
How safe is it to use negotiate_wrapper in production? What is the
difference between using negotiate_wrapper and a 2nd auth param
statement for ntlm in squid.conf?
Regards
On 2 May 2011 09:20, Go Wow <gowows@xxxxxxxxx> wrote:
I will check that and inform you. But how did you troubleshoot that
the entry is missing from AD?
On 1 May 2011 14:51, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
It looks like you do not have an entry in AD. Can you search AD for entries
with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
Markus
"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ@xxxxxxxxxxxxxxxxx
On 1 May 2011 00:00, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Go,
For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
Yes I used --enctypes 28
what does klist -e show and what does
kinit <user>
kvno HTTP/proxyserver.orangegroup.com
show (<user> being your userid ) ?
Here is the complete output
root@proxyserver:/home/owner# whoami
root
root@proxyserver:/home/owner# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# kinit Administrator
Password for Administrator@xxxxxxxxxxxxxxx:
root@proxyserver:/home/owner# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxx
Valid starting     Expires            Service principal
05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM@xxxxxxxxxxxxxxx
        renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5,ArcFour with HMAC/md5
root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials for HTTP/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
When you purge tickets (with kerbtray), start wireshark with a filter on
port 88 and access a webpage via the proxy do you see any errors in
wireshark? Can you send me the capture?
I will email you the port 88 capture in a sec.
Thanks for your help.
Markus
"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw@xxxxxxxxxxxxxxxxx
I tried with msktutil version 0.4 but same thing is happening.
I followed your guide, firstly with samba/winbind, I created the
keytab and configure negotiate parameters in squid.conf but when I
open browser pointing to squid3 as proxy server (with fqdn not IP) it
prompts for username/password. This system is Windows 7 64 Bit.
Then I tried msktutil. The command I used is same as I mentioned below.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com \
  -h proxyserver.orangegroup.com -k /etc/krb5.keytab \
  --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com \
  --server ad01.orangegroup.com --verbose
The output of the command gives me one error saying but creates the keytab
file
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
I have kerbtray installed on client system and I can see my domain's
krtgt/domain.com listed. As a matter of fact I'm using sharepoint
server which uses the same method to authenticate and I'm able to login
to it without entering username/password. I tried with purging tickets
but no change.
Regards
On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Go,
Can you describe in detail what you did (e.g. exact msktutil command).
BTW I updated the wiki yesterday, pointing to a newer msktutil (version 0.4)
which you should try in case you use an older version.
It looks to me that your client is not able to get the Kerberos ticket from
AD, which is why the client falls back to NTLM, and the negotiate wrapper
now deals with this case.
To find out why the client does not get the ticket you can run wireshark
and look for traffic on port 88.
Markus
"Go Wow" <gowows@xxxxxxxxx> wrote in message
news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
When I run msktutil I get this line in the output.
krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
I did kinit before issuing msktutil and it ran successfully. I can see
tickets when I issue klist.
On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
Hi,
I'm trying to configure Kerberos Authentication for squid. I'm
running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
kerberos authentication guide on squid-cache and many other guides, I
always end up with these logs in my cache.log. My client browser keeps
prompting for username/password. Even a valid set of credentials is
not accepted.
2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
I want to check and make sure my keytab entries are good. How do I do
that? My client System can list the tickets for client principal.
Please have a look at my krb5.conf & keytab file here
http://pastebin.com/vTBr3r5D
I'm using this command to create the keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com \
  -h proxyserver.orangegroup.com -k /etc/krb5.keytab \
  --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com \
  --server ad01.orangegroup.com --verbose
All the domains are resolving properly to IPs.
Thanks for your help.
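
Added example, not part of the original thread and not the negotiate_wrapper source: a small classifier showing why the token in the cache.log lines above is an NTLM type 1 message rather than a Kerberos ticket, and how a wrapper-style dispatcher could route each kind to the helpers named in the thread. The function names, the routing table, the SAMPLE_GSS bytes and the handling of the "KK" continuation prefix are assumptions made for illustration.

```python
import base64
import binascii
import struct

# Token copied from the cache.log lines in the thread.
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: only the first bytes of a GSS-API token carrying the
# SPNEGO OID 1.3.6.1.5.5.2. It is not a usable ticket.
SAMPLE_GSS = base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
GSS_INITIAL_TAG = 0x60  # ASN.1 [APPLICATION 0] that opens a GSS-API token


def classify_token(b64_token):
    """Return (mechanism, detail) for a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except (binascii.Error, ValueError):
        return ("invalid", "not valid base64")
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) < 12:
            return ("invalid", "truncated NTLMSSP message")
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        name = NTLM_TYPES.get(msg_type, "UNKNOWN")
        return ("ntlm", "type %d %s" % (msg_type, name))
    if raw[:1] == bytes([GSS_INITIAL_TAG]):
        # Simplification (assumption): any GSS-API framed token is treated
        # as Kerberos and left to the Kerberos helper to validate.
        return ("kerberos", "GSS-API framed token")
    return ("unknown", "unrecognised leading bytes")


def helper_for(request_line):
    """Choose a helper name for a request line such as 'YR <token>'."""
    parts = request_line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return "reject"
    mechanism, _ = classify_token(parts[1].strip())
    routes = {"ntlm": "ntlm_auth", "kerberos": "negotiate_kerberos_auth"}
    return routes.get(mechanism, "reject")


if __name__ == "__main__":
    for line in ("YR " + PAGE_TOKEN, "YR " + SAMPLE_GSS, "YR not*base64"):
        print(helper_for(line), classify_token(line.split(None, 1)[1]))
```

Running the classifier over cache.log tokens gives a quick check of whether clients are really sending Kerberos or silently falling back to NTLM.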