Hi,
I was testing with Internet Explorer and got this error:
2011/05/30 22:06:36| squid_kerb_auth: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
That looks better, but not quite right. What does klist -ekt <squid-keytab> (for MIT) or ktutil -k <squid-keytab> list (for Heimdal) give?
Also, can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> (I assume MIT here)?
klist -ekt /etc/squid/squid.keytab
Keytab name: WRFILE:/etc/squid/squid.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
41 05/28/11 14:40:42 HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx (ArcFour with HMAC/md5)
# kinit mm@xxxxxxxxxxxxxx
Password for mm@xxxxxxxxxxxxxx:
# kvno HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx
HTTP/w2k3r2.win2003r2.home@xxxxxxxxxxxxxx: kvno = 41
The kvno must be the same (in my case here 41)!
Also, can you lock/unlock your desktop to get new credentials and run wireshark again when you use IE?
You should see a TGS-REQ and TGS-REP and the TGS-REP looks like:
No. Time            Source        Destination   Protocol Info
8   23:51:18.941121 192.168.1.12  192.168.1.27  KRB5     TGS-REP
Frame 8 (1300 bytes on wire, 1300 bytes captured)
Ethernet II, Src: Vmware_d0:e5:e9 (00:0c:29:d0:e5:e9), Dst: Vmware_8e:33:fe (00:0c:29:8e:33:fe)
Internet Protocol, Src: 192.168.1.12 (192.168.1.12), Dst: 192.168.1.27 (192.168.1.27)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 43611 (43611)
Kerberos TGS-REP
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: WIN2003R2.HOME
    Client Name (Principal): mm
        Name-type: Principal (1)
        Name: mm
    Ticket
        Tkt-vno: 5
        Realm: WIN2003R2.HOME
        Server Name (Principal): HTTP/w2k3r2.win2003r2.home
            Name-type: Principal (1)
            Name: HTTP
            Name: w2k3r2.win2003r2.home
        enc-part rc4-hmac
            Encryption type: rc4-hmac (23)
            Kvno: 41
            enc-part: 7435AE25CA1CA6B2BA3E2C29D62A7F80D38B3A96E1528168...
    enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
        enc-part: BA59EF1595A8CDAEE212C41EBE29C68E9D427D49995919D8...
Can you check that the keytab details (name, encryption type and kvno) match what you see in the TGS-REP?
Regards
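A small checker for the comparison asked for above, added here as an example (it is not part of the thread and not squid's own code): it parses constructed klist -ekt, kvno and Wireshark Ticket output modelled on the samples in this message and reports where principal name, kvno or encryption type disagree. The redacted realm is assumed to be WIN2003R2.HOME, the realm shown in the TGS-REP.

```python
import re
# Constructed sample outputs modelled on the thread; the redacted realm is filled in as WIN2003R2.HOME.
KLIST_OUT = """Keytab name: WRFILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  41 05/28/11 14:40:42 HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME (ArcFour with HMAC/md5)
"""
KVNO_OUT = "HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME: kvno = 41\n"
# Ticket block of the Wireshark TGS-REP dissection, constructed with only the fields used here.
TGS_REP_OUT = """Ticket
    Realm: WIN2003R2.HOME
    Server Name (Principal): HTTP/w2k3r2.win2003r2.home
        Encryption type: rc4-hmac (23)
        Kvno: 41
"""
# MIT 'klist -e' display names -> Kerberos enctype numbers (RFC 3961 / RFC 4757).
ENCTYPE_IDS = {"ArcFour with HMAC/md5": 23, "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
               "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18}

def parse_klist(text):
    """Return [(kvno, principal, enctype_name), ...] from 'klist -ekt' output."""
    pat = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+) \((.+)\)\s*$")
    return [(int(m[1]), m[2], m[3]) for m in map(pat.match, text.splitlines()) if m]

def parse_kvno(text):
    """Return (principal, kvno) from the output of 'kvno HTTP/<fqdn>'."""
    m = re.search(r"^(\S+): kvno = (\d+)$", text, re.M)
    return m[1], int(m[2])

def parse_tgs_rep_ticket(text):
    """Pull realm, service principal, enctype id and kvno out of the Ticket block."""
    field = lambda label: re.search(label + r":\s*(.+)$", text, re.M)[1].strip()
    return {"realm": field("Realm"), "sname": field(r"Server Name \(Principal\)"),
            "etype": int(re.search(r"Encryption type: .*\((\d+)\)", text)[1]),
            "kvno": int(field("Kvno"))}

def check_keytab_against_tgs_rep(klist_out, kvno_out, tgs_rep_out):
    """Return mismatches between keytab, 'kvno' output and the ticket; [] means they agree."""
    tkt = parse_tgs_rep_ticket(tgs_rep_out)
    want = "%s@%s" % (tkt["sname"], tkt["realm"])
    principal, kdc_kvno = parse_kvno(kvno_out)
    entries = [e for e in parse_klist(klist_out) if e[1] == want]
    usable = any(k == tkt["kvno"] and ENCTYPE_IDS.get(enc) == tkt["etype"] for k, _, enc in entries)
    checks = [
        (principal == want, "kvno was run for %s but the ticket is for %s" % (principal, want)),
        (kdc_kvno == tkt["kvno"], "KDC kvno %d != ticket kvno %d" % (kdc_kvno, tkt["kvno"])),
        (bool(entries), "keytab has no entry for %s" % want),
        (usable or not entries, "no keytab entry for %s with kvno %d/enctype %d" % (want, tkt["kvno"], tkt["etype"])),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it the real klist -ekt and kvno output plus the Ticket subtree copied from Wireshark; a stale kvno (keytab re-exported after the ticket was issued, or vice versa) shows up as a single kvno mismatch line.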
On 05/30/2011 05:52 PM, spiderslack wrote:
Hi,
From the log I cannot see any connection against the Active Directory on
port 88 (kerberos, right?). Attached is the .pcap. I did the
configuration of firefox as below.
firefox set variables as follows:
network.negotiate-auth.delegation-uris=vialactea.corp
network.negotiate-auth.trusted-uris= vialactea.corp
where vialactea.corp is the domain of the Active Directory. I tried in
IE but it keeps asking for login and password infinitely.
Regards
On 05/29/2011 09:39 AM, Markus Moeller wrote:
Hi,
The squid log file says that the client could not use Kerberos and
fell back to NTLM.
Can you capture the traffic from the client to the proxy and to your
Kerberos servers (e.g. active directory) with wireshark and send me
the cap file (if not too big)?
Markus
Regards
Markus