Re: Re: Re: squid 3.1.14 kerberos single sign on

Hi Ming,

 That looks correct.  I have three suggestions:

1) Can you reset the AD account password for the squid user and re-extract the keytab?
2) Use another tool like msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos ).
3) Clear the kerberos cache on the client with kerbtray. It might be that the client cached an old key.

Additionally, if you want to support Win 7 and Win 2008 you must use RC4-HMAC encryption, as DES has been declared a weak encryption method and is no longer supported in Win 7 / Win 2008.

Regards
Markus
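A check that makes the helper's complaint in the logs below concrete, added here as an illustration and not part of the thread: decode the base64 blob that follows `Proxy-Authorization: Negotiate` and report whether it is a raw NTLM message (what squid_kerb_auth logs as "received type 1 NTLM token") or a SPNEGO token, and which mechanisms a SPNEGO token offers. The NTLM token is the one quoted in the squid log below; the SPNEGO token is constructed for this example, modelled on the prefix of the Kerberos token in Ming's later log.

```python
import base64
NTLM_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy)", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _tlv(buf, i, tag):
    """Check the DER tag at buf[i] and decode its length; return (length, offset of content)."""
    if buf[i] != tag:
        raise ValueError("expected tag %#x at offset %d" % (tag, i))
    if buf[i + 1] < 0x80:
        return buf[i + 1], i + 2
    n = buf[i + 1] & 0x7F
    return int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n

def _oid(buf, i):
    """Decode a DER OBJECT IDENTIFIER at buf[i]; return (dotted string, next offset)."""
    ln, i = _tlv(buf, i, 0x06)
    arcs, val = [buf[i] // 40, buf[i] % 40], 0
    for b in buf[i + 1:i + ln]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs)), i + ln

def classify_negotiate_token(b64):
    """kind: 'NTLM' (raw NTLMSSP, what squid_kerb_auth rejects), 'SPNEGO' or a bare GSS mech;
    ntlm_type: NTLM message type; mechs: mechanisms a SPNEGO NegTokenInit offers, client order."""
    tok = base64.b64decode(b64)
    if tok.startswith(NTLM_SIGNATURE):
        return {"kind": "NTLM", "ntlm_type": int.from_bytes(tok[8:12], "little"), "mechs": []}
    _, i = _tlv(tok, 0, 0x60)                   # GSS-API InitialContextToken is [APPLICATION 0]
    oid, i = _oid(tok, i)
    mechs = []
    if oid == "1.3.6.1.5.5.2":                  # NegTokenInit ::= [0] SEQUENCE { [0] SEQUENCE OF OID, ... }
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            ln, i = _tlv(tok, i, tag)
        end = i + ln
        while i < end:
            o, i = _oid(tok, i)
            mechs.append(MECH_NAMES.get(o, o))
    return {"kind": MECH_NAMES.get(oid, oid), "ntlm_type": None, "mechs": mechs}
# Token quoted in the squid log on this page: Firefox sent an NTLM type 1 message, not Kerberos.
PAGE_NTLM_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed SPNEGO NegTokenInit (hex DER) modelled on the prefix of the Kerberos token in
# Ming's later log: mechTypes = MS KRB5, KRB5, NTLMSSP, then a dummy 8-byte [2] mechToken.
SAMPLE_SPNEGO_TOKEN = base64.b64encode(bytes.fromhex(
    "603e 06062b0601050502 a034 3032 a024 3022 06092a864882f712010202 "
    "06092a864886f712010202 060a2b06010401823702020a a20a 0408 0000000000000000")).decode()
```

If the client's token offers only NTLMSSP in mechTypes, or is a raw NTLM message as in the log, the problem is on the client side (no ticket obtained), not in squid's keytab.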


"Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message news:09177155B3E82945AD8AF1F744B326458A7E5EA6@es05co...
Hi Markus,

My keytab file is generated from the win 2003 DC using ktpass command.

On Linux where the squid is running:

klist -ekt /usr/local/squid/etc/squid27.keytab
Keytab name: WRFILE:/usr/local/squid/etc/squid27.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
9 12/31/69 19:00:00 HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
[root@squid etc]# ^C
[root@squid etc]# echo $KRB5_KTNAME
/usr/local/squid/etc/squid27.keytab


On windows 2003
C:\Documents and Settings\Administrator>ktpass -princ HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx -mapuser squid -crypto DES-CBC-MD5 +DesOnly -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -out squid27.keytab
Targeting domain controller: 27dc.sit27.borderware.com
Using legacy password setting method
Successfully mapped HTTP/squid.sit27.borderware.com to squid.
Key created.
Output keytab to squid27.keytab:
Keytab version: 0x502
keysize 79 HTTP/squid.sit27.borderware.com@xxxxxxxxxxxxxxxxxxxx ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x10bf6eea2531436b)
Account squid has been set for DES-only encryption.

C:\Documents and Settings\Administrator>setspn -L squid
Registered ServicePrincipalNames for CN=Squid,CN=Users,DC=sit27,DC=borderware,DC=com:
   HTTP/squid.sit27.borderware.com


Best Regards,
Ming



-----Original Message-----
From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
Sent: Thursday, July 28, 2011 3:09 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject:  Re: Re: squid 3.1.14 kerberos single sign on

Hi Ming,

  This indicates that now your client got the ticket from AD, but it does not match the entry in your keytab. Did you set the environment variable KRB5_KTNAME correctly? Can you do a klist -ekt <squid.keytab> and compare the entries with the wireshark information of the encoded HTTP Negotiate request?

 Does the name, encryption type and key version number (kvno) match?

Markus

"Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E58B8@es05co...
Hi Markus,

I tried the same test on a Windows 2003 domain with XP clients. I was able to get past the SGT from DC to the XP. Now my problem is the following squid error. Any suggestion how to debug further?

2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found
2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. Key table entry not found'


Thanks
Ming

> -----Original Message-----
> From: Ming Fu [mailto:Ming.Fu@xxxxxxxxxxxxxx]
> Sent: Wednesday, July 27, 2011 4:21 PM
> To: Markus Moeller; squid-users@xxxxxxxxxxxxxxx
> Subject: RE:  Re: squid 3.1.14 kerberos single sign on
>
> Hi Markus,
>
> From the windows domain controller:
> =======================================================
> Microsoft Windows [Version 6.0.6002]
> Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
>
> C:\Users\Administrator>setspn -L squid
> Registered ServicePrincipalNames for
> CN=squid,CN=Users,DC=sit26,DC=borderware,DC
> =com:
>         HTTP/squid.sit26.borderware.com
>
> C:\Users\Administrator>
> =========================================================
>
> From the wireshark:
> ==============================================================
> The Kerberos response error is
> Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: SIT26.BORDERWARE.COM
> Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
>    Name-type: service and instance (2)
>    Name: HTTP
>    Name: squid.sit26.borderware.com
> ===============================================================
>
> I can attach the whole tcpdump if necessary.
>
> Regards,
> Ming
>
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz@xxxxxxxxxxxxxxxx]
> > Sent: Monday, July 25, 2011 4:27 PM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject:  Re: squid 3.1.14 kerberos single sign on
> >
> > This looks like the client does not get a Kerberos token, which can have several reasons.
> >
> >   1) Is the proxy name used in the browser the fqdn used in the serviceprincipalname in AD e.g. HTTP/<fqdn> ?
> >   2) Is the right encryption type used (Win7 / 2008 do not support DES out of the box)
> >
> >  Can you capture with wireshark the communication between your Win7 client and AD on port 88 ( Kerberos port ) and send me the capture file ?
> >
> > Regards
> > Markus
> >
> >
> > "Ming Fu" <Ming.Fu@xxxxxxxxxxxxxx> wrote in message
> > news:09177155B3E82945AD8AF1F744B326458A7E1581@es05co...
> > Hi,
> >
> > I am trying to set up squid 3.1.14 on linux with Kerberos SSO against windows 2008 server and win7 client.
> > But both firefox 5.0.1 and IE 8 generate the same log from squid.
> >
> > Is this a problem with squid or the browsers?
> >
> > ---- squid logs ----
> > 2011/07/25 10:54:29| Accepting  HTTP connections at [::]:3128, FD 31.
> > 2011/07/25 10:54:29| HTCP Disabled.
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > 2011/07/25 10:54:29| Loaded Icons.
> > 2011/07/25 10:54:29| Ready to serve requests.
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
> > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
> > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> >
> >
> > --- HTTP exchange Firefox to squid -----
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/3.1.14
> > Mime-Version: 1.0
> > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > Content-Type: text/html
> > Content-Length: 3945
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Vary: Accept-Language
> > Content-Language: en-us
> > Proxy-Authenticate: Negotiate
> > X-Cache: MISS from squid.sit26.borderware.com
> > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > Connection: keep-alive
> >
> > GET http://www.google.ca/ HTTP/1.1
> > Host: www.google.ca
> > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > Firefox/5.0.1
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-us,en;q=0.5
> > Accept-Encoding: gzip, deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Proxy-Connection: keep-alive
> > Referer: http://www.google.ca/
> > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> >
> >
> > Regards,
> > Ming
> >