I've found this today. Why is the last ticket not renewed? Could that point to the problem?

    [root@http-proxy ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx

    Valid starting     Expires            Service principal
    10/30/12 14:47:38  10/31/12 00:47:37  krbtgt/JUSTIZ.NIEDERSACHSEN.DE@xxxxxxxxxxxxxxxxxxxxxxx
            renew until 10/31/12 14:47:38
    10/30/12 15:24:49  10/31/12 00:47:37  ldap/justizhadc01.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx
            renew until 10/31/12 14:47:38
    10/30/12 15:24:49  10/30/12 15:26:49  kadmin/changepw@xxxxxxxxxxxxxxxxxxxxxxx
            renew until 10/30/12 15:26:49

-----Original Message-----
From: Jarosch, Ralph [mailto:Ralph.Jarosch@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, 30 October 2012 15:27
To: Bastien Ceriani
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: AW: No Kerberos Auth

I think the encryption type is already 28. This is the output with -- encrypt 28 --

    ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

From: Jarosch, Ralph
Sent: Tuesday, 30 October 2012 15:24
To: 'Bastien Ceriani'
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: AW: No Kerberos Auth

Oh ok.. yes, it worked fine until ten minutes before I wrote the mail. There it crashed from one minute to the other. I'm just troubleshooting the problem..

From: Bastien Ceriani [mailto:bastien.ceriani@xxxxxxxxxxxx]
Sent: Tuesday, 30 October 2012 15:16
To: Jarosch, Ralph
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: No Kerberos Auth

Ok Thx,

With Windows Server 2008 you should use the --enctypes 28 parameter with the msktutil command.
Did your NTLM authentication work fine? How did you configure it? With Samba/Winbind?

On Tue, Oct 30, 2012 at 3:08 PM, Jarosch, Ralph <Ralph.Jarosch@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

OK, for Wireshark I must wait for tonight because no one here can work if I enable authentication.

My keytab

    Keytab name: WRFILE:/etc/squid/HTTP.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (arcfour-hmac)
       6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes128-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 http-proxy$@JUSTIZ.NIEDERSACHSEN.DE (aes256-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx (arcfour-hmac)
       6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HTTP/http-proxy@xxxxxxxxxxxxxxxxxxxxxxx (arcfour-hmac)
       6 10/30/12 09:47:42 HTTP/http-proxy@xxxxxxxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HTTP/http-proxy@xxxxxxxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HOST/HTTP-PROXY@xxxxxxxxxxxxxxxxxxxxxxx (arcfour-hmac)
       6 10/30/12 09:47:42 HOST/HTTP-PROXY@xxxxxxxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
       6 10/30/12 09:47:42 HOST/HTTP-PROXY@xxxxxxxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)

My squid.conf

    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -i -s HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx
    auth_param negotiate children 100
    auth_param negotiate keep_alive on
    auth_param ntlm keep_alive on
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 200
    #auth_param ntlm max_challenge_reuses 0
    #auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 200
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 5 hours

and my msktutil

    msktutil -c -b "OU=Sonstige Server,OU=Globale Dienste,DC=justiz,DC=niedersachsen,DC=de" -s HTTP/http-proxy.justiz.niedersachsen.de -h http-proxy.justiz.niedersachsen.de -k /etc/HTTP.keytab --computer-name http-proxy --upn HTTP/http-proxy.justiz.niedersachsen.de --server justizhadc01.justiz.niedersachsen.de --verbose

We use Windows 2008 R2 Server.

From: Bastien Ceriani [mailto:bastien.ceriani@xxxxxxxxxxxx]
Sent: Tuesday, 30 October 2012 15:00
To: Jarosch, Ralph
Subject: Re: No Kerberos Auth

I'm in the same case..
Try to check Kerberos TGS REQ and TGS REP with Wireshark?

Can you display:
- your keytab? (klist -ekt HTTP.keytab)
- your auth_param squid config
- your msktutil command

What version of Windows Server is running?

Regards,

On Tue, Oct 30, 2012 at 2:49 PM, Jarosch, Ralph <Ralph.Jarosch@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi,

I have some trouble authenticating our web browser over Kerberos.
I always get the following error message.

    2012/10/30 14:27:55| squid_kerb_auth: DEBUG: Decode '[base64 Negotiate token omitted]' (decoded length: 2485).
    2012/10/30 14:27:55| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error
    2012/10/30 14:27:55| squid_kerb_auth: INFO: User not authenticated
    2012/10/30 14:27:55| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Unknown error'

I followed the manual on http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos.
Everything worked fine and I created the HTTP.keytab with msktutil.

I checked all with

    [root@http-proxy /]# kinit -V -k -t /etc/squid/HTTP.keytab HTTP/http-proxy.justiz.niedersachsen.de
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/http-proxy.justiz.niedersachsen.de@xxxxxxxxxxxxxxxxxxxxxxx
    Using keytab: /etc/squid/HTTP.keytab
    Authenticated to Kerberos v5

So I have no idea what I'm doing wrong.
Is there any other way to troubleshoot the problem?

Thank you
Ralph
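
Added example (not part of the original thread, and not code from Squid or msktutil): the messages above compare the account's msDs-supportedEncryptionTypes value (28) with the keys shown by `klist -ekt`. This Python code decodes that bitmask and reports, per principal, the enctypes the directory advertises for which the keytab listing has no key. The listing, host name and realm are constructed placeholders, and the function names are hypothetical.

```python
import re

# msDS-SupportedEncryptionTypes bit flags and the names klist prints for them.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One `klist -ekt` entry: KVNO, date, time, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

# Constructed listing (placeholder host and realm); the HTTP principal
# deliberately lacks an aes256 key so the check has something to report.
SAMPLE_LISTING = """\
Keytab name: WRFILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   6 10/30/12 09:47:42 proxy$@EXAMPLE.COM (arcfour-hmac)
   6 10/30/12 09:47:42 proxy$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 proxy$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 10/30/12 09:47:42 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   6 10/30/12 09:47:42 HTTP/proxy.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

def decode_mask(mask):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def parse_keytab_listing(text):
    """Map principal -> {enctype: kvno} from `klist -ekt` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys.setdefault(m.group(2), {})[m.group(3)] = int(m.group(1))
    return keys

def missing_enctypes(listing, principal, mask):
    """Enctypes the directory advertises but the keytab has no key for."""
    have = parse_keytab_listing(listing).get(principal, {})
    return sorted(decode_mask(mask) - set(have))

if __name__ == "__main__":
    for p in ("proxy$@EXAMPLE.COM", "HTTP/proxy.example.com@EXAMPLE.COM"):
        print(p, "missing:", missing_enctypes(SAMPLE_LISTING, p, 28) or "none")
```

Feed it the real output of `klist -ekt` for the keytab the helper reads and the principal passed to `squid_kerb_auth -s`; an empty result means every advertised enctype has a key.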