Re: Squid 3.2 kerberos authentication

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi Ludovit,

  As background information the Negotiate protocol is a protocol which can 
handle Kerberos and NTLM tokens and the client decides based on its 
configuration (and actice Directory) if  Kerberos or NTLM  will be used. 
Usually if Kerberos is not correctly setup the client will use NTLM. What 
you are seeing is that the client uses NTLM and squid/samba/ntlm_auth seems 
to not allow it. Is your NTLM setup working ?

 To check why the client uses NTLM look at a Network trace on port 88. You 
should see a Kerberos AS request/AS reply followed by a TGS request/TGS 
reply. Have a look at the TGS reply details. I assume in your case it 
contains an error message.

Markus

"Ludovit Koren" <ludovit.koren@xxxxxxxxx> wrote in message 
news:20130129.134941.1568838937885763075.koren@xxxxxxxxxx...
> Hi,
>
> I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.
>
> The /etc/krb5.conf file:
>
> [logging]
> default = FILE:/var/log/krb.log
> kdc = FILE:/var/log/krb.log
> admin_server = FILE:/var/log/krb.log
> default_keytab_name = /usr/local/etc/squid/HTTP.keytab
>
> [libdefaults]
> default_realm = MDPT.LOCAL
> dns_lookup_realm = no
> dns_lookup_kdc = no
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
> des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
> des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc 
> des-cbc-md5
>
> [realms]
> EXAMPLE.LOCAL = {
>  kdc = ads01.example.local:88
>  admin_server = ads01.example.local:464
>  default_domain = EXAMPLE.LOCAL
> }
>
> [domain_realm]
> .domain.local = EXAMPLE.LOCAL
> domain.local = EXAMPLE.LOCAL
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 1
> }
>
>
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>        Principal: xkoren@EXAMPLE.LOCAL
>
>  Issued           Expires          Principal
> Jan 29 13:26:54  Jan 29 23:26:54  HTTP/squid2@EXAMPLE.LOCAL
>
>
> and I get the following error:
>
> 2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
> 2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32 
> 'negotiate_wrapper_auth' processes
> 2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation not 
> permitted
> 2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
> 2013/01/29 13:36:30| negotiate_wrapper: NTLM command: 
> /usr/local/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> 2013/01/29 13:36:30| negotiate_wrapper: Kerberos command: 
> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> 2013/01/29 13:36:30| negotiate_wrapper: Got 'YR 
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid 
> (length: 59).
> 2013/01/29 13:36:30| negotiate_wrapper: Decode 
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded 
> length: 40).
> 2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
> negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30| 
> negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> 2013/01/29 13:36:30| negotiate_wrapper: Return 'TT 
> TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
> '
> 2013/01/29 13:36:30| negotiate_wrapper: Got 'KK 
> TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD' 
> from squid (length: 571).
> 2013/01/29 13:36:30| negotiate_wrapper: Decode 
> 'TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD' 
> (decoded length: 426).
> 2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
> 2013/01/29 13:36:30| negotiate_wrapper: Return 'NA = 
> NT_STATUS_UNSUCCESSFUL
>
> I tried google, but I cannot resolve the problem. Please could you be
> so kind as far as to point me in the right direction?
>
> Thank you very much in advance.
>
> regards,
>
> lk