Re: Re: Squid 3.2 kerberos authentication

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

"Ludovit Koren" <ludovit.koren@xxxxxxxxx> wrote in message 
news:20130201.141430.1568838938187755043.koren@xxxxxxxxxx...
> > > > > > On Wed, 30 Jan 2013 23:16:46 -0000
> > > > > > huaraz@xxxxxxxxxxxxxxxx("Markus Moeller")  said:
> >
> > Hi Ludovit,
> >
> >   As background information the Negotiate protocol is a protocol which
> > can handle Kerberos and NTLM tokens and the client decides based on
> > its configuration (and actice Directory) if  Kerberos or NTLM  will be
> > used. Usually if Kerberos is not correctly setup the client will use
> > NTLM. What you are seeing is that the client uses NTLM and
> > squid/samba/ntlm_auth seems to not allow it. Is your NTLM setup
> > working ?
>
> It used to, but 10 days ago I got the following error to the log and
> it stopped to work:

It being Kerberos authenticaion ?

> 2013/01/22 11:04:20| authenticateNTLMHandleReply: Error validating user 
> via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
> Login for user [<domain>]\[<loginname>]@[<machinename>] failed due to 
> [Access denied]
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED

One reason could be that when using Kerberos and NTLM with samba on the same 
AD account the samba daemon changes the account password and the Kerberos 
keytab get out of sync with the AD account.  If you use NTLM with samba and 
Kerberos do not use the same AD account.

> I must change it to LDAP authentication.
>
> Afterwards, I started configuring kerberos authentication. (Do you
> know about some security patches from MS that could change the behavior?)
Not that I am waware off

> >  To check why the client uses NTLM look at a Network trace on port
> > 88. You should see a Kerberos AS request/AS reply followed by a TGS
> > request/TGS reply. Have a look at the TGS reply details. I assume in
> > your case it contains an error message.
>
> Could you, please, specify the MS client configuration. (I have a hard
> time with windows people to get it working...)

The MS client hsa no specific configuration it is all handled by AD.

> lk
>
> > Markus
> >
> > "Ludovit Koren" <ludovit.koren@xxxxxxxxx> wrote in message
> > news:20130129.134941.1568838937885763075.koren@xxxxxxxxxx...
> > >
> > > Hi,
> > >
> > > I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.
> > >
> > > The /etc/krb5.conf file:
> > >
> > > [logging]
> > > default = FILE:/var/log/krb.log
> > > kdc = FILE:/var/log/krb.log
> > > admin_server = FILE:/var/log/krb.log
> > > default_keytab_name = /usr/local/etc/squid/HTTP.keytab
> > >
> > > [libdefaults]
> > > default_realm = MDPT.LOCAL
> > > dns_lookup_realm = no
> > > dns_lookup_kdc = no
> > > ticket_lifetime = 24h
> > > forwardable = yes
> > > default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> > > des-cbc-md5
> > > default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> > > des-cbc-md5
> > > permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> > > des-cbc-md5
> > >
> > > [realms]
> > > EXAMPLE.LOCAL = {
> > >  kdc = ads01.example.local:88
> > >  admin_server = ads01.example.local:464
> > >  default_domain = EXAMPLE.LOCAL
> > > }
> > >
> > > [domain_realm]
> > > .domain.local = EXAMPLE.LOCAL
> > > domain.local = EXAMPLE.LOCAL
> > >
> > > [appdefaults]
> > > pam = {
> > > ticket_lifetime = 1d
> > > renew_lifetime = 1d
> > > forwardable = true
> > > proxiable = false
> > > retain_after_close = false
> > > minimum_uid = 1
> > > }
> > >
> > >
> > >
> > > # klist
> > > Credentials cache: FILE:/tmp/krb5cc_0
> > >        Principal: xkoren@EXAMPLE.LOCAL
> > >
> > >  Issued           Expires          Principal
> > > Jan 29 13:26:54  Jan 29 23:26:54  HTTP/squid2@EXAMPLE.LOCAL
> > >
> > >
> > > and I get the following error:
> > >
> > > 2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator 
> > > helpers...
> > > 2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32
> > > negotiate_wrapper_auth' processes
> > > 2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation
> > > not permitted
> > > 2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
> > > 2013/01/29 13:36:30| negotiate_wrapper: NTLM command:
> > > /usr/local/bin/ntlm_auth --diagnostics
> > > --helper-protocol=squid-2.5-ntlmssp
> > > 2013/01/29 13:36:30| negotiate_wrapper: Kerberos command:
> > > /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> > > 2013/01/29 13:36:30| negotiate_wrapper: Got 'YR
> > > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> > > (length: 59).
> > > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> > > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> > > length: 40).
> > > 2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
> > > negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30|
> > > negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> > > 2013/01/29 13:36:30| negotiate_wrapper: Return 'TT
> > > TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
> > > '
> > > 2013/01/29 13:36:30| negotiate_wrapper: Got 'KK
> > > TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD'
> > > from squid (length: 571).
> > > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> > > TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD'
> > > (decoded length: 426).
> > > 2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
> > > 2013/01/29 13:36:30| negotiate_wrapper: Return 'NA =
> > > NT_STATUS_UNSUCCESSFUL
> > >
> > > I tried google, but I cannot resolve the problem. Please could you be
> > > so kind as far as to point me in the right direction?
> > >
> > > Thank you very much in advance.
> > >
> > > regards,
> > >
> > > lk
> > >