On 23/03/2013 9:52 a.m., Carlos Daniel Perez wrote:
Hi, I configured Squid with Kerberos authentication, but when a client with Windows 7 tries to surf the web this appears:

==> /var/log/squid3/cache.log <==
2013/03/22 16:07:09| negotiate_wrapper: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2013/03/22 16:07:09| negotiate_wrapper: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2013/03/22 16:07:09| negotiate_wrapper: received Kerberos token
2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2013/03/22 16:07:09| squid_kerb_auth: ERROR: gss_accept_sec_context() failed: An unsupported mechanism was requested.
2013/03/22 16:07:09| negotiate_wrapper: Return 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. '
2013/03/22 16:07:09| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. '

If I put in the username (in the format username, not in the Domain\username format) all is fine and the client can surf... but I need authentication without a popup...
If a Windows XP client tries to surf, this error appears:

==> /var/log/squid3/cache.log <==
2013/03/22 16:07:39| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M=' from squid (length: 231).
2013/03/22 16:07:39| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M=' (decoded length: 170).
2013/03/22 16:07:39| negotiate_wrapper: received type 120 NTLM token
2013/03/22 16:07:39| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL
"type 120" ? Something is getting the decoding wrong in the helper. That is a type-3 (credentials, handshake complete) token.
It doesn't work if I put in the username as with Windows 7... The first lines of my squid.conf are:

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ENT --kerberos /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squid-proxy.enterprise.com
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=ENT
auth_param ntlm children 10
auth_param ntlm keep_alive off

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
 -b dc=enterprise,dc=com \
 -D soporte@xxxxxxxxxxxxxx \
 -w 12345 \
 -f sAMAccountName=%s \
 -h svq-wsus.enterprise.com
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

external_acl_type internet_users %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S \
 -b dc=enterprise,dc=com \
 -D soporte@xxxxxxxxxxxxxx \
 -w 12345 \
 -f (&(objectclass=person)(sAMAccountName=%v)(memberof=ou=%a,ou=Vip,dc=enterprise,dc=com)) \
 -h svq-wsus.enterprise.com

I created my .keytab without problems following this guide: http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter and http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Why do these errors happen?

PS. My domain is ENTERPRISE.COM and the users use ENT\username to access the Domain and network resources... Thank you very much!
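The "received Kerberos token" and "type 120 NTLM token" labels in the log come from the wrapper guessing at the first bytes of each token. The following script is an added example, written for this thread and not part of the original messages or of negotiate_wrapper / squid_kerb_auth: it base64-decodes the two tokens quoted above and reads them properly, taking the MessageType field from a raw NTLMSSP token and walking the DER of a SPNEGO NegTokenInit to list the mechanisms the client offered and what the embedded mechToken is. The OID table and the "NEGOEXTS" / "NTLMSSP\0" signature checks are the standard constants for these protocols; the function and variable names are the example's own.

```python
import base64
import struct

# Constructed input: the two base64 tokens quoted in the thread above
# (the Windows 7 client's "YR" token and the Windows XP client's "KK" token).
WIN7_TOKEN = ("YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
              "AAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8"
              "GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=")
WINXP_TOKEN = ("TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACq"
               "AAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEA"
               "VABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M=")

# Mechanism OIDs a Negotiate acceptor commonly sees.
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "MS Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def name_oid(raw):
    dotted = decode_oid(raw)
    return OID_NAMES.get(dotted, dotted)


def inner_token_kind(tok):
    """Label the mechToken carried inside a NegTokenInit by its leading bytes."""
    if tok.startswith(b"NEGOEXTS"):
        return "NEGOEX"
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"
    if tok[:1] == b"\x60":  # GSS-API InitialContextToken, e.g. a Kerberos AP-REQ
        _, body, _ = der_tlv(tok, 0)
        _, oid, _ = der_tlv(body, 0)
        return name_oid(oid)
    return "unknown"


def classify_token(b64):
    """Decode one base64 Negotiate token and report what it actually carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Raw NTLMSSP: MessageType is a little-endian uint32 at offset 8 (1, 2 or 3).
        return {"kind": "NTLM", "message_type": struct.unpack_from("<I", raw, 8)[0]}
    if raw[:1] != b"\x60":
        return {"kind": "unknown"}
    _, body, _ = der_tlv(raw, 0)    # [APPLICATION 0] InitialContextToken
    _, oid, pos = der_tlv(body, 0)  # thisMech OID
    mech = name_oid(oid)
    if mech != "SPNEGO":
        return {"kind": "GSS", "mech": mech}
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    _, neg_init, _ = der_tlv(body, pos)
    _, seq, _ = der_tlv(neg_init, 0)
    result = {"kind": "SPNEGO", "mech_types": [], "inner_token": None}
    p = 0
    while p < len(seq):
        tag, val, p = der_tlv(seq, p)
        if tag == 0xA0:  # mechTypes: SEQUENCE OF OID, in the client's preference order
            _, lst, _ = der_tlv(val, 0)
            q = 0
            while q < len(lst):
                _, o, q = der_tlv(lst, q)
                result["mech_types"].append(name_oid(o))
        elif tag == 0xA2:  # mechToken: OCTET STRING holding the first mechanism's token
            _, tok, _ = der_tlv(val, 0)
            result["inner_token"] = inner_token_kind(tok)
    return result


if __name__ == "__main__":
    for label, tok in (("Windows 7", WIN7_TOKEN), ("Windows XP", WINXP_TOKEN)):
        print(label, classify_token(tok))
```

Run over the thread's tokens, the script reports the Windows XP token as a raw NTLM message of type 3 (the type-3 the reply refers to, not "type 120"), and the Windows 7 token as a SPNEGO NegTokenInit whose mechTypes are NEGOEX and NTLMSSP, with a NEGOEX mechToken and no Kerberos mechanism at all. An acceptor that only holds a Kerberos credential has nothing it can negotiate from that list, which is the likely origin of the "unsupported mechanism" error from gss_accept_sec_context(). A Windows client that leaves Kerberos out of its Negotiate token usually did not obtain a service ticket for the proxy, so the first things to verify on the client side are that the proxy name the browser is configured with matches the HTTP/ principal in the keytab and that the client can actually get a ticket for it (klist on the client is enough to see that).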