Do you have any idea what that can be? Is something in my sentences wrong? What do I need to check?

On 23/03/2013 9:52 a.m., Carlos Daniel Perez wrote:
>
> Hi,
>
> I configured Squid with Kerberos authentication, but when a client with
> Windows 7 tries to surf the web, this appears:
>
> ==> /var/log/squid3/cache.log <==
> 2013/03/22 16:07:09| negotiate_wrapper: Got 'YR
> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> from squid (length: 219).
> 2013/03/22 16:07:09| negotiate_wrapper: Decode
> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> (decoded length: 161).
> 2013/03/22 16:07:09| negotiate_wrapper: received Kerberos token
> 2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Got 'YR
> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> from squid (length: 219).
> 2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Decode
> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
> (decoded length: 161).
> 2013/03/22 16:07:09| squid_kerb_auth: ERROR: gss_accept_sec_context()
> failed: An unsupported mechanism was requested.
> 2013/03/22 16:07:09| negotiate_wrapper: Return 'BH
> gss_accept_sec_context() failed: An unsupported mechanism was
> requested.
> '
> 2013/03/22 16:07:09| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH
> gss_accept_sec_context() failed: An unsupported mechanism was
> requested. '
>
> If I put the username (in format username and not in Domain\username
> format) all is fine and the client can surf... but I need authentication
> without popup...
>
> If a Windows XP client tries to surf, this error appears:
>
> ==> /var/log/squid3/cache.log <==
> 2013/03/22 16:07:39| negotiate_wrapper: Got 'KK
> TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
> from squid (length: 231).
> 2013/03/22 16:07:39| negotiate_wrapper: Decode
> 'TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
> (decoded length: 170).
> 2013/03/22 16:07:39| negotiate_wrapper: received type 120 NTLM token
> 2013/03/22 16:07:39| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL

"type 120" ? Something is getting the decoding wrong in the helper. That is a type-3 (credentials, handshake complete) token.

>
> Doesn't work if I put the username like Windows 7...
>
> The first lines of my squid.conf have:
>
>
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d
> --ntlm /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ENT --kerberos
> /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squid-proxy.enterprise.com
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=ENT
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
>
>
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
> -b dc=enterprise,dc=com \
> -D soporte@xxxxxxxxxxxxxx \
> -w 12345 \
> -f sAMAccountName=%s \
> -h svq-wsus.enterprise.com
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> external_acl_type internet_users %LOGIN
> /usr/lib/squid3/squid_ldap_group -R -K -S \
> -b dc=enterprise,dc=com \
> -D soporte@xxxxxxxxxxxxxx \
> -w 12345 \
> -f (&(objectclass=person)(sAMAccountName=%v)(memberof=ou=%a,ou=Vip,dc=enterprise,dc=com))
> \
> -h svq-wsus.enterprise.com
>
> I created my .keytab without problems following this guide:
>
> http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter
> and http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
>
> Why do these errors happen? P.S. My domain is ENTERPRISE.COM and the
> users use ENT\username to access Domain and network resources...
>
> Thank you very much!
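
An added diagnostic example, not part of the original thread and not code from Squid or negotiate_wrapper: it decodes the base64 blob that follows 'YR ' or 'KK ' in the helper log and reports which mechanisms the client actually offered. WIN7_PREFIX and XP_PREFIX are the leading characters of the two tokens in the log excerpts above; KRB_SAMPLE is constructed for comparison, and all function names are this example's own.

```python
import base64, struct

MECHS = {  # mechanism OIDs that can appear in a Negotiate token
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
# Leading base64 characters of the two tokens in the cache.log excerpts
WIN7_PREFIX = "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIK"
XP_PREFIX = "TlRMTVNTUAADAAAA"
# Constructed sample (not from the thread): SPNEGO offering only Kerberos 5
KRB_SAMPLE = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202"))

def tlv(buf, pos):  # DER header at pos -> (length, offset of the value)
    first = buf[pos + 1]
    if first < 0x80:
        return first, pos + 2
    n = first & 0x7F
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def oid(raw):  # DER OID content bytes -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:                      # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify(b64):  # b64 = the blob after 'YR ' / 'KK ' in the helper log
    buf = base64.b64decode(b64)
    if buf.startswith(b"NTLMSSP\0"):      # bare NTLM: message type follows
        return "raw NTLMSSP", struct.unpack_from("<I", buf, 8)[0]
    if len(buf) < 2 or buf[0] != 0x60:
        return "unknown", None
    _, pos = tlv(buf, 0)                  # GSS-API InitialContextToken
    n, pos = tlv(buf, pos)                # thisMech OID
    mech, pos = oid(buf[pos:pos + n]), pos + n
    if mech != "1.3.6.1.5.5.2":           # not SPNEGO: bare mechanism token
        return "GSS-API", [MECHS.get(mech, mech)]
    for _ in range(3):                    # [0] NegTokenInit, SEQUENCE, [0] mechTypes
        _, pos = tlv(buf, pos)
    n, pos = tlv(buf, pos)                # SEQUENCE OF mechanism OIDs
    end, offered = pos + n, []
    while pos < end:
        n, pos = tlv(buf, pos)
        offered.append(oid(buf[pos:pos + n]))
        pos += n
    return "SPNEGO", [MECHS.get(o, o) for o in offered]
```

On the Windows 7 prefix this returns SPNEGO with NegoEx and NTLMSSP and no Kerberos OID, and on the Windows XP prefix it returns a raw NTLMSSP message of type 3.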