Search squid archive

Re: squid_kerb_auth: Unspecified GSS failure (W2K8)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Mihail,

I use mostly msktutil and not the samba tools. So I don't know what extra rights you might need for samba. I give myself write access to a separate OU to manage Unix service principals with msktutil.

Regards
Markus

"Mihail Lukin" wrote in message news:CAAmm_rZyAg2WA7rOkK43G14Ot6w1PNkm=1fYPfW_N-H1jGZR6A@xxxxxxxxxxxxxx...

I've just noticed that there is also LDAP modify request in captured
traffic that is trying to set servicePrincipalName attribute and ends
up with insufficientAccessRights result! I will ask for additional
privileges from our domain admin and see if it solves the issue.

On Sun, Nov 3, 2013 at 9:36 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> wrote:
I wonder why `net ads keytab add HTTP` doesn't change the keytab. The
output of this command is:

<pre>Warning: "kerberos method" must be set to a keytab method to use
keytab functions.
Processing principals to add...</pre>

and exit code is 0, so there is no sign of an error.
I sniffed network traffic while running this command and found that
there was an LDAP search query and the result contained this
computer's entry which has servicePrincipalName with 4 values and
HTTP/squidsrv.my.doma.in is there.

Unfortunately, this service principal didn't appear in keytab.


On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
Exactly you need the HTTP service principal in the keytab.

Regards
Markus


"Mihail Lukin"  wrote in message
news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0uQ@xxxxxxxxxxxxxx...


Thanks for the tip!

Here is what it shows:
Server Name (Service and Instance): HTTP/squidsrv.my.doma.in

So, it is the right protocol and host name. But I do not see exact
much in keytab. I'm not sure if it is the issue. I created keytab
exactly as was shown here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
(samba version, not msktutil).


On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
wrote:

Hi Mihail,

 If you use wireshark you can expand the details of:

 Proxy-Authorization: Negotiate YIIHoAYGKwYBB...

 It will tell you which service principal the client is sending to the
server ?  I wonder if the name  matches the names in your keytab.


Markus

-----Original Message----- From: Mihail Lukin
Sent: Saturday, November 02, 2013 9:15 PM
To: Markus Moeller
Cc: squid-users
Subject: Re:  Re: squid_kerb_auth: Unspecified GSS failure
(W2K8)


Hi, Markus!

1) Here is the output:
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- -----------------
--------------------------------------------------------
  2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-crc)
  2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-md5)
  2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (arcfour-hmac)
  2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx
(aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx
(aes256-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-crc)
  2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-md5)
  2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (arcfour-hmac)
  2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
  2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
  2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)

2) I see request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."
3) It worth to mention that using ntlm_auth instead of squid_kerb_auth
works fine on this server.


On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
wrote:


Hi Mihail,

What does a klist -ekt <keytab> show ? ( I assume you use MIT Kerberos
on
the squid server)

  What do you see with wireshark in the authentication header send to
squid
?

Markus

"Mihail Lukin"  wrote in message

news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ@xxxxxxxxxxxxxx...


I don't know why access-time is not being updated, but strace has
shown that keytab is being read successfully by squid_kerb_auth
process.

On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx>
wrote:



Hello, Markus!

Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
/etc/sysconfig/squid and is readable by squid group. But there is
still something wrong with it: keytab's access time is not changed
neither when I restart squid not when I request an URL through the
proxy.

I think I should strace squid_kerb_auth to see what happens. Thanks
for the hint!

On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller
<huaraz@xxxxxxxxxxxxxxxx> wrote:



Hi Mihail,

Did you use export KRB5_KTNAME to point to the right keytab ? Is the
keytab readable by the user under which squid runs ?

Markus

"Mihail Lukin"  wrote in message



news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx...

Hello,

I'm trying to configure Squid 3.1 to authenticate through AD with W2K8
DC with Kerberos. I used this how-to:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on
CentOS 6 box that I've joined to domain with `net ads join`.

Now I'm getting the error in cache.log when I'm trying to visit any
URL through this proxy:

2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded
data' from squid (length: 2295).
2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded
data' (decoded length: 1717).
2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more
information.
2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more
information. '

I could not figure out what the "minor code" is... I googled a lot with
no
luck.
Any help is very appreciated. Thanks in advance!




--
С уважением,
Михаил Лукин






--
С уважением,
Михаил Лукин











[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux