Hello all,

I have installed Ubuntu 14.04 x64 with squid v3.3.8, and I need to set up SSO with a Windows Microsoft Active Directory 2008 R2 server. So I did this: I used the official how-to here --> http://wiki.squid-cache.org/ConfigExamp … e/Kerberos

So, after a fresh install of Ubuntu:

1> Pre-requisites for Active Directory integration

Active Directory server:
IP of the Active Directory: 192.168.1.60
hostname: ws2008
Domain name: sonsofanarchy.fr
Active Directory users:
- administrateur / password
- jteller / P@ssword1

Squid server:
IP: 192.168.1.62
hostname: srv-proxy-01
user: administrateur, password: password

Proxy server configuration:

1.1> Installing the prerequisites:

sudo apt-get install krb5-user msktutil squid samba-common-bin

- Checking the DNS configuration:

sudo nano /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
domain sonsofanarchy.fr
search sonsofanarchy.fr
nameserver 192.168.1.60

- Synchronising the time with the Active Directory:

sudo nano /etc/default/ntpdate

# The settings in this file are used by the program ntpdate-debian, but not
# by the upstream program ntpdate.

# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp,
# so you only have to keep it in one place.
NTPDATE_USE_NTP_CONF=yes

# List of NTP servers to use  (Separate multiple servers with spaces.)
# Not used if NTPDATE_USE_NTP_CONF is yes.
NTPSERVERS="ws2008.sonsofanarchy.fr"

# Additional options to pass to ntpdate
NTPOPTIONS=""

root@srv-proxy-01:~# ntpdate ws2008.sonsofanarchy.fr
13 Oct 18:16:27 ntpdate[1632]: adjust time server 192.168.1.60 offset 0.032533 sec

- Creating the keytab (if there is no message, it is good):

root@srv-proxy-01:~# kinit administrateur
Password for administrateur@xxxxxxxxxxxxxxxx:
root@srv-proxy-01:~#

root@srv-proxy-01:~# msktutil -c -b "CN=COMPUTERS" -s HTTP/srv-proxy-01.sonsofanarchy.fr -k /etc/squid3/PROXY.keytab --computer-name SRV-PROXY-01-K --upn HTTP/srv-proxy-01.sonsofanarchy.fr --server ws2008.sonsofanarchy.fr --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 85
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-p1Stna
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: SRV-PROXY-01-K$
-- try_machine_keytab_princ: Trying to authenticate for SRV-PROXY-01-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/srv-proxy-01 from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for SRV-PROXY-01-K$ with password.
-- create_default_machine_password: Default machine password for SRV-PROXY-01-K$ is srv-proxy-01-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=YES
-- ldap_connect: Connecting to LDAP server: ws2008.sonsofanarchy.fr try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrateur@xxxxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=SONSOFANARCHY,dc=FR
-- ldap_check_account: Checking that a computer account for SRV-PROXY-01-K$ exists
-- ldap_check_account: Computer account not found, create the account
No computer account for SRV-PROXY-01-K found, creating a new one.
dn: cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to srv-proxy-01
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/srv-proxy-01.sonsofanarchy.fr@xxxxxxxxxxxxxxxx
-- ldap_set_supportedEncryptionTypes: DEE dn=cn=SRV-PROXY-01-K,CN=COMPUTERS,dc=SONSOFANARCHY,dc=FR old=7 new=28
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130576908153384910
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130576908153853660
-- set_password: Successfully reset computer's password
-- ldap_add_principal: Checking that adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to SRV-PROXY-01-K$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/srv-proxy-01.sonsofanarchy.fr to LDAP entry
-- ldap_add_principal: Checking that adding principal host/srv-proxy-01 to SRV-PROXY-01-K$ won't cause a conflict
-- ldap_add_principal: Adding principal host/srv-proxy-01 to LDAP entry
-- execute: Updating all entries for srv-proxy-01 in the keytab WRFILE:/etc/squid3/PROXY.keytab
-- update_keytab: Updating all entires for SRV-PROXY-01-K$
-- ldap_get_kvno: KVNO is 2
-- add_principal_keytab: Adding principal to keytab: SRV-PROXY-01-K$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=23
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=17
-- add_principal_keytab: Deleting SRV-PROXY-01-K$@SONSOFANARCHY.FR kvno=3, enctype=18
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/srv-proxy-01.sonsofanarchy.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@xxxxxxxxxxxxxxxx kvno=3, enctype=23
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@xxxxxxxxxxxxxxxx kvno=3, enctype=17
-- add_principal_keytab: Deleting HTTP/srv-proxy-01.sonsofanarchy.fr@xxxxxxxxxxxxxxxx kvno=3, enctype=18
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/srv-proxy-01
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of SONSOFANARCHY.FRhostsrv-proxy-01-k.sonsofanarchy.fr
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
root@srv-proxy-01:~#

Good rights on the files:

root@srv-proxy-01:~# chgrp proxy /etc/squid3/PROXY.keytab
root@srv-proxy-01:~# chmod g+r /etc/squid3/PROXY.keytab

squid.conf file:

# Listen on Port 8080
http_port 8080
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all

And now I always get a popup asking for login/password, but nothing works, and I have this in the log (/var/log/squid/cache.log):

2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'
negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).
negotiate_kerberos_auth.cc(378): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded length: 40).
negotiate_kerberos_auth.cc(388): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/10/13 19:15:52| ERROR: Negotiate Authentication validating user. Error returned 'BH received type 1 NTLM token'

Can someone help me to fix this problem, please?

Thanks to all.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
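The helper's "BH received type 1 NTLM token" line says what the browser actually put in its Proxy-Authorization: Negotiate header. The blob after "Got 'YR ...'" is a base64 token, and whether it is an NTLMSSP message or a GSS-API/SPNEGO (Kerberos) token is visible from its first bytes: NTLMSSP messages start with the literal "NTLMSSP\0", GSS-API initial context tokens start with the DER tag 0x60 followed by the mechanism OID. The script below, an added example that is not part of the original post and not Squid's own code, decodes that token from the cache.log line quoted above and reports the NTLM message type, negotiate flags and client version it carries, and classifies a Kerberos/SPNEGO token the same way. The second log line and its SPNEGO wrapper are constructed here for contrast (mechanism OID only, no inner ticket); the regular expression on the "Got 'YR" debug line matches the helper output format shown in the post.

```python
"""Classify the token a client sent in a Proxy-Authorization: Negotiate header.

Added example (not from the original post or from Squid). It decodes the base64
blob negotiate_kerberos_auth logs after "Got 'YR ...'" and tells NTLMSSP messages
apart from GSS-API/SPNEGO (Kerberos) tokens, so a cache.log line can be read
without re-running the helper.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
}
# Subset of MS-NLMP NegotiateFlags, enough to read a typical type 1 message.
NTLM_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x02000000: "VERSION",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
NTLM_NEGOTIATE_VERSION = 0x02000000


def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw):
    """Decode DER OID content bytes (base-128 arcs) into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_token(b64):
    """Return a dict describing the base64 Negotiate token."""
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = struct.unpack_from("<I", token, 8)[0]
        info = {"kind": "NTLM", "message_type": msg_type}
        if msg_type == 1 and len(token) >= 16:
            flags = struct.unpack_from("<I", token, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [n for bit, n in NTLM_FLAGS.items() if flags & bit]
            # Type 1 layout: 8 sig + 4 type + 4 flags + 8 domain + 8 workstation + 8 version
            if flags & NTLM_NEGOTIATE_VERSION and len(token) >= 40:
                major, minor, build = struct.unpack_from("<BBH", token, 32)
                info["client_version"] = (major, minor, build)
        return info
    if token and token[0] == 0x60:  # GSS-API InitialContextToken, [APPLICATION 0]
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:
            raise ValueError("GSS-API token without a mechanism OID")
        oid_len, pos = _der_length(token, pos + 1)
        oid = _decode_oid(token[pos:pos + oid_len])
        return {"kind": "GSSAPI", "mech_oid": oid, "mech": MECH_NAMES.get(oid, "unknown")}
    return {"kind": "unknown", "first_bytes": token[:8].hex()}


GOT_RE = re.compile(r"Got 'YR ([A-Za-z0-9+/=]+)' from squid")


def scan_cache_log(lines):
    """Classify every token the helper logged; returns [(token_b64, info), ...]."""
    results = []
    for line in lines:
        m = GOT_RE.search(line)
        if m:
            results.append((m.group(1), classify_token(m.group(1))))
    return results


# First line: the helper debug line quoted in the post. Second line: constructed,
# carrying a minimal SPNEGO wrapper (OID 1.3.6.1.5.5.2, empty NegTokenInit).
SAMPLE_LOG = [
    "negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:15:52| negotiate_kerberos_auth: "
    "DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).",
    "negotiate_kerberos_auth.cc(315): pid=3418 :2014/10/13 19:16:03| negotiate_kerberos_auth: "
    "DEBUG: Got 'YR " + base64.b64encode(b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00").decode()
    + "' from squid (length: 19).",
]

if __name__ == "__main__":
    for b64, info in scan_cache_log(SAMPLE_LOG):
        print(b64[:16] + "...", info)
```

For the token in the post this yields an NTLM message type 1 with flags 0xe2088297 and client version 6.1 build 7601, i.e. the client never attempted Kerberos for this request; a Kerberos-capable client would have sent a token that classifies as GSSAPI/SPNEGO (base64 beginning with "YII"). That separates a client-side cause (no service ticket obtained for the proxy's SPN, so the browser falls back to NTLM) from a keytab or helper problem on the Squid side, which would only show up once a Kerberos token arrives.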