Hi Markus,
Sorry about the delay, but I had a couple of urgent fires to put out. Anyway, I'm back to vanquishing this hellish beast that is Squid with Kerberos.
I did a little more testing and I've concluded the following:
Windows 8.1
Everything seems to work just fine. In debug mode, I see Kerberos information being thrown around in cache log and I can surf sites just fine. Oddly enough, I don't see any traffic on port 88 with Wireshark (I could just be doing something stupid there).
Windows 7
Same as before, I simply can't surf any site that requires authentication. If I surf to a site that I explicitly set not to require auth, then all is fine. If, however, I try a site that requires it, it simply fails and goes into a loop of requesting credentials: I enter them, it asks again and again until it fails. I've attached the Wireshark capture for you to look into.
I also noticed something off in cache.log. When things fail, it seems as though no information is being sent over about the user. I see this in the log:
negotiate_kerberos_auth.cc(315): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHLw---<cut>---fmcqUg2C0CjXimVz8Lx5lNux7qfmaxGvLX4Mm4OgllOsTRB7Ng==' from squid (length: 2463).
negotiate_kerberos_auth.cc(378): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHLw---<cut>---fmcqUg2C0CjXimVz8Lx5lNux7qfmaxGvLX4Mm4OgllOsTRB7Ng==' (decoded length: 1843).
negotiate_kerberos_auth.cc(200): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2014/10/30 12:21:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
Notice that there is no username after decoding ==' from squid...
In successful cases, I see something akin to:
negotiate_kerberos_auth.cc(315): pid=1463 :2014/10/30 12:54:44| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGnw---<cut>---vSSEll5Cl5H2pngowpplrKoJwLbahwnoSkFOzWqFoNq9qv1IXcyi4Ym7PbMadwDq4FpUdfDA84D6eGxospx8aPmJKZ0AuQMrtw==' from squid (length: 2271).
negotiate_kerberos_auth.cc(378): pid=1463 :2014/10/30 12:54:44| negotiate_kerberos_auth: DEBUG: Decode 'YIIGnw---<cut>---vSSEll5Cl5H2pngowpplrKoJwLbahwnoSkFOzWqFoNq9qv1IXcyi4Ym7PbMadwDq4FpUdfDA84D6eGxospx8aPmJKZ0AuQMrtw==' (decoded length: 1699).
negotiate_kerberos_auth.cc(462): pid=1463 :2014/10/30 12:54:45| negotiate_kerberos_auth: DEBUG: AF oYGgMIGdoAMKAQChCwYJKoZIhvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWnc+iBxbOhzQ36fAORmtdcn09xrBAmdvisZ2BxTPeuj8IxMULD9BJylCXHE8DVqqgyhS1Gzy1Y+BfyPvKyugBo1NnY3r7o3wYCnmbGli2NgcdrhQekHg1fbk8w== echironteste
Notice the extra line with username (echironteste). I'm not sure if this is relevant, but it does look like it.
Windows XP
Just like Windows 8.1, surfing worked fine and I did see Kerberos activity in cache.log, however I saw nothing being captured by Wireshark on port 88 or even widening the query, nothing for krb5rpc. What's happening here, anybody have an idea?
Cheers all and thanks for the help.
On 27 Oct 2014, at 20:53, Markus Moeller wrote:
Hi Pedro,
Can you capture the traffic from one Windows 7 or XP client on port 88 (just after the login, before accessing a website via squid, until successfully or unsuccessfully accessing the website) using Wireshark? Send me the .cap files to check.
Markus
<<attachment: win7.pcapng.zip>>
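The two cache.log patterns quoted in this message (a request followed by an AF line carrying the username, versus a request followed by a gss_accept_sec_context() error) can be separated mechanically. The following Python sketch is an added example, not part of the original thread or of Squid: the function names are hypothetical, the sample lines are constructed from the format above with shortened tokens and a placeholder username, and the check of the token's first bytes (0x60 for a GSS-API token, "NTLMSSP" for an NTLM fallback) goes beyond what the message itself examines.

```python
import base64
import re

# Constructed sample in the format of the helper debug lines quoted above (tokens shortened).
SAMPLE = """\
negotiate_kerberos_auth.cc(315): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHLwAAAA==' from squid (length: 2463).
negotiate_kerberos_auth.cc(378): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHLwAAAA==' (decoded length: 1843).
negotiate_kerberos_auth.cc(200): pid=1456 :2014/10/30 12:21:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
negotiate_kerberos_auth.cc(315): pid=1463 :2014/10/30 12:54:44| negotiate_kerberos_auth: DEBUG: Got 'YR YIIGnwAAAA==' from squid (length: 2271).
negotiate_kerberos_auth.cc(378): pid=1463 :2014/10/30 12:54:44| negotiate_kerberos_auth: DEBUG: Decode 'YIIGnwAAAA==' (decoded length: 1699).
negotiate_kerberos_auth.cc(462): pid=1463 :2014/10/30 12:54:45| negotiate_kerberos_auth: DEBUG: AF oYGgAAAA== exampleuser
"""

LINE = re.compile(r"pid=(\d+) :([^|]+)\| negotiate_kerberos_auth: (DEBUG|ERROR): (.*)")

def token_kind(token):
    """Classify a base64 Negotiate token by its first decoded bytes."""
    try:
        head = base64.b64decode(token[:8])  # 8 base64 chars -> 6 bytes
    except ValueError:
        return "unknown"
    if head.startswith(b"NTLMSS"):
        return "ntlm"  # client sent NTLM inside Negotiate, not Kerberos
    return "gssapi" if head[:1] == b"\x60" else "unknown"

def summarize(log_text):
    """Pair each 'YR' request with the helper's result for the same pid."""
    results, pending = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, ts, level, msg = m.groups()
        got = re.match(r"Got 'YR (\S+)' from squid", msg)
        if got:
            pending[pid] = {"pid": int(pid), "time": ts, "user": None, "error": None,
                            "token": token_kind(got.group(1)), "outcome": "no reply"}
            results.append(pending[pid])
            continue
        req = pending.get(pid)
        af = re.match(r"AF \S+ (\S+)$", msg)
        if req and level == "ERROR":
            req.update(outcome="rejected", error=msg)
            del pending[pid]
        elif req and af:
            req.update(outcome="accepted", user=af.group(1))
            del pending[pid]
    return results
```

Calling `summarize()` on a saved cache.log returns one record per request, so rejected requests can be listed with their timestamps and lined up against a packet capture from the same client.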