Hi Ludovit,
Yes, the client determines the encryption strength, and squid needs to have
all of them in the keytab (you can disallow DES or other weak encryption by
not adding these encryptions to the keytab).
Regards
Markus
"Ludovit Koren" wrote in message news:86lhk0j2xe.fsf@xxxxxxxxx...
Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> writes:
> It could be the new AD server is set up to be backward compatible
> meaning it uses RC4 despite being able to use AES. I suggest you create
> an additional keytab entry for RC4. How did you create the keytab?
Now it seems to work:
# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local |
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/libexec/squid/negotiate_kerberos_auth -r -s HTTP/proxy.mdpt.local
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
BH quit command
respectively with debug output
# /usr/local/libexec/squid/negotiate_kerberos_auth_test proxy.mdpt.local |
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |
/usr/local/libexec/squid/negotiate_kerberos_auth -d -r -s HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(212): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Got 'YR
[token omitted]'
from squid (length: 1911).
negotiate_kerberos_auth.cc(311): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Decode
'[token omitted]'
(decoded length: 1430).
negotiate_kerberos_pac.cc(368): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got PAC data of lengh 464
negotiate_kerberos_pac.cc(186): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Found 2 rids
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(193): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: Info: Got rid: 8830
negotiate_kerberos_pac.cc(255): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got DomainLogonId
S-1-5-21-770342266-1452753317-1341851483
negotiate_kerberos_pac.cc(277): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(325): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Got ExtraSid S-1-18-1
negotiate_kerberos_pac.cc(448): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: INFO: Read 464 of 464 bytes
negotiate_kerberos_auth.cc(426): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Groups
group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPAQIAAA==
group=AQUAAAAAAAUVAAAAen3qLaVBl1ZbB/tPfiIAAA== group=AQEAAAAAABIBAAAA
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(431): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
HTTP/proxy.mdpt.local
negotiate_kerberos_auth.cc(258): pid=59316 :2015/02/14 09:40:23|
negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command
It looks like all ciphers which different MS clients could use should be
specified...
Am I right?
lk
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users