
Re: Squit with NTLM and Kerberos auth => a error


 



Hi Marcus,

No, I don't know if the users use NegoEx; on the network they have more than 25000 desktops.

I changed the auth to use only NTLM, but it is the same problem: a lot of users are not allowed.

GENSEC login failed: NT_STATUS_INVALID_PARAMETER
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE

Do they have commercial support for Squid?

regards
olivier



2015-11-05 22:39 GMT+01:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
 
Hi Olivier,
 
  I think on some of your newer clients you have an issue with Negotiate and NTLM fallback. If I look at
 
 
If I interpret this correctly the client will try NegoEx after failing with Kerberos and before trying NTLM.  If on the client NegoEx is successful then NTLM will not be attempted.  And I think that is the case here.  Do you know if NegoEx is used on the client ? 
 
 
Does anybody else know about NegoEx ?
 
Markus
 
 
 
Sent: Tuesday, November 03, 2015 9:22 AM
Subject: Re: Squit with NTLM and Kerberos auth => a error
 
Does that mean that Squid can be used with Windows AD?


 
2015-11-02 22:46 GMT+01:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
 
Hi Olivier,
 
If I decode a token I see
 
/base64> hexdump -c base64_dec.out
0000000   ` 201 236 006 006   + 006 001 005 005 002 240 201 223   0 201
0000010 220 240 032   0 030 006  \n   + 006 001 004 001 202   7 002 002
0000020 036 006  \n   + 006 001 004 001 202   7 002 002  \n 242   r 004
0000030   p   N   E   G   O   E   X   T   S  \0  \0  \0  \0  \0  \0  \0
0000040  \0   `  \0  \0  \0   p  \0  \0  \0 020 366   L   3   & 023 256
0000050   O 271 216   4 305  \f 200   !  \t 034 340   # 327 322 177   _
0000060 211 202   > 254   {   g 234 325 225 001 022 225  \f 323 276   A
0000070 206 024   6 367   ;   .  \0   C 273  \0  \0  \0  \0  \0  \0  \0
0000080  \0   `  \0  \0  \0 001  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000090  \0   E   r   |   2   2   E 213   H 277 331   *   k 240   ^ 244
00000a0  \n
00000a1
 

That is not supported.

Markus
 
 
"Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message news:CAJajPefqOygT5zsYW7fWszwRTTxN-r1Pd-U73XDfoNax9dLHkA@xxxxxxxxxxxxxx...
Hi

I am testing AD authentication with Kerberos/NTLM.

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 160 startup=5 idle=1
auth_param negotiate keep_alive on

## NTLM authentication module
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 160 startup=5 idle=1
auth_param ntlm keep_alive on

## If NTLM fails, show the authentication prompt
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 40 startup=5 idle=1
auth_param basic realm Company proxy-caching web server
auth_param basic credentialsttl 2 hours


I have a lot of users for whom it works, but for other users, Squid requests login/password in a loop.

In cache.log I have:

2015/11/02 17:37:57| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:57 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
2015/11/02 17:37:58| squid_kerb_auth: Got 'YR YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' from squid (length: 219).
2015/11/02 17:37:58| squid_kerb_auth: Decode 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=' (decoded length: 161).
2015/11/02 17:37:58| squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error
2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: An unsupported mechanism was requested. Unknown error'
GENSEC login failed: NT_STATUS_LOGON_FAILURE
GENSEC login failed: NT_STATUS_LOGON_FAILURE




Does anyone know this problem?

regards
Olivier

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
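
Added example, not part of the original thread: the token decode Markus describes, done in Python on the first 'YR' token from the cache.log excerpt above, listing the mechanisms the client offers in its SPNEGO NegTokenInit. The function names are this example's own; the OID table holds the registered OIDs for Kerberos 5, NTLMSSP and NegoEx.

```python
import base64

TOKEN_B64 = (  # first 'YR' token from the cache.log excerpt in this thread
    "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIK"
    "onIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc"
    "4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEA"
    "AAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=")
MECH_NAMES = {  # registered GSS-API mechanism OIDs
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:                         # last base-128 digit of the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def offered_mechs(token_b64):
    """Return (mechTypes names, mechToken bytes) of a SPNEGO NegTokenInit."""
    buf = base64.b64decode(token_b64)
    tag, pos, _ = read_tlv(buf, 0)           # [APPLICATION 0] GSS-API wrapper
    oid_tag, s, e = read_tlv(buf, pos)       # thisMech OID
    if (tag, oid_tag, decode_oid(buf[s:e])) != (0x60, 0x06, "1.3.6.1.5.5.2"):
        raise ValueError("not a SPNEGO initial token")
    _, pos, end = read_tlv(buf, read_tlv(buf, e)[1])  # [0] -> SEQUENCE
    mechs, mech_token = [], b""
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        if tag == 0xA0:                      # mechTypes: SEQUENCE OF OID
            _, m, m_end = read_tlv(buf, s)
            while m < m_end:
                _, o, m = read_tlv(buf, m)
                mechs.append(decode_oid(buf[o:m]))
        elif tag == 0xA2:                    # mechToken: OCTET STRING
            _, t, t_end = read_tlv(buf, s)
            mech_token = buf[t:t_end]
        pos = e
    return [MECH_NAMES.get(oid, oid) for oid in mechs], mech_token
```

For this token the offered list is NegoEx followed by NTLMSSP, with no Kerberos mechanism, and the mechToken begins with NEGOEXTS, which is consistent with the "unsupported mechanism" error logged by squid_kerb_auth.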

