Hai,

What is the output of ktutil list (of the squid keytab)?

And you can try adding to krb5.conf:

; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Victor Sudakov
> Sent: Friday 4 March 2016 13:54
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Kerberos (Negotiate) problem with win2008 AD users
>
> Victor Sudakov wrote:
> >
> > I have squid 3.5.14 successfully authenticating users from a Windows 2003
> > domain, but there is a problem authenticating Windows 2008R2 domain
> > users from another realm. I am using the standard
> > negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
> >
> > I have collected a traffic dump of failed HTTP sessions, could someone
> > knowledgeable look at them and give me a hint what to debug? Does
> > anything look suspicious? It's at
> > ftp://ftp.sibptus.ru/pub/vas/badkrb1.zip
>
> I have tried debugging it like this:
>
> KRB5_KTNAME=/usr/local/etc/squid/squid.keytab ; export KRB5_KTNAME
> KRB5_CONFIG=/usr/local/etc/squid/krb5.conf ; export KRB5_CONFIG
> /usr/local/libexec/squid//negotiate_kerberos_auth_test proxy2.sibptus.ru |\
> awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |\
> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>
> And below is what I get. What am I doing wrong? I am trying to
> authenticate users from the STN.TN.CORP realm.
>
> negotiate_kerberos_auth.cc(487): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(546): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Setting keytab to /usr/local/etc/squid/squid.keytab
> negotiate_kerberos_auth.cc(570): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_37067
> negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 979).
> negotiate_kerberos_auth.cc(663): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 731).
> negotiate_kerberos_auth.cc(725): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: continuation needed
> TT oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
> negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
> BH quit command
>
> /usr/local/etc/squid/squid.keytab:
>
> Vno  Type              Principal
>   1  arcfour-hmac-md5  HTTP/proxy.sibptus.transneft.ru@xxxxxxxxxxxxxxxxxxxx
>   1  arcfour-hmac-md5  squiduser@xxxxxxxxxxxxxxxxxxxx
>   1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@xxxxxxxxxxxxxxxxxxxx
>   1  arcfour-hmac-md5  HTTP/proxy2.SIBPTUS.ru@xxxxxxxxxxxxxxxxxxxx
>   1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@xxxxxxxxxxx
>
> /usr/local/etc/squid/krb5.conf:
> [libdefaults]
>     default_realm = SIBPTUS.TRANSNEFT.RU
>     default_keytab_name = FILE:/usr/local/etc/squid/squid.keytab
>
> [domain_realm]
>     .sibptus.transneft.ru = SIBPTUS.TRANSNEFT.RU
>     .stn.tn.corp = STN.TN.CORP
>
> [logging]
>     default = FILE:/var/tmp/krb5lib.log
>     libkrb5 = FILE:/var/tmp/krb5lib.log
>
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov@xxxxxxxxxxxxxxxx
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
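Added example, not part of the original thread or of Squid: a Python check that compares the enctypes in a ktutil-style keytab listing with a permitted_enctypes line like the one suggested above, reporting principals that hold no key for a permitted enctype (the service cannot decrypt a ticket issued in it) and flagging single-DES entries. The function names, sample principals and sample files are constructed for illustration.

```python
import re

# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
WEAK = {"des-cbc-crc", "des-cbc-md5"}
# krb5.conf accepts several spellings per enctype; map them to the names ktutil prints.
ALIASES = {"rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

def canon(name):
    name = name.lower()
    return ALIASES.get(name, name)

def keytab_enctypes(listing):
    """principal -> set of enctypes, read from 'Vno Type Principal' rows."""
    keys = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+@\S+)", line)
        if m:
            keys.setdefault(m.group(3), set()).add(canon(m.group(2)))
    return keys

def conf_enctypes(conf, setting="permitted_enctypes"):
    """Enctypes of one krb5.conf setting; ';' and '#' comment lines never match."""
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == setting:
            return [canon(e) for e in re.split(r"[\s,]+", value.strip()) if e]
    return []

def audit(listing, conf):
    wanted = conf_enctypes(conf)
    findings = [("weak-enctype", "krb5.conf", e) for e in wanted if e in WEAK]
    for princ, have in sorted(keytab_enctypes(listing).items()):
        for e in wanted:
            if e not in WEAK and e not in have:
                findings.append(("no-key", princ, e))
    return findings

# Constructed sample data (not the poster's files).
SAMPLE_KEYTAB = """\
Vno  Type                     Principal
  1  arcfour-hmac-md5         HTTP/proxy.example.test@EXAMPLE.TEST
  2  arcfour-hmac-md5         HTTP/proxy2.example.test@EXAMPLE.TEST
  2  aes256-cts-hmac-sha1-96  HTTP/proxy2.example.test@EXAMPLE.TEST
"""
SAMPLE_CONF = """\
[libdefaults]
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_KEYTAB, SAMPLE_CONF):
        print(*finding)
```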