Kerberos authentication only working with 1 domain server

[Drikus Brits <drikus@xxxxxxxxxxxxxxx>]

 

Hi Experts,

After much struggling it seems i've reached some point of success but yet still not. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet.  My problem as follows :

I have 1x win2008R2 server that works with kerberos authentication, but none of the other PC's in the network wants to work, the others all come up with a login challenge/

My Configs :

/etc/krb5.conf

<snip>
   #cat /etc/krb5.conf
   [logging]
  
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
  
   [libdefaults]
       default_realm = DOMAIN.CO.ZA
       dns_lookup_kdc = yes
       dns_lookup_realm = yes
       ticket_lifetime = 24h
       default_keytab_name = /etc/squid/PROXY.keytab
  
   #; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  
   [realms]
  
   DOMAIN.CO.ZA = {
        kdc = mw-ad.domain.co.za
        admin_server = mw-ad.domain.co.za
        default_domain = domain.co.za
    }
  
   [domain_realm]
  
        .domain.co.za = DOMAIN.CO.ZA
        domain.co.za = DOMAIN.CO.ZA
  
   [login]
   krb4_convert = true
   krb4_get_tickets = false
</snip>

my /etc/squid/squid.conf

   <snip>
   #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i       ###WORKING - half/half
   auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
   #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
  
  
   auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
   auth_param ntlm children 10
   auth_param ntlm keep_alive off
  
  
   auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
   auth_param basic realm Web-Proxy
   auth_param basic credentialsttl 1 minute
  
   acl proxy-auth proxy_auth REQUIRED
  
   http_access allow proxy-auth
   </snip>

When the Win2008R2 connectes is get the following in /var/log/squid3/cache.log

   <snip>

   2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).
   2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
   2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
   negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
   negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
   2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@xxxxxxxxxxxx

   </snip>

But when other PC's connect of which another win2008R2 or win10 or win7 i get :

   <snip>

   negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
   negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
   negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.
   2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. '

   </snip>

My kinit -V -kt /etc/squid3/PROXY.keytab , of which i'm sure if not supposed to say that :). I've had others that had Successfully authenticated to Kerberos V5 as well, but then the working win2008r2 doesn't work -- see below..

   <snip>

   # kinit -V -kt /etc/squid3/PROXY.keytab
   Using default cache: /tmp/krb5cc_0
   Using principal: host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx
   Using keytab: /etc/squid3/PROXY.keytab
   kinit: Preauthentication failed while getting initial credentials

   </snip>

working with "authenticated with kerberos but no srv or pc working

   <snip>

   msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn HOST/mw-sqproxy-test.domain.co.za --server    mw-ad.domain.co.za --verbose --enctypes 28

   </snip>

my working klist entries

   <snip>

   klist -ekt /etc/squid3/PROXY.keytab

   Keytab name: FILE:/etc/squid3/PROXY.keytab
   KVNO Timestamp           Principal
   ---- ------------------- ------------------------------------------------------
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   4 04/04/2016 16:29:08 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)

   </snip>

I'm using the fqdn in IE to authenticate with kerberos, if i change it to IP it only tries NTLM, which i'm assuming is correct or not?

I've investigated the PC's and all of them have properly joined the domain.

I've checked and i'm getting kvno 3 values from a working win2008r2 as well as kvno 3 values from other pc's but yet, they have a popup asking auth details.

--

Drikus Brits

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users