Extra info:
root@mw-sqproxy-test:/home/geosupport# uname -a
Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@mw-sqproxy-test:/home/geosupport# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
root@mw-sqproxy-test:/home/geosupport#
Thanks,
Drikus
On 2016-04-05 15:50, Drikus Brits wrote:
Hi Experts,
After much struggling it seems I've reached some point of success, but yet still not. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet. My problem is as follows:
I have 1x win2008R2 server that works with Kerberos authentication, but none of the other PCs in the network wants to work; the others all come up with a login challenge.
My configs:
/etc/krb5.conf
<snip>
#cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.CO.ZA
    dns_lookup_kdc = yes
    dns_lookup_realm = yes
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/PROXY.keytab
    #; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.CO.ZA = {
        kdc = mw-ad.domain.co.za
        admin_server = mw-ad.domain.co.za
        default_domain = domain.co.za
    }

[domain_realm]
    .domain.co.za = DOMAIN.CO.ZA
    domain.co.za = DOMAIN.CO.ZA

[login]
    krb4_convert = true
    krb4_get_tickets = false
</snip>
My /etc/squid/squid.conf
<snip>
#auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i
###WORKING - half/half
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl proxy-auth proxy_auth REQUIRED
http_access allow proxy-auth
</snip>
When the Win2008R2 connects I get the following in /var/log/squid3/cache.log
<snip>
2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).
2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@xxxxxxxxxxxx
</snip>
But when other PCs connect, among which another win2008R2 or win10 or win7, I get:
<snip>
negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
</snip>
My kinit -V -kt /etc/squid3/PROXY.keytab, which I'm sure is not supposed to say that :). I've had others that had "Successfully authenticated to Kerberos V5" as well, but then the working win2008r2 doesn't work -- see below.
<snip>
# kinit -V -kt /etc/squid3/PROXY.keytab
Using default cache: /tmp/krb5cc_0
Using principal: host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx
Using keytab: /etc/squid3/PROXY.keytab
kinit: Preauthentication failed while getting initial credentials
</snip>
Working with "authenticated with kerberos" but no srv or PC working:
<snip>
msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose --enctypes 28
</snip>
My working klist entries:
<snip>
klist -ekt /etc/squid3/PROXY.keytab
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   4 04/04/2016 16:29:08 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
</snip>
I'm using the FQDN in IE to authenticate with Kerberos; if I change it to IP it only tries NTLM, which I'm assuming is correct or not?
I've investigated the PCs and all of them have properly joined the domain.
I've checked and I'm getting kvno 3 values from a working win2008r2 as well as kvno 3 values from other PCs, but yet they have a popup asking for auth details.
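
As an added example (not part of the original post and not Squid or MIT Kerberos code): a small parser for `klist -ekt` output like the listing above. It groups entries by principal and key version so you can check whether the keytab holds a given (principal, kvno, enctype) entry, the three fields a keytab entry is identified by. The sample rows are abridged from the post's listing, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Rows abridged from the listing in the post (same layout as `klist -ekt`;
# the realm stays as the redacted placeholder the post shows).
SAMPLE = """\
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
"""

# kvno, date, time, principal, (enctype); header and ruler lines do not match
ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: {enctype, ...}}} from `klist -ekt` output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(2)][int(m.group(1))].add(m.group(3))
    return table

def has_key(table, principal, kvno, enctype):
    """True if the keytab holds exactly this (principal, kvno, enctype) entry."""
    return enctype in table.get(principal, {}).get(kvno, set())

def summarize(table):
    """Per principal: newest kvno, its enctypes, and older kvnos still present."""
    return {p: {"newest": max(k), "enctypes": sorted(k[max(k)]),
                "older": sorted(v for v in k if v != max(k))}
            for p, k in table.items()}

def case_variants(table):
    """Principals that differ only by letter case, e.g. HOST/... and host/..."""
    groups = defaultdict(list)
    for p in table:
        groups[p.lower()].append(p)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    for principal, info in sorted(summarize(parse_klist(SAMPLE)).items()):
        print(principal, info)
```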