I believe I might have fixed it.
Will advise soonest.
Extra info:
root@mw-sqproxy-test:/home/geosupport# uname -a
Linux mw-sqproxy-test 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@mw-sqproxy-test:/home/geosupport# squid3 -v
Squid Cache: Version 3.3.8
Ubuntu
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
root@mw-sqproxy-test:/home/geosupport#
Thanks,
Drikus
On 2016-04-05 15:50, Drikus Brits wrote:
Hi Experts,
After much struggling it seems I've reached some point of success, but not quite yet. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet. My problem is as follows:
I have one Win2008R2 server that works with Kerberos authentication, but none of the other PCs in the network want to work; they all come up with a login challenge.
My configs:
/etc/krb5.conf
<snip>
#cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.CO.ZA
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
#; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
DOMAIN.CO.ZA = {
kdc = mw-ad.domain.co.za
admin_server = mw-ad.domain.co.za
default_domain = domain.co.za
}
[domain_realm]
.domain.co.za = DOMAIN.CO.ZA
domain.co.za = DOMAIN.CO.ZA
[login]
krb4_convert = true
krb4_get_tickets = false
</snip>
My /etc/squid/squid.conf:
<snip>
#auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i ###WORKING - half/half
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl proxy-auth proxy_auth REQUIRED
http_access allow proxy-auth
</snip>
When the Win2008R2 connects I get the following in /var/log/squid3/cache.log:
<snip>
2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).
2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@xxxxxxxxxxxx
</snip>
But when other PCs connect (one of which is another Win2008R2, or Win10 or Win7) I get:
<snip>
negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
</snip>
My kinit -V -kt /etc/squid3/PROXY.keytab output, which I'm sure is not supposed to say that :). I've had others that said "Successfully authenticated to Kerberos V5" as well, but then the working Win2008R2 doesn't work; see below.
<snip>
# kinit -V -kt /etc/squid3/PROXY.keytab
Using default cache: /tmp/krb5cc_0
Using principal: host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx
Using keytab: /etc/squid3/PROXY.keytab
kinit: Preauthentication failed while getting initial credentials
</snip>
The msktutil command that gave "authenticated with Kerberos" but no server or PC working:
<snip>
msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose --enctypes 28
</snip>
My working klist entries:
<snip>
klist -ekt /etc/squid3/PROXY.keytab
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
4 04/04/2016 16:29:08 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
4 04/04/2016 16:29:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (arcfour-hmac)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
5 04/04/2016 19:19:28 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
6 04/04/2016 19:22:47 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (arcfour-hmac)
7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
7 04/04/2016 20:40:09 host/mw-sqproxy-test@xxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
</snip>
I'm using the FQDN in IE to authenticate with Kerberos; if I change it to the IP it only tries NTLM, which I'm assuming is correct, or not?
I've investigated the PCs and all of them have properly joined the domain.
I've checked and I'm getting kvno 3 values from the working Win2008R2 as well as kvno 3 values from other PCs, but they still get a popup asking for auth details.
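A small audit script, added here and not part of the thread, that parses a klist -ekt listing like the one above and reports what a practitioner checks first when gss_accept_sec_context() fails: principals carrying several KVNOs (stale entries left by repeated msktutil runs), the same service present as HOST/ and host/ or as short name and FQDN, and whether HTTP/<fqdn>@REALM exists at all. The sample listing and the realm EXAMPLE.REALM are constructed placeholders, and the date format assumed is the dd/mm/yyyy form shown in this thread's klist output.

```python
import re
from collections import defaultdict

# Constructed from the listing in the thread, with the realm replaced by a
# placeholder realm; sample input for this example, not a real keytab.
SAMPLE = """Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@EXAMPLE.REALM (arcfour-hmac)
"""

# One keytab entry: KVNO, dd/mm/yyyy timestamp, principal@REALM, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")
PATH = re.compile(r"^Keytab name:\s*(?:FILE:)?(\S+)")

def parse_klist(text):
    """Return (keytab_path, [(kvno, principal, realm, enctype), ...])."""
    path, entries = None, []
    for line in text.splitlines():
        if (m := PATH.match(line)):
            path = m.group(1)
        elif (m := ENTRY.match(line)):
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return path, entries

def audit_keytab(path, entries, fqdn, realm):
    """Flag stale KVNOs, principal-name variants, and a missing HTTP/<fqdn>."""
    kvnos = defaultdict(set)
    for kvno, princ, r, _ in entries:
        kvnos[f"{princ}@{r}"].add(kvno)
    # Group by lower-cased service and short host so HOST/ vs host/ and
    # short-name vs FQDN forms of the same service land in one bucket.
    variants = defaultdict(set)
    for full in kvnos:
        name = full.split("@", 1)[0]
        if "/" in name:
            svc, host = name.split("/", 1)
            variants[(svc.lower(), host.lower().split(".")[0])].add(name)
    return {
        "keytab_path": path,  # compare with default_keytab_name in krb5.conf
        "current_kvno": {p: max(v) for p, v in kvnos.items()},
        "multiple_kvno": {p: sorted(v) for p, v in kvnos.items() if len(v) > 1},
        "name_variants": {k: sorted(v) for k, v in variants.items() if len(v) > 1},
        "has_http_fqdn": f"HTTP/{fqdn}@{realm}" in kvnos,
    }
```

Run it against the real listing with `klist -ekt /etc/squid3/PROXY.keytab | python3 audit.py` style plumbing of your choice; the KVNO the clients present (kvno 3 in the thread) should equal the current KVNO of the HTTP/<fqdn> entry.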