Re: Negotiate Kerberos Auth - BH Invalid request

"L.P.H. van Belle" <belle@xxxxxxxxx> · Tue, 13 Jun 2017 14:54:38 +0200

First, it very handy to know your os and samba and squid 
versions used. 

Second, 
Squid/radius etc anything that uses NTLMv1 with samba stopped 
working after 4.5.0 
I 
think your main problem can be explained by this extract from the release notes 
for 4.5.0:

NTLMv1 authentication disabled by 
default
-----------------------------------------

In order to improve security we have 
changed the default value for the "ntlm auth" option from "yes" to 
"no". 
This may have impact on 
very old clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 
for VPNs and 802.1x.

By default, Samba will only allow 
NTLMv2 via NTLMSSP now, 
as we have the following default "lanman auth = no", 
"ntlm auth = no" and "raw NTLMv2 auth = no".

Greetz, 

Louis

  Van: squid-users 
  [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Kevin 
  M???hlparzer
Verzonden: dinsdag 13 juni 2017 14:00
Aan: 
  squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp:  Negotiate 
  Kerberos Auth - BH Invalid request

  Hello list,

  I asked about a problem with NTLM-Authentication before. (BH SPNEGO 
  request invalid prefix; thats the error of the helper protocol 
  "helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic 
  works fine)
  A user told me I should use negotiate_kerberos_auth instead of 
  ntlm_auth.
  Now here's my new problem:

  root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth 
  -d -s 
  HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): 
  pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 
  3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| 
  negotiate_kerberos_auth: INFO: Setting keytab to 
  FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 
  :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to 
  MEMORY:negotiate_kerberos_auth_5305
testuser 
  xxxxxxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| 
  negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 
  18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| 
  negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]
BH 
  Invalid requestSo my configuration has mistakes, but I can't find them. 
  I don't really know where to search, or what works for sure. I tried many 
  tutorials on krb5 and samba. Every form of testing I tried works fine except 
  indeed using the required kerberos authentication of my squid-proxy.

  Tests that come to my mind:
  kinit a user
  Warning: Your password will expire in 36 days on Don 20 Jul 
  2017 13:23:54 CEST

  klist
  Ticket cache: FILE:/tmp/krb5cc_0
Default principal: 
  testuser@X-XXX.LOCAL

Valid starting       
  Expires              
  Service principal
2017-06-13 13:38:37  2017-06-13 23:38:37  
  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
    renew until 2017-06-14 
  13:38:34

  klist -k on my HTTP.keytab

  Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- 
  --------------------------------------------------------------------------

  1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 
  host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 
  host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 
  host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 
  host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 
  host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 
  host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 
  host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 
  host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 
  host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 
  X-X-TESTPROXY01$@X-XXX.LOCAL
   1 
  X-X-TESTPROXY01$@X-XXX.LOCAL
   1 
  X-X-TESTPROXY01$@X-XXX.LOCAL
   1 
  X-X-TESTPROXY01$@X-XXX.LOCAL
   1 
  X-X-TESTPROXY01$@X-XXX.LOCAL

  basic-auth using ntlm

  root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth 
  --helper-protocol=squid-2.5-basic --username=testuser 
  --password=xxxxxxxx
testuser xxxxxxxxxx
OK
testuser@x-xxx.local 
  xxxxxxxx
OK

wbinfo -u
administrator
testuser
...
wbinfo 
  -g
allowed rodc password replication group
enterprise 
  read-only domain controllers
...

  wbinfo --krb5auth=testuser%xxxxxxx
plaintext kerberos password 
  authentication for [testuser%xxxxxxx] succeeded (requesting cctype: 
  FILE)

wbinfo -t
checking the trust secret for domain X-XXX via 
  RPC calls succeeded

  wbinfo --authenticate=testuser%xxxxxxxx
plaintext password 
  authentication succeeded
challenge/response password authentication 
  succeeded

  /usr/lib/squid/negotiate_kerberos_auth_test 
  x-x-testproxy01.x-xxx.local
Token: 
  YIIFOgYGKwYBBQUCoIIFLjCCBSqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCBP0EggT5YIIE9QYJKoZIhvcSAQICAQBuggTkMIIE4KADAgEFoQMCAQ6iBwMFAAAAAACjggP2YYID8jCCA+6gAwIBBaENGwtYLU5FVC5MT0NBTKIuMCygAwIBA6ElMCMbBEhUVFAbG3gtbC10ZXN0cHJveHkwMS54LW5ldC5sb2NhbKOCA6YwggOioAMCARKhAwIBAaKCA5QEggOQIMtincRDtWjh44pew3twk26Gm9rTC7CbkobNrzaRq/weljVl5TSbMQTFIVRQXVe4CQBWJ/Gcg472cgLA3mjOH8Z30zxQFP8fsK46wAtTEzJhonzXLImhaPtXvCVz94xaCVG7cBlNJCUmZQHsQMxFsGJZfKCkDvztiNplXEEwRgT7S6f8HQNm62xPAyz9aK8Wqfz9suW5cSBk8wdRAQNleKP1Xe/2LqZ4jfDpodPdcy9A8vh1dKu4tmbz+EJ/bKvWA+/twuXiOhhGq4W39TlOu/3zD87pXAh65ka1QsepkCWgUMHImDw8nUr8Zvi4j4vI9WhyMyLFYBya8BvAX9kLg73zl80g82bQVIAb8QU3gS2Akhpd7r1flfUbfRDUQfuS/bsaHspZoP+2c8+Bxy38OML4Gg29y6fJvRNfDaCnqmTQdiPtyqELVUS+4x7r260mM1wQKzD2Jb5pcz4wMHUK0sdw8xmMARGxB7XdyGSbo759GD6tOaTAKkNwccno6i9wyOoLqfhVRjE/K9FLCvCnzEFI07q1/dFz1Ce/ZzroW3nOwNQe3V6qqBELwuTvHgxIdGq4HEPeLqAUkVWxneXemRNbLKiOs/BIe3qkXxizgAkFLqRO5az2pVOD7/KBevxYZKeAgIuDsbIYG/u3Ic+KtCDaaM/to2b41SB8ZOFKJau3BuMPOvZ4ipiMbv0N/Svk4Tg61BIhN3CJYKA3ep/3p3wSfJlkcYeRVkDpasQnmFnjxV2YS7Q8nvmf9LIz+KIYBIT8X9yRPuV/E2lSELZlxJ8CySLFLUKgtMj97GPMlacc+UN3lJjyoExUKHpMZtUmaKrw7ueT3wnLMWgx0BBPkiAebUAedKj9u9sEscFylmI/+PdCCraMNbkOckCsggYXfJm6LxFZJhnDvw1+Z87xsJFDs5fasF6j8REiG8aHTmKHgt2M9TmIRNo/PsYrZGvuVQhkk2fuyFxwwyfs7ysNEkOmBWlFlTEjddjT9YShHfV8Fo8+M2UYY5nYiUIQq5BBfZ679ntivs7F80lKMOqhc7SOY63VwRJOwoq35+bnsIB08b9cttySiOcFsZb6uTnYvHzUFVSUha4nxrg3zW3fL9KVu4XY+lgCRZrBZMxioy6vbAOJBmpqXOJvel2gBbGN6PEd2ReeX43l1gcn+Bd3mQykmUIEzMMuRpSHda9233aWHbwEZ9H9rOdJdhgX4U+upIHQMIHNoAMCARKigcUEgcJu7kcC1zuJdhOQk+YA0Hw2G9kyg46tpaNIgj1CEgkD/KE28kaKivCTZTnHfrNOpIOJaaiYw4RMwJsbgZdRU+fz/jUwxvXdUSGon6JrU7S2XZ9CjXRXfdpXc4HjP0QW6Cql1SE95MpkcbMRH8FQvGNryBzsqIkELnvXceTGCmwlN3n60nqkoR5/41p2PtSz4hFMOVdT6AkPlNC5VTCtCZUj7YbrYVYImPnG3aAfQxXEHRy19/v0mL2845jZFA7Xw96s1A==

Sorry 
  for posting so many output...
I already read many documentations, but no 
  one really tests in small steps, they just assume that it works for everyone 
  out of the box...

  Does anyone have a clue what could be my mistake?

  Thanks in advance.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users