Search squid archive

Re: Negotiate Kerberos Auth - BH Invalid request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



First, it very handy to know your os and samba and squid versions used.
 
Second,
Squid/radius etc anything that uses NTLMv1 with samba stopped working after 4.5.0
I think your main problem can be explained by this extract from the release notes for 4.5.0:
 

NTLMv1 authentication disabled by default

-----------------------------------------

 

In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". 
This may have impact on very old clients which doesn't support NTLMv2 yet.

 

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

 

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no".

 

 

Greetz,

 

Louis

 

 

 


Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Kevin M???hlparzer
Verzonden: dinsdag 13 juni 2017 14:00
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Negotiate Kerberos Auth - BH Invalid request

Hello list,


I asked about a problem with NTLM-Authentication before. (BH SPNEGO request invalid prefix; thats the error of the helper protocol "helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine)

A user told me I should use negotiate_kerberos_auth instead of ntlm_auth.

Now here's my new problem:


root@x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305
testuser xxxxxxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]
BH Invalid request
So my configuration has mistakes, but I can't find them. I don't really know where to search, or what works for sure. I tried many tutorials on krb5 and samba. Every form of testing I tried works fine except indeed using the required kerberos authentication of my squid-proxy.


Tests that come to my mind:

kinit a user

Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST



klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@X-XXX.LOCAL

Valid starting       Expires              Service principal
2017-06-13 13:38:37  2017-06-13 23:38:37  krbtgt/X-XXX.LOCAL@X-XXX.LOCAL
    renew until 2017-06-14 13:38:34


klist -k on my HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/x-x-testproxy01.x-xxx.local@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 host/X-X-TESTPROXY01@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL
   1 X-X-TESTPROXY01$@X-XXX.LOCAL

basic-auth using ntlm

root@x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxx
testuser xxxxxxxxxx
OK
testuser@x-xxx.local xxxxxxxx
OK

wbinfo -u
administrator
testuser
...
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
...

wbinfo --krb5auth=testuser%xxxxxxx
plaintext kerberos password authentication for [testuser%xxxxxxx] succeeded (requesting cctype: FILE)

wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded

wbinfo --authenticate=testuser%xxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local
Token: YIIFOgYGKwYBBQUCoIIFLjCCBSqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCBP0EggT5YIIE9QYJKoZIhvcSAQICAQBuggTkMIIE4KADAgEFoQMCAQ6iBwMFAAAAAACjggP2YYID8jCCA+6gAwIBBaENGwtYLU5FVC5MT0NBTKIuMCygAwIBA6ElMCMbBEhUVFAbG3gtbC10ZXN0cHJveHkwMS54LW5ldC5sb2NhbKOCA6YwggOioAMCARKhAwIBAaKCA5QEggOQIMtincRDtWjh44pew3twk26Gm9rTC7CbkobNrzaRq/weljVl5TSbMQTFIVRQXVe4CQBWJ/Gcg472cgLA3mjOH8Z30zxQFP8fsK46wAtTEzJhonzXLImhaPtXvCVz94xaCVG7cBlNJCUmZQHsQMxFsGJZfKCkDvztiNplXEEwRgT7S6f8HQNm62xPAyz9aK8Wqfz9suW5cSBk8wdRAQNleKP1Xe/2LqZ4jfDpodPdcy9A8vh1dKu4tmbz+EJ/bKvWA+/twuXiOhhGq4W39TlOu/3zD87pXAh65ka1QsepkCWgUMHImDw8nUr8Zvi4j4vI9WhyMyLFYBya8BvAX9kLg73zl80g82bQVIAb8QU3gS2Akhpd7r1flfUbfRDUQfuS/bsaHspZoP+2c8+Bxy38OML4Gg29y6fJvRNfDaCnqmTQdiPtyqELVUS+4x7r260mM1wQKzD2Jb5pcz4wMHUK0sdw8xmMARGxB7XdyGSbo759GD6tOaTAKkNwccno6i9wyOoLqfhVRjE/K9FLCvCnzEFI07q1/dFz1Ce/ZzroW3nOwNQe3V6qqBELwuTvHgxIdGq4HEPeLqAUkVWxneXemRNbLKiOs/BIe3qkXxizgAkFLqRO5az2pVOD7/KBevxYZKeAgIuDsbIYG/u3Ic+KtCDaaM/to2b41SB8ZOFKJau3BuMPOvZ4ipiMbv0N/Svk4Tg61BIhN3CJYKA3ep/3p3wSfJlkcYeRVkDpasQnmFnjxV2YS7Q8nvmf9LIz+KIYBIT8X9yRPuV/E2lSELZlxJ8CySLFLUKgtMj97GPMlacc+UN3lJjyoExUKHpMZtUmaKrw7ueT3wnLMWgx0BBPkiAebUAedKj9u9sEscFylmI/+PdCCraMNbkOckCsggYXfJm6LxFZJhnDvw1+Z87xsJFDs5fasF6j8REiG8aHTmKHgt2M9TmIRNo/PsYrZGvuVQhkk2fuyFxwwyfs7ysNEkOmBWlFlTEjddjT9YShHfV8Fo8+M2UYY5nYiUIQq5BBfZ679ntivs7F80lKMOqhc7SOY63VwRJOwoq35+bnsIB08b9cttySiOcFsZb6uTnYvHzUFVSUha4nxrg3zW3fL9KVu4XY+lgCRZrBZMxioy6vbAOJBmpqXOJvel2gBbGN6PEd2ReeX43l1gcn+Bd3mQykmUIEzMMuRpSHda9233aWHbwEZ9H9rOdJdhgX4U+upIHQMIHNoAMCARKigcUEgcJu7kcC1zuJdhOQk+YA0Hw2G9kyg46tpaNIgj1CEgkD/KE28kaKivCTZTnHfrNOpIOJaaiYw4RMwJsbgZdRU+fz/jUwxvXdUSGon6JrU7S2XZ9CjXRXfdpXc4HjP0QW6Cql1SE95MpkcbMRH8FQvGNryBzsqIkELnvXceTGCmwlN3n60nqkoR5/41p2PtSz4hFMOVdT6AkPlNC5VTCtCZUj7YbrYVYImPnG3aAfQxXEHRy19/v0mL2845jZFA7Xw96s1A==



Sorry for posting so many output...
I already read many documentations, but no one really tests in small steps, they just assume that it works for everyone out of the box...

Does anyone have a clue what could be my mistake?

Thanks in advance.



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux