Re: [squid-users] Re: kerberos (AD) authentication - squid_kerb_auth

From: Jeremy Monnet <jmonnet_at_gmail.com>
Date: Wed, 26 Aug 2009 12:28:15 +0200

On Wed, Aug 26, 2009 at 11:06 AM, Mrvka Andreas<mrv_at_tuv.at> wrote:
> hi,
>
> if you have made the wiki[...]/Kerberos guide through then you are close to
> the goal.
I hope so anyway :-)

>
> it seems that your problem is only configuration error on client side.
I am not so sure anymore. I tried to use the squid_kerb_auth_test
utility, but it still gives me errors on the tokens (see below for
listings). I may add that I compiled both squid3.0 and squid_kerb_auth
1.0.5. I used squid_kerb_auth_test with both squid_kerb_auth from the
squid_kerb_auth1.0.5 package and the squid3.0 package. I get errors in
both cases (though not the same, but that may simply be that one is
older).

I am using a Windows Server 2003 R2 corporate with SP2, in case there
may be an issue with a SP or something.

Last thing I can think of is the way I created the keytab (but
Kerberos seems to like it this way):
ktpass -out squidproxy.krb5.keytab -pass Password1 -princ
HTTP/squidproxy.ad.simia.fr@ad.simia.fr -mapuser host_squid -ptype
KRB5_NT_SRV_HST -crypto DES-CBC-MD5 (could have used RC4-HMAC, but I
had problems before when I put in place Unix authentication on
AD/Kerberos).

>
> since with squid_kerb_auth it is a MUST to configure the FQDN of squid in the IE
> settings.
I did it this way ... :-/

>
> at my place IE 7, IE 8 and FF 3.5 works great with squid_kerb_auth.
Hope I can make it work also.

Thanks,

Jeremy

squid_kerb_auth_test:
############
squidproxy:~/squid/squid_kerb_auth-1.0.5# kdestroy
squidproxy:~/squid/squid_kerb_auth-1.0.5# kinit jems@AD.SIMIA.FR
jems@AD.SIMIA.FR's Password:
squidproxy:~/squid/squid_kerb_auth-1.0.5#
/root/squid/squid_kerb_auth-1.0.5/squid_kerb_auth_test
squidproxy.ad.simia.fr | /usr/local/libexec/squid_kerb_auth -d -s
HTTP/squidproxy.ad.simia.fr
2009/08/26 12:17:10| squid_kerb_auth: Got 'Token:
[...]'
from squid (length: 1699).
2009/08/26 12:17:10| squid_kerb_auth: gss_accept_sec_context() failed:
 A token was invalid. unknown mech-code 0 for mech unknown
NA gss_accept_sec_context() failed: A token was invalid. unknown
mech-code 0 for mech unknown
##############

Squid log when trying from the Windows box:
##############
2009/08/26 12:23:30.633| authenticateValidateUser: Auth_user_request was NULL!
2009/08/26 12:23:30.633| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2009/08/26 12:23:30.941| authenticateAuthenticate: no connection
authentication type
2009/08/26 12:23:30.942| AuthUser::AuthUser: Initialised auth_user
'0x9b0e640' with refcount '0'.
2009/08/26 12:23:30.942| AuthUserRequest::AuthUserRequest: initialised
request 0x9b12418
2009/08/26 12:23:30.954| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.955| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.956| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.957| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2009/08/26 12:23:30.957| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.958| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.959| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.960| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:30.961| AuthUserRequest::~AuthUserRequest: freeing
request 0x9b12418
2009/08/26 12:23:32.123| authenticateValidateUser: Auth_user_request was NULL!
2009/08/26 12:23:32.124| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2009/08/26 12:23:32.395| authenticateAuthenticate: no connection
authentication type
2009/08/26 12:23:32.395| AuthUser::AuthUser: Initialised auth_user
'0x9b0e688' with refcount '0'.
2009/08/26 12:23:32.396| AuthUserRequest::AuthUserRequest: initialised
request 0x9b12418
2009/08/26 12:23:32.396| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.397| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.398| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.399| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'
2009/08/26 12:23:32.399| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.400| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.401| authenticateValidateUser: Validated Auth_user
request '0x9b12418'.
2009/08/26 12:23:32.403| AuthUserRequest::~AuthUserRequest: freeing
request 0x9b12418
##############
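The 'BH received type 1 NTLM token' line above is squid_kerb_auth saying that what the browser put in its Proxy-Authorization: Negotiate header was an NTLM NEGOTIATE message (type 1), not a Kerberos ticket. The following is an added diagnostic example, not code from the thread or from the squid_kerb_auth project: it decodes the base64 Negotiate token (bare NTLMSSP, raw Kerberos, or a SPNEGO NegTokenInit), lists the mechanisms the client offered in order of preference, and names the mechanism of the embedded token, so you can tell an NTLM fallback from a Kerberos ticket that the helper rejected. The OIDs are the standard GSS-API mechanism identifiers; the three sample tokens at the bottom are constructed here (the Kerberos one carries a placeholder body, not a real AP-REQ) and only serve to exercise the parser.

```python
"""Classify the value of a 'Proxy-Authorization: Negotiate <base64>' header."""
import base64
import struct

# DER-encoded OID contents (without the 0x06 tag and length) of the GSS mechanisms of interest.
OID_SPNEGO  = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLMSSP: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _tlv(tag, value):
    """Encode one DER TLV (only used to build the constructed sample tokens below)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def _mech_of(token):
    """Name the mechanism a token blob belongs to, or None if unrecognised."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLMSSP"
    if token[:1] == b"\x60":                        # RFC 2743 InitialContextToken: 0x60 len { OID, inner }
        tag, oid, _ = _read_tlv(_read_tlv(token)[1])
        if tag == 0x06:
            return MECH_NAMES.get(oid, "OID " + oid.hex())
    return None


def classify_negotiate_token(b64):
    """Describe what the client actually sent: outer mechanism, offered mechTypes, embedded token."""
    raw = base64.b64decode(b64)
    result = {"outer": None, "mech_types": [], "inner": None, "ntlm_type": None}
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Bare NTLMSSP without any SPNEGO wrapper; MessageType is the little-endian uint32 at offset 8.
        result["outer"] = "NTLMSSP"
        result["ntlm_type"] = struct.unpack_from("<I", raw, 8)[0]
        return result
    result["outer"] = _mech_of(raw)
    if result["outer"] != "SPNEGO":
        return result                               # raw Kerberos, or something we do not understand
    _, body, _ = _read_tlv(raw)
    _, _, pos = _read_tlv(body)                     # skip the SPNEGO OID
    tag, neg_token, _ = _read_tlv(body, pos)
    if tag != 0xA0:                                 # a client's first message is [0] NegTokenInit
        return result
    _, seq, _ = _read_tlv(neg_token)                # NegTokenInit ::= SEQUENCE { [0] mechTypes, ..., [2] mechToken }
    p = 0
    while p < len(seq):
        tag, val, p = _read_tlv(seq, p)
        if tag == 0xA0:                             # [0] mechTypes: SEQUENCE OF OID, most preferred first
            _, lst, _ = _read_tlv(val)
            q = 0
            while q < len(lst):
                _, oid, q = _read_tlv(lst, q)
                result["mech_types"].append(MECH_NAMES.get(oid, "OID " + oid.hex()))
        elif tag == 0xA2:                           # [2] mechToken: OCTET STRING with the first mechanism's token
            _, inner, _ = _read_tlv(val)
            result["inner"] = _mech_of(inner)
            if result["inner"] == "NTLMSSP":
                result["ntlm_type"] = struct.unpack_from("<I", inner, 8)[0]
    return result


def verdict(b64):
    """One-line reading of the token, in the spirit of squid_kerb_auth's own error strings."""
    info = classify_negotiate_token(b64)
    if info["outer"] == "NTLMSSP" or info["inner"] == "NTLMSSP":
        return "client sent NTLM (type %d) inside Negotiate rather than a Kerberos ticket" % info["ntlm_type"]
    if info["inner"] in ("KRB5", "MS-KRB5") or info["outer"] in ("KRB5", "MS-KRB5"):
        return "Kerberos token present; a failure now is on the proxy side (keytab, SPN, encryption type)"
    return "unrecognised token (outer=%s, mechTypes=%s)" % (info["outer"], info["mech_types"])


# --- constructed samples (not captured traffic) ---------------------------------------------
def ntlm_type1():
    """Minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, type, flags, zeroed domain/workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0x00000207) + b"\x00" * 16


def spnego_init(mech_types, mech_token):
    """SPNEGO NegTokenInit wrapping mech_token, base64 as it would appear in the header."""
    types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, m) for m in mech_types)))
    tok = _tlv(0xA2, _tlv(0x04, mech_token))
    return base64.b64encode(_tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, types + tok)))).decode()


def fake_krb5_token():
    """Stand-in for a KRB5 InitialContextToken (OID, TOK_ID 01 00, placeholder body); not a real AP-REQ."""
    return _tlv(0x60, _tlv(0x06, OID_KRB5) + b"\x01\x00" + b"<AP-REQ placeholder>")


SAMPLE_NTLM_FALLBACK = spnego_init([OID_NTLMSSP, OID_MS_KRB5, OID_KRB5], ntlm_type1())
SAMPLE_KERBEROS = spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], fake_krb5_token())
SAMPLE_BARE_NTLM = base64.b64encode(ntlm_type1()).decode()

if __name__ == "__main__":
    for name, tok in [("ntlm-fallback", SAMPLE_NTLM_FALLBACK), ("kerberos", SAMPLE_KERBEROS),
                      ("bare-ntlm", SAMPLE_BARE_NTLM)]:
        print(name, "->", verdict(tok))
```

To use it on real traffic, paste the base64 that squid_kerb_auth -d prints after 'Got 'Token:' (or the header value from a packet capture) into verdict(). A client that offers NTLMSSP first and embeds an NTLM type 1 message did not obtain a service ticket for the proxy at all; the usual reasons, in general Windows/Kerberos experience rather than anything established in this thread, are the proxy not being addressed by the FQDN that the HTTP/ SPN was registered for, the SPN being missing or duplicated in AD, or the KDC being unable to issue a ticket in an encryption type the keytab supports (a DES-only keytab, as created above, requires DES to be enabled for the mapped account). A SPNEGO token that embeds a real KRB5 token but is still rejected with 'A token was invalid' points instead at the proxy's keytab, SPN name or key version.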
Received on Wed Aug 26 2009 - 10:28:26 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 26 2009 - 12:00:04 MDT