Re: [squid-users] Re: Re: squid_kerb_auth problem

From: Jose Lopes <jlopes_at_iportalmais.pt>
Date: Tue, 19 Jan 2010 11:25:47 +0000

Hi,

I have the same problem.
I have already set network.negotiate-auth.trusted-uris to proxy domain.
At the firefox (FF) log appears:
0[825140]: service = squid.domain
0[825140]: using negotiate-sspi
0[825140]: nsAuthSSPI::Init
0[825140]: InitSSPI
0[825140]: Using SPN of [HTTP/squid.domain]
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Sending a token of length 40
0[825140]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
0[825140]: entering nsAuthSSPI::GetNextToken()
0[825140]: Cannot restart authentication sequence!

The HTTP messages between squid and FF are:

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

FF -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> FF
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

I already have IE working, and the HTTP seems similar.

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

SQUID -> IE
HTTP/1.0 407 Proxy Authentication Required
Server: squid/3.0.STABLE14
[...]
Proxy-Authenticate: Negotiate
[...]

IE -> SQUID
GET http://www.squid-cache.org/ HTTP/1.1
[...]
Proxy-Authorization: Negotiate YIIE+gYGKwYBBQUCoIIE7jCCBOqgJDAiBgkqhkiC9xIBAgIGC[...]
[...]

SQUID -> IE
HTTP/1.0 200 OK
[...]
Proxy-Authentication-Info: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICoo[...]
[...]

Seems like at first IE uses NTLM and at second uses Kerberos.

I think FF is similar, but FF doesn't allow the second iteration.

How can I put Kerberos as the first iteration?

Thanks in advance
Regards
Jose

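As an added illustration (not part of this thread, and not squid's or squid_kerb_auth's own code), the Python below decodes the base64 blob that follows "Negotiate" in the headers above, or the YR/AF lines of the helper, and says whether it is an NTLMSSP message, a SPNEGO NegTokenInit with the mechanisms it offers, a bare Kerberos GSS-API token (the "plain GSSAPI token, not wrapped in SPNEGO" that Markus describes for rc=102), or a SPNEGO NegTokenResp. The two tokens fed in at the bottom are copied from this thread (the first client token, which is the same for FF and IE, and the helper's AF reply); the NegTokenInit and bare-Kerberos samples are constructed in the script and the AP-REQ inside the bare token is omitted. The helper's rc values are not reproduced, only the token kinds they react to.

```python
"""Classify the base64 blob behind a Negotiate header or a squid_kerb_auth
YR/AF line: NTLMSSP, SPNEGO NegTokenInit, bare Kerberos GSS-API, or NegTokenResp.
Added example for reading proxy logs; not squid's or the helper's own code."""
import base64

# DER contents of the mechanism OIDs seen in Negotiate tokens (RFC 4178, RFC 4121, MS-SPNG).
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _tlv(buf, pos=0):
    """Return (tag, contents, offset after element) for the DER element at pos."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    length, start = _der_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the token")
    return buf[pos], buf[start:end], end


def _elements(buf):
    """Yield (tag, contents) for DER elements packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = _tlv(buf, pos)
        yield tag, body


def _oid_name(oid):
    return OID_NAMES.get(oid, "unknown OID " + oid.hex())


def _spnego_mech_types(neg_token):
    """mechTypes offered by a NegTokenInit ([0] wrapping a SEQUENCE, RFC 4178 4.2.1)."""
    choice_tag, choice, _ = _tlv(neg_token)
    if choice_tag != 0xA0:
        raise ValueError("expected NegTokenInit after the SPNEGO OID")
    _, seq, _ = _tlv(choice)
    for tag, body in _elements(seq):
        if tag == 0xA0:  # mechTypes [0] MechTypeList
            _, oid_list, _ = _tlv(body)
            return [_oid_name(o) for t, o in _elements(oid_list) if t == 0x06]
    return []


def classify_negotiate_token(b64):
    """Classify one base64 Negotiate token; raises ValueError on junk."""
    raw = base64.b64decode(b64)
    # NTLMSSP is not ASN.1 at all: an 8-byte signature, then a little-endian message type.
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        return {"kind": "ntlm", "message_type": int.from_bytes(raw[8:12], "little")}
    tag, body, _ = _tlv(raw)
    if tag == 0x60:  # GSS-API InitialContextToken: thisMech OID, then the inner token
        oid_tag, oid, rest = _tlv(body)
        if oid_tag != 0x06:
            raise ValueError("InitialContextToken without a mechanism OID")
        if oid == SPNEGO_OID:
            return {"kind": "spnego-init", "mech_types": _spnego_mech_types(body[rest:])}
        return {"kind": "gssapi", "mech": _oid_name(oid)}
    if tag == 0xA1:  # SPNEGO NegTokenResp, the shape of the helper's AF reply in the thread
        _, seq, _ = _tlv(body)
        result = {"kind": "spnego-resp"}
        for inner_tag, inner in _elements(seq):
            if inner_tag == 0xA0:  # negState [0] ENUMERATED
                _, state, _ = _tlv(inner)
                result["neg_state"] = NEG_STATES.get(state[0], "unknown")
            elif inner_tag == 0xA1:  # supportedMech [1] OID
                _, mech, _ = _tlv(inner)
                result["supported_mech"] = _oid_name(mech)
        return result
    raise ValueError(f"unrecognised token, leading tag 0x{tag:02x}")


def _der(tag, content):
    """Minimal DER TLV encoder (lengths below 65536), used only to build the samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def sample_spnego_init(mechs):
    """Constructed NegTokenInit offering `mechs` (DER OID contents) with no mechToken."""
    mech_list = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    neg_init = _der(0x30, _der(0xA0, mech_list))
    token = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))
    return base64.b64encode(token).decode()


def sample_raw_krb5():
    """Constructed stand-in for a bare Kerberos GSS-API token (inner AP-REQ omitted)."""
    return base64.b64encode(_der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00")).decode()


# Copied from the thread: the first client token (FF and IE alike) and the helper's AF reply.
FIRST_CLIENT_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
HELPER_AF_TOKEN = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="

if __name__ == "__main__":
    samples = [("first client token", FIRST_CLIENT_TOKEN),
               ("helper AF reply", HELPER_AF_TOKEN),
               ("constructed NegTokenInit", sample_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])),
               ("constructed bare krb5", sample_raw_krb5())]
    for label, tok in samples:
        print(f"{label}: {classify_negotiate_token(tok)}")
```

Run against the thread's first client token it reports an NTLM type 1 message, which is what the helper logged as "received type 1 NTLM token"; the AF line decodes to a NegTokenResp with negState accept-completed and supportedMech Kerberos V5, i.e. the helper accepted a Kerberos context. The constructed bare token comes back as plain "gssapi / Kerberos V5" with no SPNEGO wrapper, the case Markus ties to rc=102.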
Markus Moeller wrote:
>
> The message parseNegTokenInit failed with rc=102 just means the token
> is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI
> token. When you use firefox you have to do a kinit first to store the
> AS token in the Kerberos cache for Firefox to use and I think Firefox
> has to be configured with network.negotiate-auth.trusted-uris to be
> set to the domains of your proxy server.
>
> Regards
> Markus
>
> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
> news:c3b47c041001181054n7091ea3aj761a508938de74e3_at_mail.gmail.com...
> Hi Markus
> Sorry yes you were right, it was DNS.
>
> In our environment we are running two DNS servers. One using MS DNS
> and the other using unix BIND. The linux server was added to the unix
> DNS (with name proxy1.domain.com) but not to the MS DNS which was
> authority for ad.domain.com. Now that I think about it our MS DNS has
> issues doing reverse lookups for IPs that the unix DNS is authority
> for (which in this case was proxy1.domain.com).
>
> I changed linux server name to proxy1.ad.domain.com and now the
> squid_kerb_auth_test works.
> Using your squid_kerb_auth (version 1.0.5) I get:
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
> 2010/01/18 20:25:10| squid_kerb_auth: AF
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
> When I try the same thing with the auth from squid-2.7.STABLE7.tar.bz2
> I get
> 2010/01/18 20:29:07| squid_kerb_auth: parseNegTokenInit failed with
> rc=102
> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
> 2010/01/18 20:29:07| squid_kerb_auth: AF
> oRQwEqADCgEAoQsGCSqGSIb3EgECAg== user_at_AD.DOMAIN.COM
> Is the parseNegTokenInit failed with rc=102 ok?
>
> I then tried running squid and used Firefox 3.5.7. I got the following
> error from squid cache:
>
> authenticateNegotiateHandleReply: Failed validating user via
> Negotiate. Error returned 'type 1 NTLM token'
>
> Any ideas? Also I don't get any authentication popups for userid and
> password...
>
> A sample of the log:
> 2010/01/18 20:47:58| squid_kerb_auth: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/01/18 20:47:58| squid_kerb_auth: parseNegTokenInit failed with
> rc=101
> 2010/01/18 20:47:58| squid_kerb_auth: received type 1 NTLM token
> 2010/01/18 20:47:58| do_comm_select: 1 fds ready
> 2010/01/18 20:47:58| cbdataValid: 0x1838d448
> 2010/01/18 20:47:58| helperStatefulHandleRead: 30 bytes from
> negotiateauthenticator #1.
> 2010/01/18 20:47:58| commSetSelect: FD 7 type 1
> 2010/01/18 20:47:58| helperStatefulHandleRead: end of reply found
> 2010/01/18 20:47:58| cbdataValid: 0x18648bb8
> 2010/01/18 20:47:58| cbdataValid: 0x185cad18
> 2010/01/18 20:47:58| helperStatefulReleaseServer: 0x1838d448
> 2010/01/18 20:47:58| helperStatefulReset: 0x1838d448
> 2010/01/18 20:47:58| StatefulGetFirstAvailable: Running servers 10.
> 2010/01/18 20:47:58| authenticateNegotiateHandleReply: Failed
> validating user via Negotiate. Error returned 'type 1 NTLM token'
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| cbdataValid: 0x183561a8
> 2010/01/18 20:47:58| aclCheck: checking 'http_access deny !password'
> 2010/01/18 20:47:58| aclMatchAclList: checking !password
> 2010/01/18 20:47:58| aclMatchAcl: checking 'acl password proxy_auth
> REQUIRED'
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| authenticateNegotiateAuthenticateUser: need to
> challenge client 'received'!
> 2010/01/18 20:47:58| authenticateValidateUser: Validated Auth_user
> request '0x18648960'.
> 2010/01/18 20:47:58| aclAuthenticated: returning 0 sending
> authentication challenge.
> 2010/01/18 20:47:58| aclCheck: match found, returning 2
> 2010/01/18 20:47:58| cbdataUnlock: 0x183561a8
> 2010/01/18 20:47:58| aclCheckCallback: answer=2
> 2010/01/18 20:47:58| cbdataValid: 0x185ca298
> 2010/01/18 20:47:58| The request GET
> http://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
>
> is DENIED, because it matched 'password'
>
> My acl for this was:
> 'http_access deny !password'
>
> Regards
> Umesh
>
> 2010/1/16 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Can you check your DNS you should get for
>>
>> nslookup name an ip
>> and for the reverse
>> nslookup ip the same name.
>>
>> Which Kerberos libraries do you use ? Heimdal or MIT and which release ?
>>
>> Markus
>>
>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>> news:c3b47c041001160337k68a1313g1863689383a15121_at_mail.gmail.com...
>> Hi
>>
>> When I tried
>> ./squid_kerb_auth_test proxy1
>> or
>> ./squid_kerb_auth_test proxy1.domain.com
>> I got
>> 2010/01/16 12:31:47| squid_kerb_auth_test: gss_init_sec_context()
>> failed: Unspecified GSS failure. Minor code may provide more
>> information. Unknown code krb5 7
>> Token: NULL
>>
>> But I got a token if I used
>> ./squid_kerb_auth_test domain.com
>> or
>> ./squid_kerb_auth_test adserver.domain.com
>>
>> Using this token and squid auth in the same directory I got
>>
>> squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. No error
>> BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>> code may provide more information. No error
>>
>> Using the same token on the latest compiled squid
>> /usr/local/squid/libexec/squid_kerb_auth -d
>> I got
>>
>> 2010/01/16 12:55:58| squid_kerb_auth: parseNegTokenInit failed with
>> rc=102
>> 2010/01/16 12:55:58| squid_kerb_auth: gss_accept_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide more information. No
>> error
>> NA gss_accept_sec_context() failed: Unspecified GSS failure. Minor
>> code may provide more information. No error
>>
>> Any ideas?
>> Regards
>> Umesh
>>
>>
>>
>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>
>>> There should be a squid_kerb_auth_test application in the same source
>>> directory as squid_kerb_auth.
>>>
>>> Do a kinit user_at_DOMAIN and then a squid_kerb_auth_test squid-fqdn which
>>> should give you a token like:
>>>
>>> Token: YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>>
>>> which you can then use with squid_kerb_auth like
>>>
>>> export KRB5_KTNAME=/path-to-squid.keytab.
>>> ./squid_kerb_auth -d
>>> YR YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkqhkiG......
>>> 2010/01/15 14:40:29| squid_kerb_auth: Got 'YR
>>> YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' from squid (length: 775).
>>> 2010/01/15 14:40:29| squid_kerb_auth: Decode
>>> 'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
>>> AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus_at_SUSE.HOME
>>> 2010/01/15 14:40:29| squid_kerb_auth: AF
>>> oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
>>> markus_at_SUSE.HOME
>>>
>>>
>>> Regards
>>> Markus
>>>
>>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>>> news:hipnhp$hs3$1_at_ger.gmane.org...
>>>>
>>>> When you use ktpass or msktutil you have to specify a different AD object
>>>> than your samba object and remove the HTTP/... entries as service principal
>>>> from your samba AD object. If you want to have only one AD object you have
>>>> to use the net keytab command as described in the wiki.
>>>>
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>>
>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>> news:c3b47c041001150053n290d6443q830770300636a0ca_at_mail.gmail.com...
>>>> Hi
>>>> Ok. Did that now and I got:
>>>>
>>>> kvno HTTP/proxy1.domain.com
>>>> HTTP/proxy1_at_DOMAIN.COM: kvno = 5
>>>>
>>>> This number is different from the keytab number.
>>>> How do I correct this?
>>>>
>>>> Yes I did use samba (net ads join -U adminuserid). Then I tried the
>>>> msktutil. Then finally ktpass.
>>>>
>>>> During the net ads join I got:
>>>>
>>>> # net ads join -U userid
>>>> userid's password:
>>>> Using short domain name -- DOMAIN
>>>> DNS update failed!
>>>> Joined 'PROXY1' to realm 'DOMAIN.COM'
>>>>
>>>> Is the DNS update a problem?
>>>>
>>>> Regards
>>>> Umesh
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2010/1/15 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>
>>>>> Sorry I forgot to say that you have to do a kinit aduser_at_REALM before you
>>>>> issue the kvno command. Did you use the samba netjoin command to create
>>>>> the AD account and the keytab ?
>>>>>
>>>>> Markus
>>>>>
>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>> news:c3b47c041001140513s2af2a25fp7e103af29dfc3cbd_at_mail.gmail.com...
>>>>> Hi Markus
>>>>> I've checked with ADSIEDIT and found a single entry for the linux
>>>>> server named proxy1.
>>>>> Clicking on its properties I found the following entries for service
>>>>> Principal Name:
>>>>>
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
>>>>>
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
>>>>>
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
>>>>>
>>>>> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>>>>>
>>>>> On the linux box:
>>>>>
>>>>> # klist -ekt /etc/squid/HTTP.keytab
>>>>> Keytab name: FILE:/etc/squid/HTTP.keytab
>>>>> KVNO Timestamp Principal
>>>>> ---- -----------------
>>>>> --------------------------------------------------------
>>>>> 7 01/01/70 02:00:00 HTTP/proxy1.domain.com_at_AD.DOMAIN.COM (ArcFour
>>>>> with HMAC/md5)
>>>>>
>>>>> # kvno HTTP/proxy1.domain.com
>>>>> kvno: Ticket expired while getting credentials for
>>>>> HTTP/proxy1.domain.com_at_AD.DOMAIN.COM
>>>>> # kvno HTTP/proxy1
>>>>> kvno: Ticket expired while getting credentials for
>>>>> HTTP/proxy1_at_AD.DOMAIN.COM
>>>>>
>>>>> Should I remove the entry on AD, rejoin the pc to AD and create the
>>>>> keytab again?
>>>>> Which mechanism should I use to create the keytab?
>>>>> Is my DNS correct if the pc came up on AD as proxy1 should it be the
>>>>> fqdn (proxy1.domain.com)?
>>>>>
>>>>> Regards
>>>>> Umesh
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>
>>>>>> On AD you can use ADSIEDIT
>>>>>> (http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx)
>>>>>> to search for entries and delete or modify them. The best instructions are
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>
>>>>>> Let me know what you get once you deleted the old entry. Another check is
>>>>>> to use the kvno tool which you should have when you use MIT Kerberos.
>>>>>>
>>>>>> #kvno HTTP/fqdn_at_REALM should give the same number as klist -ekt
>>>>>> squid.keytab
>>>>>> e.g.
>>>>>>
>>>>>> # klist -ekt /etc/squid/squid.keytab
>>>>>> Keytab name: FILE:/etc/squid/squid.keytab
>>>>>> KVNO Timestamp Principal
>>>>>> ---- -----------------
>>>>>> --------------------------------------------------------
>>>>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (ArcFour
>>>>>> with
>>>>>> HMAC/md5)
>>>>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (Triple
>>>>>> DES cbc
>>>>>> mode with HMAC/sha1)
>>>>>> 3 11/25/08 20:54:17 HTTP/opensuse11.suse.home_at_SUSE.HOME (DES cbc
>>>>>> mode
>>>>>> with
>>>>>> CRC-32)
>>>>>>
>>>>>> #kvno HTTP/opensuse11.suse.home
>>>>>> HTTP/opensuse11.suse.home_at_SUSE.HOME: kvno = 3
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>> Markus
>>>>>>
>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>> news:c3b47c041001130210i6299c910g51bb3a2ffa5c45f_at_mail.gmail.com...
>>>>>> Hi,
>>>>>> I'm new to this. I've run the following command on the server:
>>>>>>
>>>>>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>>>>>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/fqdn_at_REALM"
>>>>>>
>>>>>> and get
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <OU=name,DC=domain,DC=com> with scope subtree
>>>>>> # filter: serviceprincipalname=HTTP/fqdn_at_REALM
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>> Is it possible to check directly on AD if this service principal name
>>>>>> exists?
>>>>>> How else can I test if this keytab works?
>>>>>> If I create a new keytab what is the procedure of getting rid of the
>>>>>> old one and retesting (what should be done on AD and the linux box)?
>>>>>>
>>>>>> Are there any docs that will help me with this?
>>>>>>
>>>>>> Sorry for being a pain and thanks again.
>>>>>> Regards
>>>>>> Umesh
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2010/1/13 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>>>>
>>>>>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>>>>>> or search with a filter "(serviceprincipalname=HTTP/fqdn_at_REALM)" if you
>>>>>>> have duplicate entries ?
>>>>>>>
>>>>>>> This kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS will
>>>>>>> only work if the userprincipal name is HTTP/fqdn_at_REALM.KERBEROS which I
>>>>>>> think is not the case with ktpass.
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>> Markus
>>>>>>>
>>>>>>>
>>>>>>> "Umesh Bodalina" <u.bodalina_at_gmail.com> wrote in message
>>>>>>> news:c3b47c041001120741n6c2edf4ftd67dbe4b5cf1e2f0_at_mail.gmail.com...
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>>>>>> Active Directory (win 2003 sp2).
>>>>>>>>
>>>>>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>>>>>> 64 bit.
>>>>>>>>
>>>>>>>> Squid Cache: Version 2.7.STABLE7
>>>>>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>>>>>> '--disable-wccpv2' '--enable-large-cache-files'
>>>>>>>> '--with-large-files'
>>>>>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>>>>>> '--enable-ntlm-auth-helpers=SMB'
>>>>>>>> '--enable-auth=basic,ntlm,negotiate'
>>>>>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>>>>>
>>>>>>>>
>>>>>>>> A keytab file was created on AD for squid
>>>>>>>> (HTTP/squid.domain_at_REALM.KERBEROS)
>>>>>>>>
>>>>>>>> ktpass -princ HTTP/fqdn_at_REALM -mapuser squiduser
>>>>>>>> -pass password -out HTTP.keytab
>>>>>>>>
>>>>>>>> Transferred the file on the CentOS server and placed it
>>>>>>>> in /etc/squid/HTTP.keytab
>>>>>>>>
>>>>>>>>
>>>>>>>> kinit -k -t /etc/squid/squid.keytab HTTP/fqdn_at_REALM.KERBEROS
>>>>>>>>
>>>>>>>> I get the error message:
>>>>>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>>>>>> credentials
>>>>>>>>
>>>>>>>>
>>>>>>>> I've also tried creating the keytab file using
>>>>>>>> msktutil or samba according to the following doc:
>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>>>>>
>>>>>>>> I get the same error.
>>>>>>>>
>>>>>>>> How do I sort out this problem?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>> Regards
>>>>>>>> Umesh
>>>>>>>>
Received on Tue Jan 19 2010 - 11:26:10 MST

This archive was generated by hypermail 2.2.0 : Wed Jan 20 2010 - 12:00:04 MST