[squid-users] Problems setting up Kerberos authentication

From: Fabian Hugelshofer <fh_at_open.ch>
Date: Wed, 03 Mar 2010 13:58:25 +0100

Hi all,

I am trying to set up Kerberos authentication with Squid 2.7.stable7 on
Linux. I use Heimdal 1.3.1. I already had success doing so on two
proxies, but in a third environment, authentication fails.

In squid.conf I have the following entries:
auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d -s HTTP/proxy.example.com@EXAMPLE.COM
acl REQUIRE_AUTH proxy_auth REQUIRED
http_access allow src_localhost
http_access deny !REQUIRE_AUTH
http_access allow all

The environment variables KRB5_CONFIG and KRB5_KTNAME are set. Using
kinit on the proxy, it is possible to obtain a user ticket (authenticating
with a password), and obtaining the service principal ticket
(HTTP/proxy.example.com@EXAMPLE.COM, authenticating with the keytab file)
works fine, too.

When a client tries to use the proxy, the conversation is as follows:

* User requests website

* Proxy responds with 407 and sets header "Proxy-Authenticate: Negotiate"

* User sends another request for the website and sends the ticket. From
Wireshark:
OID: 1.3.6.1.5.5.2 (SPNEGO)
negTokenInit
MechTypes: 1.2.840.48018.1.2.2 (MS KRB5), 1.2.840.113554.1.2.2 (KRB5),
1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
krb5_blob:
   Kerberos AP-REQ
   Realm: EXAMPLE.COM
   Server Name (type 2, service and instance): HTTP/proxy.domain.com

* squid_kerb_auth reports:
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
squid_kerb_auth: parseNegTokenInit failed with rc=102
squid_kerb_auth: continuation needed.

* Proxy replies with 407:
GSS-API:SPNEGO:negTokenTarg
negResult: accept-incomplete
supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

* Client gets an authentication pop-up where he can enter a username and
password, but this does not work. This is probably related to the
suggested NTLMSSP.

* User requests URL again, this time with an NTLM authenticator
GSS-API:SPNEGO:negTokenTarg
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_NEGOTIATE

* squid_kerb_auth reports:
squid_kerb_auth: Got 'KKoS...' from squid (length: 67)
squid_kerb_auth: parseNegTokenInit failed with rc=300
squid_kerb_auth: Invalid GSS-SPNEGO query [KKoS...].
NA Invalid GSS-SPNEGO query.

* Server replies to client with "Proxy-Authenticate: Negotiate Invalid"

Does anyone have an idea what is going wrong, i.e. why the
authentication helper replies with "continuation needed" and what I
should try to debug?

Best regards,

Fabian
Received on Wed Mar 03 2010 - 12:58:39 MST
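The exchange in the post above can be checked without Wireshark by decoding the base64 blob after "Negotiate " in the Proxy-Authorization / Proxy-Authenticate headers (the same string squid_kerb_auth logs with "Got '...' from squid"). The script below is an added example written for this thread; it is not code from Squid or squid_kerb_auth. It is a minimal DER walker for the two SPNEGO shapes in RFC 4178, negTokenInit (client to proxy) and negTokenResp (proxy to client), and reports the client's mechType preference order, which mechanism its embedded mechToken actually belongs to, and the proxy's negState/supportedMech. The tokens at the bottom are constructed here to mirror the post (MS KRB5, KRB5, NTLMSSP offered; proxy answering accept-incomplete with NTLMSSP); the Kerberos AP-REQ inside is a placeholder, not a real ticket, and all function names are my own.

```python
"""Decode a "Negotiate <base64>" token as seen by a Squid proxy.

Added example for this thread, not part of Squid or squid_kerb_auth.
Sample tokens are constructed at the bottom; the AP-REQ is a placeholder.
"""
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# --- DER helpers (enough for SPNEGO; no indefinite lengths) -----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def walk_sequence(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val

def mech_name(oid_bytes):
    oid = decode_oid(oid_bytes)
    return MECH_NAMES.get(oid, oid)

# --- SPNEGO parsing ---------------------------------------------------------
def parse_token(b64):
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):           # bare NTLM, no GSS/SPNEGO framing
        return {"kind": "raw NTLMSSP (no SPNEGO wrapper)"}
    tag, body, _ = read_tlv(raw, 0)
    if tag == 0x60:                               # [APPLICATION 0] InitialContextToken
        _, oid, pos = read_tlv(body, 0)
        if decode_oid(oid) != SPNEGO:
            return {"kind": "raw GSS token", "mech": mech_name(oid)}
        itag, inner, _ = read_tlv(body, pos)
        if itag != 0xA0:
            raise ValueError("SPNEGO initial token must be [0] negTokenInit")
        return parse_neg_token_init(inner)
    if tag == 0xA1:                               # [1] negTokenResp (a.k.a. negTokenTarg)
        return parse_neg_token_resp(body)
    raise ValueError("not a GSS-API/SPNEGO token (first byte 0x%02x)" % tag)

def parse_neg_token_init(content):
    _, seq, _ = read_tlv(content, 0)
    info = {"kind": "negTokenInit", "mechTypes": [], "mechTokenMech": None}
    for tag, val in walk_sequence(seq):
        if tag == 0xA0:                           # mechTypes, preferred mechanism first
            _, lst, _ = read_tlv(val, 0)
            info["mechTypes"] = [mech_name(o) for _, o in walk_sequence(lst)]
        elif tag == 0xA2:                         # mechToken, belongs to the first mechType
            _, tok, _ = read_tlv(val, 0)
            if tok[:1] == b"\x60":
                _, tbody, _ = read_tlv(tok, 0)
                info["mechTokenMech"] = mech_name(read_tlv(tbody, 0)[1])
            elif tok.startswith(b"NTLMSSP\x00"):
                info["mechTokenMech"] = "NTLMSSP"
    return info

def parse_neg_token_resp(content):
    _, seq, _ = read_tlv(content, 0)
    info = {"kind": "negTokenResp", "negState": None, "supportedMech": None, "hasResponseToken": False}
    for tag, val in walk_sequence(seq):
        if tag == 0xA0:
            info["negState"] = NEG_STATE.get(read_tlv(val, 0)[1][0])
        elif tag == 0xA1:
            info["supportedMech"] = mech_name(read_tlv(val, 0)[1])
        elif tag == 0xA2:
            info["hasResponseToken"] = True
    return info

def client_prefers_kerberos(info):
    """True if the client offered a Kerberos mech first and its mechToken is Kerberos."""
    return info.get("mechTypes", [None])[0] in ("MS KRB5", "KRB5") and \
        info.get("mechTokenMech") in ("MS KRB5", "KRB5")

# --- constructed sample tokens (not captured traffic) -----------------------
def build_neg_token_init(mechs, mech_token):
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(m)) for m in mechs))
    seq = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO)) + tlv(0xA0, seq))

def build_neg_token_resp(state, mech):
    seq = tlv(0x30, tlv(0xA0, tlv(0x0A, bytes([state]))) + tlv(0xA1, tlv(0x06, encode_oid(mech))))
    return tlv(0xA1, seq)

FAKE_APREQ = tlv(0x6E, tlv(0x30, b"\xa0\x03\x02\x01\x05"))   # placeholder [APPLICATION 14], not a real AP-REQ
KRB_MECH_TOKEN = tlv(0x60, tlv(0x06, encode_oid("1.2.840.48018.1.2.2")) + b"\x01\x00" + FAKE_APREQ)
CLIENT_B64 = base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], KRB_MECH_TOKEN)).decode()
PROXY_B64 = base64.b64encode(build_neg_token_resp(1, "1.3.6.1.4.1.311.2.2.10")).decode()
RAW_NTLM_B64 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for label, tok in (("client", CLIENT_B64), ("proxy", PROXY_B64), ("bare NTLM", RAW_NTLM_B64)):
        print(label, parse_token(tok))
```

To use it on a real capture, paste the base64 after "Negotiate " (or the string squid_kerb_auth prints after "Got") into parse_token. If the client's first mechType is NTLMSSP rather than a Kerberos OID, the browser never obtained a ticket for the proxy's SPN and the proxy side is not where to look; if the client offers Kerberos first and the helper still reports a parse failure, compare the SPN inside the AP-REQ (as Wireshark shows it) with the principal given to -s.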