[squid-users] Re: Problems setting up Kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 3 Mar 2010 22:25:02 -0000

Continuation needed means that the GSSAPI exchange has not finished and the
server needs more data from the client. Can you see in Wireshark if the
token length is the one squid_kerb_auth says it is?
> squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)

Markus

"Fabian Hugelshofer" <fh_at_open.ch> wrote in message
news:4B8E5CF1.3030802_at_open.ch...
> Hi all,
>
> I am trying to set up Kerberos authentication with Squid 2.7.stable7 on
> Linux. I use Heimdal 1.3.1. I already had success doing so on two proxies,
> but in a third environment, authentication fails.
>
> In squid.conf I have the following entries:
> auth_param negotiate program /opt/squid/libexec/squid_kerb_auth -d -s
> HTTP/proxy.example.com_at_EXAMPLE.COM
> acl REQUIRE_AUTH proxy_auth REQUIRED
> http_access allow src_localhost
> http_access deny !REQUIRE_AUTH
> http_access allow all
>
> Environmental variables KRB5_CONFIG and KRB5_KTNAME are set. By using
> kinit on the proxy it is possible to obtain a user ticket (auth with a
> password) and obtaining the service principal ticket
> (HTTP/proxy.example.com_at_EXAMPLE.COM, auth with the keytab file) works
> fine, too.
>
> When a client tries to use the proxy, the conversation is as follows:
>
> * User requests website
>
> * Proxy responds with 407 and sets header "Proxy-Authenticate: Negotiate"
>
> * User sends another request for the website and sends the ticket. From
> Wireshark:
> OID: 1.3.6.1.5.5.2 (SPNEGO)
> negTokenInit
> MechTypes: 1.2.840.48018.1.2.2 (MS KRB5), 1.2.840.113554.1.2.2 (KRB5),
> 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
> krb5_blob:
> Kerberos AP-REQ
> Realm: EXAMPLE.COM
> Server Name (type 2, service and instance): HTTP/proxy.domain.com
>
> * squid_kerb_auth reports:
> squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
> squid_kerb_auth: parseNegTokenInit failed with rc=102
> squid_kerb_auth: continuation needed.
>
> * Proxy replies with 407:
> GSS-API:SPNEGO:negTokenTarg
> negResult: accept-incomplete
> supportedMech: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
>
> * Client gets an authentication pop-up where he can enter a username and
> password, but this does not work. This is probably related to the
> suggested NTLMSSP.
>
> * User requests URL again, this time with an NTLM authenticator
> GSS-API:SPNEGO:negTokenTarg
> NTLMSSP identifier: NTLMSSP
> NTLM Message Type: NTLMSSP_NEGOTIATE
>
> * squid_kerb_auth reports:
> squid_kerb_auth: Got 'KKoS...' from squid (length: 67)
> squid_kerb_auth: parseNegTokenInit failed with rc=300
> squid_kerb_auth: Invalid GSS-SPNEGO query [KKoS...].
> NA Invalid GSS-SPNEGO query.
>
> * Server replies to client with "Proxy-Authenticate: Negotiate Invalid"
>
>
> Does anyone have an idea what is going wrong, i.e. why the authentication
> helper replies with "continuation needed" and what I should try to debug?
>
> Best regards,
>
> Fabian
>
Received on Wed Mar 03 2010 - 22:25:32 MST
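Markus's suggestion is to compare the token length squid_kerb_auth reports with what is actually on the wire, and the capture shows the client's negTokenInit offering MS KRB5, KRB5 and NTLMSSP before the proxy falls back to NTLMSSP. The following is an added example (not code from the thread, Squid or squid_kerb_auth) of a small SPNEGO negTokenInit inspector in Python: it decodes the base64 the helper receives, walks the DER structure, lists the offered mechTypes, reports the mechToken (AP-REQ) size, and turns a truncated token into a readable error instead of a traceback. The sample token is constructed here; the mechToken inside it is a placeholder blob, not a real AP-REQ, and all helper names are this example's own.

```python
"""SPNEGO negTokenInit inspector (added example; not squid_kerb_auth code)."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


class SpnegoError(ValueError):
    """Raised when the token is not a well-formed SPNEGO negTokenInit."""


# --- DER helpers, used only to build the constructed sample token -------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_neg_token_init(mech_oids, mech_token):
    """GSS-API InitialContextToken wrapping a SPNEGO negTokenInit (RFC 4178)."""
    mech_list = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, neg_init))


# --- parsing ------------------------------------------------------------------
def _read_tlv(buf, pos, expect_tag=None):
    """Read one DER tag/length/value; every length is checked against the buffer."""
    if pos + 2 > len(buf):
        raise SpnegoError("truncated at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if expect_tag is not None and tag != expect_tag:
        raise SpnegoError("expected tag 0x%02x, got 0x%02x" % (expect_tag, tag))
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise SpnegoError("bad length encoding at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise SpnegoError("element claims %d bytes but only %d remain" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_init(b64_token):
    """Decode the base64 the helper receives and report what the client offered."""
    raw = base64.b64decode(b64_token)
    _, body, _ = _read_tlv(raw, 0, 0x60)            # [APPLICATION 0] InitialContextToken
    _, oid_raw, pos = _read_tlv(body, 0, 0x06)
    if _decode_oid(oid_raw) != SPNEGO_OID:
        raise SpnegoError("not SPNEGO: %s" % _decode_oid(oid_raw))
    tag, neg_token, _ = _read_tlv(body, pos)
    if tag != 0xA0:                                  # [0] negTokenInit; [1] is negTokenResp
        raise SpnegoError("not a negTokenInit (tag 0x%02x)" % tag)
    _, seq, _ = _read_tlv(neg_token, 0, 0x30)
    mechs, mech_token_len, pos = [], 0, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                              # [0] mechTypes
            _, oids, _ = _read_tlv(val, 0, 0x30)
            opos = 0
            while opos < len(oids):
                _, o, opos = _read_tlv(oids, opos, 0x06)
                mechs.append(_decode_oid(o))
        elif tag == 0xA2:                            # [2] mechToken (the AP-REQ for Kerberos)
            _, tok, _ = _read_tlv(val, 0, 0x04)
            mech_token_len = len(tok)
    return {
        "b64_length": len(b64_token),
        "decoded_length": len(raw),
        "mech_types": mechs,
        "offers_kerberos": KRB5_OID in mechs or MS_KRB5_OID in mechs,
        "mech_token_length": mech_token_len,
    }


def diagnose(b64_token):
    """Return the parse result, or {'error': reason} for a malformed/truncated token."""
    try:
        return {"error": None, **parse_neg_token_init(b64_token)}
    except ValueError as exc:                        # SpnegoError and base64 errors
        return {"error": str(exc)}


# Constructed sample: same mechanism order as the capture; mechToken is a placeholder.
SAMPLE_TOKEN_B64 = base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x6e" + b"\x00" * 2999)
).decode("ascii")
# Simulates the helper receiving fewer bytes than were on the wire (cut at a base64 boundary).
TRUNCATED_TOKEN_B64 = SAMPLE_TOKEN_B64[: len(SAMPLE_TOKEN_B64) // 2 // 4 * 4]

if __name__ == "__main__":
    for name, tok in (("full", SAMPLE_TOKEN_B64), ("truncated", TRUNCATED_TOKEN_B64)):
        print(name, diagnose(tok))
```

To use it on a real capture, paste the base64 blob from the `Proxy-Authorization: Negotiate ...` header into `diagnose()`: `b64_length` is what to compare against the length the helper prints, `mech_types` shows whether Kerberos was offered at all, and an `error` value points at where the DER walk ran out of bytes.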
