[squid-users] Re: squid_kerb_auth received type 1 NTLM token

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 9 May 2010 15:37:14 +0100

Hi Lieven

"Lieven" <lievendp_at_gmail.com> wrote in message
news:4BE6BD24.7090402_at_gmail.com...
> Hello Markus,
>
> Sorry for my slow reaction.
>
>
> 1) I did a klist on the squid server and got this ticket:
>
> squid3-proxy:/var/log/squid-3.1.3# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator_at_DOMAIN.LOCAL
> Valid starting Expires Service principal
> 05/09/10 14:35:00 05/10/10 00:34:04 krbtgt/DOMAIN.LOCAL_at_DOMAIN.LOCAL
> renew until 05/10/10 14:35:00
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> => Do I have to renew this ticket from the server every day? I thought that
> I
> only needed this ticket once to get my squid server into the AD domain
> with the
> msktutil?
>

As you say this is only for the one time use of msktutil.

>
> 2) I installed the kerbtray tool from the windows 2003 tools on my xp pc.
> My xp pc is connected via a windows vpn for this test, I logon with my
> domain
> credentials, connecting to vpn works fine, As soon as I try to connect to
> a site
> via the squid3-proxy server, I get one ticket in kerbtray.
> This is the only ticket I have in the list:
> krbtgt/DOMAIN.LOCAL for the client principal: bait_at_DOMAIN.LOCAL
> the service name is: krbtgt/DOMAIN.LOCAL_at_DOMAIN.LOCAL
> target name is: krbtgt/DOMAIN_at_DOMAIN.LOCAL
> flags: forwardable, renewable, preauthenticated, initial
> encryption types: ticket encryption time: etype 18 and key encryption
> type: etype 0
>

That looks good.

> regarding DNS, I double-checked and A and PTR lookup are ok from the
> client.
>
>
> 3) When I open a site in my firefox browser on the client where I put the
> fqdn

What you should see is a request from the client to Active Directory asking
for a TGS for HTTP/<fqdn of proxy>. If that does not happen or gets refused
by AD the client will fall back to NTLM (wrapped into the Negotiate
response) which is what you see on the proxy.

> name as proxyserver, I see following in the cache.log on squid:
>
> 2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/05/09 14:59:03| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2010/05/09 14:59:03| authenticateNegotiateHandleReply: Error validating
> user via
> Negotiate. Error returned 'BH received type 1 NTLM token'
> 2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
> 2010/05/09 14:59:04| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' (decoded
> length: 40).
> 2010/05/09 14:59:04| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2010/05/09 14:59:04| authenticateNegotiateHandleReply: Error validating
> user via
> Negotiate. Error returned 'BH received type 1 NTLM token'
>
>
> 4) It seems that winpcap 4.1 which I installed on my client is not able to
> scan
> the ppp interface which I use to connect to the windows vpn.
> I will send a dump from that traffic as soon as I have access to a pc at
> the
> location. (non vpn)
>
> How do I add a dump from wireshark?
> I got a tcpdump on the squid server which I opened in wireshark and then I
> exported it as a plaintext file (all captured traffic, 49 packets) but
> it's
> quite large. (about 917 lines)
>

In wireshark you can select the lines you want to export (e.g. only port 88
and port 53) as a .cap file.

>
> Thanks for your help.
>
> kind regards,
> Lieven
>

Regards
Markus
Received on Sun May 09 2010 - 14:37:34 MDT
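The token Squid logs above can be decoded locally to confirm which mechanism the client actually sent, which is the same distinction squid_kerb_auth makes when it prints "received type 1 NTLM token". The script below is an added example, not part of the thread or of Squid's own code: it takes the cache.log line from the thread (rejoined onto one line here, as it would be in the real file), pulls out the base64 after "YR", and reports whether it is an NTLMSSP message (and which type, plus the client version the type 1 message carries) or a GSS-API/SPNEGO token that would indicate Kerberos is being attempted. The SPNEGO sample is a constructed minimal token used only to show the other branch.

```python
import base64
import re
import struct

# Constructed from the cache.log excerpt in the thread, rejoined onto one line.
SAMPLE_LOG_LINE = (
    "2010/05/09 14:59:03| squid_kerb_auth: DEBUG: Got 'YR "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid (length: 59)."
)

# Constructed minimal GSS-API InitialContextToken carrying the SPNEGO OID,
# used here only to exercise the non-NTLM branch (not a real capture).
SPNEGO_SAMPLE_B64 = base64.b64encode(
    b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00"
).decode()

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "Negotiate (type 1)", 2: "Challenge (type 2)", 3: "Authenticate (type 3)"}
NTLM_FLAG_VERSION = 0x02000000  # NTLMSSP_NEGOTIATE_VERSION: version block present
# GSS-API mechanism OIDs: SPNEGO (RFC 4178) and Kerberos v5 (RFC 4121)
KNOWN_MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos v5"}


def extract_token(line):
    """Return the base64 blob after "Got 'YR " in a squid_kerb_auth debug line."""
    m = re.search(r"Got 'YR ([A-Za-z0-9+/=]+)'", line)
    return m.group(1) if m else None


def _decode_oid(raw):
    """Decode a DER-encoded OID value (without tag/length) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_token(b64):
    """Classify a Negotiate token as NTLMSSP, GSS-API (with mech OID) or unknown."""
    data = base64.b64decode(b64)
    if data.startswith(NTLM_SIGNATURE) and len(data) >= 12:
        msg_type = struct.unpack_from("<I", data, 8)[0]
        result = {"kind": "NTLM", "message_type": msg_type,
                  "name": NTLM_TYPES.get(msg_type, "unknown")}
        if msg_type == 1 and len(data) >= 16:
            result["flags"] = struct.unpack_from("<I", data, 12)[0]
            # Type 1 layout: signature(8) type(4) flags(4) domain(8) workstation(8) version(8)
            if result["flags"] & NTLM_FLAG_VERSION and len(data) >= 40:
                major, minor, build = struct.unpack_from("<BBH", data, 32)
                result["version"] = (major, minor, build)
        return result
    if data[:1] == b"\x60":
        # GSS-API InitialContextToken: 0x60 <length> 0x06 <oid-len> <oid> ...
        idx = 1
        length_byte = data[idx]
        idx += 1
        if length_byte & 0x80:
            idx += length_byte & 0x7F  # skip long-form length octets
        if data[idx:idx + 1] == b"\x06":
            oid_len = data[idx + 1]
            oid = _decode_oid(data[idx + 2: idx + 2 + oid_len])
            return {"kind": "GSSAPI", "oid": oid,
                    "name": KNOWN_MECHS.get(oid, "unknown mechanism")}
    return {"kind": "unknown", "name": "unrecognised token"}


def diagnose(line):
    """Turn one cache.log line into a short verdict for the proxy admin."""
    token = extract_token(line)
    if token is None:
        return "no Negotiate token on this line"
    info = classify_token(token)
    if info["kind"] == "NTLM":
        verdict = "client sent NTLMSSP %s, not Kerberos" % info["name"]
        if "version" in info:
            verdict += "; client OS version %d.%d build %d" % info["version"]
        return verdict + " (check the client obtained a TGS for HTTP/<proxy fqdn>)"
    if info["kind"] == "GSSAPI":
        return "client sent a GSS-API token, mechanism %s (%s)" % (info["oid"], info["name"])
    return info["name"]


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE))
    print(classify_token(SPNEGO_SAMPLE_B64))
```

Run against the line from the thread it reports an NTLMSSP type 1 message with the version block 5.1 build 2600, i.e. an XP client that never presented a Kerberos token to the proxy, which is exactly the fallback described in the reply. A healthy Kerberos setup would instead produce a token whose first byte is 0x60 followed by the SPNEGO OID.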