[squid-users] Re: squid_kerb_auth (parseNegTokenInit failed with rc=102)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 28 Jun 2010 23:56:51 +0100

Make sure the squid server's hostname matches squidlhr1.v.local. If not, use -s
HTTP/squidlhr1.v.local as an option to squid_kerb_auth.

Regards
Markus

"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w64257C53609757CD3CF006B9CA0_at_phx.gbl...

Hi all,

I am unable to do Kerberos authentication in my live environment, as opposed to
the test environment where it was successful. My environment is Active
Directory, single forest, multi-domain, with each domain having multiple domain
controllers.

SPN was created through:

msktutil -c -b "OU=UNIXOU" -s HTTP/squidlhr1.v.local -h squidlhr1.v.local -k
/etc/squid/HTTP.keytab --computer-name squid-http --upn
HTTP/squidlhr1.v.local --server ldc-ms-dc2.v.local --verbose

Through the ADSIEDIT & setspn tools, the SPN is confirmed in Active Directory.

My krb5.conf settings:
[libdefaults]
default_realm = MAILSERVER.V.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5.keytab
; for windows 2003 encryption type configuration.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
V.LOCAL = {
kdc = ldc-v-dc2.v.local
admin_server = ldc-v-dc2.v.local
}
MAILSERVER.V.LOCAL = {
kdc = ldc-ms-dc2.mailserver.v.local
admin_server = ldc-ms-dc2.mailserver.v.local
}
# BT.V.LOCAL = {
# kdc = dc.bt.v.local
# admin_server = dc.bt.v.local
#}
[domain_realm]
.linux.home = MAILSERVER.V.LOCAL
.v.local = V.LOCAL
v.local = V.LOCAL
.mailserver.v.local = MAILSERVER.V.LOCAL
mailserver.v.local = MAILSERVER.V.LOCAL
#.bt.v.local= BT.V.LOCAL
#bt.v.local = BT.V.LOCAL
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/kdc.log

I have tried this on multiple client computers but it does not seem to be
working.
Below are the files for your reference.

Dump through Wireshark:
-----------------------

Hypertext Transfer Protocol
GET http://www.google.com/ HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;
.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; InfoPath.2; AskTB5.5)\r\n
Accept-Encoding: gzip, deflate\r\n
Proxy-Connection: Keep-Alive\r\n
[truncated] Cookie:
PREF=ID=dfcab88fe782b2f3:U=8cc1a776c84c55e1:TM=1273578259:LM=1273579194:S=ec2wG6BXReYHZvWe;
NID=36=iQ9ZARYGAQQvkpoAjK1OHFtg7BF7IE9hh-E__mxd9S8cV8EcNVq_M_9qMHZPatpJiifFPpdWYqJMmTtBxuCdoQMknggCTHJKkJkNigy5I6kewAQTepVnZ0Pb
[truncated] Proxy-Authorization: Negotiate
YIIFTwYGKwYBBQUCoIIFQzCCBT+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBRUEggURYIIFDQYJKoZIhvcSAQICAQBuggT8MIIE+KADAgEFoQMCAQ6iBwMFACAAAACjggQVYYIEE
TCCBA2gAwIBBaEXGxVNQUlMU0VSVkVSLk1DQi5D
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 3 items
MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support
Provider)
mechToken: 6082050D06092A864886F71201020201006E8204FC308204...
krb5_blob: 6082050D06092A864886F71201020201006E8204FC308204...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the
session key to encrypt the ticket
..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL
authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm: MAILSERVER.V.LOCAL
Server Name (Service and Instance): HTTP/squidlhr1.v.local
Name-type: Service and Instance (2)
Name: HTTP
Name: squidlhr1.v.local
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 60082AD63370B0B25657BB713A74B080C21E261079263809...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data: A7B9567AB0F52FD022CD130905ACD67DA268C8222AC6ED97...
Host: www.google.com\r\n
\r\n

Hypertext Transfer Protocol
HTTP/1.0 407 Proxy Authentication Required\r\n
Server: squid\r\n
Date: Fri, 25 Jun 2010 15:00:57 GMT\r\n
Content-Type: text/html\r\n
Content-Length: 1295\r\n
Content length: 1295
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
Proxy-Authenticate: Negotiate\r\n
Proxy-Authenticate: Negotiate gss_acquire_cred()\r\n
GSS-API Generic Security Service Application Program Interface
[Malformed Packet: GSS-API]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)
Message: Malformed Packet (Exception occurred)
Severity level: Error
Group: Malformed
X-Cache: MISS from squidlhr1\r\n
X-Cache-Lookup: NONE from squidlhr1:8080\r\n
Via: 1.0 squidlhr1main:8080 (squid)\r\n
Connection: close\r\n
\r\n

squid_kerb_auth -d output:
---------------------------

2010/06/28 10:03:24| squid_kerb_auth: Got 'YR ...' from squid (length: 1819).
2010/06/28 10:03:24| squid_kerb_auth: parseNegTokenInit failed with rc=102
2010/06/28 10:03:24| squid_kerb_auth: gss_acquire_cred() failed: Unspecified
GSS failure. Minor code may provide more information. No principal in keytab
matches desired name

Please, your help is required.

regards,

Bilal

Received on Mon Jun 28 2010 - 22:59:21 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 29 2010 - 12:00:03 MDT