Re: [squid-users] Re: Help me configure Kerberos Authentication

From: Go Wow <gowows_at_gmail.com>
Date: Sat, 30 Apr 2011 13:58:58 +0400

Thanks Amos.

If I use negotiate_wrapper then I'm able to access websites using
squid (yes, I don't get a prompt for credentials) but I get many of these
messages in cache.log

2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:33| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAJoAAAAqASoBsgAAABIAEgBYAAAAGgAaAGoAAAAWABYAhAAAABAAEADcAQAAFYKI4gYBsB0AAAAP7ybJT7FBFVDqpuR1XQqVQEwAQQBMAFMARwBSAE8AVQBQAHMAeQBlAGQALgBoAHUAcwBzAGEAaQBuAGkATABBAEwAUwAtAEkAVAAtADAANgA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOZTezFHvWzJUXf3Tk1kBg4BAQAAAAAAAC7ki+QcB8wBLHpqvSKv9yAAAAAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0ACAAwADAAAAAAAAAAAAAAAAAwAADFSQt0HTDf8OpuYYkUMfen9wZfPrromcHVsBG/ndGpWgoAEAAAAAAAAAAAAAAAAAAAAAAACQAmAEgAVABUAFAALwAxADkAMgAuADEANgA4AC4AMQA4AC4AMgAyADUAAAAAAAAAAABuHEq3B9Rp3pJ7I5hc5aWd'
from squid (length: 659).
2011/04/30 13:56:33| negotiate_wrapper: Decode
'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'
(decoded length: 492).
2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei
'
2011/04/30 13:56:39| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
(length: 59).
2011/04/30 13:56:39| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
length: 40).
2011/04/30 13:56:39| negotiate_wrapper: received type 1 NTLM token
2011/04/30 13:56:39| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAAEgASADAAAAAVgonioXIqyzNaOaMAAAAAAAAAAIgAiABCAAAATABBAEwAUwBHAFIATwBVAFAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAAAAAA==
'
2011/04/30 13:56:39| negotiate_wrapper: Got 'KK
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'
from squid (length: 659).
2011/04/30 13:56:39| negotiate_wrapper: Decode
'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'
(decoded length: 492).
2011/04/30 13:56:39| negotiate_wrapper: received type 3 NTLM token
2011/04/30 13:56:39| negotiate_wrapper: Return 'AF = tim.panei

Is this something to worry about in the long term?

On 30 April 2011 13:45, Go Wow <gowows_at_gmail.com> wrote:
> Amos, do you know where the problem is? Should I move back to squid
> 2.7, will that help?
>
> If I configure my squid to use NTLM auth I get so many NTLM Type 3
> token messages in cache.log. The same config works well on IE6. When I
> test this with Firefox 3.6+ or IE8 it keeps prompting for the username.
>
> On 30 April 2011 13:30, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 30/04/11 20:13, Go Wow wrote:
>>>
>>> When I run msktutil I get this line in the output.
>>>
>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>
>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>> tickets when I issue klist.
>>>
>>
>> Tickets, klist and keytabs do not matter in this case; Kerberos is not
>> involved.
>>
>>>
>>>
>>> On 30 April 2011 10:43, Go Wow wrote:
>>>>
>>>> Hi,
>>>>
>>>>  I'm trying to configure Kerberos Authentication for squid. I'm
>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>> Kerberos authentication guide on squid-cache and many other guides, I
>>>> always end up with these logs in my cache.log. My client browser keeps
>>>> prompting for username/password. Even a valid set of credentials is
>>>> not accepted.
>>>>
>>>>  2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>>> token
>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>> token'
>>
>> "type 1 NTLM"  aka NTLM authentication protocol.
>>
>> The Kerberos helpers for Squid only validate type 3 (Kerberos).
>>
>> Markus has developed a negotiate_wrapper helper which can split the
>> Negotiate auth protocol into Negotiate/Kerberos and Negotiate/NTLM
>> validation. That may be of some help, though there are bugs in the Squid end
>> which prevent it working sometimes.
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>>
>
Received on Sat Apr 30 2011 - 09:59:06 MDT
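
Added example, not part of the original message and not negotiate_wrapper's own code: a small classifier that decodes the token in a `YR`/`KK` helper request and reports whether the browser sent NTLM (and which message type) or a GSS-API token, which is the distinction the log lines in this thread report. The routing rule and the helper labels are assumptions for illustration; the type 1 token is the one from the cache.log excerpt above, the SPNEGO sample is constructed.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_NAMES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

# Type 1 token copied from the cache.log excerpt in this thread.
TYPE1_FROM_LOG = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: GSS-API framing (0x60) followed by the SPNEGO OID 1.3.6.1.5.5.2.
SPNEGO_SAMPLE = base64.b64encode(
    bytes.fromhex("601006062b0601050502") + b"\x00" * 8).decode()


def classify_token(b64_token):
    """Return (mechanism, detail) for the base64 blob of a Negotiate header."""
    raw = base64.b64decode(b64_token, validate=True)
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) < 12:
            return ("NTLM", "truncated")
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian message type
        return ("NTLM", NTLM_NAMES.get(msg_type, "type %d" % msg_type))
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return ("GSSAPI", "SPNEGO/Kerberos")
    return ("unknown", "%d bytes" % len(raw))


def classify_request(line):
    """Classify one 'YR <token>' or 'KK <token>' line as Squid sends it to a helper."""
    code, _, token = line.strip().partition(" ")
    if code not in ("YR", "KK") or not token:
        raise ValueError("not a helper request line: %r" % line)
    return (code,) + classify_token(token)


def route(line):
    """Pick a back end for the request (assumed rule; the labels are hypothetical)."""
    mechanism = classify_request(line)[1]
    return {"NTLM": "ntlm-helper", "GSSAPI": "kerberos-helper"}.get(mechanism, "reject")


if __name__ == "__main__":
    for sample in ("YR " + TYPE1_FROM_LOG, "YR " + SPNEGO_SAMPLE):
        print(classify_request(sample), "->", route(sample))
```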
