[squid-users] Re: Help me configure Kerberos Authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 30 Apr 2011 13:17:04 +0100

Hi Go,

  Can you describe in detail what you did (e.g. the exact msktutil command)?
BTW I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
which you should try in the case you use an older version.

  It looks to me that your client is not able to get the Kerberos ticket
from AD, which is why the client falls back to NTLM and the negotiate wrapper
now deals with this case.

  To find out why the client does not get the ticket you can run wireshark
and look for traffic on port 88.

Markus

"Go Wow" <gowows_at_gmail.com> wrote in message
news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
When I run msktutil I get this line in the output.

krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I did kinit before issuing msktutil and it ran successfully. I can see
tickets when I issue klist.

On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
> Hi,
>
> I'm trying to configure Kerberos Authentication for squid. I'm
> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
> kerberos authentication guide on squid-cache and many other guides, I
> always end up with these logs in my cache.log. My client browser keeps
> prompting for username/password. Even a valid set of credentials is
> not accepted.
>
> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
>
>
> I want to check and make sure my keytab entries are good. How do I do
> that? My client System can list the tickets for client principal.
>
> Please have a look at my krb5.conf & keytab file here
> http://pastebin.com/vTBr3r5D
>
> I'm using this command to create the keytab file.
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
> ad01.orangegroup.com --verbose
>
> All the domains are resolving properly to IPs.
>
> Thanks for your help.
>
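The cache.log lines above say that squid_kerb_auth received a "type 1 NTLM token", which is the observation behind Markus's diagnosis that the browser never obtained a Kerberos ticket and fell back to NTLM. The following script is an added example, not code from the thread or from Squid: it re-joins the wrapped `Got 'YR ...'` DEBUG lines (YR is the helper-protocol prefix Squid uses for the first token of a negotiation), base64-decodes the token and classifies it by its leading bytes. An NTLMSSP message starts with the signature `NTLMSSP\0` followed by a little-endian message type; a SPNEGO or raw Kerberos GSSAPI token starts with the ASN.1 APPLICATION 0 tag `0x60` followed by a mechanism OID. The `LOG_LINES` list is copied from the thread; `SPNEGO_SAMPLE` is a constructed token header used only to exercise the other branch.

```python
import base64
import re

# squid_kerb_auth DEBUG lines copied from the thread above. The mail client
# wrapped the base64 token onto a second line, so the parser must re-join them.
LOG_LINES = [
    "2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR",
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid",
    "(length: 59).",
    "2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token",
]

# Constructed sample (not from the thread): the first bytes of a SPNEGO
# InitialContextToken, i.e. tag 0x60, a length byte, then OID 1.3.6.1.5.5.2.
SPNEGO_SAMPLE = bytes.fromhex("6008" "06062b0601050502")

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def extract_tokens(lines):
    """Return the base64 tokens from 'Got 'YR <token>'' lines, tolerating
    quoted-reply prefixes and a token wrapped onto the following line."""
    text = " ".join(line.lstrip("> ").strip() for line in lines)
    return re.findall(r"Got 'YR\s*([A-Za-z0-9+/=]+)'", text)


def decode_token(b64):
    """Base64-decode one token as logged by squid_kerb_auth."""
    return base64.b64decode(b64)


def classify_token(token):
    """Tell an NTLMSSP message apart from a SPNEGO/Kerberos GSSAPI token."""
    if token.startswith(NTLMSSP_SIGNATURE) and len(token) >= 12:
        # NTLMSSP header: 8-byte signature, then uint32 LE MessageType
        # (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
        msg_type = int.from_bytes(token[8:12], "little")
        return f"NTLM type {msg_type}"
    if token[:1] == b"\x60":
        # GSSAPI InitialContextToken: look for the mechanism OID right
        # after the outer tag and length.
        head = token[:16]
        if SPNEGO_OID in head:
            return "SPNEGO"
        if KRB5_OID in head:
            return "Kerberos (GSSAPI)"
        return "GSSAPI (unrecognised mechanism)"
    return "unrecognised"


def classify_log(lines):
    """Pair every token found in the log lines with its classification."""
    return [(b64, classify_token(decode_token(b64))) for b64 in extract_tokens(lines)]


if __name__ == "__main__":
    for b64, kind in classify_log(LOG_LINES):
        print(f"{kind}: {b64[:24]}... ({len(decode_token(b64))} bytes)")
```

Running this over the pasted lines confirms what the WARNING already states: the browser sent an NTLM NEGOTIATE message, not a Kerberos ticket, so the problem is on the client-to-KDC side (no ticket for the HTTP/proxyserver service principal), which is exactly what the port 88 capture Markus suggests would show.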
Received on Sat Apr 30 2011 - 12:17:27 MDT
