Re: [squid-users] Re: Re: Re: Help me configure Kerberos Authentication

From: Go Wow <gowows_at_gmail.com>
Date: Mon, 2 May 2011 15:10:38 +0400

I changed my approach a little bit and switched to CentOS from Ubuntu, hehe.

I installed CentOS and configured Kerberos/Squid as described in the
squid-cache Kerberos guide; I used msktutil to create the keytab file.
On the Windows server I checked the machine: it was listed as a
workstation. I went to Properties, selected the Delegation tab and
tried to allow delegation of Kerberos, but it didn't work. So I
right-clicked on the computer name, clicked Properties >> Security,
gave full permission to Administrator and then gave full permission
to the same computer name.

Now I'm able to authenticate users and use Squid to browse.

I will be monitoring Squid for the next couple of days and see if it
gives those libntlmssp log entries.

How safe is it to use negotiate_wrapper in production? What is the
difference between using negotiate_wrapper and a second auth_param
statement for NTLM in squid.conf?

Regards

On 2 May 2011 09:20, Go Wow <gowows_at_gmail.com> wrote:
> I will check that and inform you. But how did you troubleshoot that
> the entry is missing from AD?
>
> On 1 May 2011 14:51, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> It looks like you do not have an entry in AD.  Can you search AD for entries
>> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>>
>> Markus
>>
>>
>> "Go Wow" <gowows_at_gmail.com> wrote in message
>> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ_at_mail.gmail.com...
>> On 1 May 2011 00:00, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Go,
>>>
>>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it?
>>
>> Yes I used --enctypes 28
>>
>>>
>>> what does klist -e show and what does
>>> kinit <user>
>>> kvno HTTP/proxyserver.orangegroup.com
>>>
>>> show (<user> being your userid)?
>>
>> Here is the complete output
>>
>> root_at_proxyserver:/home/owner# whoami
>> root
>> root_at_proxyserver:/home/owner# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root_at_proxyserver:/home/owner# klist -e
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> root_at_proxyserver:/home/owner# kinit Administrator
>> Password for Administrator_at_ORANGEGROUP.COM:
>> root_at_proxyserver:/home/owner# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator_at_ORANGEGROUP.COM
>>
>> Valid starting     Expires            Service principal
>> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM_at_ORANGEGROUP.COM
>>       renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
>> HMAC/md5,ArcFour with HMAC/md5
>> root_at_proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for http/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>> root_at_proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
>> kvno: Server not found in Kerberos database while getting credentials
>> for HTTP/proxyserver.orangegroup.com_at_ORANGEGROUP.COM
>>
>>> When you purge tickets (with kerbtray), start wireshark with a filter on
>>> port 88 and access a webpage via the proxy, do you see any errors in
>>> wireshark? Can you send me the capture?
>>
>> I will email you the port 88 capture in a sec.
>>
>> Thanks for your help.
>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw_at_mail.gmail.com...
>>> I tried with msktutil version 0.4 but same thing is happening.
>>>
>>> I followed your guide, first with samba/winbind: I created the
>>> keytab and configured the negotiate parameters in squid.conf, but when I
>>> open a browser pointing to squid3 as proxy server (with FQDN, not IP) it
>>> prompts for username/password. This system is Windows 7 64 Bit.
>>>
>>> Then I tried msktutil. The command I used is the same as I mentioned below.
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>> ad01.orangegroup.com --verbose
>>>
>>> The output of the command gives me one error, but it still creates the
>>> keytab file:
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>>
>>> I have kerbtray installed on the client system and I can see my domain's
>>> krbtgt/domain.com listed. As a matter of fact I'm using a SharePoint
>>> server which uses the same method to authenticate, and I'm able to log in
>>> to it without entering username/password. I tried purging tickets
>>> but no change.
>>>
>>> Regards
>>>
>>>
>>> On 30 April 2011 16:17, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>>>
>>>> Hi Go,
>>>>
>>>> Can you describe in detail what you did (e.g. the exact msktutil command)?
>>>> BTW, I updated the wiki yesterday pointing to a newer msktutil (version 0.4),
>>>> which you should try in case you use an older version.
>>>>
>>>> It looks to me that your client is not able to get the Kerberos ticket
>>>> from AD, which is why the client falls back to NTLM and the negotiate
>>>> wrapper now deals with this case.
>>>>
>>>> To find out why the client does not get the ticket you can run wireshark
>>>> and look for traffic on port 88.
>>>>
>>>> Markus
>>>>
>>>>
>>>> "Go Wow" <gowows_at_gmail.com> wrote in message
>>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
>>>> When I run msktutil I get this line in the output.
>>>>
>>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>>
>>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>>> tickets when I issue klist.
>>>>
>>>>
>>>>
>>>> On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to configure Kerberos Authentication for Squid. I'm
>>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>>> Kerberos authentication guide on squid-cache and many other guides, and I
>>>>> always end up with these logs in my cache.log. My client browser keeps
>>>>> prompting for username/password. Even a valid set of credentials is
>>>>> not accepted.
>>>>>
>>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>> (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>> length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>>>> (length: 59).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>>>> length: 40).
>>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM
>>>>> token
>>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>>>> token'
>>>>>
>>>>>
>>>>> I want to check and make sure my keytab entries are good. How do I do
>>>>> that? My client System can list the tickets for client principal.
>>>>>
>>>>> Please have a look at my krb5.conf & keytab file here
>>>>> http://pastebin.com/vTBr3r5D
>>>>>
>>>>> I'm using this command to create the keytab file.
>>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>>> ad01.orangegroup.com --verbose
>>>>>
>>>>> All the domains are resolving properly to IPs.
>>>>>
>>>>> Thanks for your help.
>>>>>
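As an added diagnostic example (not code from the thread or from the Squid project): a script that pulls the `YR` tokens that squid_kerb_auth prints to cache.log and reports whether the browser sent NTLM or SPNEGO/Kerberos, so the NTLM fallback Markus describes can be confirmed from the log alone. The first sample line is copied from the cache.log quoted above; the SPNEGO line and its minimal NegTokenInit are constructed for the demo.

```python
import base64
import re
import struct

# DER encodings of the mechanism OIDs seen inside a GSS-API/SPNEGO token.
OID_SPNEGO = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")          # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")       # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10

# Squid helper protocol: "YR <base64 token>" is the first client token.
TOKEN_RE = re.compile(r"squid_kerb_auth: DEBUG: Got 'YR ([A-Za-z0-9+/=]+)'")


def classify_token(token: bytes) -> str:
    """Describe which mechanism a decoded Negotiate token carries."""
    if token.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", token, 8)[0]
        flags = struct.unpack_from("<I", token, 12)[0]
        desc = f"NTLM type {msg_type} (flags 0x{flags:08x})"
        # NTLMSSP_NEGOTIATE_VERSION (0x02000000): an 8-byte version field
        # sits at offset 32 (major, minor, build, reserved, revision).
        if flags & 0x02000000 and len(token) >= 40:
            major, minor, build = struct.unpack_from("<BBH", token, 32)
            desc += f", client OS {major}.{minor} build {build}"
        return desc
    if token[:1] == b"\x60":  # GSS-API InitialContextToken: 0x60, length, OID
        head = token[2:16]    # wide enough for 1- or 2-byte DER lengths
        if OID_SPNEGO in head:
            mechs = [name for name, oid in (("Kerberos", OID_KRB5),
                                            ("MS-Kerberos", OID_MS_KRB5),
                                            ("NTLMSSP", OID_NTLMSSP)) if oid in token]
            return "SPNEGO offering " + ", ".join(mechs or ["no known mech"])
        if OID_KRB5 in head or OID_MS_KRB5 in head:
            return "raw Kerberos"
    return "unknown"


def scan_cache_log(lines):
    """Return (base64 token, verdict) for every helper token in cache.log lines."""
    found = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if m:
            found.append((m.group(1), classify_token(base64.b64decode(m.group(1)))))
    return found


# Constructed SPNEGO NegTokenInit whose mechTypes lists only Kerberos V5.
SPNEGO_KRB = bytes.fromhex("601b06062b0601050502a011300fa00d300b06092a864886f712010202")
SPNEGO_B64 = base64.b64encode(SPNEGO_KRB).decode()
SAMPLE_LOG = [  # line 1 from the thread's cache.log, lines 2-3 constructed
    "2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).",
    "2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token",
    f"2011/05/02 09:00:00| squid_kerb_auth: DEBUG: Got 'YR {SPNEGO_B64}' from squid (length: {3 + len(SPNEGO_B64)}).",
]

if __name__ == "__main__":
    for b64, verdict in scan_cache_log(SAMPLE_LOG):
        print(f"{b64[:20]}... -> {verdict}")
```

On the thread's own token the verdict is an NTLM type 1 message from a 6.1 build 7600 client, i.e. the Windows 7 machine never presented a Kerberos ticket to the proxy.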
Received on Mon May 02 2011 - 11:10:46 MDT

This archive was generated by hypermail 2.2.0 : Mon May 02 2011 - 12:00:02 MDT