[squid-users] Re: Re: Re: Re: squid 3.1.14 kerberos single sign on

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 2 Aug 2011 20:23:40 +0100

As I said, use RC4-HMAC instead of DES.

Markus

"Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
news:09177155B3E82945AD8AF1F744B326458A7E8998_at_es05co...
Hi Markus,

I added allow_weak_crypto = yes to the krb.conf file. Now everything worked.
Any suggestion on how to allow safer/stronger cryptos?

Thanks
Ming

> -----Original Message-----
> From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> Sent: Saturday, July 30, 2011 7:51 AM
> To: squid-users_at_squid-cache.org
> Subject: [squid-users] Re: Re: Re: squid 3.1.14 kerberos single sign on
>
> Hi Ming,
>
> That looks correct. I have three suggestions:
>
> 1) Can you reset the AD account password for the squid user and re-extract
> the keytab?
> 2) Use another tool like msktutil (see
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )
> 3) Clear the kerberos cache on the client with kerbtray. It might be that
> the client cached an old key.
>
> Additionally, if you want to support Win 7 and Win 2008 you must use
> RC4-HMAC encryption, as DES has been declared a weak encryption method
> and is no longer supported in Win 7 / Win 2008.
>
> Regards
> Markus
>
>
> "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> news:09177155B3E82945AD8AF1F744B326458A7E5EA6_at_es05co...
> Hi Markus,
>
> My keytab file is generated from the win 2003 DC using ktpass command.
>
> On Linux, where squid is running:
>
> klist -ekt /usr/local/squid/etc/squid27.keytab
> Keytab name: WRFILE:/usr/local/squid/etc/squid27.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------------
>    9 12/31/69 19:00:00 HTTP/squid.sit27.borderware.com_at_SIT27.BORDERWARE.COM (DES cbc mode with RSA-MD5)
> [root_at_squid etc]# ^C
> [root_at_squid etc]# echo $KRB5_KTNAME
> /usr/local/squid/etc/squid27.keytab
>
>
> On windows 2003
> C:\Documents and Settings\Administrator>ktpass -princ HTTP/squid.sit27.borderware.com_at_SIT27.BORDERWARE.COM -mapuser squid -crypto DES-CBC-MD5 +DesOnly -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -out squid27.keytab
> Targeting domain controller: 27dc.sit27.borderware.com
> Using legacy password setting method
> Successfully mapped HTTP/squid.sit27.borderware.com to squid.
> Key created.
> Output keytab to squid27.keytab:
> Keytab version: 0x502
> keysize 79 HTTP/squid.sit27.borderware.com_at_SIT27.BORDERWARE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x3 (DES-CBC-MD5) keylength 8 (0x10bf6eea2531436b)
> Account squid has been set for DES-only encryption.
>
> C:\Documents and Settings\Administrator>setspn -L squid
> Registered ServicePrincipalNames for CN=Squid,CN=Users,DC=sit27,DC=borderware,DC=com:
> HTTP/squid.sit27.borderware.com
>
>
> Best Regards,
> Ming
>
>
>
> > -----Original Message-----
> > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > Sent: Thursday, July 28, 2011 3:09 PM
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: Re: squid 3.1.14 kerberos single sign on
> >
> > Hi Ming,
> >
> > This indicates that now your client got the ticket from AD, but it does
> > not match the entry in your keytab. Did you set the environment variable
> > KRB5_KTNAME correctly? Can you do a klist -ekt <squid.keytab> and compare
> > the entries with the wireshark information of the encoded HTTP Negotiate
> > request?
> >
> > Does the name, encryption type and key version number (kvno) match?
> >
> > Markus
> >
> > "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> > news:09177155B3E82945AD8AF1F744B326458A7E58B8_at_es05co...
> > Hi Markus,
> >
> > I tried the same test on a Windows 2003 domain with XP clients. I was able
> > to get the SGT passed from the DC to the XP. Now my problem is the following
> > squid error. Any suggestion on how to debug further?
> >
> > 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Got 'YR [base64 Negotiate token elided]' from squid (length: 1647).
> > 2011/07/28 13:13:46| squid_kerb_auth: DEBUG: Decode '[base64 Negotiate token elided]' (decoded length: 1233).
> > 2011/07/28 13:13:47| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found
> > 2011/07/28 13:13:47| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found'
> >
> >
> > Thanks
> > Ming
> >
> > > -----Original Message-----
> > > From: Ming Fu [mailto:Ming.Fu_at_watchguard.com]
> > > Sent: Wednesday, July 27, 2011 4:21 PM
> > > To: Markus Moeller; squid-users_at_squid-cache.org
> > > Subject: RE: [squid-users] Re: squid 3.1.14 kerberos single sign on
> > >
> > > Hi Markus,
> > >
> > > From the windows domain controller:
> > > =======================================================
> > > Microsoft Windows [Version 6.0.6002]
> > > Copyright (c) 2006 Microsoft Corporation. All rights reserved.
> > >
> > > C:\Users\Administrator>setspn -L squid
> > > Registered ServicePrincipalNames for
> > > CN=squid,CN=Users,DC=sit26,DC=borderware,DC=com:
> > > HTTP/squid.sit26.borderware.com
> > >
> > > C:\Users\Administrator>
> > > =========================================================
> > >
> > > From the wireshark:
> > > ==============================================================
> > > The Kerberos response error is
> > > Error code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > > Realm: SIT26.BORDERWARE.COM
> > > Server Name (Service and Instance): HTTP/squid.sit26.borderware.com
> > > Name-type: service and instance (2)
> > > Name: HTTP
> > > Name: squid.sit26.borderware.com
> > > ===============================================================
> > >
> > > I can attach the whole tcpdump if necessary.
> > >
> > > Regards,
> > > Ming
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Markus Moeller [mailto:huaraz_at_moeller.plus.com]
> > > > Sent: Monday, July 25, 2011 4:27 PM
> > > > To: squid-users_at_squid-cache.org
> > > > Subject: [squid-users] Re: squid 3.1.14 kerberos single sign on
> > > >
> > > > This looks like the client does not get a Kerberos token, which can
> > > > have several reasons.
> > > >
> > > > 1) Is the proxy name used in the browser the fqdn used in the
> > > > servicePrincipalName in AD e.g. HTTP/<fqdn>?
> > > > 2) Is the right encryption type used (Win7 / 2008 do not support DES
> > > > out of the box)
> > > >
> > > > Can you capture with wireshark the communication between your Win7
> > > > client and AD on port 88 ( Kerberos port ) and send me the capture file?
> > > >
> > > > Regards
> > > > Markus
> > > >
> > > >
> > > > "Ming Fu" <Ming.Fu_at_watchguard.com> wrote in message
> > > > news:09177155B3E82945AD8AF1F744B326458A7E1581_at_es05co...
> > > > Hi,
> > > >
> > > > I am trying to set up squid 3.1.14 on linux with Kerberos SSO against
> > > > windows 2008 server and win7 client.
> > > > But both firefox 5.0.1 and IE 8 generate the same log from squid.
> > > >
> > > > Is this a problem with squid or the browsers?
> > > >
> > > > ---- squid logs ----
> > > > 2011/07/25 10:54:29| Accepting HTTP connections at [::]:3128, FD 31.
> > > > 2011/07/25 10:54:29| HTCP Disabled.
> > > > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > > > 2011/07/25 10:54:29| squid_kerb_auth: INFO: Starting version 1.0.5
> > > > 2011/07/25 10:54:29| Loaded Icons.
> > > > 2011/07/25 10:54:29| Ready to serve requests.
> > > > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
> > > > 2011/07/25 10:55:40| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
> > > > 2011/07/25 10:55:40| squid_kerb_auth: WARNING: received type 1 NTLM token
> > > > 2011/07/25 10:55:40| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
> > > >
> > > >
> > > > --- HTTP exchange Firefox to squid -----
> > > > GET http://www.google.ca/ HTTP/1.1
> > > > Host: www.google.ca
> > > > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > > > Firefox/5.0.1
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-us,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > > Proxy-Connection: keep-alive
> > > > Referer: http://www.google.ca/
> > > > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > > >
> > > > HTTP/1.0 407 Proxy Authentication Required
> > > > Server: squid/3.1.14
> > > > Mime-Version: 1.0
> > > > Date: Mon, 25 Jul 2011 15:38:05 GMT
> > > > Content-Type: text/html
> > > > Content-Length: 3945
> > > > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > > > Vary: Accept-Language
> > > > Content-Language: en-us
> > > > Proxy-Authenticate: Negotiate
> > > > X-Cache: MISS from squid.sit26.borderware.com
> > > > Via: 1.0 squid.sit26.borderware.com (squid/3.1.14)
> > > > Connection: keep-alive
> > > >
> > > > GET http://www.google.ca/ HTTP/1.1
> > > > Host: www.google.ca
> > > > User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0.1) Gecko/20100101
> > > > Firefox/5.0.1
> > > > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > > > Accept-Language: en-us,en;q=0.5
> > > > Accept-Encoding: gzip, deflate
> > > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > > > Proxy-Connection: keep-alive
> > > > Referer: http://www.google.ca/
> > > > Cookie: PREF=ID=c7a9ded9c38f7fe3:U=5104260d840ffece:FF=0:TM=1311350545:LM=1311350546:S=CwtXJNRFT1U2j2O8; NID=49=W5u6mljBsItvKL3sO3IeIPlhRWCzhZ29I_vbIPqWOlIGJkraxqtEfFdfCz2Hqs4HPrqf-O4eBSR6BUpyEfmw6CXbxQEnMDRnD8PRRVWLQbuJYgKsCwaUGJIf8sJWDGu7
> > > > Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
> > > >
> > > >
> > > > Regards,
> > > > Ming
> > > >
> >
> >
>
>
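A keytab inspector that does the klist -ekt comparison Markus asks for, added here as an example (it is not from the thread, from squid or from MIT Kerberos): it parses the 0x502 keytab format that ktpass wrote above, lists principal, kvno and enctype for each entry, and flags the DES enctypes that Win 7 / 2008 clients reject. The sample keytab is constructed inline with dummy key bytes; the principal, kvno 9 and etype 0x3 mirror the thread.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 2, 3}   # DES: rejected by Win7/2008 unless allow_weak_crypto is set

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x502, big-endian) into a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                     # negative size = deleted slot; 0 = padding
            pos += -size or len(data); continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                      # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _nametype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = vno8                       # key bytes skipped; 32-bit kvno is optional
        if end - pos >= 4:
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype, "weak": enctype in WEAK_ENCTYPES,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries

def build_entry(principal, kvno, enctype, key):
    # Encode one 0x502 entry; used here only to construct the sample keytab below.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (all-zero keys are dummies): the thread's DES-only entry, kvno 9 etype 0x3, beside an RC4-HMAC one.
PRINCIPAL = "HTTP/squid.sit27.borderware.com@SIT27.BORDERWARE.COM"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(PRINCIPAL, 9, 3, bytes(8))
                 + build_entry(PRINCIPAL, 10, 23, bytes(16)))

if __name__ == "__main__":                # same columns as klist -ekt, plus a verdict
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["kvno"], e["principal"], e["enctype_name"], "WEAK" if e["weak"] else "ok")
```

Point it at a real file with `parse_keytab(open(path, "rb").read())`; an entry that is flagged WEAK with no RC4-HMAC or AES key alongside it is the situation this thread ends in.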
Received on Tue Aug 02 2011 - 19:24:11 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 03 2011 - 12:00:02 MDT