[squid-users] Re: Squid 3.2 kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 30 Jan 2013 23:16:46 -0000

Hi Ludovit,

   As background information the Negotiate protocol is a protocol which can
handle Kerberos and NTLM tokens and the client decides based on its
configuration (and Active Directory) if Kerberos or NTLM will be used.
Usually if Kerberos is not correctly set up the client will use NTLM. What
you are seeing is that the client uses NTLM and squid/samba/ntlm_auth seems
to not allow it. Is your NTLM setup working?

  To check why the client uses NTLM look at a Network trace on port 88. You
should see a Kerberos AS request/AS reply followed by a TGS request/TGS
reply. Have a look at the TGS reply details. I assume in your case it
contains an error message.

Markus

"Ludovit Koren" <ludovit.koren_at_gmail.com> wrote in message
news:20130129.134941.1568838937885763075.koren_at_tempest.sk...
>
> Hi,
>
> I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.
>
> The /etc/krb5.conf file:
>
> [logging]
> default = FILE:/var/log/krb.log
> kdc = FILE:/var/log/krb.log
> admin_server = FILE:/var/log/krb.log
> default_keytab_name = /usr/local/etc/squid/HTTP.keytab
>
> [libdefaults]
> default_realm = MDPT.LOCAL
> dns_lookup_realm = no
> dns_lookup_kdc = no
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> EXAMPLE.LOCAL = {
> kdc = ads01.example.local:88
> admin_server = ads01.example.local:464
> default_domain = EXAMPLE.LOCAL
> }
>
> [domain_realm]
> .domain.local = EXAMPLE.LOCAL
> domain.local = EXAMPLE.LOCAL
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 1
> }
>
>
>
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: xkoren_at_EXAMPLE.LOCAL
>
> Issued Expires Principal
> Jan 29 13:26:54 Jan 29 23:26:54 HTTP/squid2_at_EXAMPLE.LOCAL
>
>
> and I get the following error:
>
> 2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
> 2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32
> 'negotiate_wrapper_auth' processes
> 2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
> 2013/01/29 13:36:30| negotiate_wrapper: NTLM command:
> /usr/local/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
> 2013/01/29 13:36:30| negotiate_wrapper: Kerberos command:
> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> 2013/01/29 13:36:30| negotiate_wrapper: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> (length: 59).
> 2013/01/29 13:36:30| negotiate_wrapper: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> length: 40).
> 2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
> negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30|
> negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> 2013/01/29 13:36:30| negotiate_wrapper: Return 'TT
> TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
> '
> 2013/01/29 13:36:30| negotiate_wrapper: Got 'KK
> 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'
> from squid (length: 571).
> 2013/01/29 13:36:30| negotiate_wrapper: Decode
> 'TlRMTVNTUAADAAAAGAAYAHwAAAAGAQYBlAAAAAgACABYAAAAEAAQAGAAAAAMAAwAcAAAABAAEACaAQAAFYKI4gYBsR0AAAAPgUvYFXzvBnilZfvLSfLzUE0ARABQAFQAdQB6AGkAdgBhAHQAZQBsAE8AUABJAFMATgBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOVyvgVb93T48t/OT6r29XQBAQAAAAAAAF/s0kMd/s0BRgY0Vi13cR0AAAAAAgAIAE0ARABQAFQAAQAMAFMAUQBVAEkARAAyAAQAHAB0AGUAbABlAGMAbwBtAC4AZwBvAHYALgBzAGsAAwAqAHMAcQB1AGkAZAAyAC4AdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAgAMAAwAAAAAAAAAAEAAAAAEAAAlgAoFHA9U+vb8UFwVQMvpx50bpEtKKqtZSzHIFFAsDkKABAAAAAAAAAAAAAAAAAAAAAAAAkAHABIAFQAVABQAC8AMQAwAC4AMQAuADgALgAzADEAAAAAAAAAAAD9G0LzjgxFX4gXbxAPqzuD'
> (decoded length: 426).
> 2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
> 2013/01/29 13:36:30| negotiate_wrapper: Return 'NA =
> NT_STATUS_UNSUCCESSFUL
>
> I tried Google, but I cannot resolve the problem. Please could you be
> so kind as to point me in the right direction?
>
> Thank you very much in advance.
>
> regards,
>
> lk
>
Received on Wed Jan 30 2013 - 23:17:13 MST
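Markus's point is that the negotiate_wrapper log already shows which mechanism the client picked: the tokens above begin with "TlRMTVNTUAA", which is "NTLMSSP\0" in base64, so the client never sent a Kerberos token. The Python below is an added example, not part of this thread or of Squid; it decodes the YR and TT tokens quoted in the log (joined from their wrapped form), reports the NTLMSSP message type and flags, the client OS version carried in the type 1 token and the target name in the type 2 token, and recognises a GSS-API token (what a Kerberos-capable client sends) by its header OID, demonstrated with a constructed SPNEGO header. Field offsets follow the MS-NLMP layout; the OID constants and the sample header are assumptions of this example.

```python
import base64
import re
import struct

NTLMSSP_MAGIC = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER of 1.2.840.113554.1.2.2
NTLMSSP_NEGOTIATE_VERSION = 0x02000000               # flag: Version field is present
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}                 # NegotiateFlags offset per message type

# Squid negotiate helper protocol: "<code> <base64 token>" (YR = first token from the
# client, KK = continuation, TT = challenge returned to the client).
TOKEN_RE = re.compile(r"'(YR|KK|TT) ([A-Za-z0-9+/=]+)")

# Constructed by joining the wrapped negotiate_wrapper lines quoted in the thread.
LOG_LINES = [
    "2013/01/29 13:36:30| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid (length: 59).",
    "2013/01/29 13:36:30| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA'",
]
# Constructed: only the leading bytes of a GSS-API initial context token
# (APPLICATION 0 tag, length, SPNEGO OID), enough to exercise the classifier.
SPNEGO_SAMPLE_B64 = base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()


def describe_token(b64):
    """Classify one Negotiate token and extract what tells NTLM from Kerberos."""
    raw = base64.b64decode(b64)
    info = {"bytes": len(raw)}
    if raw.startswith(NTLMSSP_MAGIC):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info.update(mechanism="NTLMSSP", type=msg_type)
        if msg_type in FLAGS_OFFSET:
            info["flags"] = struct.unpack_from("<I", raw, FLAGS_OFFSET[msg_type])[0]
        if msg_type == 1 and info.get("flags", 0) & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)   # Version field
            info["client_os"] = "%d.%d build %d" % (major, minor, build)
        if msg_type == 2:
            name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)  # TargetNameFields
            info["target_name"] = raw[name_off:name_off + name_len].decode("utf-16-le")
    elif raw[:1] == b"\x60":      # GSS-API framing: SPNEGO or raw Kerberos
        head = raw[:32]
        info["mechanism"] = "SPNEGO" if SPNEGO_OID in head else ("Kerberos" if KRB5_OID in head else "GSS-API")
    else:
        info["mechanism"] = "unknown"
    return info


def audit_log(lines):
    """Return (helper code, token description) for every token in wrapper log lines."""
    return [(m.group(1), describe_token(m.group(2)))
            for line in lines for m in TOKEN_RE.finditer(line)]


if __name__ == "__main__":
    for code, info in audit_log(LOG_LINES):
        print(code, info)
```

A type 1 token reporting "6.1 build 7601" with no GSS-API token before it means the client decided on NTLM up front, which is where Markus suggests looking at the port 88 trace for the Kerberos error.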
