Re: [squid-users] Re: Squid 3.2 kerberos authentication

From: Ludovit Koren <ludovit.koren_at_gmail.com>
Date: Fri, 01 Feb 2013 14:14:30 +0100 (CET)

>>>>> On Wed, 30 Jan 2013 23:16:46 -0000
>>>>> huaraz_at_moeller.plus.com("Markus Moeller") said:
>
> Hi Ludovit,
>
> As background information the Negotiate protocol is a protocol which
> can handle Kerberos and NTLM tokens and the client decides based on
> its configuration (and Active Directory) if Kerberos or NTLM will be
> used. Usually if Kerberos is not correctly set up the client will use
> NTLM. What you are seeing is that the client uses NTLM and
> squid/samba/ntlm_auth seems to not allow it. Is your NTLM setup
> working?
>

It used to, but 10 days ago I got the following error in the log and
it stopped working:

2013/01/22 11:04:20| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Login for user [<domain>]\[<loginname>]@[<machinename>] failed due to [Access denied]
NTLMSSP BH: NT_STATUS_ACCESS_DENIED

I must change it to LDAP authentication.

Afterwards, I started configuring Kerberos authentication. (Do you
know about some security patches from MS that could change the behavior?)

> To check why the client uses NTLM look at a Network trace on port
> 88. You should see a Kerberos AS request/AS reply followed by a TGS
> request/TGS reply. Have a look at the TGS reply details. I assume in
> your case it contains an error message.
>

Could you please specify the MS client configuration? (I have a hard
time with the Windows people to get it working...)

lk

> Markus
>
> "Ludovit Koren" <ludovit.koren_at_gmail.com> wrote in message
> news:20130129.134941.1568838937885763075.koren_at_tempest.sk...
> >
> > Hi,
> >
> > I am using FreeBSD 8.1, samba 3.6.9 and squid 3.2.6.
> >
> > The /etc/krb5.conf file:
> >
> > [logging]
> > default = FILE:/var/log/krb.log
> > kdc = FILE:/var/log/krb.log
> > admin_server = FILE:/var/log/krb.log
> > default_keytab_name = /usr/local/etc/squid/HTTP.keytab
> >
> > [libdefaults]
> > default_realm = MDPT.LOCAL
> > dns_lookup_realm = no
> > dns_lookup_kdc = no
> > ticket_lifetime = 24h
> > forwardable = yes
> > default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> > permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >
> > [realms]
> > EXAMPLE.LOCAL = {
> > kdc = ads01.example.local:88
> > admin_server = ads01.example.local:464
> > default_domain = EXAMPLE.LOCAL
> > }
> >
> > [domain_realm]
> > .domain.local = EXAMPLE.LOCAL
> > domain.local = EXAMPLE.LOCAL
> >
> > [appdefaults]
> > pam = {
> > ticket_lifetime = 1d
> > renew_lifetime = 1d
> > forwardable = true
> > proxiable = false
> > retain_after_close = false
> > minimum_uid = 1
> > }
> >
> >
> >
> > # klist
> > Credentials cache: FILE:/tmp/krb5cc_0
> > Principal: xkoren_at_EXAMPLE.LOCAL
> >
> > Issued Expires Principal
> > Jan 29 13:26:54 Jan 29 23:26:54 HTTP/squid2_at_EXAMPLE.LOCAL
> >
> >
> > and I get the following error:
> >
> > 2013/01/29 13:36:30 kid1| Starting new negotiateauthenticator helpers...
> > 2013/01/29 13:36:30 kid1| helperOpenServers: Starting 1/32
> > negotiate_wrapper_auth' processes
> > 2013/01/29 13:36:30 kid1| WARNING: no_suid: setuid(0): (1) Operation
> > not permitted
> > 2013/01/29 13:36:30| negotiate_wrapper: Starting version 1.0.1
> > 2013/01/29 13:36:30| negotiate_wrapper: NTLM command:
> > /usr/local/bin/ntlm_auth --diagnostics
> > --helper-protocol=squid-2.5-ntlmssp
> > 2013/01/29 13:36:30| negotiate_wrapper: Kerberos command:
> > /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
> > 2013/01/29 13:36:30| negotiate_wrapper: Got 'YR
> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
> > (length: 59).
> > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> > TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
> > length: 40).
> > 2013/01/29 13:36:30| negotiate_wrapper: received type 1 NTLM token
> > negotiate_kerberos_auth.cc(271): pid=93059 :2013/01/29 13:36:30|
> > negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> > 2013/01/29 13:36:30| negotiate_wrapper: Return 'TT
> > TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9NAEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcAbwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA
> > '
> > 2013/01/29 13:36:30| negotiate_wrapper: Got 'KK
> > [...]'
> > from squid (length: 571).
> > 2013/01/29 13:36:30| negotiate_wrapper: Decode
> > [...]'
> > (decoded length: 426).
> > 2013/01/29 13:36:30| negotiate_wrapper: received type 3 NTLM token
> > 2013/01/29 13:36:30| negotiate_wrapper: Return 'NA =
> > NT_STATUS_UNSUCCESSFUL
> >
> > I tried google, but I cannot resolve the problem. Please could you be
> > so kind as far as to point me in the right direction?
> >
> > Thank you very much in advance.
> >
> > regards,
> >
> > lk
> >
>
>
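As an added example (not code from this thread, from Squid or from its negotiate_wrapper/ntlm_auth helpers), the Python script below decodes the base64 blobs that negotiate_wrapper logs in the quoted message and reports whether the client sent a raw NTLMSSP message or a GSS-API token carrying SPNEGO or Kerberos, which is what decides whether the request ends up at ntlm_auth or at negotiate_kerberos_auth. The type 1 (client) and type 2 (server challenge) tokens are copied from the log above; the SPNEGO and Kerberos samples are constructed here, and the field layout follows MS-NLMP and RFC 2743, not the helpers' own source.

```python
"""Classify and decode the tokens negotiate_wrapper logs (added example, not Squid code)."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# AV_PAIR ids in the TargetInfo block of a type 2 message (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp"}

# Tokens copied from the negotiate_wrapper log in the quoted message
TYPE1_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
TYPE2_TOKEN = ("TlRMTVNTUAACAAAACAAIADgAAAAVgoniY4vxELxfaaEAAAAAAAAAAG4AbgBAAAAABgEAAAAAAA9N"
               "AEQAUABUAAIACABNAEQAUABUAAEADABTAFEAVQBJAEQAMgAEABwAdABlAGwAZQBjAG8AbQAuAGcA"
               "bwB2AC4AcwBrAAMAKgBzAHEAdQBpAGQAMgAuAHQAZQBsAGUAYwBvAG0ALgBnAG8AdgAuAHMAawAAAAAA")


def _gss_token(mech_oid, inner_token):
    """Wrap a mech OID and inner token in a GSS-API InitialContextToken (constructed sample)."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner_token
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()


# Constructed samples of what a Kerberos-capable client would send instead of NTLMSSP
SPNEGO_SAMPLE = _gss_token(OID_SPNEGO, b"\xa0\x02\x30\x00")
KRB5_SAMPLE = _gss_token(OID_KRB5, b"\x01\x00")


def _der_skip_length(buf, pos):
    """Return the position just after the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_token(token_b64):
    """Return 'ntlmssp', 'spnego', 'kerberos' or 'unknown' for a base64 token from the log."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"
    # GSS-API InitialContextToken: [APPLICATION 0] tag 0x60, DER length, then the mech OID
    if raw[:1] == b"\x60":
        pos = _der_skip_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            oid_len = raw[pos + 1]
            oid = raw[pos + 2:pos + 2 + oid_len]
            if oid == OID_SPNEGO:
                return "spnego"
            if oid == OID_KRB5:
                return "kerberos"
    return "unknown"


def _read_field(raw, pos):
    """Read an NTLM (Len, MaxLen, Offset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    return raw[offset:offset + length]


def parse_ntlm(token_b64):
    """Decode an NTLMSSP message; for type 2 also return the server's TargetName and TargetInfo."""
    raw = base64.b64decode(token_b64)
    if not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    result = {"type": msg_type, "length": len(raw)}
    if msg_type == 2:
        result["target_name"] = _read_field(raw, 12).decode("utf-16-le")
        result["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info, pos, pairs = _read_field(raw, 40), 0, {}
        while pos + 4 <= len(info):
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            pos += 4
            if av_id == 0:          # MsvAvEOL terminates the list
                break
            value = info[pos:pos + av_len]
            pos += av_len
            name = AV_NAMES.get(av_id, "av%d" % av_id)
            pairs[name] = value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5) else value.hex()
        result["target_info"] = pairs
    return result


if __name__ == "__main__":
    for label, tok in (("log type 1", TYPE1_TOKEN), ("log type 2", TYPE2_TOKEN),
                       ("constructed", SPNEGO_SAMPLE), ("constructed", KRB5_SAMPLE)):
        kind = classify_token(tok)
        print(label, kind, parse_ntlm(tok) if kind == "ntlmssp" else "")
```

Seeing a type 1 NTLMSSP message in a Negotiate exchange, as the quoted log does, tells you the client never obtained a Kerberos service ticket for the proxy; the proxy-side log cannot say why, so the port 88 trace suggested above (AS/TGS exchange and any KRB-ERROR in the TGS reply) is the next place to look.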
Received on Fri Feb 01 2013 - 13:14:43 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 03 2013 - 12:00:06 MST