[squid-users] Eliminate PopUP authentication for web Windows Users

From: Carlos Daniel Perez <krlosdaniel21_at_gmail.com>
Date: Fri, 22 Mar 2013 16:22:35 -0430

Hi,

I configured Squid with Kerberos authentication, but when a client with
Windows 7 tries to browse the web, this appears:

==> /var/log/squid3/cache.log <==
2013/03/22 16:07:09| negotiate_wrapper: Got 'YR
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
from squid (length: 219).
2013/03/22 16:07:09| negotiate_wrapper: Decode
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
(decoded length: 161).
2013/03/22 16:07:09| negotiate_wrapper: received Kerberos token
2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Got 'YR
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
from squid (length: 219).
2013/03/22 16:07:09| squid_kerb_auth: DEBUG: Decode
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
(decoded length: 161).
2013/03/22 16:07:09| squid_kerb_auth: ERROR: gss_accept_sec_context()
failed: An unsupported mechanism was requested.
2013/03/22 16:07:09| negotiate_wrapper: Return 'BH
gss_accept_sec_context() failed: An unsupported mechanism was
requested.
'
2013/03/22 16:07:09| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: An unsupported mechanism was
requested. '

If I enter the username (in the format username and not in the Domain\username
format) everything is fine and the client can browse... but I need authentication
without a popup...

If a Windows XP client tries to browse, this error appears:

==> /var/log/squid3/cache.log <==
2013/03/22 16:07:39| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
from squid (length: 231).
2013/03/22 16:07:39| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACqAAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEAVABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M='
(decoded length: 170).
2013/03/22 16:07:39| negotiate_wrapper: received type 120 NTLM token
2013/03/22 16:07:39| negotiate_wrapper: Return 'NA = NT_STATUS_UNSUCCESSFUL

It doesn't work if I enter the username as with Windows 7...

The first lines of my squid.conf are:

### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
        --ntlm /usr/bin/ntlm_auth --diagnostics \
        --helper-protocol=squid-2.5-ntlmssp --domain=ENT \
        --kerberos /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squid-proxy.enterprise.com
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics \
        --helper-protocol=squid-2.5-ntlmssp --domain=ENT
auth_param ntlm children 10
auth_param ntlm keep_alive off

auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
        -b dc=enterprise,dc=com \
        -D soporte_at_enterprise.com \
        -w 12345 \
        -f sAMAccountName=%s \
        -h svq-wsus.enterprise.com
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

external_acl_type internet_users %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S \
        -b dc=enterprise,dc=com \
        -D soporte_at_enterprise.com \
        -w 12345 \
        -f (&(objectclass=person)(sAMAccountName=%v)(memberof=ou=%a,ou=Vip,dc=enterprise,dc=com)) \
        -h svq-wsus.enterprise.com

I created my .keytab without problems following these guides:

http://www.howtoforge.com/debian-squeeze-squid-kerberos-ldap-authentication-active-directory-integration-and-cyfin-reporter
and http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Why do these errors happen? PS: My domain is ENTERPRISE.COM and the
users use ENT\username to access domain and network resources...

Thank you very much!
Received on Fri Mar 22 2013 - 20:52:44 MDT

This archive was generated by hypermail 2.2.0 : Sat Mar 23 2013 - 12:00:05 MDT
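What the two tokens in the cache.log excerpts above actually carry, as an added diagnostic example (my own code, not part of the post, of Squid or of negotiate_wrapper). It classifies a Proxy-Authorization: Negotiate token the way the helper chain has to: a raw NTLMSSP message is recognised by its "NTLMSSP\0" signature and its message type is read, otherwise the token is parsed as a GSS-API InitialContextToken carrying a SPNEGO NegTokenInit and the offered mechanisms are read from its mechTypes list. The two base64 strings are copied from the log (the "YR "/"KK " helper-protocol prefix and the mail line wrap removed); the OID table and the small DER walker are the example's own. For the Windows 7 token it reports NEGOEX and NTLMSSP only, with no Kerberos OID (1.2.840.113554.1.2.2 or 1.2.840.48018.1.2.2) in the list, which is the condition squid_kerb_auth reports as "An unsupported mechanism was requested": a Windows client sends such a token when it could not obtain a Kerberos service ticket for the proxy's SPN and falls back to NTLM inside SPNEGO. The XP token is a bare NTLMSSP AUTHENTICATE (type 3) message and never reaches the Kerberos helper at all.

```python
"""Classify the Negotiate tokens from the cache.log excerpts above.

Added example; not code from the post, from Squid or from negotiate_wrapper.
The two base64 tokens are copied from the log; everything else is the
example's own.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Tokens copied from the cache.log lines above.
WIN7_TOKEN = (
    "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
    "AAAAAAAAAABgAAAAcAAAALv3Bs/GeImNryJCPliRU4J64wGv+JW11hiPEZ3knb5360uTrKKtHBe8"
    "GVif0T00OwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo="
)
WINXP_TOKEN = (
    "TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAYABgBIAAAAEgASAE4AAAAaABoAYAAAAAAAAACq"
    "AAAABYKIogUBKAoAAAAPUwBWAFEAZABwAGEAbABhAGMAaQBvAHMAQwAtAEkATgBGAE8AUgBNAEEA"
    "VABJAEMAQQCnfWU6vlE1SAAAAAAAAAAAAAAAAAAAAACf6zTftZnnH1TtUXw/0u3x1D7nej1u78M="
)


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it).

    Short and long definite lengths are handled, which is all SPNEGO uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(b64):
    """Return what kind of token the browser sent and what it offers."""
    token = base64.b64decode(b64)

    # Bare NTLMSSP, as older clients (and negotiate_wrapper) treat it.
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little")
        return {"kind": "raw-ntlmssp",
                "ntlm_type": NTLM_MESSAGE_TYPES.get(msg_type, msg_type)}

    # GSS-API InitialContextToken: [APPLICATION 0] { OID, innerToken }
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_raw, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_raw) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, neg_token_init, _ = read_tlv(body, pos)  # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = read_tlv(neg_token_init, 0)        # SEQUENCE of fields

    offered = []
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID
            _, mech_seq, _ = read_tlv(field, 0)
            mpos = 0
            while mpos < len(mech_seq):
                _, oid_raw, mpos = read_tlv(mech_seq, mpos)
                offered.append(decode_oid(oid_raw))
        # [1] reqFlags, [2] mechToken, [3] mechListMIC are not needed here.

    return {"kind": "spnego-init",
            "mechs": [MECH_NAMES.get(o, o) for o in offered],
            "offers_kerberos": bool(KERBEROS_OIDS & set(offered))}


if __name__ == "__main__":
    for name, tok in (("Windows 7", WIN7_TOKEN), ("Windows XP", WINXP_TOKEN)):
        print(name, classify_negotiate_token(tok))
```

The same decoder works on any "Negotiate ..." value copied from a helper debug line or a packet capture; a NegTokenInit whose mechs list lacks both Kerberos OIDs is the thing to look for when a supposedly Kerberos-capable client is being rejected by the Kerberos helper, because it means the fallback to NTLM happened on the client before Squid ever saw the request.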