[squid-users] Re: Kerberos with 2008/2003 DC

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 8 May 2013 21:08:15 +0100

Does IE have Integrated Windows Authentication enabled? Can you get a Wireshark
capture from your Windows machine on port 88?

Markus

"SPG" <spggps8.2_at_gmail.com> wrote in message
news:1367914304369-4659821.post_at_n4.nabble.com...
> Many thanks Markus, and sorry for my long delay in answering, but I didn't
> know enough to reply to you.
> I read a lot of posts and I checked my configuration, and I think that now
> I can reply to you.
> My configuration
>
> [logging]
> default = FILE:/var/log/krb/krb5libs.log
> kdc = FILE:/var/log/krb/krb5kdc.log
> admin_server = FILE:/var/log/krb/kadmind.log
>
> [libdefaults]
> default_realm = ABG.CORP
> default_tgs_enctypes = rc4-hmac
> default_tkt_enctypes = rc4-hmac
>
> [realms]
> ABG.CORP = {
> default_domain = abg.corp
> kdc = XXXXXXX.abg.corp:88
> kdc = XXXXXXX.abg.corp:88
> admin_server = XXXXX.abg.corp:749
> }
>
> [domain_realm]
> .abg.corp = ABG.CORP
> abg.corp = ABG.CORP
>
> -rw-r----- 1 root squid 75 may 6 12:23 squid_w2008.keytab
>
> kinit works properly for kdc and admin_server with 2003 and 2008
>
> [root@proxyprueba ~]# kinit -V -kt /etc/squid/squid_w2008.keytab HTTP/proxyprueba.abg.corp
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/proxyprueba.abg.corp@ABG.CORP
> Using keytab: /etc/squid/squid_w2008.keytab
> Authenticated to Kerberos v5
>
> and I view the ticket
>
> [root@proxyprueba ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/proxyprueba.abg.corp@ABG.CORP
>
> Valid starting     Expires            Service principal
> 05/07/13 09:32:53  05/07/13 19:33:15  krbtgt/ABG.CORP@ABG.CORP
>         renew until 05/08/13 09:32:53
>
> All DNS resolution is good
>
> direct --> proxyprueba.abg.corp. 3600 IN A 10.155.196.29
>
> reverse --> 29.196.155.10.in-addr.arpa. 3600 IN PTR proxyprueba.abg.corp.
>
> with DC is the same.
>
> I configure the client (Windows XP and IE8) with the proxy name and port
> 8080. If I don't put authentication, the client has internet; if I put
> authentication, it doesn't have internet.
> I list all tickets on the client with kerbtray and never see
> HTTP/proxyprueba.abg.corp@ABG.CORP. I capture the traffic between
>
> with DC is the same.
>
> I configured the client (Windows XP and IE8) with the proxy name and port
> 8080, with proxypack (url). If I don't put authentication, the client has
> internet; if I put authentication, it doesn't have internet.
> I list all tickets on the client with kerbtray and never see
> HTTP/proxyprueba.abg.corp@ABG.CORP. I capture the traffic between proxy
> and client and only see this
>
> Hypertext Transfer Protocol
> HTTP/1.0 407 Proxy Authentication Required\r\n
> [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy Authentication
> Required\r\n]
> [Message: HTTP/1.0 407 Proxy Authentication Required\r\n]
> [Severity level: Chat]
> [Group: Sequence]
> Request Version: HTTP/1.0
> Status Code: 407
> Response Phrase: Proxy Authentication Required
> Server: squid/3.1.10\r\n
> Mime-Version: 1.0\r\n
> Date: Tue, 07 May 2013 06:53:18 GMT\r\n
> Content-Type: text/html\r\n
> Content-Length: 3931\r\n
> [Content length: 3931]
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
> Vary: Accept-Language\r\n
> Content-Language: es\r\n
> Proxy-Authenticate: Negotiate\r\n
> X-Cache: MISS from proxyprueba.abg.corp\r\n
> X-Cache-Lookup: NONE from proxyprueba.abg.corp:8080\r\n
> Via: 1.0 proxyprueba.abg.corp (squid/3.1.10)\r\n
> Connection: keep-alive\r\n
>
>
> After NTLM requirement
>
> Can you help me? Now, I think that all is correct.
>
> A lot of thanks.
>
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Kerberos-with-2008-2003-DC-tp4659198p4659821.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
Received on Wed May 08 2013 - 20:08:37 MDT
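
The capture quoted in this message ends at Squid's `407` with `Proxy-Authenticate: Negotiate`; the follow-up question is what the browser sends back in `Proxy-Authorization`. The Python below is an added example, not part of the original thread or of Squid: it classifies a Negotiate value as Kerberos or NTLM by reading the GSS-API/SPNEGO mechanism OID. The function names are hypothetical, the OIDs are the well-known mechanism identifiers, and the sample values are constructed.

```python
import base64

# Mechanism OIDs as DER content bytes (well-known values, not from the thread).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify(header_value):
    """Classify a Proxy-Authorization value: 'kerberos', 'ntlm' or 'other'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):  # raw NTLM sent under Negotiate
            return "ntlm"
        # 0x60 GSS wrapper, mech OID; if SPNEGO: [0], SEQ, [0], SEQ, first mechType.
        pos, mech = 0, b""
        for expected in (0x60, 0x06, 0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, start, end = read_tlv(token, pos)
            if tag != expected:
                return "other"
            pos = end if tag == 0x06 else start  # skip OIDs, descend containers
            if tag == 0x06:
                mech = token[start:end]
                if mech != OID_SPNEGO:
                    break
    except (ValueError, IndexError):
        return "other"
    return {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}.get(mech, "other")

def der(tag, value):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(value)]) + value

def constructed_headers():
    """Constructed Negotiate values (no real ticket data), one per outcome."""
    mechs = der(0x30, b"".join(der(0x06, o) for o in (OID_MS_KRB5, OID_NTLMSSP)))
    spnego = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, mechs))))
    raws = {"kerberos": spnego, "ntlm": b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)}
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in raws.items()}
```

Pass it the `Proxy-Authorization` value copied from a capture of the client's second request; an `ntlm` result means the browser did not obtain a service ticket for the proxy.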

This archive was generated by hypermail 2.2.0 : Thu May 09 2013 - 12:00:07 MDT