I would expect that a proxy Negotiate auth request creates a popup into
which you can type your username as user_at_domain and your domain password.
If your home PC points to the corporate WINS server via the VPN your PC
will get the domain controller name to authenticate you against.
Markus
"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
news:51EDE943.6030101_at_treenet.co.nz...
> On 23/07/2013 1:50 p.m., Brendan Kearney wrote:
>> On Tue, 2013-07-23 at 00:07 +0100, Markus Moeller wrote:
>>> Hi Eugene,
>>>
>>> Looks like an interesting problem. Can you wireshark the traffic on
>>> your
>>> home machine on port 88 ( Kerberos ). If the negotiate wrapper says you
>>> got
>>> a Kerberos token you should see traffic on port 88.
>>>
>>> Markus
>>>
>>>
>>> "Eugene M. Zheganin" <emz_at_norma.perm.ru> wrote in message
>>> news:51ED7F3B.3080501_at_norma.perm.ru...
>>>> Hi.
>>>>
>>>> I'm still getting issues with squid 3.3.x. :) I don't want to misreport
>>>> any of the issues, thus making the developers to do some extra work,
>>>> instead of just answering in the maillist, so I decided to ask here
>>>> first.
>>>> (Once again: I use squid in the corporate AD environment, lots of
>>>> domain
>>>> controllers, ldap, all the stuff). Everything is fine about domain
>>>> members
>>>> and everything is fine about basic auth from various software running
>>>> on
>>>> these domain members machines. But. I have a home machine, and it seems
>>>> like there's no way of letting it throught the VPNed proxies: they
>>>> refuse
>>>> to authenticate this machine. I tried to use a SPNEGO/NTLM proxy with a
>>>> kerberos_ldap_group helper, and I tried different proxy with NTLM auth
>>>> and
>>>> the good ol squid_ldap_group helper. I tried chrome/FF, they behave
>>>> identically. On the SPNEGO/NTLM proxy I'm getting (lots of these):
>>>>
>>>> ===Cut===
>>>> 2013/07/23 00:40:18| negotiate_wrapper: Got 'YR
>>>> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAN05UVacRCxcGu+HRovNodg9kxO5KzyBFBwm/EkKTwW6F/WWzC6Av1PmXT1oFIorlAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>>>> from squid (length: 219).
>>>> 2013/07/23 00:40:18| negotiate_wrapper: Decode
>>>> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAN05UVacRCxcGu+HRovNodg9kxO5KzyBFBwm/EkKTwW6F/WWzC6Av1PmXT1oFIorlAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>>>> (decoded length: 161).
>>>> 2013/07/23 00:40:18| negotiate_wrapper: received Kerberos token
>>>> negotiate_kerberos_auth.cc(315): pid=95629 :2013/07/23 00:40:18|
>>>> negotiate_kerberos_auth: DEBUG: Got 'YR
>>>> YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAN05UVacRCxcGu+HRovNodg9kxO5KzyBFBwm/EkKTwW6F/WWzC6Av1PmXT1oFIorlAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>>>> from squid (length: 219).
>>>> negotiate_kerberos_auth.cc(378): pid=95629 :2013/07/23 00:40:18|
>>>> negotiate_kerberos_auth: DEBUG: Decode
>>>> 'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAN05UVacRCxcGu+HRovNodg9kxO5KzyBFBwm/EkKTwW6F/WWzC6Av1PmXT1oFIorlAAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
>>>> (decoded length: 161).
>>>> negotiate_kerberos_auth.cc(200): pid=95629 :2013/07/23 00:40:18|
>>>> negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed: No
>>>> credentials
>>>> were supplied, or the credentials were unavailable or inaccessible..
>>>> unknown mech-code 0 for mech unknown
>>>> 2013/07/23 00:40:18| negotiate_wrapper: Return 'BH gss_acquire_cred()
>>>> failed: No credentials were supplied, or the credentials were
>>>> unavailable
>>>> or inaccessible.. unknown mech-code 0 for mech unknown'
>>>> 2013/07/23 00:40:18 kid1| ERROR: Negotiate Authentication validating
>>>> user.
>>>> Error returned 'BH gss_acquire_cred() failed: No credentials were
>>>> supplied, or the credentials were unavailable or inaccessible.. unknown
>>>> mech-code 0 for mech unknown'
>>>> ===Cut===
>>>>
>>>> In the wireshark I see that NTLM/SPNEGO authentication is running and
>>>> the
>>>> client machine is sending authentication back to the proxy, but for
>>>> some
>>>> reason squid doesn't think they are valid, so squid just answers with
>>>> 407.
>>>> Is this a bug, or, again, some misconfiguration ?
>>>>
>>>> Thanks.
>>>> Eugene.
>>>>
>>>
>> your "home machine", is it part of the domain that the work proxies are
>> authenticating against? You would never be able to retrieve a kerberos
>> ticket from the domain to use for authentication to the proxies if your
>> home machine is not part of the domain. as for ntlm, you should be able
>> to use the proxies if they force auth and support ntlm.
>
> NOTE: but only with NTLMv1 or older LanManager protocols, which are
> terribly insecure. NTLMv2 with any kind of security has the same domain
> membership limits as Kerberos (or slighty worse - one must be actively
> connected to the domain).
>
> Amos
>
Received on Tue Jul 23 2013 - 19:55:22 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 24 2013 - 12:00:43 MDT