[squid-users] Re: squid proxy kerberos authentication failure. Help!!!

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 21 Dec 2013 13:33:18 -0000

What is the KVNO and encryption type you see in the capture? You may need
to clear the cache on the XP machine by either locking/unlocking the PC,
logging off/on, or using kerbtray. It could be that XP had an old key cached.

Markus

"flypast" wrote in message news:1387618150867-4663964.post_at_n4.nabble.com...

Hi,
I am working to enable Kerberos authentication for Squid proxy.

My environment is as below:

DC: dc1.deeplayer.com (windows 2008 r2 domain level 2003) IP 10.1.1.91
Squid proxy: centos 6.4 IP 10.1.1.97
Client: windows xp sp3, IE8 IP 10.1.1.211

I have followed the guide at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

I use the CLI below to create the keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.deeplayer.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.deeplayer.com --server dc1.deeplayer.com --verbose --enctypes 28

Everything looks good.

But the authentication failed.

I did a few tests. DNS all works.

[root@proxy01 ~]# klist -etk /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)

I reset the proxy02 account in AD DC.

Then I updated the keytab as below. It looks good as well.
[root@proxy01 squid]# msktutil --auto-update --verbose --computer-name proxy02 -k squid.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 81
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: dc1.deeplayer.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: dc1.deeplayer.com
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-5Mu62Q
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: proxy02$
-- try_machine_keytab_princ: Trying to authenticate for proxy02$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/proxy01.deeplayer.com from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for proxy02$ with password.
-- create_default_machine_password: Default machine password for proxy02$ is proxy02
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4

-- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.deeplayer.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: Administrator@DEEPLAYER.COM
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

-- ldap_get_base_dn: Determining default LDAP base: dc=DEEPLAYER,dc=COM
-- get_default_ou: Determining default OU: CN=Computers,DC=deeplayer,DC=com
-- ldap_check_account: Checking that a computer account for proxy02$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000

-- ldap_check_account: Found supportedEncryptionTypes = 28

-- ldap_check_account: Found dNSHostName = proxy01.deeplayer.com

-- ldap_check_account: Found Principal: HTTP/proxy02.deeplayer.com
-- ldap_check_account: Found User Principal: HTTP/proxy02.deeplayer.com
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache

-- ldap_get_pwdLastSet: pwdLastSet is 130320907474715458
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 130320909218174520
-- set_password: Successfully reset computer's password
-- execute: Updating all entries for proxy01.deeplayer.com in the keytab WRFILE:squid.keytab

-- update_keytab: Updating all entires for proxy02$
-- ldap_get_kvno: KVNO is 12
-- add_principal_keytab: Adding principal to keytab: proxy02$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/proxy02.deeplayer.com
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of DEEPLAYER.COMhostproxy02.deeplayer.com
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context
[root@proxy01 squid]# klist -ekt squid.keytab
Keytab name: FILE:squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (arcfour-hmac)
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
  12 12/21/13 20:15:26 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)

The squid logs:

2013/12/21 19:48:33| squid_kerb_auth: DEBUG: Got 'YR <base64 Negotiate token omitted>' from squid (length: 1751).
2013/12/21 19:48:33| squid_kerb_auth: DEBUG: Decode '<base64 Negotiate token omitted>' (decoded length: 1311).
2013/12/21 19:48:33| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information.
2013/12/21 19:48:33| squid_kerb_auth: INFO: User not authenticated
2013/12/21 19:48:33| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '

I have performed a packet capture on the WinXP client. From the packet
capture I can see
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663964/01.png>

However, I checked the key info in the authentication reply from the client to
the Squid proxy server. I found that the KVNO version is different and the encryption
type is different. But I don't know what causes this. Please help!!!
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4663964/02.png>

[root@proxy01 ~]# klist -etk /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 proxy02$@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes128-cts-hmac-sha1-96)
   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)

The content of my squid.conf file:
[root@proxy01 ~]# more /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -d -i -s HTTP/proxy02.deeplayer.com@DEEPLAYER.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost
http_access allow ad_auth
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-proxy-kerberos-authentication-failure-Help-tp4663964.html
Sent from the Squid - Users mailing list archive at Nabble.com. 
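Markus's question comes down to comparing the KVNO and enctype inside the ticket the XP client presented with the keys in squid.keytab. The script below is an added example, not code from this thread, from Squid or from msktutil: it walks the DER of a base64 Negotiate token (SPNEGO-wrapped or raw Kerberos AP-REQ, using the standard SPNEGO and Kerberos mechanism OIDs) down to the ticket's EncryptedData, reads [0] etype and [1] kvno, and checks whether a `klist -ekt` listing contains a matching key for the HTTP/ SPN. The function names, the token builder and the klist excerpt are constructed for illustration, and the DER walker assumes single-byte tags, which is all Kerberos tokens use.

```python
import base64, re

SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
ETYPES = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96", 0x17: "arcfour-hmac"}
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)")  # one 'klist -ekt' row
SAMPLE_KLIST = """   8 12/21/13 19:32:36 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (arcfour-hmac)
  12 12/21/13 20:15:26 HTTP/proxy02.deeplayer.com@DEEPLAYER.COM (aes256-cts-hmac-sha1-96)
"""                                              # constructed excerpt in the thread's format
def children(buf):
    """Split a DER constructed value into (tag, value) pairs; handles long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                 # long-form length, seen in real tokens
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out
def child(buf, tag):
    return next(v for t, v in children(buf) if t == tag)   # value of first child with this tag
def ticket_enc_part(token):
    """Return (kvno, enctype) of the service ticket inside a Negotiate token."""
    body = child(token, 0x60)                             # GSS InitialContextToken
    if child(body, 0x06) == SPNEGO_OID:                   # SPNEGO: unwrap NegTokenInit.mechToken
        return ticket_enc_part(child(child(child(child(body, 0xA0), 0x30), 0xA2), 0x04))
    apreq = child(child(body, 0x6E), 0x30)  # AP-REQ; the 01 00 TOK_ID parses as an empty BOOLEAN
    ticket = child(child(child(apreq, 0xA3), 0x61), 0x30)
    enc = child(child(ticket, 0xA3), 0x30)                # EncryptedData: [0] etype, [1] kvno
    etype, kvno = (int.from_bytes(child(child(enc, t), 0x02), "big") for t in (0xA0, 0xA1))
    return kvno, ETYPES.get(etype, hex(etype))
def keytab_entries(klist_output):
    """Parse 'klist -ekt' text into a set of (principal, kvno, enctype)."""
    return {(m.group(2), int(m.group(1)), m.group(3))
            for m in map(KLIST_LINE.match, klist_output.splitlines()) if m}
def check_token(token_b64, klist_output, spn):
    """(kvno, enctype, found); found is False when the keytab has no matching key."""
    kvno, etype = ticket_enc_part(base64.b64decode(token_b64))
    return kvno, etype, (spn, kvno, etype) in keytab_entries(klist_output)
def tlv(tag, body):
    return bytes([tag, len(body)]) + body                 # short-form DER, sample only
def sample_token(kvno, etype):
    """Constructed SPNEGO/AP-REQ with dummy ciphertext; not a real capture."""
    enc = tlv(0xA0, tlv(0x02, bytes([etype]))) + tlv(0xA1, tlv(0x02, bytes([kvno]))) + tlv(0xA2, tlv(0x04, bytes(16)))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA1, tlv(0x1B, b"DEEPLAYER.COM")) + tlv(0xA3, tlv(0x30, enc))))
    apreq = tlv(0x6E, tlv(0x30, tlv(0xA1, tlv(0x02, b"\x0e")) + tlv(0xA3, ticket)))
    krb = tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + apreq)
    spnego = tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30, tlv(0xA2, tlv(0x04, krb)))))
    return base64.b64encode(spnego).decode()
```

A False result with a kvno below the keytab's current one is the stale-ticket case Markus describes (the client cached a ticket issued against the old key); a kvno the keytab does have but with an enctype it lacks points at the enctype set instead.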
Received on Sat Dec 21 2013 - 13:33:42 MST

This archive was generated by hypermail 2.2.0 : Sun Dec 22 2013 - 12:00:04 MST