[squid-dev] Testing kerb_auth helper + 2012r2 and bug 4129

Eliezer Croitoru eliezer at ngtech.co.il
Wed Nov 26 21:39:05 UTC 2014


As part of the effort to make it possible to test kerb_auth helpers
and related issues that were reported on the users list, I have built a
testing environment.
The testing environment structure:
- The realm\domain: LOCAL.LAN
- 192.168.11.100 = Windows 8 user in the domain elicro
- 192.168.11.1(master.local.lan) = Windows Server 2012r2, DNS, AD
- 192.168.11.254(proxy1.local.lan) = CentOS 6.6, GW, squid

I am unsure about the details, but as I understood from a nice MS
sysadmin somewhere in a chat, it's very simple to implement.
He explained to me that I only need a basic domain AD (which must have
a DNS) and a basic user.

In: http://bugs.squid-cache.org/show_bug.cgi?id=4129
I responded with an article link:
http://www.theadmin.ru/linux/squid/proksi-server-squid-v-active-directory-s-kerberos-autentifikaciej/
(I have not used the group external_acl just the auth)

Which demonstrates how to make it work with WS 2008r2.
The last article I was reading about the concept was:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

But it's updated to 2013 and leaves a couple of things open which I am
unsure about.

I would like to dedicate this thread for 2012r2 + kerb_auth.

My last debug output after the above-mentioned Russian-language
tutorial was:
2014/11/26 23:35:44 kid1| Starting new negotiateauthenticator helpers...
2014/11/26 23:35:44 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
negotiate_kerberos_auth.cc(212): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
2014/11/26 23:35:44 kid1| Starting new negotiateauthenticator helpers...
2014/11/26 23:35:44 kid1| helperOpenServers: Starting 1/10
'negotiate_kerberos_auth' processes
negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:35:44|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(212): pid=1922 :2014/11/26 23:35:44|
negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=1922 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(311): pid=1922 :2014/11/26 23:35:44|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(321): pid=1922 :2014/11/26 23:35:44|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/11/26 23:35:44 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
negotiate_kerberos_auth.cc(258): pid=1921 :2014/11/26 23:36:01|
negotiate_kerberos_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' from squid
(length: 59).
negotiate_kerberos_auth.cc(311): pid=1921 :2014/11/26 23:36:01|
negotiate_kerberos_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw==' (decoded
length: 40).
negotiate_kerberos_auth.cc(321): pid=1921 :2014/11/26 23:36:01|
negotiate_kerberos_auth: WARNING: received type 1 NTLM token
2014/11/26 23:36:01 kid1| ERROR: Negotiate Authentication validating
user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
##END

Thanks,
Eliezer Croitoru
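
Added example, not part of the original post and not Squid's own code: a small Python check that decodes the token from the helper's "Got 'YR ...'" debug lines and reports whether the client sent NTLMSSP, SPNEGO or raw Kerberos. The names classify_token and summarize are hypothetical, the KK prefix comes from Squid's helper protocol rather than from this log, and the second sample token is constructed.

```python
import base64
import re
import struct
from collections import Counter

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
# \s+ also matches the line break the mail archive put after 'YR'.
GOT_RE = re.compile(r"Got '(?:YR|KK)\s+([A-Za-z0-9+/=]+)'")

def classify_token(b64):
    """Return (kind, detail) for one base64 token from the Negotiate header."""
    raw = base64.b64decode(b64, validate=True)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # 1 = NEGOTIATE
        return ("NTLM", msg_type)
    if len(raw) > 2 and raw[0] == 0x60:  # GSS-API InitialContextToken
        pos = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)  # skip DER length
        hdr = raw[pos:pos + 2]
        if len(hdr) == 2 and hdr[0] == 0x06:  # mechanism OID follows
            oid = raw[pos + 2:pos + 2 + hdr[1]]
            if oid == SPNEGO_OID:
                return ("SPNEGO", None)
            if oid == KRB5_OID:
                return ("KRB5", None)
    return ("UNKNOWN", None)

def summarize(log_text):
    """Count token kinds across all 'Got ...' helper debug lines."""
    return Counter(classify_token(t)[0] for t in GOT_RE.findall(log_text))

# The first token is the one from the log above; the second is constructed
# here (a minimal GSS-API header carrying the SPNEGO OID, not a real ticket).
NTLM_B64 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGA4AlAAAADw=="
SPNEGO_B64 = base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()
SAMPLE_LOG = (
    "negotiate_kerberos_auth: DEBUG: Got 'YR\n" + NTLM_B64 + "' from squid\n"
    "negotiate_kerberos_auth: DEBUG: Got 'YR " + SPNEGO_B64 + "' from squid\n"
)

if __name__ == "__main__":
    print(classify_token(NTLM_B64))      # token kind and NTLM message type
    print(dict(summarize(SAMPLE_LOG)))   # per-kind counts for the sample
```

A log where every token classifies as NTLM, as here, means the client never offered a Kerberos ticket to the proxy, so the place to look is the client side (SPN, DNS name used for the proxy, keytab principal) rather than the helper.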