[squid-users] Kerberos Authentication Failing for Windows 7+with BH gss_accept_sec_context() failed

Markus Moeller huaraz at moeller.plus.com
Sat Nov 1 13:11:37 UTC 2014 

Hi Pedro,

    I looked at your captures and I observed something similar to Victor’s issue.   I see KRB5KRB_AP_ERR_MODIFIED and then the use of the name of the AD object (e.g. proxy$) instead of HTTP/<proxy fqdn>.   I also see that you have more than one AD server and I assume there is a sync problem between your AD servers ( You said it start working after removing an unused AD  server which would support y assumption). 

Regards
Markus

"Pedro Lobo" <palobo at gmail.com> wrote in message news:09275CEC-ABC1-4BC6-B4F3-546E8C5D3B7E at gmail.com...
Hi Markus, 

When I get in to the office tomorrow, I'll do that and send you the .cap file. Thanks for all the help so far. 

Pedro Lobo

On 27 Oct 2014, at 20:53, Markus Moeller <huaraz at moeller.plus.com> wrote:


  Hi Pedro,

     Can you capture the traffic from one Windows 7 on XP client on port 88 ( just after the login before access a website via squid until successful or unsuccessful accessing the website) using wireshark ?   Send me the .cap files to check.

  Markus

  "Pedro Lobo" <palobo at gmail.com> wrote in message news:b4adceec-5a53-4212-b16c-106237fc4504 at Pedros-iPhone...
  Hi Markus Moeller,


  Hi Markus,

  Yeah, I'm currently using that option and permissions are correct too. 

  On 27 Oct 2014 19:47, Markus Moeller wrote: 


    Hi Pedro,

      Did you try the –s GSS_C_NO_NAME option ?

    Markus

    "Pedro Lobo" <palobo at gmail.com> wrote in message news:94F74226-F24B-4910-95B7-B86ACE815995 at gmail.com...
    Hey Everybody,

    Seems as though I celebrated too soon on Saturday. Today things are back to not working for Windows 7+ machines and XP/2003 machines are working just fine.

    I've also checked the permissions on the keytab file and they haven't changed since Saturday, so it's not that... ARGH!!!!

    Craving ideas and solutions right now... Pilot users are less than satisfied ;)

    Cheers,
    Pedro

    On 25 Oct 2014, at 14:13, Markus Moeller wrote:

      Hi Pedro,

      I wonder if he upper case in the name is a problem. Can you try

      auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME

      instead of

      auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net

      Markus

      "Pedro Lobo" palobo at gmail.com wrote in message news:FD6832B9-3F1F-48C6-A76F-47A224F1697B at gmail.com...
      Hi Markus,

      I used msktutil to create the keytab.

      msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
      Output of klist -ekt:

      2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
      2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
      2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
      2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET (arcfour-hmac)
      2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET (aes128-cts-hmac-sha1-96)
      2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET (aes256-cts-hmac-sha1-96)
      2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET (arcfour-hmac)
      2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET (aes128-cts-hmac-sha1-96)
      2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET (aes256-cts-hmac-sha1-96)
      Yep, using MIT Kerberos

      Thanks in advance for any help.

      Cheers,
      Pedro

      On 25 Oct 2014, at 1:26, Markus Moeller wrote:

      Hi Pedro,

      How did you create your keytab ? What does klist –ekt <squid.keytab> show ( I assume you use MIT Kerberos) ?

      Markus

      "Pedro Lobo" palobo at gmail.com wrote in message news:40E1E0E7-50C6-4117-94AA-50B06573430A at gmail.com...
      Hi Squid Gurus,

      I'm at my wit's end and in dire need of some squid expertise.

      We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry.

      If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003, kerberos works just fine, however, if I use a machine Windows 7, 8 or 2008 server, I keep getting a popup asking me to authenticate and even then, it's and endless loop until it fails. My cache.log is littered with:

      negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
      2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
      The odd thing, is that this has worked before. Help me Obi Wan... You're my only hope! :)

      Current Setup
      Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to fase out the older servers).

      krb5.conf

      [libdefaults]
      default_realm = FAKE.NET
      dns_lookup_kdc = yes
      dns_lookup_realm = yes
      ticket_lifetime = 24h
      default_keytab_name = /etc/squid3/PROXY.keytab

      ; for Windows 2003
      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

      [realms]
      FAKE.NET = {
      kdc = srv01.fake.net
      kdc = srv02.fake.net
      kdc = srv03.fake.net
      admin_server = srv01.fake.net
      default_domain = fake.net
      }

      [domain_realm]
      .fake.net = FAKE.NET
      fake.net = FAKE.NET

      [logging]
      kdc = FILE:/var/log/kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
      squid.conf

      auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
      auth_param negotiate children 20 startup=0 idle=1
      auth_param negotiate keep_alive off

      auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
      auth_param ntlm children 10
      auth_param ntlm keep_alive off
      Cheers,
      Pedro

      Cumprimentos
      Pedro Lobo
      Solutions Architect | System Engineer

      pedro.lobo at pt.clara.net
      Tlm.: +351 939 528 827 | Tel.: +351 214 127 314

      Claranet Portugal
      Ed. Parque Expo
      Av. D. João II, 1.07-2.1, 4º Piso
      1998-014 Lisboa
      www.claranet.pt

      Empresa certificada ISO 9001, ISO 20000 e ISO 27001


--------------------------------------------------------------------------

--------------------------------------------------------------------------

      squid-users mailing list
      squid-users at lists.squid-cache.org
      http://lists.squid-cache.org/listinfo/squid-users


--------------------------------------------------------------------------

      squid-users mailing list
      squid-users at lists.squid-cache.org
      http://lists.squid-cache.org/listinfo/squid-users

      Cumprimentos
      Pedro Lobo
      Solutions Architect | System Engineer

      pedro.lobo at pt.clara.net
      Tlm.: +351 939 528 827 | Tel.: +351 214 127 314

      Claranet Portugal
      Ed. Parque Expo
      Av. D. João II, 1.07-2.1, 4º Piso
      1998-014 Lisboa
      www.claranet.pt

      Empresa certificada ISO 9001, ISO 20000 e ISO 27001


--------------------------------------------------------------------------

--------------------------------------------------------------------------

      squid-users mailing list
      squid-users at lists.squid-cache.org
      http://lists.squid-cache.org/listinfo/squid-users


--------------------------------------------------------------------------

      squid-users mailing list
      squid-users at lists.squid-cache.org
      http://lists.squid-cache.org/listinfo/squid-users


----------------------------------------------------------------------------
    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users


------------------------------------------------------------------------------
  _______________________________________________
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users

  _______________________________________________
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users



--------------------------------------------------------------------------------
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141101/84af5a02/attachment.html>

More information about the squid-users mailing list