[squid-users] Kerberos Authentication Failing for Windows 7+ with BH gss_accept_sec_context() failed

Markus Moeller huaraz at moeller.plus.com
Sat Oct 25 14:22:52 UTC 2014


Hi Pedro,

   Good to know you solved it. From your post it sounded like XP worked and Win 7 didn’t.

Markus 


"Pedro Lobo" <palobo at gmail.com> wrote in message news:75991CAE-5F10-4635-B012-D372C27F8AC4 at gmail.com...
Hi Markus,

I initially had it configured as such and changed it to auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net as a troubleshooting step. I've since then changed it back. Dan pointed out earlier that it could be a permissions problem, and sure enough, permissions on /etc/squid3/PROXY.keytab were wrong (group had no read permissions). Fixing that seems to have sorted out the problem. I'll be doing more extensive tests on Monday when the test group starts surfing the web.

Thanks for all the help!

On 25 Oct 2014, at 14:13, Markus Moeller wrote:

  Hi Pedro,

  I wonder if the upper case in the name is a problem. Can you try

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s GSS_C_NO_NAME

  instead of

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net

  Markus

  "Pedro Lobo" palobo at gmail.com wrote in message news:FD6832B9-3F1F-48C6-A76F-47A224F1697B at gmail.com...
  Hi Markus,

  I used msktutil to create the keytab.

  msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/proxy01tst.fake.net --server srv01.fake.net --verbose
  Output of klist -ekt:

  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@FAKE.NET (arcfour-hmac)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@FAKE.NET (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@FAKE.NET (aes256-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@FAKE.NET (arcfour-hmac)
  2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@FAKE.NET (aes128-cts-hmac-sha1-96)
  2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@FAKE.NET (aes256-cts-hmac-sha1-96)
  Yep, using MIT Kerberos

  Thanks in advance for any help.

  Cheers,
  Pedro

  On 25 Oct 2014, at 1:26, Markus Moeller wrote:

  Hi Pedro,

  How did you create your keytab? What does klist -ekt <squid.keytab> show (I assume you use MIT Kerberos)?

  Markus

  "Pedro Lobo" palobo at gmail.com wrote in message news:40E1E0E7-50C6-4117-94AA-50B06573430A at gmail.com...
  Hi Squid Gurus,

  I'm at my wit's end and in dire need of some squid expertise.

  We've got a production environment with a couple of squid 2.7 servers using NTLM and basic authentication. Recently though, we decided to upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've followed just about every guide I could find and in my testing environment, things were working great. Now that I've hooked it up to the main domain, things are awry.

  If I use a machine that's not part of the domain, NTLM kicks in and I can surf the web fine. If I use a Windows XP or Windows Server 2003 machine, Kerberos works just fine; however, if I use a Windows 7, 8 or 2008 server machine, I keep getting a popup asking me to authenticate and even then, it's an endless loop until it fails. My cache.log is littered with:

  negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
  2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
  The odd thing is that this has worked before. Help me Obi Wan... You're my only hope! :)

  Current Setup
  Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003 server with function level 2000 (I know, we're trying to phase out the older servers).

  krb5.conf

  [libdefaults]
  default_realm = FAKE.NET
  dns_lookup_kdc = yes
  dns_lookup_realm = yes
  ticket_lifetime = 24h
  default_keytab_name = /etc/squid3/PROXY.keytab

  ; for Windows 2003
  default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

  [realms]
  FAKE.NET = {
  kdc = srv01.fake.net
  kdc = srv02.fake.net
  kdc = srv03.fake.net
  admin_server = srv01.fake.net
  default_domain = fake.net
  }

  [domain_realm]
  .fake.net = FAKE.NET
  fake.net = FAKE.NET

  [logging]
  kdc = FILE:/var/log/kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

  squid.conf

  auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r -s HTTP/proxy01tst.fake.net
  auth_param negotiate children 20 startup=0 idle=1
  auth_param negotiate keep_alive off

  auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
  auth_param ntlm children 10
  auth_param ntlm keep_alive off

  Cheers,
  Pedro

  Cumprimentos
  Pedro Lobo
  Solutions Architect | System Engineer

  pedro.lobo at pt.clara.net
  Tlm.: +351 939 528 827 | Tel.: +351 214 127 314

  Claranet Portugal
  Ed. Parque Expo
  Av. D. João II, 1.07-2.1, 4º Piso
  1998-014 Lisboa
  www.claranet.pt

  Empresa certificada ISO 9001, ISO 20000 e ISO 27001



  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users
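The thread resolved on two points: the negotiate helper, which runs unprivileged, could not read /etc/squid3/PROXY.keytab because the group read bit was missing, and Markus's question about case, since the keytab lists HTTP/proxy01tst.FAKE.net while squid.conf passes -s HTTP/proxy01tst.fake.net. The script below is an added example, not code from the thread or from the Squid project, that checks both conditions before a helper is put in front of users. The function names (keytab_has_spn, keytab_mode_ok, check_keytab_file), the SAMPLE_KLIST text and the temporary file are constructed; the "owner"/"group" argument states how the helper's effective user relates to the keytab file, and GNU stat is assumed for the on-disk check.

```sh
#!/bin/sh
# Added example; not code from the thread or the Squid project.
# Checks (1) that the unprivileged negotiate helper can read the keytab while
# every other local account cannot, and (2) that the keytab holds the principal
# named with -s, with matching case. Names and sample data are constructed.

# Constructed "klist -ekt" output modelled on the one posted in the thread
# (the list archive rewrote "@" as " at "; real klist prints "@").
SAMPLE_KLIST='KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------------
   2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
   2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@FAKE.NET (arcfour-hmac)
   2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net@FAKE.NET (aes256-cts-hmac-sha1-96)
   2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net@FAKE.NET (aes256-cts-hmac-sha1-96)'

# keytab_has_spn KLIST_TEXT SPN
#   returns 0 if SPN is present with exact case,
#           1 if present only with different case (worth aligning with -s),
#           2 if absent.
keytab_has_spn() {
  # Keytab entry lines start with a numeric KVNO; the principal is field 4.
  principals=$(printf '%s\n' "$1" |
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { sub(/@.*/, "", $4); print $4 }')
  printf '%s\n' "$principals" | grep -Fqx -- "$2" && return 0
  printf '%s\n' "$principals" | grep -Fiqx -- "$2" && return 1
  return 2
}

# keytab_mode_ok OCTAL_MODE RELATION
#   RELATION is "owner" or "group": how the helper's effective user relates
#   to the keytab file (e.g. root:proxy 0640 with the helper in group proxy).
#   returns 0 if the helper can read it and "others" have no access,
#           1 if the helper cannot read it (the thread's failure),
#           2 if others have any access (a long-lived credential exposed
#             to every local account),
#           3 on a bad RELATION argument.
keytab_mode_ok() {
  mode=$1
  while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
  mode=${mode#"${mode%???}"}          # keep the last three octal digits
  owner=${mode%??}; rest=${mode#?}; group=${rest%?}; other=${mode#??}
  [ "$other" -eq 0 ] || return 2
  case $2 in
    owner) bits=$owner ;;
    group) bits=$group ;;
    *) return 3 ;;
  esac
  [ $((bits & 4)) -eq 4 ] || return 1
  return 0
}

# check_keytab_file PATH RELATION: the same check against a real file.
# Assumes GNU stat (-c '%a'), as on the Ubuntu host in the thread.
check_keytab_file() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 3
  keytab_mode_ok "$mode" "$2"
}

# Demonstration with the thread's values (constructed).
for spn in HTTP/proxy01tst.fake.net HTTP/proxy01tst.FAKE.net HTTP/nosuch.fake.net; do
  rc=0; keytab_has_spn "$SAMPLE_KLIST" "$spn" || rc=$?
  case $rc in
    0) printf '%s: present (exact case)\n' "$spn" ;;
    1) printf '%s: present only with different case; compare -s with klist -ekt\n' "$spn" ;;
    2) printf '%s: absent from keytab\n' "$spn" ;;
  esac
done

# Constructed stand-in for /etc/squid3/PROXY.keytab: first the thread's
# failing mode (group cannot read), then corrected, then over-permissive.
tmp=$(mktemp) || exit 1
for m in 600 640 644; do
  chmod "$m" "$tmp"
  rc=0; check_keytab_file "$tmp" group || rc=$?
  printf 'mode %s, helper in file group: rc=%s\n' "$m" "$rc"
done
rm -f "$tmp"
```

Run it as the account Squid's helpers execute under, with the real keytab path and the relation that applies on the host; a return of 1 from check_keytab_file reproduces the state Pedro found, and a return of 2 means the keytab is readable by accounts that have no business holding the proxy's service key.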