[squid-users] Kerberos authentication only working with 1 domain server
Drikus Brits
drikus at geocastsp.co.za
Tue Apr 5 13:50:59 UTC 2016
Hi Experts,
After much struggling it seems I've reached some point of success, but yet still not. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet. My problem is as follows:
I have 1x Win2008R2 server that works with Kerberos authentication, but none of the other PCs in the network wants to work; the others all come up with a login challenge.
My configs:
/etc/krb5.conf
<snip>
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.CO.ZA
 dns_lookup_kdc = yes
 dns_lookup_realm = yes
 ticket_lifetime = 24h
 default_keytab_name = /etc/squid/PROXY.keytab
 #; for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 DOMAIN.CO.ZA = {
  kdc = mw-ad.domain.co.za
  admin_server = mw-ad.domain.co.za
  default_domain = domain.co.za
 }

[domain_realm]
 .domain.co.za = DOMAIN.CO.ZA
 domain.co.za = DOMAIN.CO.ZA

[login]
 krb4_convert = true
 krb4_get_tickets = false
</snip>
My /etc/squid/squid.conf:
<snip>
#auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i
###WORKING - half/half
auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
acl proxy-auth proxy_auth REQUIRED
http_access allow proxy-auth
</snip>
When the Win2008R2 connects I get the following in /var/log/squid3/cache.log:
<snip>
2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).
2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token
negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).
2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@DOMAIN.CO.ZA
</snip>
But when other PCs connect, of which another Win2008R2 or Win10 or Win7, I get:
<snip>
negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).
negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).
negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '
</snip>
My kinit -V -kt /etc/squid3/PROXY.keytab, which I'm sure is not supposed to say that :). I've had others that had "Successfully authenticated to Kerberos V5" as well, but then the working Win2008R2 doesn't work -- see below.
<snip>
# kinit -V -kt /etc/squid3/PROXY.keytab
Using default cache: /tmp/krb5cc_0
Using principal: host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA
Using keytab: /etc/squid3/PROXY.keytab
kinit: Preauthentication failed while getting initial credentials
</snip>
Working with "authenticated with Kerberos", but no srv or PC working:
<snip>
msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za \
  -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST \
  --upn HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose --enctypes 28
</snip>
My working klist entries:
<snip>
klist -ekt /etc/squid3/PROXY.keytab
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   4 04/04/2016 16:29:08 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
</snip>
I'm using the FQDN in IE to authenticate with Kerberos; if I change it to IP it only tries NTLM, which I'm assuming is correct, or not?
I've investigated the PCs and all of them have properly joined the domain.
I've checked and I'm getting kvno 3 values from a working Win2008R2 as well as kvno 3 values from other PCs, but yet they have a popup asking for auth details.
--
Drikus Brits
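The keytab listing in the post carries several key versions for the same principals and both HOST/ and host/ spellings of the same name, which is the first thing to check when gss_accept_sec_context() accepts one client's ticket and rejects the rest. The script below is an added example, not code from the poster, from Squid or from MIT Kerberos: it parses `klist -ekt` output (here a constructed sample modelled on the listing above) and reports service principals that are missing, that carry keys under more than one KVNO, and that differ only in case. The function names `parse_klist`, `kvnos_by_principal` and `find_problems` and the script name keytab_check.py are the example's own assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format printed by `klist -ekt`, modelled on a
# subset of the keytab listing in the post (not the real, much longer output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)
   2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
   7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples for every entry line of
    `klist -ekt` output; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(4), m.group(5)))
    return entries


def kvnos_by_principal(entries):
    """Map each principal to the sorted list of key version numbers it has keys for."""
    versions = defaultdict(set)
    for kvno, principal, _enctype in entries:
        versions[principal].add(kvno)
    return {p: sorted(v) for p, v in versions.items()}


def find_problems(entries, expected_principals):
    """Report three conditions worth checking when some clients fail GSS acceptance:
    - an expected service principal (the SPN the browser requests a ticket for)
      has no key in the keytab at all;
    - a principal has keys under more than one KVNO (typically left over from
      repeated msktutil runs); a ticket is only accepted if the keytab holds the
      key for the KVNO named in that ticket, so the newest KVNO must match AD;
    - two principals differ only in case (MIT Kerberos treats them as distinct)."""
    versions = kvnos_by_principal(entries)
    missing = [p for p in expected_principals if p not in versions]
    multi_kvno = {p: v for p, v in versions.items() if len(v) > 1}
    by_fold = defaultdict(set)
    for p in versions:
        by_fold[p.lower()].add(p)
    case_variants = [sorted(g) for g in by_fold.values() if len(g) > 1]
    return {"missing": missing, "multi_kvno": multi_kvno, "case_variants": case_variants}


def main():
    # Usage: klist -ekt /etc/squid3/PROXY.keytab | python3 keytab_check.py HTTP/proxy.fqdn@REALM ...
    # With no arguments the constructed sample is checked against one expected SPN.
    if len(sys.argv) > 1:
        text, expected = sys.stdin.read(), sys.argv[1:]
    else:
        text, expected = SAMPLE_KLIST, ["HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA"]
    entries = parse_klist(text)
    for principal, kvnos in sorted(kvnos_by_principal(entries).items()):
        print(f"{principal}: kvno {kvnos}")
    report = find_problems(entries, expected)
    for p in report["missing"]:
        print(f"MISSING: {p} has no key in this keytab")
    for p, v in report["multi_kvno"].items():
        print(f"MULTIPLE KVNO: {p} has {v}; confirm the newest matches the account in AD")
    for group in report["case_variants"]:
        print(f"CASE VARIANTS: {group} are distinct principals to MIT Kerberos")


if __name__ == "__main__":
    main()
```

On the constructed sample the script reports the HTTP/fqdn principal as missing, HTTP/mw-sqproxy-test as carrying KVNO 2 and 3, and the HOST/ and host/ entries as case variants; the same checks run against a real keytab by piping `klist -ekt` into the script with the expected SPNs as arguments.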