[squid-users] Trouble negotiate_kerberos_auth

Markus Moeller huaraz at moeller.plus.com
Mon Aug 29 13:54:42 UTC 2016


Hi Marcio,

That looks OK.  TT means the helper requires additional data from the client which I did not prepare a test for. In my case I get the AF response.

#  /opt/squid-trunk/sbin/negotiate_kerberos_auth_test opensuse42.suse.home | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}'  | /opt/squid-trunk/sbin/negotiate_kerberos_auth -r -k squid.keytab -s HTTP/opensuse42.suse.home
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group=
BH quit command

Anyway the basic check looks good. You now just need to run the helper with squid. I will see if I can create a test which deals with the TT response too.

Regards
Markus
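As an added illustration of the helper protocol discussed in this thread (my own code, not from Squid, the helper, or either poster): it classifies the helper's AF/TT/NA/BH reply lines, checks whether a request line is in the YR/KK/QQ form the negotiate helper expects (a Basic-style "user password" line is not, hence "BH invalid request"), and decodes negState and supportedMech from the SPNEGO negTokenResp carried in an AF or TT reply. The reply-code meanings and the minimal DER walker are assumptions of mine, sufficient for the two tokens quoted in the thread.

```python
import base64

REPLY_CODES = {"AF": "authenticated", "TT": "continue", "NA": "rejected", "BH": "helper error"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}  # RFC 4178
SAMPLE_AF = "AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== markus group="  # helper reply from Markus's run above
SAMPLE_TT = "TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA="  # helper reply from Marcio's run below

def der_tlv(buf):
    """Split one DER TLV off the front of buf: returns (tag, value, rest)."""
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:  # long-form length: 0x8N followed by N length bytes
        n, pos = int.from_bytes(buf[2:2 + (n & 0x7F)], "big"), 2 + (n & 0x7F)
    return tag, buf[pos:pos + n], buf[pos + n:]

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(token_b64):
    """Return (negState name, supportedMech OID) from a SPNEGO negTokenResp."""
    tag, body, _ = der_tlv(base64.b64decode(token_b64))
    if tag != 0xA1:  # negTokenResp is [1] CONSTRUCTED
        raise ValueError("not a SPNEGO negTokenResp")
    _, seq, _ = der_tlv(body)                    # SEQUENCE
    _, state_field, rest = der_tlv(seq)          # [0] negState, then [1] supportedMech
    state, oid = der_tlv(state_field)[1], der_tlv(der_tlv(rest)[1])[1]
    return NEG_STATE.get(state[0], "unknown"), decode_oid(oid)

def is_valid_request(line):
    """Squid sends 'YR <b64>' (new exchange), 'KK <b64>' (continuation) or 'QQ' (quit)."""
    code, _, token = line.strip().partition(" ")
    try:
        return code == "QQ" or (code in ("YR", "KK") and bool(base64.b64decode(token, validate=True)))
    except ValueError:  # binascii.Error: not base64 at all
        return False

def parse_helper_reply(line):
    """Classify one helper reply line and decode its SPNEGO token when present."""
    code, _, rest = line.strip().partition(" ")
    info = {"code": code, "meaning": REPLY_CODES.get(code, "unknown"), "rest": rest}
    if code in ("AF", "TT"):
        token, _, tail = rest.partition(" ")  # AF: "<token> <user> ...", TT: "<token>"
        info["user"] = tail.split()[0] if tail.strip() else None
        info["neg_state"], info["mech"] = parse_neg_token_resp(token)
    return info
```

On the two tokens quoted in this thread, the AF reply decodes to accept-completed with mech 1.2.840.113554.1.2.2 (Kerberos V5), while the TT reply decodes to accept-incomplete with mech 1.3.6.1.5.2.5 (IAKERB), so the context is not yet established and the helper asks for another round, which matches the TT explanation above.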

"Marcio Demetrio Bacci" <marciobacci at gmail.com> wrote in message news:CA+0Tdyr+2jEL7p09yrtJQ516M-2uE-q=Zayd3F5J0A=25zcacQ at mail.gmail.com...
Hi Markus, thank you for helping me.

When I type the klist command, the result is:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: robert@CMS.ENSINO.BR
Valid starting       Expires              Service principal
28-08-2016 22:40:53  29-08-2016 08:40:53  krbtgt/CMS.ENSINO.BR@CMS.ENSINO.BR
    renew until 29-08-2016 22:40:41

But I get the following result for the command below:
/usr/lib64/squid/negotiate_kerberos_auth_test proxy.cms.ensino.br| awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.cms.ensino.br 

Result:
TT oYGbMIGYoAMKAQGhCAYGKwYBBQIFooGGBIGDBQEwFKESBBBDTUIuRU5TSU5PLkVCLkJSfmkwZ6ADAgEFoQMCAR6iERgPMjAxNjA4MjkwMTM2MDVaowUCAwK7P6QRGA8yMDE2MDgyOTAxMzYwNVqlBQIDBhpppgMCAQepFRsTPHVuc3BlY2lmaWVkIHJlYWxtPqoLMAmgAwIBAKECMAA=
BH quit command


HTTP/proxy.cms.ensino.br is in the keytab files.

I don't have the "test_negotiate_auth.sh" file in src/auth/negotiate/kerberos, but I have /usr/lib64/squid/negotiate_kerberos_auth_test, so I'm using it.

My Linux distribution is CentOS 7.


Regards,


Márcio

2016-08-28 15:24 GMT-03:00 Markus Moeller <huaraz at moeller.plus.com>:


  Hi Marcio,

  The helper needs a Kerberos token as input. Please have a look at test_negotiate_auth.sh, which is in src/auth/negotiate/kerberos of the trunk version. The squid hostname must match the entry in your keytab, and you must first have done kinit as a user to authenticate against a Kerberos server (e.g. AD).

  Regards
  Markus 


  "Marcio Demetrio Bacci" <marciobacci at gmail.com> wrote in message news:CA+0TdyqEAt4L5KO4zrJNJ1aUe64mY2Re7z95KFdqW7Y8SV_qbg at mail.gmail.com...
  I have trouble authenticating Squid3 with Kerberos in a Samba4 domain. I'm using CentOS 7 and Squid 3.3.8 (yum install squid).


  When I type the command below in the terminal:
  /usr/lib64/squid/negotiate_kerberos_auth -d -i -s HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
  john xyz@12345

  I have the following error:
  negotiate_kerberos_auth.cc(315): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: DEBUG: Got 'john xyz@12345' from squid (length: 14).
  negotiate_kerberos_auth.cc(362): pid=6364 :2016/08/27 10:44:33| negotiate_kerberos_auth: ERROR: Invalid request [john xyz@12345]
  BH invalid request


  Here are my configuration files:

  /etc/krb5.conf
  [libdefaults]
      default_realm = CMS.ENSINO.BR
  [realms]
      CMS.ENSINO.BR = {
          kdc = dc1.cms.ensino.br:88
          admin_server = dc1.cms.ensino.br
          default_domain = CMS.ENSINO.BR
      }
  [domain_realm]
      .cms.ensino.br = CMS.ENSINO.BR
      cms.ensino.br = CMS.ENSINO.BR



  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     1 proxy-k$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/PROXY@CMS.ENSINO.BR
     1 host/PROXY@CMS.ENSINO.BR
     1 host/PROXY@CMS.ENSINO.BR
     1 host/PROXY@CMS.ENSINO.BR
     1 host/PROXY@CMS.ENSINO.BR
     1 PROXY$@CMS.ENSINO.BR
     1 PROXY$@CMS.ENSINO.BR
     1 PROXY$@CMS.ENSINO.BR
     1 PROXY$@CMS.ENSINO.BR
     1 PROXY$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/PROXY@CMS.ENSINO.BR
     1 HTTP/PROXY@CMS.ENSINO.BR
     1 HTTP/PROXY@CMS.ENSINO.BR
     1 HTTP/PROXY@CMS.ENSINO.BR
     1 HTTP/PROXY@CMS.ENSINO.BR


  Keytab name: FILE:/etc/squid/PROXY.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     1 proxy-k$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 proxy-k$@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 HTTP/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR
     1 host/proxy.cms.ensino.br@CMS.ENSINO.BR


  /etc/sysconfig/squid
  # default squid options
  SQUID_OPTS=""
  # Time to wait for Squid to shut down when asked. Should not be necessary
  # most of the time.
  SQUID_SHUTDOWN_TIMEOUT=100
  # default squid conf file
  SQUID_CONF="/etc/squid/squid.conf"

  KRB5_KTNAME=/etc/squid/PROXY.keytab
  export KRB5_KTNAME



  kinit and klist commands are OK.


  Best Regards,


  Márcio



  _______________________________________________
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users
