[squid-users] Kerberos (Negotiate) problem with win2008 AD users

Victor Sudakov sudakov at sibptus.tomsk.ru
Fri Mar 4 12:54:22 UTC 2016


Victor Sudakov wrote:
> 
> I have squid 3.5.14 successfully authenticating users from a Windows 2003
> domain, but there is a problem authenticating Windows 2008R2 domain
> users from another realm. I am using the standard
> negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
> 
> I have collected a traffic dump of failed HTTP sessions, could someone
> knowledgeable look at them and give me a hint what to debug? Does
> anything look suspicious? It's at
> ftp://ftp.sibptus.ru/pub/vas/badkrb1.zip

I have tried debugging it like this:


KRB5_KTNAME=/usr/local/etc/squid/squid.keytab ; export KRB5_KTNAME
KRB5_CONFIG=/usr/local/etc/squid/krb5.conf ; export KRB5_CONFIG
/usr/local/libexec/squid//negotiate_kerberos_auth_test proxy2.sibptus.ru |\
         awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |\
        /usr/local/libexec/squid/negotiate_kerberos_auth -d  -s GSS_C_NO_NAME

And below is what I get. What am I doing wrong? I am trying to
authenticate users from the STN.TN.CORP realm.

negotiate_kerberos_auth.cc(487): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Setting keytab to /usr/local/etc/squid/squid.keytab
negotiate_kerberos_auth.cc(570): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_37067
negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token elided]' from squid (length: 979).
negotiate_kerberos_auth.cc(663): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Decode '[base64 token elided]' (decoded length: 731).
negotiate_kerberos_auth.cc(725): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: continuation needed
TT oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

/usr/local/etc/squid/squid.keytab:

Vno  Type              Principal
  1  arcfour-hmac-md5  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5  squiduser at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5  HTTP/proxy2.SIBPTUS.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru at STN.TN.CORP

/usr/local/etc/squid/krb5.conf:
[libdefaults]
        default_realm = SIBPTUS.TRANSNEFT.RU
        default_keytab_name = FILE:/usr/local/etc/squid/squid.keytab

[domain_realm]
        .sibptus.transneft.ru = SIBPTUS.TRANSNEFT.RU
        .stn.tn.corp = STN.TN.CORP

[logging]
  default = FILE:/var/tmp/krb5lib.log
  libkrb5 = FILE:/var/tmp/krb5lib.log


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
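The following is an added example, not part of the mailing-list post above and not Squid's own code. It decodes what the helper actually answered in the test run: the "TT" reply carries a SPNEGO negTokenResp, and a small DER walker shows its negState and the mechanism the acceptor selected. The two helper lines embedded in the script are the ones quoted in the post (the TT token is copied verbatim; the BH line is the helper's reaction to the "QQ" the awk pipe appends). The reply-code table follows the Squid Negotiate helper protocol (TT continue, AF authenticated, NA failed, BH broken helper); the mechanism OID table and the RFC 4178 field names are standard, and nothing else about the poster's environment is assumed.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two reply lines the helper printed in the post.
# The TT token is the exact base64 shown there; BH follows the QQ the pipe sent.
HELPER_OUTPUT = """TT oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
BH quit command
"""

# Squid Negotiate helper reply codes (Squid helper protocol).
REPLY_CODES = {
    "TT": "continue: relay token to client, expect a KK with the next client token",
    "AF": "authenticated: token to client, user name follows",
    "NA": "not authenticated",
    "BH": "broken helper / internal error",
}

# RFC 4178 negState values and the mechanism OIDs seen in Negotiate traffic.
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data: bytes) -> str:
    """Turn DER OID content octets into dotted form (first octet packs two arcs)."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


@dataclass
class NegTokenResp:
    neg_state: Optional[int] = None
    supported_mech: Optional[str] = None
    has_response_token: bool = False
    has_mech_list_mic: bool = False


def parse_neg_token_resp(token: bytes) -> NegTokenResp:
    """Decode SPNEGO negTokenResp: [1] SEQUENCE { [0] negState, [1] supportedMech,
    [2] responseToken, [3] mechListMIC } (all fields optional)."""
    tag, body, _ = der_tlv(token)
    if tag != 0xA1:
        raise ValueError(f"not a negTokenResp (outer tag 0x{tag:02x})")
    tag, seq, _ = der_tlv(body)
    if tag != 0x30:
        raise ValueError("negTokenResp body is not a SEQUENCE")
    resp, pos = NegTokenResp(), 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0xA0:
            _, enum, _ = der_tlv(val)  # ENUMERATED inside the [0] wrapper
            resp.neg_state = int.from_bytes(enum, "big")
        elif tag == 0xA1:
            _, oid, _ = der_tlv(val)  # OBJECT IDENTIFIER inside the [1] wrapper
            resp.supported_mech = decode_oid(oid)
        elif tag == 0xA2:
            resp.has_response_token = True
        elif tag == 0xA3:
            resp.has_mech_list_mic = True
    return resp


def summarize_token(b64: str) -> dict:
    """Human-readable view of one base64 negTokenResp as printed after TT/AF."""
    resp = parse_neg_token_resp(base64.b64decode(b64))
    return {
        "negState": NEG_STATE.get(resp.neg_state, f"unknown({resp.neg_state})"),
        "supportedMech": KNOWN_MECHS.get(resp.supported_mech, resp.supported_mech),
        "responseToken": resp.has_response_token,
        "mechListMIC": resp.has_mech_list_mic,
    }


def describe_helper_output(text: str) -> List[str]:
    """Annotate each helper reply line; decode the SPNEGO token on TT/AF replies."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        code, _, rest = line.partition(" ")
        entry = f"{code}: {REPLY_CODES.get(code, 'unknown reply code')}"
        if code in ("TT", "AF") and rest:
            try:  # binascii.Error is a ValueError subclass
                entry += f" | SPNEGO {summarize_token(rest.split()[0])}"
            except (ValueError, IndexError) as exc:
                entry += f" | token not a negTokenResp: {exc}"
        elif rest:
            entry += f" | {rest}"
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in describe_helper_output(HELPER_OUTPUT):
        print(entry)
```

Run stand-alone, the script reports that the TT token is a negTokenResp with negState accept-incomplete, supportedMech Kerberos V5 and no responseToken: the acceptor has picked Kerberos and is waiting for a further client token, and the test pipeline then sends QQ, so the run stops before any AF or NA is reached. Under RFC 4178 a reply shaped like this (state, selected mechanism, no token) is what an acceptor sends when the mechanism it selects is not the one the initiator's optimistic token was built for, which is why decoding the TT payload, rather than only reading the "continuation needed" log line, is worth the effort when two realms and two OIDs are in play.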

