[squid-users] Kerberos (Negotiate) problem with win2008 AD users
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 4 13:13:12 UTC 2016
Hai,
What is the output of
ktutil list
(of the squid keytab. )
And you can try adding To krb5.conf
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
Greetz,
Louis
> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Victor Sudakov
> Sent: Friday, 4 March 2016 13:54
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Kerberos (Negotiate) problem with win2008 AD
> users
>
> Victor Sudakov wrote:
> >
> > I have squid 3.5.14 successfully authenticating users from a Windows 2003
> > domain, but there is a problem authenticating Windows 2008R2 domain
> > users from another realm. I am using the standard
> > negotiate_kerberos_auth helper with "-s GSS_C_NO_NAME".
> >
> > I have collected a traffic dump of failed HTTP sessions, could someone
> > knowledgeable look at them and give me a hint what to debug? Does
> > anything look suspicious? It's at
> > ftp://ftp.sibptus.ru/pub/vas/badkrb1.zip
>
> I have tried debugging it like this:
>
> KRB5_KTNAME=/usr/local/etc/squid/squid.keytab ; export KRB5_KTNAME
> KRB5_CONFIG=/usr/local/etc/squid/krb5.conf ; export KRB5_CONFIG
> /usr/local/libexec/squid//negotiate_kerberos_auth_test proxy2.sibptus.ru |\
> awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' |\
> /usr/local/libexec/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
>
> And below is what I get. What am I doing wrong? I am trying to
> authenticate users from the STN.TN.CORP realm.
>
> negotiate_kerberos_auth.cc(487): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
> negotiate_kerberos_auth.cc(546): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Setting keytab to /usr/local/etc/squid/squid.keytab
> negotiate_kerberos_auth.cc(570): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_37067
> negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'YR
> YIIC1wYGKwYBBQUCoIICyzCCAsegDTALBgkqhkiG9xIBAgKiggK0BIICsGCCAqwGCSqGSIb3Eg
> ECAgEAboICmzCCApegAwIBBaEDAgEOogcDBQAAAAAAo4IBbWGCAWkwggFloAMCAQWhEhsQU0lC
> UFRVUy5UT01TSy5SVaIkMCKgAwIBAaEbMBkbBEhUVFAbEXByb3h5Mi5zaWJwdHVzLnJ1o4IBIj
> CCAR6gAwIBEqEDAgEBooIBEASCAQw6QeHYCvLNVmW7+HtnXHZvBQwitJhJ7rNnqu/yoveNqJMo
> rycAT8WGzgjM00SdwLzIWmyEI9Bd4fdFjt06iLGYkFxIKf1HJHS8HFphmSZva2AAMZSuzXonQw
> i5aIssr7GX8C0kWAauRtPrxOKVTFMNVpOQaVIc6SdN0JSiS6qk5wRIarIZ3uIRdPmXCWd30kRo
> pa6YHAnq8QdXj0CqbLXUQpHXOalSH1nefxFZm8s2DZmSkCFxuhkFWWL3V66w4BeOnlxhtpLYh+
> Kjc3DptFzroAkdW8ch0CpyGqy5Y0SQSEtj4wkjpmX0RW/3aA9ukt7cI3nVTcETOmYwjZ88yQ7x
> kIeCRZ46DmSnkyTrpIIBDzCCAQugAwIBEqKCAQIEgf8P+sto+nW0gceVxz8H/gRU/oJhTySTAY
> E/qX4Dv/IYqzShgqptlAp2TSWiYsS/HzpxXTKqNoFqi4SYfTnVLM5wb3+h0TVaY+x2TJm9D9i8
> et0xElcFUoSd20B72/nCr+Tkeb8XP3TA/vm6Lfg3c0wTsiglwpAhxgYFNfwmaSIEIR1oWkHBj7
> FDogrJ/oz0BTmq17kQtXlhxLu0oiCpYhnrt69oc/LWOb7Adx2NMU6xsR++2YaTCQYt5ouyp5M4
> doSAf7zoB90HNNFAOUXi2WMnmeP09YXlg/Roj3u2y6aObqce7X3DeZk6ypsIPhLuPRJteAeLVN
> Lk5qxOKxiNnyo=' from squid (length: 979).
> negotiate_kerberos_auth.cc(663): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Decode
> 'YIIC1wYGKwYBBQUCoIICyzCCAsegDTALBgkqhkiG9xIBAgKiggK0BIICsGCCAqwGCSqGSIb3E
> gECAgEAboICmzCCApegAwIBBaEDAgEOogcDBQAAAAAAo4IBbWGCAWkwggFloAMCAQWhEhsQU0l
> CUFRVUy5UT01TSy5SVaIkMCKgAwIBAaEbMBkbBEhUVFAbEXByb3h5Mi5zaWJwdHVzLnJ1o4IBI
> jCCAR6gAwIBEqEDAgEBooIBEASCAQw6QeHYCvLNVmW7+HtnXHZvBQwitJhJ7rNnqu/yoveNqJM
> orycAT8WGzgjM00SdwLzIWmyEI9Bd4fdFjt06iLGYkFxIKf1HJHS8HFphmSZva2AAMZSuzXonQ
> wi5aIssr7GX8C0kWAauRtPrxOKVTFMNVpOQaVIc6SdN0JSiS6qk5wRIarIZ3uIRdPmXCWd30kR
> opa6YHAnq8QdXj0CqbLXUQpHXOalSH1nefxFZm8s2DZmSkCFxuhkFWWL3V66w4BeOnlxhtpLYh
> +Kjc3DptFzroAkdW8ch0CpyGqy5Y0SQSEtj4wkjpmX0RW/3aA9ukt7cI3nVTcETOmYwjZ88yQ7
> xkIeCRZ46DmSnkyTrpIIBDzCCAQugAwIBEqKCAQIEgf8P+sto+nW0gceVxz8H/gRU/oJhTySTA
> YE/qX4Dv/IYqzShgqptlAp2TSWiYsS/HzpxXTKqNoFqi4SYfTnVLM5wb3+h0TVaY+x2TJm9D9i
> 8et0xElcFUoSd20B72/nCr+Tkeb8XP3TA/vm6Lfg3c0wTsiglwpAhxgYFNfwmaSIEIR1oWkHBj
> 7FDogrJ/oz0BTmq17kQtXlhxLu0oiCpYhnrt69oc/LWOb7Adx2NMU6xsR++2YaTCQYt5ouyp5M
> 4doSAf7zoB90HNNFAOUXi2WMnmeP09YXlg/Roj3u2y6aObqce7X3DeZk6ypsIPhLuPRJteAeLV
> NLk5qxOKxiNnyo=' (decoded length: 731).
> negotiate_kerberos_auth.cc(725): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: INFO: continuation needed
> TT oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
> negotiate_kerberos_auth.cc(610): pid=37067 :2016/03/04 18:50:22| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
> BH quit command
>
> /usr/local/etc/squid/squid.keytab:
>
> Vno  Type              Principal
>   1  arcfour-hmac-md5  HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>   1  arcfour-hmac-md5  squiduser@SIBPTUS.TRANSNEFT.RU
>   1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@SIBPTUS.TRANSNEFT.RU
>   1  arcfour-hmac-md5  HTTP/proxy2.SIBPTUS.ru@SIBPTUS.TRANSNEFT.RU
>   1  arcfour-hmac-md5  HTTP/proxy2.sibptus.ru@STN.TN.CORP
>
> /usr/local/etc/squid/krb5.conf:
> [libdefaults]
> default_realm = SIBPTUS.TRANSNEFT.RU
> default_keytab_name = FILE:/usr/local/etc/squid/squid.keytab
>
> [domain_realm]
> .sibptus.transneft.ru = SIBPTUS.TRANSNEFT.RU
> .stn.tn.corp = STN.TN.CORP
>
> [logging]
> default = FILE:/var/tmp/krb5lib.log
> libkrb5 = FILE:/var/tmp/krb5lib.log
>
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
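The comparison Louis asks for (what `ktutil list` shows against what the client's ticket actually needs) can be done mechanically from the material already in this thread. What follows is an added example by the editor, not code from the thread or from Squid: it decodes the SPNEGO token that negotiate_kerberos_auth logged above, pulls the service ticket's realm, service name, enctype and kvno out of the AP-REQ, and checks them against the keytab listing. The token and the listing are copied from Victor's post (with the `@` that the list archive rendered as ` at ` put back); everything else, including the function names and the assumed Heimdal `ktutil list` column layout, is the editor's.

```python
# Added example (not code from the squid-users thread or from Squid): decode the Negotiate token that
# negotiate_kerberos_auth logged, read the service ticket's realm, sname, enctype and kvno from its
# AP-REQ, and compare them with what `ktutil list` shows for the keytab. Standard library only.
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",   # RFC 3961/3962/4757
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}               # numbers, Heimdal names
NAME_TO_ETYPE = {**{v: k for k, v in ENCTYPES.items()}, "arcfour-hmac": 23, "rc4-hmac": 23}  # MIT spellings

def tlv(buf, pos):
    """One DER TLV (single-byte tag) at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: the low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, pos, pos + length

def children(buf, start, end):
    """The TLVs packed inside buf[start:end] (a SEQUENCE body)."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def unwrap(buf, pos, tag):
    """Value bounds of the TLV at pos after checking its tag; pos None means a required element is absent."""
    if pos is None:
        raise ValueError(f"required element with tag 0x{tag:02x} is missing")
    got, vs, ve = tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, found 0x{got:02x}")
    return vs, ve

def field(buf, start, end, n):
    """Offset of the element wrapped by context tag [n] inside a SEQUENCE body, or None if absent."""
    return next((vs for tag, vs, _ in children(buf, start, end) if tag == 0xA0 | n), None)

def parse_ticket(token_b64):
    """Realm, service principal, enctype and kvno of the ticket carried in a Negotiate token."""
    raw = base64.b64decode("".join(token_b64.split()))
    os_, oe = unwrap(raw, unwrap(raw, 0, 0x60)[0], 0x06)   # InitialContextToken: [APPLICATION 0] { OID ... }
    if raw[os_:oe] == OID_SPNEGO:
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0], reqFlags [1] OPTIONAL, mechToken [2] OCTET STRING ... }
        s, e = unwrap(raw, unwrap(raw, oe, 0xA0)[0], 0x30)
        ms, me = unwrap(raw, field(raw, s, e, 2), 0x04)
        raw = raw[ms:me]                                    # the mechToken is itself a GSS krb5 token
        os_, oe = unwrap(raw, unwrap(raw, 0, 0x60)[0], 0x06)
    if raw[os_:oe] != OID_KRB5 or raw[oe:oe + 2] != b"\x01\x00":   # RFC 4121: krb5 OID, TOK_ID KRB_AP_REQ
        raise ValueError("inner token is not a Kerberos AP-REQ (NTLM fallback?)")
    # AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0], msg-type [1], ap-options [2], ticket [3], ... }
    s, e = unwrap(raw, unwrap(raw, oe + 2, 0x6E)[0], 0x30)
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    s, e = unwrap(raw, unwrap(raw, field(raw, s, e, 3), 0x61)[0], 0x30)
    rs, re_ = unwrap(raw, field(raw, s, e, 1), 0x1B)        # realm: GeneralString
    ps, pe = unwrap(raw, field(raw, s, e, 2), 0x30)         # PrincipalName { name-type [0], name-string [1] }
    ls, le = unwrap(raw, field(raw, ps, pe, 1), 0x30)       # name-string: SEQUENCE OF GeneralString
    es, ee = unwrap(raw, field(raw, s, e, 3), 0x30)         # EncryptedData { etype [0], kvno [1] OPT, cipher [2] }
    a, b = unwrap(raw, field(raw, es, ee, 0), 0x02)
    kv = field(raw, es, ee, 1)                              # kvno is OPTIONAL in EncryptedData
    ka, kb = unwrap(raw, kv, 0x02) if kv is not None else (0, 0)
    return {"realm": raw[rs:re_].decode("ascii"),
            "sname": "/".join(raw[x:y].decode("ascii") for _, x, y in children(raw, ls, le)),
            "etype": int.from_bytes(raw[a:b], "big", signed=True),
            "kvno": int.from_bytes(raw[ka:kb], "big") if kv is not None else None}

def parse_ktutil_list(text):
    """Heimdal `ktutil list` output (Vno Type Principal columns) -> list of key dicts."""
    rows = [line.split() for line in text.splitlines()]
    return [{"kvno": int(r[0]), "type": r[1], "principal": r[2], "etype": NAME_TO_ETYPE.get(r[1])}
            for r in rows if len(r) >= 3 and r[0].isdigit()]      # skips the header and blank lines

def check_keytab(ticket, keys):
    """Keytab entries for the ticket's principal, entries with its enctype, and those able to decrypt it."""
    wanted = f'{ticket["sname"]}@{ticket["realm"]}'
    same_principal = [k for k in keys if k["principal"] == wanted]
    same_etype = [k for k in keys if k["etype"] == ticket["etype"]]
    usable = [k for k in same_principal if k["etype"] == ticket["etype"] and k["kvno"] == ticket["kvno"]]
    return {"wanted": wanted, "same_principal": same_principal, "same_etype": same_etype, "usable": usable}

# Inputs copied from Victor's post: the token the helper logged, and his keytab listing with '@' restored.
TOKEN = """
YIIC1wYGKwYBBQUCoIICyzCCAsegDTALBgkqhkiG9xIBAgKiggK0BIICsGCCAqwGCSqGSIb3EgECAgEAboICmzCCApegAwIBBaEDAgEOogcDBQAAAAAAo4IBbWGCAWkwggFloAMCAQWhEhsQU0lC
UFRVUy5UT01TSy5SVaIkMCKgAwIBAaEbMBkbBEhUVFAbEXByb3h5Mi5zaWJwdHVzLnJ1o4IBIjCCAR6gAwIBEqEDAgEBooIBEASCAQw6QeHYCvLNVmW7+HtnXHZvBQwitJhJ7rNnqu/yoveNqJMo
rycAT8WGzgjM00SdwLzIWmyEI9Bd4fdFjt06iLGYkFxIKf1HJHS8HFphmSZva2AAMZSuzXonQwi5aIssr7GX8C0kWAauRtPrxOKVTFMNVpOQaVIc6SdN0JSiS6qk5wRIarIZ3uIRdPmXCWd30kRo
pa6YHAnq8QdXj0CqbLXUQpHXOalSH1nefxFZm8s2DZmSkCFxuhkFWWL3V66w4BeOnlxhtpLYh+Kjc3DptFzroAkdW8ch0CpyGqy5Y0SQSEtj4wkjpmX0RW/3aA9ukt7cI3nVTcETOmYwjZ88yQ7x
kIeCRZ46DmSnkyTrpIIBDzCCAQugAwIBEqKCAQIEgf8P+sto+nW0gceVxz8H/gRU/oJhTySTAYE/qX4Dv/IYqzShgqptlAp2TSWiYsS/HzpxXTKqNoFqi4SYfTnVLM5wb3+h0TVaY+x2TJm9D9i8
et0xElcFUoSd20B72/nCr+Tkeb8XP3TA/vm6Lfg3c0wTsiglwpAhxgYFNfwmaSIEIR1oWkHBj7FDogrJ/oz0BTmq17kQtXlhxLu0oiCpYhnrt69oc/LWOb7Adx2NMU6xsR++2YaTCQYt5ouyp5M4
doSAf7zoB90HNNFAOUXi2WMnmeP09YXlg/Roj3u2y6aObqce7X3DeZk6ypsIPhLuPRJteAeLVNLk5qxOKxiNnyo=
"""
KTUTIL_LIST = """
Vno Type Principal
1 arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 squiduser@SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.sibptus.ru@SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.SIBPTUS.ru@SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.sibptus.ru@STN.TN.CORP
"""

if __name__ == "__main__":
    ticket = parse_ticket(TOKEN)
    print(ticket, check_keytab(ticket, parse_ktutil_list(KTUTIL_LIST)))
```

Run as is, it reports that the logged ticket is for HTTP/proxy2.sibptus.ru@SIBPTUS.TOMSK.RU, encrypted with etype 18 (aes256-cts-hmac-sha1-96) under kvno 1, while every key in the keytab is arcfour-hmac-md5 and none is in that realm, so `usable` comes back empty. That is the practical point behind Louis's question: an enctype list in krb5.conf only tells the library what it may negotiate; it cannot make an RC4-only keytab decrypt an AES256 ticket. The keytab needs an AES256 key for the principal the ticket names, at the kvno the KDC is using, which in turn means the service account has to have AES enabled on the AD side. The check above insists on an exact principal match including realm, which is the strict reading; how many keytab entries a given GSS acceptor is willing to try is library-specific, but none of them can decrypt a ticket without a key of its enctype and kvno. Note also that the des-cbc-* entries in the suggested enctype lists are refused by MIT krb5 by default since 1.8 (allow_weak_crypto) and were removed outright in 1.18, so on a current library they are dead weight at best.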