[squid-users] Kerberos (Negotiate) problem with win2008 AD users

Markus Moeller huaraz at moeller.plus.com
Sat Mar 5 14:46:19 UTC 2016


Hi Victor,

If I look at the wireshark capture details I see that the client is sending 
a key of version 3 (kvno), but the keytab is version 1. This will create a 
mismatch. What do you get when using the 2003 clients?

[truncated]Proxy-Authorization: Negotiate 
YIISrgYGKwYBBQUCoIISojCCEp6gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCEmgEghJkYIISYAYJKoZIhvcSAQICAQBughJPMIISS6ADAgEFoQMCAQ6iBwMFACAAAACjghDTYYIQzzCCEMugAwIBBaENGwtTVE4u
   GSS-API Generic Security Service Application Program Interface
       OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
       Simple Protected Negotiation
           negTokenInit
               mechTypes: 4 items
               mechToken: 
6082126006092a864886f71201020201006e82124f308212...
               krb5_blob: 
6082126006092a864886f71201020201006e82124f308212...
                   KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                   krb5_tok_id: KRB5_AP_REQ (0x0001)
                   Kerberos
                       ap-req
                           pvno: 5
                           msg-type: krb-ap-req (14)
                           Padding: 0
                           ap-options: 20000000 (mutual-required)
                           ticket
                               tkt-vno: 5
                               realm: STN.TN.CORP
                               sname
                               enc-part
                                   etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                   kvno: 3
                                   cipher: 
265a0b2badd3eb5a0677731ae8a61f5ca6b1c63c466defe9...
                           authenticator



"Victor Sudakov"  wrote in message 
news:20160305112825.GA91944 at admin.sibptus.tomsk.ru...

Markus Moeller wrote:
>
>     What does the squid log say when you use -d for the authentication
> helper ?

I have uploaded the cache.log here: ftp://ftp.sibptus.ru/pub/vas/1.zip
There seems to be a message size limit in this list, so I cannot
attach it.

The helper error message is along the lines of the dreaded

negotiate_kerberos_auth.cc(180): pid=40787 :2016/03/05 10:31:25| 
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: 
Miscellaneous failure (see text). unknown mech-code 0 for mech unknown
2016/03/05 10:31:25 kid1| ERROR: Negotiate Authentication validating user. 
Result: {result=BH, notes={message: gss_accept_sec_context() failed: 
Miscellaneous failure (see text). unknown mech-code 0 for mech unknown; }}

>
>      Can you  provide a wireshark capture from the client ?

I have also uploaded the capture to ftp://ftp.sibptus.ru/pub/vas/1.zip

> I guess that 2008 is using AES not RC4.

I am pretty sure the client is using arcfour-hmac-md5, but all right.
This time I have given squid the whole keytab as is (as received
from the Windows admin). It contains:

squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy2.sibptus.ru@STN.TN.CORP
  1  des-cbc-md5              HTTP/proxy2.sibptus.ru@STN.TN.CORP
  1  arcfour-hmac-md5         HTTP/proxy2.sibptus.ru@STN.TN.CORP
  1  aes256-cts-hmac-sha1-96  HTTP/proxy2.sibptus.ru@STN.TN.CORP
  1  aes128-cts-hmac-sha1-96  HTTP/proxy2.sibptus.ru@STN.TN.CORP



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
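The mismatch Markus points at (ticket enc-part kvno 3 / etype 23 versus a keytab whose entries are all kvno 1) is something an admin can check on the proxy before touching squid. The following is an added example, not code from this thread or from Squid: it parses a version 0x0502 keytab directly and reports why gss_accept_sec_context() would find no usable key for a given ticket. The keytab it runs on is constructed in the block with dummy zero keys, and the principal name mirrors the one in the thread.

```python
import struct

def _cstr(buf, off):  # keytab counted_octet_string: uint16 length, then bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Parse a version 0x0502 keytab into (principal, kvno, etype) tuples."""
    assert blob[:2] == b"\x05\x02", "unsupported keytab version"
    off, entries = 2, []
    while off + 4 <= len(blob):
        size, off = struct.unpack_from(">i", blob, off)[0], off + 4
        if size <= 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", blob, off)[0]
        realm, off = _cstr(blob, off + 2)
        comps = [b""] * ncomp
        for i in range(ncomp):
            comps[i], off = _cstr(blob, off)
        off += 8                           # skip name_type and timestamp
        kvno, etype = blob[off], struct.unpack_from(">H", blob, off + 1)[0]
        _key, off = _cstr(blob, off + 3)   # the key bytes are not needed here
        if end - off >= 4:                 # optional 32-bit vno overrides the 8-bit one
            kvno = struct.unpack_from(">I", blob, off)[0] or kvno
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, etype))
        off = end
    return entries

def diagnose(entries, principal, ticket_kvno, ticket_etype):
    """Explain why no keytab key matches the ticket's enc-part, or return 'ok'."""
    have = sorted({k for p, k, e in entries if p == principal and e == ticket_etype})
    if not have:
        return "no etype %d key for %s" % (ticket_etype, principal)
    if ticket_kvno not in have:
        return "kvno mismatch: ticket kvno %d, keytab kvno %s" % (ticket_kvno, have)
    return "ok"

def build_keytab(principal, kvno, etypes):  # constructs a sample keytab with dummy zero keys
    name, realm = principal.split("@")
    comps, out = name.split("/"), b"\x05\x02"
    for et in etypes:
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, et) + struct.pack(">H", 16) + bytes(16)
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

SAMPLE = build_keytab("HTTP/proxy2.sibptus.ru@STN.TN.CORP", 1, [1, 3, 23, 18, 17])  # constructed
```

Against a real file, read it with open("/etc/squid/squid.keytab", "rb").read() and feed the kvno and etype shown under enc-part in the Wireshark ap-req dissection; the etype numbers are the IANA Kerberos values (23 = arcfour-hmac-md5, 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96).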
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users 