[squid-users] Negotiate Kerberos Auth - BH Invalid request

L.P.H. van Belle belle at bazuin.nl
Tue Jun 13 12:54:38 UTC 2017 

First, it very handy to know your os and samba and squid versions used. 
?
Second, 
Squid/radius etc anything that uses NTLMv1 with samba stopped working after 4.5.0 
I think your main problem can be explained by this extract from the release notes for 4.5.0:
?

NTLMv1 authentication disabled by default

-----------------------------------------

 

In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no".?
This may have impact on very old clients which doesn't support NTLMv2 yet.

 

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

 

By default, Samba will only allow NTLMv2 via NTLMSSP now, 
as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no".

?

?

Greetz, 

?

Louis

?

?

?

Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Kevin M???hlparzer
Verzonden: dinsdag 13 juni 2017 14:00
Aan: squid-users at lists.squid-cache.org
Onderwerp: [squid-users] Negotiate Kerberos Auth - BH Invalid request




Hello list,




I asked about a problem with NTLM-Authentication before. (BH SPNEGO request invalid prefix; thats the error of the helper protocol "helper-protocol=squid-2.5-ntlmssp" I used with NTLM, while basic works fine)

A user told me I should use negotiate_kerberos_auth instead of ntlm_auth.

Now here's my new problem:





root at x-x-testproxy01:/etc/squid# /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
negotiate_kerberos_auth.cc(487): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(546): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/squid/HTTP.keytab
negotiate_kerberos_auth.cc(570): pid=5305 :2017/06/13 13:29:41| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_5305
testuser xxxxxxx
negotiate_kerberos_auth.cc(610): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: DEBUG: Got 'testuser xxxxxx' from squid (length: 18).
negotiate_kerberos_auth.cc(647): pid=5305 :2017/06/13 13:29:47| negotiate_kerberos_auth: ERROR: Invalid request [testuser xxxxxxx]
BH Invalid request
So my configuration has mistakes, but I can't find them. I don't really know where to search, or what works for sure. I tried many tutorials on krb5 and samba. Every form of testing I tried works fine except indeed using the required kerberos authentication of my squid-proxy.






Tests that come to my mind:

kinit a user

Warning: Your password will expire in 36 days on Don 20 Jul 2017 13:23:54 CEST










klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser at X-XXX.LOCAL

Valid starting?????? Expires????????????? Service principal
2017-06-13 13:38:37? 2017-06-13 23:38:37? krbtgt/X-XXX.LOCAL at X-XXX.LOCAL
?? ?renew until 2017-06-14 13:38:34





klist -k on my HTTP.keytab



Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
?? 1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
?? 1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
?? 1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
?? 1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
?? 1 host/x-x-testproxy01.x-xxx.local at X-XXX.LOCAL
?? 1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
?? 1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
?? 1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
?? 1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
?? 1 host/X-X-TESTPROXY01 at X-XXX.LOCAL
?? 1 X-X-TESTPROXY01$@X-XXX.LOCAL
?? 1 X-X-TESTPROXY01$@X-XXX.LOCAL
?? 1 X-X-TESTPROXY01$@X-XXX.LOCAL
?? 1 X-X-TESTPROXY01$@X-XXX.LOCAL
?? 1 X-X-TESTPROXY01$@X-XXX.LOCAL





basic-auth using ntlm


root at x-x-testproxy01:/etc/squid# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --username=testuser --password=xxxxxxxx
testuser xxxxxxxxxx
OK
testuser at x-xxx.local xxxxxxxx
OK

wbinfo -u
administrator
testuser
...
wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
...

wbinfo --krb5auth=testuser%xxxxxxx
plaintext kerberos password authentication for [testuser%xxxxxxx] succeeded (requesting cctype: FILE)

wbinfo -t
checking the trust secret for domain X-XXX via RPC calls succeeded

wbinfo --authenticate=testuser%xxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

/usr/lib/squid/negotiate_kerberos_auth_test x-x-testproxy01.x-xxx.local
Token: YIIFOgYGKwYBBQUCoIIFLjCCBSqgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgIGBisGAQUCBaKCBP0EggT5YIIE9QYJKoZIhvcSAQICAQBuggTkMIIE4KADAgEFoQMCAQ6iBwMFAAAAAACjggP2YYID8jCCA+6gAwIBBaENGwtYLU5FVC5MT0NBTKIuMCygAwIBA6ElMCMbBEhUVFAbG3gtbC10ZXN0cHJveHkwMS54LW5ldC5sb2NhbKOCA6YwggOioAMCARKhAwIBAaKCA5QEggOQIMtincRDtWjh44pew3twk26Gm9rTC7CbkobNrzaRq/weljVl5TSbMQTFIVRQXVe4CQBWJ/Gcg472cgLA3mjOH8Z30zxQFP8fsK46wAtTEzJhonzXLImhaPtXvCVz94xaCVG7cBlNJCUmZQHsQMxFsGJZfKCkDvztiNplXEEwRgT7S6f8HQNm62xPAyz9aK8Wqfz9suW5cSBk8wdRAQNleKP1Xe/2LqZ4jfDpodPdcy9A8vh1dKu4tmbz+EJ/bKvWA+/twuXiOhhGq4W39TlOu/3zD87pXAh65ka1QsepkCWgUMHImDw8nUr8Zvi4j4vI9WhyMyLFYBya8BvAX9kLg73zl80g82bQVIAb8QU3gS2Akhpd7r1flfUbfRDUQfuS/bsaHspZoP+2c8+Bxy38OML4Gg29y6fJvRNfDaCnqmTQdiPtyqELVUS+4x7r260mM1wQKzD2Jb5pcz4wMHUK0sdw8xmMARGxB7XdyGSbo759GD6tOaTAKkNwccno6i9wyOoLqfhVRjE/K9FLCvCnzEFI07q1/dFz1Ce/ZzroW3nOwNQe3V6qqBELwuTvHgxIdGq4HEPeLqAUkVWxneXemRNbLKiOs/BIe3qkXxizgAkFLqRO5az2pVOD7/KBevxYZKeAgIuDsbIYG/u3Ic+KtCDaaM/to2b41SB8ZOFKJau3BuMPOvZ4ipiMbv0N/Svk4Tg61BIhN3CJYKA3ep/3p3wSfJlkcYeRVkDpasQnmFnjxV2YS7Q8nvmf9LIz+KIYBIT8X9yRPuV/E2lSELZlxJ8CySLFLUKgtMj97GPMlacc+UN3lJjyoExUKHpMZtUmaKrw7ueT3wnLMWgx0BBPkiAebUAedKj9u9sEscFylmI/+PdCCraMNbkOckCsggYXfJm6LxFZJhnDvw1+Z87xsJFDs5fasF6j8REiG8aHTmKHgt2M9TmIRNo/PsYrZGvuVQhkk2fuyFxwwyfs7ysNEkOmBWlFlTEjddjT9YShHfV8Fo8+M2UYY5nYiUIQq5BBfZ679ntivs7F80lKMOqhc7SOY63VwRJOwoq35+bnsIB08b9cttySiOcFsZb6uTnYvHzUFVSUha4nxrg3zW3fL9KVu4XY+lgCRZrBZMxioy6vbAOJBmpqXOJvel2gBbGN6PEd2ReeX43l1gcn+Bd3mQykmUIEzMMuRpSHda9233aWHbwEZ9H9rOdJdhgX4U+upIHQMIHNoAMCARKigcUEgcJu7kcC1zuJdhOQk+YA0Hw2G9kyg46tpaNIgj1CEgkD/KE28kaKivCTZTnHfrNOpIOJaaiYw4RMwJsbgZdRU+fz/jUwxvXdUSGon6JrU7S2XZ9CjXRXfdpXc4HjP0QW6Cql1SE95MpkcbMRH8FQvGNryBzsqIkELnvXceTGCmwlN3n60nqkoR5/41p2PtSz4hFMOVdT6AkPlNC5VTCtCZUj7YbrYVYImPnG3aAfQxXEHRy19/v0mL2845jZFA7Xw96s1A==




Sorry for posting so many output...
I already read many documentations, but no one really tests in small steps, they just assume that it works for everyone out of the box...


Does anyone have a clue what could be my mistake?



Thanks in advance.








-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170613/8a4f419b/attachment.html>

More information about the squid-users mailing list