[squid-users] Problem with kerb/ntlm authentication
Yanier Salazar Sanchez
yanier at eleccav.une.cu
Tue Sep 18 13:26:05 UTC 2018
I already fixed the problem that caused NTLM authentication to work only.
Greetings yanier
Ing. Yanier Salazar Sánchez
Administrador de Red
Empresa Eléctrica Ciego de Avila
Teléfonos: (33) 228613 ext 305
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Yanier Salazar Sanchez
Sent: Friday, September 14, 2018 13:57
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Problem with kerb/ntlm authentication
Sorry for my bad english.
This is the scenario
I have ubuntu 18.04.01 (with las update) with squid 4.2-2, samba and winbind
4.7.6, AD on Windows Server 2012 R2/2016 with the las update, Client with
windows 10 1709 with the las update, firefox 60.2.0esr, google chrome
61.0.3163.79, firefox quantum 62.0 and internet explorer
I using this guide
https://blog.it-kb.ru/2014/06/16/forward-proxy-squid-3-3-on-ubuntu-server-14
-04-lts-part-1-install-os-on-hyper-v-generation-2-vm/ (Only to where
kerberos and NTLM are configured)
I joined the proxy to the active directory
All the commands seem to work correctly
I run this command
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP//srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP//srv-squid-krb.mired.lan at MIRED.LAN>
Valid starting Expires Service principal
09/13/2018 16:29:48 09/14/2018 02:29:48 krbtgt/MIRED.LAN at MIRED.LAN
<mailto:krbtgt/MIRED.LAN at MIRED.LAN>
09/13/2018 16:55:57 09/14/2018 02:29:48
host/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:host/srv-squid-krb.mired.lan at MIRED.LAN>
09/13/2018 16:56:13 09/14/2018 02:29:48 host/srv-dc.mired.lan at MIRED.LAN
<mailto:host/srv-dc.mired.lan at MIRED.LAN>
I run this command
kinit squidtest
password for squidtest at MIRED.LAN <mailto:squidtest at MIRED.LAN> :
I create a proxy.keytab in my windows server 2012 r2 with this command
ktpass -princ HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN> -mapuser MIRED\squidtest
-pass password -crypto All -ptype KRB5_NT_PRINCIPAL -out d:\proxy.keytab
proxy.keytab permission
rw-rr root proxy proxy.keytab
My krb5.conf file
[libdefaults]
default_realm = MIRED.LAN
dns_lookup_kdc = yes
dns_lookup_kdc = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/proxy.keytab
[realms]
MIRED.LAN = {
kdc = srv-dc.mired.lan
admin_server = srv-dc.mired.lan
default_domain = mired.lan
}
[domain_relam]
mired.lan = MIRED.LAN
.mired.lan = MIRED.LAN
I run this command
klist k /etc/squid/proxy.keytab
Keytab name: FILE/etc/squid/proxy.keytab
KVNO Principal
6 HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
6 HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
6 HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
6 HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
6 HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
I run this command
wbinfo authenticate=squidtest%mypassword
Plaintest password athentication succeded
Challenge/response password authentication succeded
I run this command
wbinfo krb5auth=squidtest%mypassword
Plaintest kerberos password athentication for [squidtest:mypassword]
succeded (requesting cctype: FILE) credential were put in; FILE/tmp/krbcc_0
I run this command
wbinfo g (List all groups in AD)
I run this command
wbinfo u (List all users in AD)
I run this command
/usr/lib/squid/negotiate_kerberos_auth_test srv-squid-krb.mired.lan
Token: YIICSAYGRKw
.. blabla /B8VWAxn29WaG/j
The squid.conf its basic configuration only with
auth_program negotiate program /usr/lib/squid/negotiate_wrapper_auth d
ntlm /usr/bin/ntlm_auth diagnostics helper-protocol=2.5-ntlmssp
domain=mired kerberos /usr/lib/squid/negotiate_kerberos_auth d r s
HTTP//srv-squid-krb.mired.lan at mired.lan
<mailto:HTTP//srv-squid-krb.mired.lan at mired.lan>
auth_program negotiate children 10
auth_program negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive off
acl red src 192.168.0.0/24
acl auth proxy_auth REQUIRED
and
http_access allow red auth
But the problem is that Kerberos dont work. Only NTLM.
cache.log
2018/09/14 06:25:02| negotiate_wrapper: Starting version 1.0.1
2018/09/14 06:25:02| negotiate_wrapper: NTLM command: /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp
2018/09/14 06:25:02| negotiate_wrapper: Kerberos command:
/usr/lib/squid/negotiate_kerberos_auth -d -r -s
HTTP/srv-squid-krb.mired.lan at MIRED.LAN
<mailto:HTTP/srv-squid-krb.mired.lan at MIRED.LAN>
negotiate_kerberos_auth.cc(487): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(546): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/proxy.keytab
negotiate_kerberos_auth.cc(570): pid=10816 :2018/09/14 06:25:02|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_10816
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA==
'
2018/09/14 13:39:18.197 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='
2018/09/14 13:39:18.197 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonigQb5TAh6RigAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIALqX2txRTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA==
'
2018/09/14 13:39:18.202 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='
2018/09/14 13:39:18.202 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgonig5b0rgxfAqwAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAD5e29xRTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA==
'
2018/09/14 13:39:18.212 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='
2018/09/14 13:39:18.212 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni/IpqOarkGm0AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAF7Y3NxRTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA==
'
2018/09/14 13:39:18.213 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='
2018/09/14 13:39:18.213 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniE4M9MFIcoxQAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIAIoG3dxRTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA==
'
2018/09/14 13:39:18.234 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='
2018/09/14 13:39:18.235 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoniyKjYPBGi9DAAAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIADpT4NxRTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJe
sRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPTClxtLRmctSfR7SLfnA2O0UATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD6IIRx8JJ
esRgbGAVoQxrwAQEAAAAAAABe2NzcUUzUATZJB+HrulrgAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAF7Y3NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAyh1ssj6oWg4B+eQjlqv2aA=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
'
2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall
2018/09/14 13:39:18.297 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'
2018/09/14 13:39:18.297 kid1| 29,2| User.cc(227) addIp: user 'crystall' has
been seen at a new IP address (192.168.0.2:53116)
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6Ul
IPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPNdmk9QQok2ZtAJi07Aft0EUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIdVVkN6U
lIPyfEZl+tFbZAQEAAAAAAAA6U+DcUUzUAbDPblk1F39AAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIADpT4NxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAASlVupH80E90xsICozM0MDw=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5c
V4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPktrvZwcp20ZMz2vUT1MqrEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC/ktNdTT5
cV4Jw+7d4icVSAQEAAAAAAAA+XtvcUUzUAQvLOUptjrxtAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAD5e29xRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAC9hZLo1JeXWlUlkutHco2Q=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHbA
PUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPcvqx2ByNCA8nHjzEmlCuRkUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV9wKDCHb
APUCj0iTVPM9cAQEAAAAAAACKBt3cUUzUAQ3p911SxBpmAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIAIoG3dxRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAWt0nSXk+Ix4DbAvzOrubNA=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/+
TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPsug30D9/WWwwJJE0C5LgOUUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB9ekE7/
+TbqkYU6Gx64qAQEAAAAAAAC6l9rcUUzUAS71gyhoa7SHAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIALqX2txRTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAA/6MII/C9uGEWH4s9EE+W/g=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
'
2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall
2018/09/14 13:39:18.326 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
'
2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall
2018/09/14 13:39:18.331 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
'
2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall
2018/09/14 13:39:18.335 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
'
2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(336) HandleReply:
authenticated user crystall
2018/09/14 13:39:18.340 kid1| 29,4| UserRequest.cc(355) HandleReply:
Successfully validated user via Negotiate. Username 'crystall'
2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.
2018/09/14 13:39:18.340 kid1| ICP is disabled! Cannot send ICP request to
peer.
2018/09/14 13:39:18.779 kid1| 29,4| UserRequest.cc(294) authenticate: No
Proxy-Auth header and no working alternative. Requesting auth header.
2018/09/14 13:39:18.782 kid1| 29,4| UserRequest.cc(354) authenticate: No
connection authentication type
2018/09/14 13:39:18| negotiate_wrapper: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' from squid
(length: 59).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAKs/AAAADw==' (decoded length:
42).
2018/09/14 13:39:18| negotiate_wrapper: received type 1 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Return 'TT
TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9F
AEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsA
UgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBk
AC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA==
'
2018/09/14 13:39:18.785 kid1| 29,4| UserRequest.cc(311) HandleReply: Need to
challenge the client with a server token:
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='
2018/09/14 13:39:18.785 kid1| 29,2| UserRequest.cc(203) authenticate: need
to challenge client
'TlRMTVNTUAACAAAADgAOADgAAAAVgoni6re6l3Xwbr4AAAAAAAAAAJwAnABGAAAABgEAAAAAAA9
FAEwARQBDAEMAQQBWAAIADgBFAEwARQBDAEMAQQBWAAEAGgBTAFIAVgAtAFMAUQBVAEkARAAtAEs
AUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQB
kAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBjAHUABwAIANJNNN1RTNQBAAAAAA=
='!
2018/09/14 13:39:18| negotiate_wrapper: Got 'KK
TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEADs
AQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGEA
bABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnEc
JGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAEA
GgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgBj
AHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGUA
LgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKKO
F8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADEA
NwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
from squid (length: 683).
2018/09/14 13:39:18| negotiate_wrapper: Decode
'TlRMTVNTUAADAAAAGAAYAIwAAABIAUgBpAAAAA4ADgBYAAAAEAAQAGYAAAAWABYAdgAAABAAEAD
sAQAAFYKI4goAqz8AAAAPZToO29GZi9mTSaZo7kC+uEUATABFAEMAQwBBAFYAYwByAHkAcwB0AGE
AbABsAEMATABJAC0AUgBFAEQARQBTAC0AMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMCXZljnE
cJGfczvMrEXsbAQEAAAAAAADSTTTdUUzUATkI4mevwzXdAAAAAAIADgBFAEwARQBDAEMAQQBWAAE
AGgBTAFIAVgAtAFMAUQBVAEkARAAtAEsAUgBCAAQAHABlAGwAZQBjAGMAYQB2AC4AdQBuAGUALgB
jAHUAAwA4AHMAcgB2AC0AcwBxAHUAaQBkAC0AawByAGIALgBlAGwAZQBjAGMAYQB2AC4AdQBuAGU
ALgBjAHUABwAIANJNNN1RTNQBBgAEAAIAAAAIADAAMAAAAAAAAAAAAAAAADAAANSO8haD472JTKK
OF8vBYpu8Z0WdTYbu7c7tqLmb/9ooCgAQAAAAAAAAAAAAAAAAAAAAAAAJACQASABUAFQAUAAvADE
ANwAyAC4AMQA5AC4AMgAyADQALgA0ADYAAAAAAAAAAAAAAAAAxTDFbTI2R1oQS5sjProTRQ=='
(decoded length: 510).
2018/09/14 13:39:18| negotiate_wrapper: received type 3 NTLM token
2018/09/14 13:39:18| negotiate_wrapper: Return 'AF = crystall
Access.log
1536946843.113 66541 192.168.0.2 TCP_TUNNEL/200 3806 CONNECT
www.facebook.com:443 <http://www.facebook.com:443> crystall
FIRSTUP_PARENT/PARENT_PROXY_IP
The question is, that only NTLM works, I've tried with Internet Explorer,
Google Chrome and Firefox. The other thing is that he never asks for
username and password, he uses the user credentials that he initiates
session to work (I do not know if this is the correct operation).
What could be happening?
Sorry for the long email.
Gretting Yanier
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180918/c6710c60/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 4312 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180918/c6710c60/attachment-0001.jpg>
More information about the squid-users
mailing list