[squid-users] please, can someone help me with the negotiate kerberos?

Rafael Silva Daniel rafaelsilvadaniel at gmail.com
Sat Feb 15 20:08:21 UTC 2020


Hello! I think I did almost everything right. First I set it up in a test
environment with Debian Stretch running Squid 3.5 and a Windows Server 2008
based domain controller, and it worked!

But when I tried to deploy it in the production environment, running Debian
Stretch, Squid 3.5 and Windows Server 2012 as the domain controller, the
authentication never works; the file /var/log/squid/cache.log shows this:

2020/02/14 15:40:21 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information. No principal in keytab matches desired name; }}
negotiate_kerberos_auth.cc(610): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Got 'YR (LETTERS AND NUMBERS)' from squid (length: 2439).
negotiate_kerberos_auth.cc(663): pid=13887 :2020/02/14 15:40:22| negotiate_kerberos_auth: DEBUG: Decode '(LETTERS AND NUMBERS)' (decoded length: 1826).

Obs1: I replaced a big string of letters and numbers with "(LETTERS AND NUMBERS)".
Obs2: I posted more of the file at this link: https://pastebin.com/Z2fe98dB

Well, the results of running: kinit -kt /etc/squid/HTTP.keytab HTTP/squid2.domain.local@DOMAIN.LOCAL

root@SERVER:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/squid2.domain.local@DOMAIN.LOCAL

Valid starting       Expires              Service principal
02/15/2020 10:55:32  02/15/2020 20:55:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02/16/2020 09:55:32



The results of running: klist -kte /etc/squid/HTTP.keytab

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/12/2020 17:33:15 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   1 02/12/2020 17:33:16 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 SQUID2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (arcfour-hmac)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)

And the results of running:

root@SERVER:~# /usr/lib/squid/negotiate_kerberos_auth_test server.domain.local
Token: (Alonglinewithnumbersandletters)

The contents of /etc/krb5.conf:

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/HTTP.keytab

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.LOCAL = {
        kdc = dc01.domain.local
        admin_server = dc01.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

And /etc/squid/squid.conf:

http_port 3128
dns_nameservers 200.198.5.4 200.198.5.5
visible_hostname PROXY
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

url_rewrite_program /usr/bin/squidGuard

#auth parameter NEGOTIATE
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab
auth_param negotiate children 30
auth_param negotiate keep_alive on

acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 90 # metodo
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access allow auth



In the domain controller I created the proper DNS records in the two zones;
the host running Squid can have its IP resolved to its right hostname, and its
hostname resolved to its right IP. In the clients I set the proxy as
server.domain.local, and in the Squid access.log the requests come in but are
all denied, and a prompt for user and password is shown to the user.

Obs: the only data edited while posting was that I replaced our domain with
domain.local, the name of the host with SERVER, and long strings of data in
the cache log and negotiate kerberos test output; all the rest is what is
really running in the files.

Please, someone help me. I tried to read everything I could find, but I am not
finding how to understand what I am doing wrong. Thanks in advance, D:





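As an added example (not from the post or the Squid project), a small Python checker that compares the three names that have to agree before negotiate_kerberos_auth can pick a credential from the keytab: the principal passed with -s in squid.conf, the principals listed by klist -kte, and the proxy hostname the browsers are configured with. The klist listing is a constructed sample in the layout shown above, and the realm-defaulting step for an -s value without @REALM is an assumption.

```python
import re
import shlex

# Constructed sample of `klist -kte` output, in the layout shown in the post
# (only the KVNO 3 entries for one enctype are kept for brevity).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/12/2020 17:36:59 squid2$@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 HTTP/squid2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 02/12/2020 17:36:59 host/squid2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""

def keytab_principals(klist_text):
    """Collect the principal names from `klist -kte` output (one per key entry)."""
    principals = set()
    for line in klist_text.splitlines():
        # columns: KVNO, date, time, principal, (enctype)
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals

def configured_spn(auth_param_line):
    """Return the principal passed with -s on the auth_param negotiate program line."""
    args = shlex.split(auth_param_line)
    return args[args.index("-s") + 1] if "-s" in args else None

def check_negotiate_setup(auth_param_line, klist_text, proxy_hostname, realm):
    """List the name mismatches behind 'No principal in keytab matches desired name'."""
    spn = configured_spn(auth_param_line)
    if spn is None or "/" not in spn:
        return [f"no HTTP/<host> principal given with -s (got {spn!r}); nothing to compare"]
    if "@" not in spn:
        spn = f"{spn}@{realm}"   # assumption: the default realm applies when -s omits one
    problems = []
    if spn not in keytab_principals(klist_text):
        problems.append(f"{spn} has no key in the keytab")
    svc_host = spn.split("/", 1)[1].split("@", 1)[0]
    if svc_host.lower() != proxy_hostname.lower():
        # browsers request a ticket for HTTP/<the proxy name they were given>
        problems.append(f"clients use proxy {proxy_hostname} but -s names {svc_host}")
    return problems

if __name__ == "__main__":
    line = ("auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth "
            "-d -s HTTP/squid.domain.local -k /etc/squid/HTTP.keytab")
    for p in check_negotiate_setup(line, KLIST_OUTPUT, "server.domain.local", "DOMAIN.LOCAL"):
        print("mismatch:", p)
```

Run it against the real klist -kte output and the real auth_param line to see whether each name resolves to a key the helper can actually load.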