[squid-users] squid 5.9 Kerberos authentication problem

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 12 16:04:45 UTC 2023 

On 6/10/23 06:15, Ludovit Koren wrote:
>>>>>> Amos Jeffries writes:
> 
>      > On 5/10/23 19:30, Ludovit Koren wrote:
>      >> Hello,
>      >> I am using squid 5.9 with AD Kerberos authentication and could not
>      >> solve
>      >> the problem of sending incorrect request according to client
>      >> configuration followed by the correct one, i.e.:
>      >> 1695983264.808      0 x.y.z TCP_DENIED/407 4135 CONNECT
>      >> th.bing.com:443 - HIER_NONE/- text/html
>      >> 1695983264.834     21 x.y.z TCP_TUNNEL/200 6080 CONNECT th.bing.com:443 name at domain FIRSTUP_PARENT/squid-parent -
>      >>
> 
>      > This looks fine to me. The first request is sent without credentials,
>      > then the second contains the correct ones using the correct
>      > authentication scheme.
> 
> ok, this is little bit longer output:


> 1695983167.837      0 x.y.z TCP_DENIED/407 4135 CONNECT th.bing.com:443 - HIER_NONE/- text/html
> 1695983167.842      1 x.y.z TCP_DENIED/407 4135 CONNECT th.bing.com:443 - HIER_NONE/- text/html
> 1695983167.873     27 x.y.z TCP_TUNNEL/200 6080 CONNECT th.bing.com:443 name at domain FIRSTUP_PARENT/squid-parent -

Taking this set of th.bing.com requests as clearly a bunch related they 
look like an NTLM or Negotiate/NTLM authentication sequence.


The rest of the log entries are a little too spread out with a mix of 
domains to tell where the connections are.

Also, the 200 status CONNECT tunnels in this log extract were all 
running from a time before the first line of the log snippet. So we 
cannot see how they reached 200 status.


> 
> In the gw1.ris.datacentrum.sk, there is authentication on the site
> inside SSL. It is not working.

FYI, "inside SSL" is just opaque bytes to Squid. Any failure there is 
between the client and server at the other end of the CONNECT tunnel. 
Nothing to do with this Squid.


> As soon as I exclude
> gw1.ris.datacentrum.sk from the authentication in squid, it starts
> working.

That is an indication that the client software is unable to handle 
authentication on the CONNECT tunnel properly.



For better troubleshooting there are several steps to take:

* making a custom log format and a debug log for your Squid would be 
useful to get more details about each transaction.

  I suggest adding this to your squid.conf:

  logformat debug %ts.%03tu %6tr %>a cid=%>p_%lp_%ssl::bump_mode \
     %Ss/%03>Hs %<st %rm %ru \
     user=%[un/login=%[ul/token=%[credentials %Sh/%<a/%03<Hs

  access_log /var/log/squid/debug.log debug


The "cid=" entry should be a semi-unique value per TCP connection. It is 
not true unique since ports get re-used, but should be reliable enough 
to separate overlapping connections with duplicate request URLs.

The user=/login=/token= part should allow you to see what/why the 407 is 
occuring. You can investigate the token value with this tool 
<https://gist.github.com/aseering/829a2270b72345a1dc42> to see if it is 
truly a Negotiate/Kerberos token vs a Negotiate/NTLM one.



If you need more assistance, I/we will need to see your squid.conf (in 
full but without the "#" comment lines) and the output trace from that 
debug.log.

HTH
Amos

More information about the squid-users mailing list