<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>I’ve got a Squid 3.3.3 running on Windows 2003 (and 2008) box via CYGWIN, works with the basic config.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My next step is to put in some authentication in place, in this case Kerberos using..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -s HTTP/vis-squid.VAND1.OPPY.COM<o:p></o:p></p><p class=MsoNormal>auth_param negotiate children 10<o:p></o:p></p><p class=MsoNormal>auth_param negotiate keep_alive on<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Before I can do this, I need to get a keytab file and setup the proper SPNs, on CYGWIN we don’t have Samba so I am using msktutil to create the computer account and keytab/SPNs; specifically one that works under CYGWIN (<a href="https://github.com/fd00/yacp/tree/master/msktutil">https://github.com/fd00/yacp/tree/master/msktutil</a>).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>When I try to create the keytab as per <a href="http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos">http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a> by running...<br><br><o:p></o:p></p><p class=MsoNormal>msktutil -c -b "CN=computers" -s HTTP/xxx-squid.MY.DOMAIN.COM -k /etc/squid/PROXY.keytab --computer-name xxx-squid --upn HTTP/ xxx-squid.MY.DOMAIN.COM--server DCSRV02 --enctypes 28 –verbose<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It runs but dies at..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>-- ldap_get_pwdLastSet: pwdLastSet is 130576191605205669<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Successfully set password, waiting for it to be reflected in LDAP.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_get_pwdLastSet: pwdLastSet is 130576191607895789<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Successfully reset computer's password<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Setting samba machine trust account password<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>The syntax of this command is:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>Setting samba secret failed with error code 256<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>Error: set_password failed<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'>Hint: Does your password policy allow to change vis-squid's password?<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> For example, there could be a "Minimum password age" policy preventing<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> passwords from being changed too frequently. If so, you can reset the<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> password instead of changing it using the --user-creds-only option.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> Be aware that you need a ticket of a user with administrative privileges<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> for that.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ~msktutil_exec: Destroying msktutil_exec<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_cleanup: Disconnecting from LDAP server<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- init_password: Wiping the password structure<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ~KRB5Context: Destroying Kerberos Context<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Looks like it is trying to use Samba’s “net” command which is different than the net command above (windows). So I edited <a href="http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp">http://repo.or.cz/w/msktutil.git/blob/9f22f3ec6efa0a6f8bb122fb14095a1ab50d3d6c:/msktpass.cpp</a> and commented out the block of code that tries to run “net changesecretpw” samba cmd (I thought the whole purpose of msktutil was an alternative way to perform net ads keytab create so why is it running that cmdlet…) then re-compiled msktutil and re-ran it..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It went through this time with..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'>-- ldap_get_pwdLastSet: pwdLastSet is 130576324675479078<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Successfully reset computer's password<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Setting samba machine trust account password<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- set_password: Successfully set samba machine trust account password<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_add_principal: Checking that adding principal HTTP/xxx-squid.MY.DOMAIN.COM to vis-squid won't cause a conflict<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_add_principal: Adding principal HTTP/xxx-squid.MY.DOMAIN.COM to LDAP entry<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- execute: Updating all entries for rmt-server01.MY.DOMAIN.COM in the keytab WRFILE:/etc/squid/PROXY.keytab<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- update_keytab: Updating all entires for vis-squid<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_get_kvno: KVNO is 4<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding principal to keytab: vis-squid<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x17<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x11<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding principal to keytab: HTTP/xxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Removing entries with kvno < 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x17<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x11<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Using salt of MY.DOMAIN.COMHTTPxxx-squid.MY.DOMAIN.COM<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- add_principal_keytab: Adding entry of enctype 0x12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ~msktutil_exec: Destroying msktutil_exec<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ldap_cleanup: Disconnecting from LDAP server<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- init_password: Wiping the password structure<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'> -- ~KRB5Context: Destroying Kerberos Context<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal>In AD I can see a new user account named “xxx-squid” (should this not be a computer object instead of a user object?), so now back to Squid (stop/start) and try hitting google.com via IE9/IE10/IE11 I get..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'>2014/10/12 17:37:14 kid1| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal>So.. something is still not right with my setup.. any suggestions? Can I create the keytab file on my Active Directory server and copy the file and use it instead?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>With the recent release of SQUID 3.3.3 to CYGWIN (<a href="http://sourceware.mirrors.tds.net/pub/sourceware.org/cygwin/x86/release/squid/">http://sourceware.mirrors.tds.net/pub/sourceware.org/cygwin/x86/release/squid/</a>) I’ve been at it for a few days trying to make it work but stuck at getting SSO with negotiate_kerberos_auth..<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Any ideas?<o:p></o:p></p></div></body></html>