<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=content-type></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Pedro,</DIV>
<DIV> </DIV>
<DIV> I looked at your captures and I observed something
similar to Victor’s issue. I see KRB5KRB_AP_ERR_MODIFIED and then
the use of the name of the AD object (e.g. proxy$) instead of HTTP/<proxy
fqdn>. I also see that you have more than one AD server and I
assume there is a sync problem between your AD servers ( You said it start
working after removing an unused AD server which would support y
assumption). </DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Pedro Lobo" <palobo@gmail.com> wrote in message
news:09275CEC-ABC1-4BC6-B4F3-546E8C5D3B7E@gmail.com...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>Hi Markus, </DIV>
<DIV> </DIV>
<DIV>When I get in to the office tomorrow, I'll do that and send you the .cap
file. Thanks for all the help so far. <BR><BR>Pedro Lobo</DIV>
<DIV><BR>On 27 Oct 2014, at 20:53, Markus Moeller <<A
href="mailto:huaraz@moeller.plus.com">huaraz@moeller.plus.com</A>>
wrote:<BR><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Pedro,</DIV>
<DIV> </DIV>
<DIV> Can you capture the traffic from one Windows 7 on XP client
on port 88 ( just after the login before access a website via squid until
successful or unsuccessful accessing the website) using wireshark
? Send me the .cap files to check.</DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Pedro Lobo" <<A
href="mailto:palobo@gmail.com">palobo@gmail.com</A>> wrote in message
news:b4adceec-5a53-4212-b16c-106237fc4504@Pedros-iPhone...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>Hi Markus Moeller,<BR><BR><BR>Hi Markus,<BR><BR>Yeah, I'm currently using
that option and permissions are correct too. </DIV>
<DIV><BR>On 27 Oct 2014 19:47, Markus Moeller wrote: <BR><BR></DIV>
<BLOCKQUOTE type="cite">
<DIV>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Pedro,</DIV>
<DIV> </DIV>
<DIV> Did you try the –s GSS_C_NO_NAME option ?</DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Pedro Lobo" <<A
href="mailto:palobo@gmail.com">palobo@gmail.com</A>> wrote in message
news:<A
href="mailto:94F74226-F24B-4910-95B7-B86ACE815995@gmail.com">94F74226-F24B-4910-95B7-B86ACE815995@gmail.com</A>...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV class=markdown>
<P>Hey Everybody,</P>
<P>Seems as though I celebrated too soon on Saturday. Today things are back
to not working for Windows 7+ machines and XP/2003 machines are working just
fine.</P>
<P>I've also checked the permissions on the keytab file and they haven't
changed since Saturday, so it's not that... ARGH!!!!</P>
<P>Craving ideas and solutions right now... Pilot users are less than
satisfied ;)</P>
<P>Cheers,<BR>Pedro</P>
<P>On 25 Oct 2014, at 14:13, Markus Moeller wrote:</P>
<BLOCKQUOTE>
<P>Hi Pedro,</P>
<P>I wonder if he upper case in the name is a problem. Can you try</P>
<P>auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s GSS_C_NO_NAME</P>
<P>instead of</P>
<P>auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s HTTP/<A
href="http://proxy01tst.fake.net">proxy01tst.fake.net</A></P>
<P>Markus</P>
<P>"Pedro Lobo" <A href="mailto:palobo@gmail.com">palobo@gmail.com</A>
wrote in message news:FD6832B9-<A
href="mailto:3F1F-48C6-A76F-47A224F1697B@gmail.com">3F1F-48C6-A76F-47A224F1697B@gmail.com</A>...<BR>Hi
Markus,</P>
<P>I used msktutil to create the keytab.</P>
<P>msktutil -c -s HTTP/<A
href="http://proxy01tst.fake.net">proxy01tst.fake.net</A> -h <A
href="http://proxy01tst.fake.net">proxy01tst.fake.net</A> -k
/etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/<A
href="http://proxy01tst.fake.net">proxy01tst.fake.net</A> --server <A
href="http://srv01.fake.net">srv01.fake.net</A> --verbose<BR>Output of
klist -ekt:</P>
<P>2 10/24/2014 22:59:50 <A
href="mailto:proxy01-tst$@FAKE.NET">proxy01-tst$@FAKE.NET</A>
(arcfour-hmac)<BR>2 10/24/2014 22:59:50 <A
href="mailto:proxy01-tst$@FAKE.NET">proxy01-tst$@FAKE.NET</A>
(aes128-cts-hmac-sha1-96)<BR>2 10/24/2014 22:59:50 <A
href="mailto:proxy01-tst$@FAKE.NET">proxy01-tst$@FAKE.NET</A>
(aes256-cts-hmac-sha1-96)<BR>2 10/24/2014 22:59:50 HTTP/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(arcfour-hmac)<BR>2 10/24/2014 22:59:50 HTTP/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(aes128-cts-hmac-sha1-96)<BR>2 10/24/2014 22:59:50 HTTP/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(aes256-cts-hmac-sha1-96)<BR>2 10/24/2014 22:59:50 host/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(arcfour-hmac)<BR>2 10/24/2014 22:59:50 host/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(aes128-cts-hmac-sha1-96)<BR>2 10/24/2014 22:59:50 host/<A
href="mailto:proxy01tst.FAKE.net@FAKE.NET">proxy01tst.FAKE.net@FAKE.NET</A>
(aes256-cts-hmac-sha1-96)<BR>Yep, using MIT Kerberos</P>
<P>Thanks in advance for any help.</P>
<P>Cheers,<BR>Pedro</P>
<P>On 25 Oct 2014, at 1:26, Markus Moeller wrote:</P>
<P>Hi Pedro,</P>
<P>How did you create your keytab ? What does klist –ekt
<squid.keytab> show ( I assume you use MIT Kerberos) ?</P>
<P>Markus</P>
<P>"Pedro Lobo" <A href="mailto:palobo@gmail.com">palobo@gmail.com</A>
wrote in message news:<A
href="mailto:40E1E0E7-50C6-4117-94AA-50B06573430A@gmail.com">40E1E0E7-50C6-4117-94AA-50B06573430A@gmail.com</A>...<BR>Hi
Squid Gurus,</P>
<P>I'm at my wit's end and in dire need of some squid expertise.</P>
<P>We've got a production environment with a couple of squid 2.7 servers
using NTLM and basic authentication. Recently though, we decided to
upgrade and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback.
I've followed just about every guide I could find and in my testing
environment, things were working great. Now that I've hooked it up to the
main domain, things are awry.</P>
<P>If I use a machine that's not part of the domain, NTLM kicks in and I
can surf the web fine. If I use a Windows XP or Windows Server 2003,
kerberos works just fine, however, if I use a machine Windows 7, 8 or 2008
server, I keep getting a popup asking me to authenticate and even then,
it's and endless loop until it fails. My cache.log is littered with:</P>
<P>negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01|
negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more
information.<BR>2014/10/24 23:03:01| ERROR: Negotiate Authentication
validating user. Error returned 'BH gss_accept_sec_context() failed:
Unspecified GSS failure. Minor code may provide more information. '<BR>The
odd thing, is that this has worked before. Help me Obi Wan... You're my
only hope! :)</P>
<P>Current Setup<BR>Squid 3.3 running on Ubuntu 14.04 server. It's
connected to a 2003 server with function level 2000 (I know, we're trying
to fase out the older servers).</P>
<P>krb5.conf</P>
<P>[libdefaults]<BR>default_realm = <A
href="http://FAKE.NET">FAKE.NET</A><BR>dns_lookup_kdc =
yes<BR>dns_lookup_realm = yes<BR>ticket_lifetime =
24h<BR>default_keytab_name = /etc/squid3/PROXY.keytab</P>
<P>; for Windows 2003<BR>default_tgs_enctypes = rc4-hmac des-cbc-crc
des-cbc-md5<BR>default_tkt_enctypes = rc4-hmac des-cbc-crc
des-cbc-md5<BR>permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5</P>
<P>[realms]<BR><A href="http://FAKE.NET">FAKE.NET</A> = {<BR>kdc = <A
href="http://srv01.fake.net">srv01.fake.net</A><BR>kdc = <A
href="http://srv02.fake.net">srv02.fake.net</A><BR>kdc = <A
href="http://srv03.fake.net">srv03.fake.net</A><BR>admin_server = <A
href="http://srv01.fake.net">srv01.fake.net</A><BR>default_domain = <A
href="http://fake.net">fake.net</A><BR>}</P>
<P>[domain_realm]<BR>.<A href="http://fake.net">fake.net</A> = <A
href="http://FAKE.NET">FAKE.NET</A><BR><A
href="http://fake.net">fake.net</A> = <A
href="http://FAKE.NET">FAKE.NET</A></P>
<P>[logging]<BR>kdc = FILE:/var/log/kdc.log<BR>admin_server =
FILE:/var/log/kadmin.log<BR>default =
FILE:/var/log/krb5lib.log<BR>squid.conf</P>
<P>auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
-r -s HTTP/<A
href="http://proxy01tst.fake.net">proxy01tst.fake.net</A><BR>auth_param
negotiate children 20 startup=0 idle=1<BR>auth_param negotiate keep_alive
off</P>
<P>auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=<A
href="http://FAKE.NET">FAKE.NET</A><BR>auth_param ntlm children
10<BR>auth_param ntlm keep_alive off<BR>Cheers,<BR>Pedro</P>
<P>Cumprimentos<BR>Pedro Lobo<BR>Solutions Architect | System Engineer</P>
<P><A
href="mailto:pedro.lobo@pt.clara.net">pedro.lobo@pt.clara.net</A><BR>Tlm.:
+351 939 528 827 | Tel.: +351 214 127 314</P>
<P>Claranet Portugal<BR>Ed. Parque Expo<BR>Av. D. João II, 1.07-2.1, 4º
Piso<BR>1998-014 Lisboa<BR><A
href="http://www.claranet.pt">www.claranet.pt</A></P>
<P>Empresa certificada ISO 9001, ISO 20000 e ISO 27001</P>
<HR>
<HR>
<P>squid-users mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A></P>
<HR>
<P>squid-users mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A></P>
<P>Cumprimentos<BR>Pedro Lobo<BR>Solutions Architect | System Engineer</P>
<P><A
href="mailto:pedro.lobo@pt.clara.net">pedro.lobo@pt.clara.net</A><BR>Tlm.:
+351 939 528 827 | Tel.: +351 214 127 314</P>
<P>Claranet Portugal<BR>Ed. Parque Expo<BR>Av. D. João II, 1.07-2.1, 4º
Piso<BR>1998-014 Lisboa<BR><A
href="http://www.claranet.pt">www.claranet.pt</A></P>
<P>Empresa certificada ISO 9001, ISO 20000 e ISO 27001</P>
<HR>
<HR>
<P>squid-users mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A></P>
<HR>
<P>squid-users mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A></P></BLOCKQUOTE></DIV>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A><BR></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A><BR></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<DIV><SPAN>_______________________________________________</SPAN><BR><SPAN>squid-users
mailing list</SPAN><BR><SPAN><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A></SPAN><BR><SPAN><A
href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A></SPAN><BR></DIV></BLOCKQUOTE>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>