<div dir="ltr"><div><div><div><div>Hi Markus,<br><br></div>No, I don't know if users use NegoEx; on the network they have more than 25000 desktops.<br><br></div>I changed auth to use only NTLM but have the same problems: a lot of users are not allowed<br><br>GENSEC login failed: NT_STATUS_INVALID_PARAMETER<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br>GENSEC login failed: NT_STATUS_LOGON_FAILURE<br><br></div><div>Do they have commercial support for squid?<br></div><div><br></div>Regards<br></div>Olivier<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-11-05 22:39 GMT+01:00 Markus Moeller <span dir="ltr"><<a href="mailto:huaraz@moeller.plus.com" target="_blank">huaraz@moeller.plus.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div style="FONT-SIZE:12pt;FONT-FAMILY:'Calibri';COLOR:#000000">
<div>
<div></div> </div>
<div>Hi Olivier,</div>
<div> </div>
<div> I think on some of your newer clients you have an issue with
Negotiate and NTLM fallback. If I look at </div>
<div> </div>
<div><a href="https://msdn.microsoft.com/en-us/library/ff468736.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/ff468736.aspx</a>
I see this <a href="https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif" target="_blank">https://i-msdn.sec.s-msft.com/dynimg/IC426444.gif</a>
</div>
<div> </div>
<div>If I interpret this correctly the client will try NegoEx after failing with
Kerberos and before trying NTLM. If on the client NegoEx is successful
then NTLM will not be attempted. And I think that is the case here.
Do you know if NegoEx is used on the client? </div>
<div> </div>
<div> </div>
<div>Does anybody else know about NegoEx?</div>
<div> </div>
<div>Markus</div>
<div> </div>
<div> </div>
<div>
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline"></div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div dir="ltr">
<div style="FONT-SIZE:12pt;FONT-FAMILY:'Calibri';COLOR:#000000">
<div>
<div> </div>
<div>
<div style="BACKGROUND:#f5f5f5">
<div><font face="Tahoma"><b><font style="FONT-SIZE:10pt">From:</font></b><font style="FONT-SIZE:10pt">
</font></font><font style="FONT-SIZE:10pt"><a title="o.calvano@gmail.com" href="mailto:o.calvano@gmail.com" target="_blank"><font face="Tahoma">Olivier
CALVANO</font></a></font><font face="Tahoma"><font style="FONT-SIZE:10pt">
</font></font></div>
<div><font face="Tahoma"><b><font style="FONT-SIZE:10pt">Sent:</font></b><font style="FONT-SIZE:10pt"> Tuesday, November 03, 2015 9:22 AM</font></font></div>
<div><font face="Tahoma"><b><font style="FONT-SIZE:10pt">To:</font></b><font style="FONT-SIZE:10pt"> </font></font><font style="FONT-SIZE:10pt"><a title="huaraz@moeller.plus.com" href="mailto:huaraz@moeller.plus.com" target="_blank"><font face="Tahoma">Markus Moeller</font></a></font><font face="Tahoma"><font style="FONT-SIZE:10pt"> </font></font></div>
<div><font face="Tahoma"><b><font style="FONT-SIZE:10pt">Subject:</font></b><font style="FONT-SIZE:10pt"> Re: [squid-users] Squit with NTLM and Kerberos auth
=> a error</font></font></div></div></div>
<div> </div></div><div><div class="h5">
<div>
<div dir="ltr">Is that to say that squid can be used with Windows AD?<br><br><br></div>
<div class="gmail_extra">
<div> </div>
<div class="gmail_quote">2015-11-02 22:46 GMT+01:00 Markus Moeller <span dir="ltr"><<a href="mailto:huaraz@moeller.plus.com" target="_blank">huaraz@moeller.plus.com</a>></span>:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT:1ex;MARGIN:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid">
<div dir="ltr">
<div dir="ltr">
<div>
<div> </div>
<div>Hi Olivier,</div>
<div> </div>
<div>If I decode a token I see</div>
<div> </div>
<div>/base64> hexdump -c base64_dec.out</div>
<div>0000000 ` 201 236 006 006 + 006 001 005 005 002
240 201 223 0 201</div>
<div>0000010 220 240 032 0 030 006 \n + 006 001
004 001 202 7 002 002</div>
<div>0000020 036 006 \n + 006 001 004 001 202 7
002 002 \n 242 r 004</div>
<div>0000030 p N E
G O E X T S
\0 \0 \0 \0 \0 \0 \0</div>
<div>0000040 \0 ` \0 \0 \0
p \0 \0 \0 020 366 L 3
& 023 256</div>
<div>0000050 O 271 216 4 305 \f 200
! \t 034 340 # 327 322 177 _</div>
<div>0000060 211 202 > 254 { g 234 325
225 001 022 225 \f 323 276 A</div>
<div>0000070 206 024 6 367 ; .
\0 C 273 \0 \0 \0 \0 \0
\0 \0</div>
<div>0000080 \0 ` \0 \0 \0 001
\0 \0 \0 \0 \0 \0 \0 \0
\0 \0</div>
<div>0000090 \0 E r |
2 2 E 213 H 277 331
* k 240 ^ 244</div>
<div>00000a0 \n</div>
<div>00000a1</div>
<div> </div>
<div>It says NEGOEXTS which points me to <a title="https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396" href="https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396" target="_blank">https://technet.microsoft.com/en-us/library/dd560645%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396</a> </div>
<p>That is not supported.</p><span>
<div>Markus</div>
<div> </div>
<div> </div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div>
<div>"Olivier CALVANO" <<a href="mailto:o.calvano@gmail.com" target="_blank">o.calvano@gmail.com</a>> wrote in message
news:CAJajPefqOygT5zsYW7fWszwRTTxN-r1Pd-U73XDfoNax9dLHkA@mail.gmail.com...</div></div></div></span>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div>
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hi<br><br></div>I am testing AD authentication with
Kerberos/NTLM<br><br>### negotiate kerberos and ntlm
authentication<br>auth_param negotiate program
/usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME<br>auth_param negotiate
children 160 startup=5 idle=1<br>auth_param negotiate keep_alive on<br><br>##
NTLM authentication module<br>auth_param ntlm program /usr/bin/ntlm_auth
--diagnostics --helper-protocol=squid-2.5-ntlmssp<br>auth_param ntlm children
160 startup=5 idle=1<br>auth_param ntlm keep_alive on<br><br>## If NTLM fails,
offer the authentication dialog<br>auth_param basic program
/usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-basic<br>auth_param basic children 40 startup=5
idle=1<br>auth_param basic realm Company proxy-caching web
server<br>auth_param basic credentialsttl 2 hours<br><br><br></div>I have a
lot of users for whom it works, but for other users, squid requests login/password in
a loop.<br><br></div>In cache.log I have:<br><br>2015/11/02 17:37:57|
squid_kerb_auth: gss_accept_sec_context() failed: An unsupported mechanism was
requested. Unknown error<br>2015/11/02 17:37:57 kid1| ERROR: Negotiate
Authentication validating user. Error returned 'BH gss_accept_sec_context()
failed: An unsupported mechanism was requested. Unknown error'<br>GENSEC login
failed: NT_STATUS_LOGON_FAILURE<br>2015/11/02 17:37:58| squid_kerb_auth: Got
'YR
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
from squid (length: 219).<br>2015/11/02 17:37:58| squid_kerb_auth: Decode
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYUNvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
(decoded length: 161).<br>2015/11/02 17:37:58| squid_kerb_auth:
gss_accept_sec_context() failed: An unsupported mechanism was requested.
Unknown error<br>2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication
validating user. Error returned 'BH gss_accept_sec_context() failed: An
unsupported mechanism was requested. Unknown error'<br>2015/11/02 17:37:58|
squid_kerb_auth: Got 'YR
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
from squid (length: 219).<br>2015/11/02 17:37:58| squid_kerb_auth: Decode
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABH2TDMmE65PuY40xQyAIQlCKZmWETDY7iZgTnIeQF9VidD8h6SKLzwap1w7iI5lcwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
(decoded length: 161).<br>2015/11/02 17:37:58| squid_kerb_auth:
gss_accept_sec_context() failed: An unsupported mechanism was requested.
Unknown error<br>2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication
validating user. Error returned 'BH gss_accept_sec_context() failed: An
unsupported mechanism was requested. Unknown error'<br>2015/11/02 17:37:58|
squid_kerb_auth: Got 'YR
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
from squid (length: 219).<br>2015/11/02 17:37:58| squid_kerb_auth: Decode
'YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAABL2TDMmE65PuY40xQyAIQlOCybIQKGs/hmFlEu3FzYMQIag5ivNn4JcpRWBrJ5vMwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo='
(decoded length: 161).<br>2015/11/02 17:37:58| squid_kerb_auth:
gss_accept_sec_context() failed: An unsupported mechanism was requested.
Unknown error<br>2015/11/02 17:37:58 kid1| ERROR: Negotiate Authentication
validating user. Error returned 'BH gss_accept_sec_context() failed: An
unsupported mechanism was requested. Unknown error'<br>GENSEC login failed:
NT_STATUS_LOGON_FAILURE<br>GENSEC login failed:
NT_STATUS_LOGON_FAILURE<br><br><br><br><br></div>Does anyone know this problem?<br><br></div>Regards<br></div>Olivier<br><br>
<div>
<div>
<div> </div></div></div></div></div></div>
<hr>
<span>_______________________________________________<br>squid-users mailing
list<br><a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></span></div></div></div></div></div><br></blockquote></div>
<div> </div></div></div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline"></div></div></div></div></div></div></div></div></div></div></div>
<br></blockquote></div><br></div>
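<div>The manual hexdump of the token in the thread above can also be done programmatically. The Python below is an added example, not part of the original messages and not code from the Squid project; it walks the SPNEGO NegTokenInit of the first token quoted from cache.log and lists the mechanisms the client offered. The function names and the OID-to-name table are this example's own.</div>

```python
import base64

TOKEN_B64 = (  # first token from the cache.log excerpt, "YR " prefix removed
    "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
    "AAAAAAAAAABgAAAAcAAAABD2TDMmE65PuY40xQyAIQkc4CPX0n9fiYI+rHtnnNWVARKVDNO+QYYU"
    "Nvc7LgBDuwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo="
)
MECH_NAMES = {  # well-known GSS-API mechanism OIDs
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def read_tlv(buf, pos, want):
    """Check the DER tag at pos and return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first byte packs two arcs
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def inspect_token(token_b64):
    """Decoded length, offered mechTypes, and whether a NegoEx message is attached."""
    buf = base64.b64decode(token_b64)
    start, _ = read_tlv(buf, 0, 0x60)          # GSS-API InitialContextToken
    oid_start, oid_end = read_tlv(buf, start, 0x06)
    if decode_oid(buf[oid_start:oid_end]) != "1.3.6.1.5.5.2":  # SPNEGO
        raise ValueError("outer mechanism is not SPNEGO")
    start, _ = read_tlv(buf, oid_end, 0xA0)    # [0] NegTokenInit
    start, _ = read_tlv(buf, start, 0x30)      # SEQUENCE
    start, _ = read_tlv(buf, start, 0xA0)      # [0] mechTypes
    pos, end = read_tlv(buf, start, 0x30)      # SEQUENCE OF OID
    oids = []
    while pos < end:
        v_start, pos = read_tlv(buf, pos, 0x06)
        oids.append(decode_oid(buf[v_start:pos]))
    mechs = [(oid, MECH_NAMES.get(oid, "unknown")) for oid in oids]
    return {"length": len(buf), "mechs": mechs, "negoex": b"NEGOEXTS" in buf}
```

<div>For this token, <code>inspect_token(TOKEN_B64)</code> reports a decoded length of 161 (matching the helper's log line) and a mechanism list of NegoEx followed by NTLMSSP, with the NEGOEXTS signature present in the attached mechanism token.</div>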