<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p> </p>
<p>Hi Experts,</p>
<p>After much struggling it seems i've reached some point of success but yet still not. I've checked a multitude of websites for help before coming here, but didn't get anything valuable yet. My problem as follows :</p>
<p>I have 1x win2008R2 server that works with kerberos authentication, but none of the other PC's in the network wants to work, the others all come up with a login challenge/</p>
<p>My Configs :</p>
<p>/etc/krb5.conf</p>
<p><snip><br /> #cat /etc/krb5.conf<br /> [logging]<br /> <br /> default = FILE:/var/log/krb5libs.log<br /> kdc = FILE:/var/log/krb5kdc.log<br /> admin_server = <a href="FILE:/var/log/kadmind.log" target="_blank" rel="noreferrer">FILE:/var/log/kadmind.log</a><br /> <br /> [libdefaults]<br /> default_realm = DOMAIN.CO.ZA<br /> dns_lookup_kdc = yes<br /> dns_lookup_realm = yes<br /> ticket_lifetime = 24h<br /> default_keytab_name = /etc/squid/PROXY.keytab<br /> <br /> #; for Windows 2008 with AES<br /> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<br /> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<br /> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<br /> <br /> [realms]<br /> <br /> DOMAIN.CO.ZA = {<br /> kdc = mw-ad.domain.co.za<br /> admin_server = mw-ad.domain.co.za<br /> default_domain = domain.co.za<br /> }<br /> <br /> [domain_realm]<br /> <br /> .domain.co.za = DOMAIN.CO.ZA<br /> domain.co.za = DOMAIN.CO.ZA<br /> <br /> [login]<br /> krb4_convert = true<br /> krb4_get_tickets = false<br /></snip></p>
<p>my /etc/squid/squid.conf</p>
<p> <snip><br /> #auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -i ###WORKING - half/half<br /> auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN.CO.ZA --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME<br /> #auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME<br /> <br /> <br /> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=DOMAIN.CO.ZA<br /> auth_param ntlm children 10<br /> auth_param ntlm keep_alive off<br /> <br /> <br /> auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "DC=domain,DC=co,DC=za" -f sAMAccountName=%s -D "CN=Folder Authentication,CN=Users,DC=domain,DC=co,DC=za" -w P@55w0rd -H ldap://MW-AD.domain.co.za -R<br /> auth_param basic realm Web-Proxy<br /> auth_param basic credentialsttl 1 minute<br /> <br /> acl proxy-auth proxy_auth REQUIRED<br /> <br /> http_access allow proxy-auth<br /> </snip></p>
<p>When the Win2008R2 connectes is get the following in /var/log/squid3/cache.log</p>
<p> <snip></p>
<p> 2016/04/05 12:26:46| negotiate_wrapper: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xIBAgIGCSq<truncated>DVzSeCUH4ntF1lHc=' from squid (length: 2419).<br /> 2016/04/05 12:26:46| negotiate_wrapper: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBg<truncated>UnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).<br /> 2016/04/05 12:26:46| negotiate_wrapper: received Kerberos token<br /> negotiate_kerberos_auth.cc(315): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuB<truncated>JDp51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' from squid (length: 2419).<br /> negotiate_kerberos_auth.cc(378): pid=8218 :2016/04/05 12:26:46| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv+gMDAuBgkqhkiC9xI<truncated>51PN7RjUnIKhxWxh52aDVzSeCUH4ntF1lHc=' (decoded length: 1811).<br /> 2016/04/05 12:26:46| negotiate_wrapper: Return 'AF oYG2MIGzoAMKAQChCwYJ<truncated>ZuxzWyWJhUSZttUH70Vw595AsuKtUWvtGjGC7vGmD5Ugufw= Administrator@DOMAIN.CO.ZA</p>
<p> </snip></p>
<p>But when other PC's connect of which another win2008R2 or win10 or win7 i get :</p>
<p> <snip></p>
<p> negotiate_kerberos_auth.cc(315): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Got 'YR YIIHDwYGKwYBBQUCoII<truncated>+BnGBajMprtChSPMuUX9nnZfT+cJk=' from squid (length: 2419).<br /> negotiate_kerberos_auth.cc(378): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: DEBUG: Decode 'YIIHDwYGKwYBBQUCoIIHAzCCBv<truncated>MprtChSPMuUX9nnZfT+cJk=' (decoded length: 1811).<br /> negotiate_kerberos_auth.cc(200): pid=9389 :2016/04/05 12:33:47| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.<br /> 2016/04/05 12:33:47| ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. '</p>
<p> </snip></p>
<p>My kinit -V -kt /etc/squid3/PROXY.keytab , of which i'm sure if not supposed to say that :). I've had others that had Successfully authenticated to Kerberos V5 as well, but then the working win2008r2 doesn't work -- see below..</p>
<p> <snip></p>
<p> # kinit -V -kt /etc/squid3/PROXY.keytab<br /> Using default cache: /tmp/krb5cc_0<br /> Using principal: host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA<br /> Using keytab: /etc/squid3/PROXY.keytab<br /> kinit: Preauthentication failed while getting initial credentials</p>
<p> </snip></p>
<p>working with "authenticated with kerberos but no srv or pc working</p>
<p> <snip></p>
<p> msktutil -c -b "CN=COMPUTERS" -s HTTP/mw-sqproxy-test -s HTTP/mw-sqproxy-test.domain.co.za -h mw-sqproxy-test.domain.co.za -k /etc/squid3/PROXY.keytab --computer-name MWSQPROXYTEST --upn HOST/mw-sqproxy-test.domain.co.za --server mw-ad.domain.co.za --verbose --enctypes 28</p>
<p> </snip></p>
<p>my working klist entries</p>
<p> <snip></p>
<p> klist -ekt /etc/squid3/PROXY.keytab</p>
<p> Keytab name: FILE:/etc/squid3/PROXY.keytab<br /> KVNO Timestamp Principal<br /> ---- ------------------- ------------------------------------------------------<br /> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 04/04/2016 11:43:43 MW-SQPROXY-TEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:05 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:43:05 HOST/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:43:06 HOST/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:06 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)<br /> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 2 05/04/2016 09:50:05 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (arcfour-hmac)<br /> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 MWSQPROXYTEST$@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)<br /> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 host/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 4 04/04/2016 16:29:08 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 4 04/04/2016 16:29:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (arcfour-hmac)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 3 05/04/2016 10:15:33 HTTP/mw-sqproxy-test.domain.co.za@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 5 04/04/2016 19:19:28 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 6 04/04/2016 19:22:47 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)<br /> 7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (arcfour-hmac)<br /> 7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes128-cts-hmac-sha1-96)<br /> 7 04/04/2016 20:40:09 host/mw-sqproxy-test@DOMAIN.CO.ZA (aes256-cts-hmac-sha1-96)</p>
<p> </snip></p>
<p>I'm using the fqdn in IE to authenticate with kerberos, if i change it to IP it only tries NTLM, which i'm assuming is correct or not?</p>
<p>I've investigated the PC's and all of them have properly joined the domain.</p>
<p>I've checked and i'm getting kvno 3 values from a working win2008r2 as well as kvno 3 values from other pc's but yet, they have a popup asking auth details.</p>
<div>-- <br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace;">Drikus Brits</div>
</div>
<p> </p>
</body></html>