<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2016-07-15 12:11 GMT-03:00 Sergio Belkin <span dir="ltr"><<a href="mailto:sebelk@gmail.com" target="_blank">sebelk@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">2016-07-15 6:31 GMT-03:00 Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 15/07/2016 4:07 a.m., Sergio Belkin wrote:<br>
> Hi,<br>
><br>
> Using squid squid-3.5.19-1.el7.centos.x86_64,<br>
><br>
> I obtain a kerberos ticket but I get the following when trying to use the<br>
> proxy:<br>
><br>
> 2016/07/14 12:57:03.711 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:03.712 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
> 2016/07/14 12:57:04.159 kid1| 29,4| UserRequest.cc(290) authenticate: No<br>
> Proxy-Auth header and no working alternative. Requesting auth header.<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader:<br>
> headertype:46 authuser:NULL<br>
> 2016/07/14 12:57:04.159 kid1| 29,9| Config.cc(188) fixHeader: Sending<br>
> type:46 header: 'Negotiate'<br>
><br>
<br>
</span>That looks like a debug log of Negotiate/Kerberos authentication<br>
beginning on two connections.<br>
<br>
A good secure client does not send credentials until it needs to. Squdi<br>
has received a request that it needs to authenticate, but does not yet<br>
have credentiasl. So it responds with a 407 or 401 message requesting<br>
the client send them using "Negotiate" auth protocol.<br>
 No problem visible.<br>
<br>
<br>
<snip><br>
<span><br>
> Please could you help me? Am I doing something wrong?<br>
<br>
</span>Perhapse if you described what your problem was ?<br></blockquote><div><br><br></div></div></div><div>Amos, thanks, for your clarification, I get as follows: <br><br>"Sorry, you are not currently allowed to request <a href="http://www.lxer.com/" target="_blank">http://www.lxer.com/</a> from this cache until you have authenticated yourself"<br><br>( trying to use from a Linux client:)<br><br></div><div>(And in fact I've RTFM :-) )<br></div><div><br></div><div>tail /var/log/squid/access.log<br><br>192.168.50.37 - - [15/Jul/2016:12:01:05 -0300] "GET <a href="http://www.lxer.com/" target="_blank">http://www.lxer.com/</a> HTTP/1.1" 407 4064 "-" "curl/7.43.0" TCP_DENIED:HIER_NONE<br><br></div><div>I have a kerberos ticket:<br><br>klist<br>Ticket cache: KEYRING:persistent:16777216:16777216<br>Default principal: john.doe@EXAMPLE.LOCAL<br><br>Valid starting     Expires            Service principal<br>15/07/16 12:00:31  15/07/16 22:00:31  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL<br>        renew until 22/07/16 12:00:31<br><br><br></div><div>End of output<br></div><div><br></div><div>I don't know what I'm doing wrong.<br><br></div><div>Thanks in advance!<br></div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><font color="#888888"><br>
Amos<br>
</font></span><div><div><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></span></div><br><br clear="all"><span class=""><br>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">-<br></div></div></div></div></span></div></div></blockquote><div><br></div><div>Please any ideas?<br><br></div><div>squid is on Centos 7.2<br></div><div>AD is Windows 2008 R2 Standard<br><br></div><div>Below more details from cache.log when trying to access from a Windows machine:<br><br> 2016/07/15 19:53:47.334 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.<br>2016/07/15 19:53:47.347 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.347 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test on:local=<a href="http://192.168.50.22:3128">192.168.50.22:3128</a> remote=<a href="http://192.168.50.47:61011">192.168.50.47:61011</a> FD 12 flags=1<br>2016/07/15 19:53:47.447 kid1| 29,4| UserRequest.cc(350) authenticate: No connection authentication type<br>2016/07/15 19:53:47.447 kid1| 29,9| Config.cc(36) CreateAuthUser: header = 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 19:53:47.447 kid1| 29,5| User.cc(39) User: Initialised auth_user '0x2cf1e00'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(95) UserRequest: initialised request 0x30c4be0<br>2016/07/15 19:53:47.447 kid1| 29,9| Config.cc(267) decode: decode Negotiate authentication<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. Received blob: 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(46) start: 0x30c4be0<br>2016/07/15 19:53:47.447 kid1| 29,8| UserRequest.cc(134) startHelperLookup: credentials state is '2'<br>negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: 59).<br>negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: 40).<br>negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: WARNING: received type 1 NTLM token<br>2016/07/15 19:53:47.447 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: '0x30c5698/0x30c5698' sent us reply={result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.447 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: releasing Negotiate auth server '0x30c5698'<br>2016/07/15 19:53:47.447 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.447 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.448 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.448 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.532 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.532 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.655 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.655 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.688 kid1| 29,4| UserRequest.cc(290) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.<br>2016/07/15 19:53:47.688 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.688 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.698 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.<br>2016/07/15 19:53:47.698 kid1| 29,6| UserRequest.cc(179) releaseAuthServer: No Negotiate auth server to release.<br>2016/07/15 19:53:47.698 kid1| 29,5| UserRequest.cc(101) ~UserRequest: freeing request 0x30c4be0<br>2016/07/15 19:53:47.698 kid1| 29,5| User.cc(21) ~User: doing nothing to clear Negotiate scheme data for '0x2cf1e00'<br>2016/07/15 19:53:47.698 kid1| 29,5| User.cc(127) ~User: Freeing auth_user '0x2cf1e00'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(332) authenticate: This is a new checklist test on:local=<a href="http://192.168.50.22:3128">192.168.50.22:3128</a> remote=<a href="http://192.168.50.47:61012">192.168.50.47:61012</a> FD 16 flags=1<br>2016/07/15 19:53:47.717 kid1| 29,4| UserRequest.cc(350) authenticate: No connection authentication type<br>2016/07/15 19:53:47.717 kid1| 29,9| Config.cc(36) CreateAuthUser: header = 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 19:53:47.717 kid1| 29,5| User.cc(39) User: Initialised auth_user '0x2cf1e00'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(95) UserRequest: initialised request 0x30c4be0<br>2016/07/15 19:53:47.717 kid1| 29,9| Config.cc(267) decode: decode Negotiate authentication<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(225) authenticate: auth state negotiate none. Received blob: 'Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw=='<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.717 kid1| 29,9| UserRequest.cc(46) start: 0x30c4be0<br>2016/07/15 19:53:47.717 kid1| 29,8| UserRequest.cc(134) startHelperLookup: credentials state is '2'<br>negotiate_kerberos_auth.cc(610): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' from squid (length: 59).<br>negotiate_kerberos_auth.cc(663): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==' (decoded length: 40).<br>negotiate_kerberos_auth.cc(673): pid=5236 :2016/07/15 19:53:47| negotiate_kerberos_auth: WARNING: received type 1 NTLM token<br>2016/07/15 19:53:47.717 kid1| 29,8| UserRequest.cc(266) HandleReply: helper: '0x30c5698/0x30c5698' sent us reply={result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.717 kid1| 29,6| UserRequest.cc(175) releaseAuthServer: releasing Negotiate auth server '0x30c5698'<br>2016/07/15 19:53:47.717 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(328) authenticate: header Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(256) authenticate: auth state negotiate failed. Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(53) valid: Validating Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,5| UserRequest.cc(73) valid: Validated. Auth::UserRequest '0x30c4be0'.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(63) authenticated: user not fully authenticated.<br>2016/07/15 19:53:47.718 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.718 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.743 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.743 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br>2016/07/15 19:53:47.754 kid1| 29,9| UserRequest.cc(487) addReplyAuthHeader: headertype:46 authuser:NULL<br>2016/07/15 19:53:47.754 kid1| 29,9| Config.cc(188) fixHeader: Sending type:46 header: 'Negotiate'<br><br><br></div><div>Thanks in advance!<br></div></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>